Threat Assessment - Part 2: The Method

Our previous article in this series, THREAT ASSESSMENT: The Concept, introduced a five-step process for this first phase of risk management. This post will discuss that process in greater detail.  

Our Threat Assessment method has five steps:

  1. Describe the target: what is it that you seek to protect, and under what conditions?
  2. List all threats.
  3. Characterize each threat to distinguish it clearly from others.
  4. Identify linkages between threats.
  5. Rate all threats for their probability and consequences, and plot them on a Graded Threat Matrix according to these ratings.

Step 1: Describe the target: what is it you seek to protect, and under what conditions?

You must set boundaries on your effort by defining the "target." Is it your family, your home, your business, your community, or something less tangible like the quality of your child's education, a constitutional right, or even your way of life?

For instance, if the target is your family home, you must characterize it in somewhat greater detail:

  • Are there children in the home, or extended family with special medical or dietary needs? How many fit, able, alert adults are present?
  • Is your home in a rural, suburban, or urban setting?
  • Is your assessment based on today's context, or are you anticipating worsening conditions due to the trends discussed in our previous post in this series?

You can make an assessment as broad or narrow as you wish, by stating specific conditions in your target characterization: seasonal variables, night versus day, work/school days that determine the level of occupancy, conditions that follow some specific precursor event such as a wildfire or outbreak of civil unrest, and so on. If you adopt a narrow focus, then you will probably conduct additional assessments to address other conditions and eventualities; these will all be related, and later ones will benefit from earlier efforts as they will have much in common. These variations in method are entirely up to you, based upon your own preferred approach and mental organization.

For another example of how you might characterize a target, let's look at a family business, a retail shop located in the business sector of a small, rural Wyoming town. The shop caters to tourists and locals, selling a variety of local crafts, home furnishings, and gifts. Hours of operation are 9:00am to 6:00pm Tuesday through Saturday, year-round. There are two distinctly different conditions: during working hours when family members and employees are arriving, working, or departing from the shop; and during non-working hours when the shop is empty, locked, and alarmed. In later steps, as you list and characterize particular threats, you can simply note which ones pertain to these different conditions; or you could address them with separate assessments.

The owners are concerned first about personal safety of the family and employees, secondarily about impacts on sustainability (the ability to continue to conduct business), and finally about loss of inventory and damage to the property. Those priorities may all seem self-evident, but should be a factor in the target characterization. Don't go too far down the rabbit hole in this step, as you will be looking much more closely at your target in your Vulnerability Assessment. For now, simply characterize it enough to help your team define the threats it faces.

Step 2: List all threats

Compile a list of all possible threats. The best method is to assemble a group consisting of trusted friends, family, or associates, to bring fresh, 'outsider' perspectives and to combat normalcy bias, confirmation bias, and the tendency to defer to one person's opinion. Conduct a brainstorming session, which is simply a group discussion centered around a whiteboard, during which any participant is free to suggest any potential threat. It is important in this step not to dismiss any suggestion, no matter how outlandish or unlikely it may seem. Everything goes on the list, and no one wields a veto. It's useful to have a facilitator to manage the list and moderate the discussion. No deep analysis is called for in this stage. All that is needed is to assign a name and, if necessary, a brief description to differentiate this threat from others that might be similar.

An example of a threat list for the retail business profiled in Step 1, under the range of conditions discussed in our first post on this topic, could shape up as follows. Note that little effort is spent to organize or evaluate the entries at this point; we'll merely run two columns, one for environmental and one for human threats.

Environmental Threats

Some of these are "normal" conditions or events to which you must adapt, like seasonal weather or geography. Some are uncommon events, like a "hundred-year flood" or natural disasters which could impact you either directly or indirectly. Remember, at this point, we are not assigning probability, just compiling a list of possibilities. For this Wyoming business, environmental threats might include:

  • Extreme cold, snow and ice in winter (potentially November through May), impacting travel.
  • High winds that can impede travel or delivery of freight any time of year.
  • Severe thunderstorms that may result in power outages.
  • Wildfires in the surrounding countryside – which can have a number of secondary consequences.
  • Earthquakes or volcanic events - from mild to severe.
  • A powerful solar flare or coronal mass ejection (CME) that disrupts the electric power grid or the performance of communications and electronic devices.

In another part of the country, this list could expand to include tornadoes, hurricanes, tsunamis, severe summer heat and humidity, and other natural environmental factors; but Wyoming is spared most of these.

Human Threats

These cover a broad spectrum of bad behaviors and damaging events or conditions. For the first pass at generating a threat list, focus on the behavior, what you would see or experience "on the target." As we discussed earlier, criminal or psychopathic behavior can have many underlying causes or motivations, but we are not psychologists or investigators; focus on the behavior. The list for our family business target might include:

  • A lone active shooter – regardless of motivation.
  • Property crime e.g. burglary, auto theft or vandalism.
  • Random, spontaneous, less lethal violence affecting business staff or customers; this could include robbery, assault, battery, intimidation, mugging, carjacking, kidnapping or rape.
  • A disgruntled employee, neighbor, or acquaintance who threatens or commits an act of violence.
  • A distraught family member – e.g., a jealous husband, wife, lover or someone who has suffered extreme recent trauma or loss.
  • A politically motivated extremist or group, targeting you for your business practices or affiliations, or identifying you as oppressors or exploiters on some racial or class basis.
  • An armed group with gang or organized crime affiliations.
  • A participant in an originally peaceful protest or demonstration that becomes agitated and violent. Here and in the above item, it's not the motive that defines them or sets them apart, but the context and conditions.
  • A terrorist event that does not target you, but affects you, for instance an attack on a nearby dam, bridge, utility substation, or large gathering of people, resulting in mass casualties, restricted travel and communications, and an extraordinary law enforcement response.
  • A rioter, arsonist, or looter, taking advantage of chaotic conditions and/or reduced law enforcement presence. We'll address the linkage and sequential nature of this one later – how it can follow, as a second order consequence, many of the other threats listed.

Step 3: Characterize each threat to distinguish it clearly from others.

This is easy and mostly self-evident for environmental threats. Human threats, though, can be more difficult. Here is where you must begin to consider numbers, motivation, proficiency, organization, and persistence or dedication. As each of those variables increases in value, the threat becomes harder to deter, disrupt, or defeat.

A casual thief might be deterred by a hardware store deadbolt on the rear door in the alley; he's looking for an easier target, and he'll keep moving until he finds one. An active shooter in a school hallway may try to open a classroom door if he believes there are potential victims behind it; but if the door is locked, he doesn't try to breach it; he moves on. Whether either of these individuals lacks the tools and the skills to pick a lock or breach a door, or just realizes his window of opportunity is rapidly closing, is irrelevant to the outcome. In either case they move on. The outcome could be very different if the thief wants a particular, valuable work of art behind that locked door, or the shooter has one primary target that he knows is in that locked classroom – and either of them has come prepared to get through a locked door. So while your original threat list may have had entries for "thief" and "active shooter," you are now obliged to define each a bit more, and this may generate new, separate entries. Now you have "casual thief/target of opportunity" but also "skilled thief/tools and a plan." Your entry for "lone active shooter" may need to become two entries: "lone shooter/random target," and "lone shooter/planned, specific target." In later stages of risk management, the requirements for deterring, defeating, or mitigating these variants will be significantly different.

Unless you are off-grid in a mountaintop retreat, an electrical power failure probably made it onto your threat list; but if you don't already have it broken out, you probably need to consider all or most of these variations:

  • Local power outage due to component failure, vandalism, or storm damage; this could be either short term (minutes or hours) or long term (days).
  • Large-scale (regional or national) power outage due to hostile human action (war, terrorism, eco-sabotage) or a natural event (solar flare/geomagnetic storm, earthquake). Either could be days, weeks, months or longer in duration.

The above are examples of how the initial threat list needs a second pass to refine the descriptions. This almost always results in a longer list.

Intelligence Confidence Levels

When characterizing each threat, you will have made assumptions with different degrees of confidence. Assign an Intelligence Confidence Level (ICL) to each assumption, to distinguish verifiable facts from guesses, and the many gradations in between. This is also a group activity, and you should not settle for anything less than consensus in assigning these values. Recognize and resist Confirmation Bias here: some will simply "want to believe" a source that has low credibility or weak corroboration, because it validates their personal opinion. Seek a consensus from your team on each point. When in doubt, assign a lower ICL. Here is the logic and method of assigning ICLs:

Priority Intelligence Requirements (PIRs)

Some proposed threats will have low ICLs, or you just don't have sufficient information to characterize or evaluate a particular threat. In some cases, there may be major differences in opinion among your team. Address these by formulating Priority Intelligence Requirements (PIR), to seek out more reliable information and fill the gaps. Assign each to an individual or team with a reasonable deadline for completion, and then reconvene to finish your analysis of this threat.

As an example, in one threat assessment we have performed, there were concerns about extremist training camps in remote locations. Rumors and a handful of past incidents suggested this as a potential threat, but reliable information was lacking. PIRs were generated to address the locations, size, population, and orientation or ideology of these camps. Because of the potential seriousness, further assessment and ranking of threats waited upon reliable answers to these PIRs.

Step 4: Identify Linkages Between Threats

Take another pass through your list, to discover linkages between certain threats, or threats that naturally cluster together. Some threats are often coupled with, or follow, or precede others, in the way that looting often follows a hurricane or long-duration power outage. These linkages are important because measures you take to protect against one threat will also help you against others, and you must be sure to consider the way threats cluster together or enable one another. Later in the risk management process you can gain considerable leverage from this.

If your list is as long as it should be, you'll quickly be able to make these connections. One threat may enable another, or if one threat materializes, others may logically follow. This may lead you to revise a threat characterization, or to generate new threat entries to recognize these relationships.

For example, a 7.0 or greater magnitude earthquake will have direct effects such as physical damage to roads and structures and personal injury to individuals. In the aftermath, though, other specific threats are almost sure to develop, which may also arise independently or from other causes; these could include:

  • Traffic congestion as people try to evacuate the affected area;
  • Communication failures as cellular networks are overloaded or key towers and relays are damaged, and landlines are cut;
  • General lawlessness as public safety agencies are overwhelmed by the need for lifesaving response;
  • Looting by criminal gangs or random mob action;
  • Extended power outages;
  • Health and safety effects of damage to fuel or chemical storage facilities or power plants;
  • Structural fires that cannot be controlled because of damage to water mains, and/or wildfires that cannot be controlled because of limited availability of crews, equipment and aircraft, or damage to roads, or fuel shortages.

Step 5: Rate each threat for its probability and its consequences, and plot it on a Graded Threat Matrix.

Rate each threat on a 1 (low) to 5 (high) scale for the probability that it will occur; and again, for the severity of its consequences if it does occur. These ratings should be established by discussion and consensus within your Threat Assessment team. Below is a sample worksheet with a list of rated threats different from the one we constructed previously; it is not specific to (nor would it be complete for) any particular target; it is only an illustration of the process.


THREAT ASSESSMENT WORKSHEET (sample)

THREAT: a category of potential threat to the designated target

CHARACTERIZATION: describes and differentiates this threat from others

PROBABILITY: how likely, on a 1-5 scale, is this threat to occur and affect you directly?

CONSEQUENCE: how dangerous is this threat, on a 1-5 scale, if it does occur?

Next, plot all listed threats on a Graded Threat Matrix, as shown in the example here, according to the probability and consequence you have assigned them.

That completes the final step of Threat Assessment, but it still provides no easy or automatic answers. Only you can determine how to prioritize these threats for attention. Some conclusions may suggest themselves: Threats #5, 9, and 10 are clustered at the 1,5 point, representing the lowest probability but the highest consequences. If this were 1975, you'd probably have global thermonuclear war and worldwide global cooling crowded in there with them. Does the low probability mean that you can afford to ignore them – will actions you take regarding other, more likely threats mitigate these enough to satisfy you? You have to answer that for yourself. A lesson this method provides graphically is that you might be wise to devote more attention to the threat of violence from a lone psychopath (#7) first, as it's much more likely and still quite dangerous. And, as we've suggested in the step that identified linkages, the measures you take to defend against the lone attacker will be of some value against a much wider array of threats as well.
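For readers who keep their worksheet electronically, here is an added Python example (not part of the original article) that files rated threats into the 5×5 Graded Threat Matrix from Step 5 and follows the Step 4 linkages out to second-order threats. The threat names, ratings, and links are constructed for illustration and do not reproduce the sample worksheet.

```python
# Added illustration. All names, ratings and links below are constructed samples.
RATINGS = {  # threat -> (probability 1-5, consequence 1-5), set by team consensus
    "earthquake_7plus": (1, 5),
    "regional_power_outage": (2, 4),
    "comms_failure": (3, 3),
    "looting": (2, 4),
    "uncontrolled_fire": (2, 5),
}
LINKS = {  # Step 4: threat -> threats it enables or that commonly follow it
    "earthquake_7plus": ["regional_power_outage", "comms_failure", "uncontrolled_fire"],
    "regional_power_outage": ["looting", "comms_failure"],
}

def matrix(ratings):
    """Group threats by (probability, consequence) cell; reject off-scale ratings."""
    cells = {}
    for name, (p, c) in ratings.items():
        if not (1 <= p <= 5 and 1 <= c <= 5):
            raise ValueError(f"{name}: ratings must be 1-5, got ({p}, {c})")
        cells.setdefault((p, c), []).append(name)
    return cells

def render(ratings):
    """Text grid: consequence 5 on the top row, probability 1 to 5 left to right."""
    ids = {name: i for i, name in enumerate(ratings, 1)}  # worksheet line numbers
    cells = matrix(ratings)
    rows = []
    for c in range(5, 0, -1):
        row = [",".join(str(ids[n]) for n in cells.get((p, c), [])) or "."
               for p in range(1, 6)]
        rows.append(f"C{c} | " + " ".join(f"{x:<5}" for x in row))
    return "\n".join(rows)

def downstream(threat, links):
    """Every threat reachable from `threat` through linkages, at any order."""
    seen, stack = set(), [threat]
    while stack:
        for nxt in links.get(stack.pop(), []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    seen.discard(threat)  # a circular link must not make a threat its own consequence
    return seen

def upstream_counts(ratings, links):
    """For each threat, how many other listed threats can lead to it."""
    counts = dict.fromkeys(ratings, 0)
    for src in ratings:
        for dst in downstream(src, links):
            counts[dst] = counts.get(dst, 0) + 1
    return counts

if __name__ == "__main__":
    print(render(RATINGS))
```

A threat with a high upstream count, such as looting in this sample, is one where a single protective measure pays off across several scenarios.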

This prioritization can wait, however. It will be easier after the next step of risk management, which is a Vulnerability Assessment (VA). Your VA uses your Area Study and Site Survey(s) to characterize your target, and compare its characteristics to the array of threats you have created. Not only will it identify weaknesses against one or more threats; you may also find that it influences your analysis and prioritization of those threats. For instance, if you live at the end of a remote mountain road, some of the antisocial violent behaviors on our sample threat list may be of less concern to you than they are to your friend who lives in an apartment complex in town; on the other hand, during a severe or sustained scenario, lonely refuges may be specifically targeted as they were in Argentina following its currency collapse in 2001. We'll discuss concepts and methods of Vulnerability Assessment in our next post in this series.

The five-step Threat Assessment process we've described here is a deliberate, analytical process that requires more than one participant to achieve an honest and useful result. As with other components of Security Analysis, this "honesty trace" prevents any one person's biases or assumptions from unduly influencing the result.
Copyright © 2025 Stand Tall and Strong.