From prescriptive rules to responsible organisations – making sense of risk in protective security management – a study from Norway

ABSTRACT Protective security management aims at protecting against malicious acts. It has, in a relatively short period, undergone substantial changes. One such change is the introduction of risk management. This article investigates a debate about a standard for security risk assessment (SRA) in Norway. It focuses on sense-making by security professionals, drawing on a unique interview material. The analysis utilises Michael Power’s theory on risk governance, as well as insights from security studies. A central finding is that the SRA approach was introduced to create more analytical security management. The importance of analysing one’s values (assets) makes it key to scrutinise the organisation’s characteristics, goals and vulnerabilities, regarded as moving security management in the direction of corporate governance. The article investigates how understanding of risk assessment and security interplay, and identifies a tension between risk (assessment) and the goal of protection, which makes security management risk averse. A requirement of creating sound security is viewed as a potential for burdensome organisational responsibility and blame. The analysis identifies elements of what is often described as resilience (attention towards vulnerabilities), but without the political reading (neo-liberal abdication of the state), thus contributing to the literature on resilience.