Remote IT-based support and operations of offshore oil and gas installations are increasing. The technology used to support operations is changing from proprietary, closed process control systems to standardized IT systems connected to internal networks and the Internet. In addition, operations and management are increasingly performed by a network of companies. Standardized PCs running MS Windows are more vulnerable than the proprietary systems used earlier, and the increased connections and participants in the networks increase the vulnerability. This creates the need for improved information security. Our hypothesis is that an important contribution to improved information security and safety is an improved safety and security culture and improved information sharing during operations and incident handling. Such a safety and security culture should be explicitly directed towards actions that support learning. We have developed a method called CheckIT, consisting of a questionnaire and a process to improve information security and safety culture based on group discussions of key issues. Future work in this area includes refinement of the questionnaire, as well as the use of system simulation to develop a holistic perspective on the causes and outcomes of their security policies.