The 2024 Guide to Threat Assessment Approaches for Law Enforcement

Active Threat AssessmentThreat Assessment MethodsLaw EnforcementPrimary

Mar 10

For law enforcement officers, the ability to accurately identify and respond to threats is paramount to ensuring public safety. Whether it’s reacting to active threats in real time or enhancing long-term predictive capabilities, threat and risk assessments are techniques that can help resolve threats and prevent violent incidents.

But threat assessment means different things to different people. Security professionals, police, military personnel, psychologists, and school counselors all conduct tasks they describe as threat assessment. These tasks are all predictive in nature, but very different.

For example, judges conduct threat risk assessments to determine whether someone presents a general danger to the public after being released pretrial, while law enforcement is more often focused on assessing imminent or immediate threats.

This guide was first published in 2019. I wrote it because I was having trouble differentiating between all the different “types” of threat assessment. It turns out that lots of people use the term. Sometimes the term is used interchangeably with “risk assessment.”

Since its publication, it has proven to be one of the most popular posts. Last year alone, more than 2,900 people all over the world had read this post. For a small company like us, this is awesome. We are proud to be helping police everywhere identify techniques that can help them protect their communities.

I hope you find this resource useful too. Don’t hesitate to reach out if we can help you or your organization.

Threat Assessment Approaches

Take a moment to think about what problem you are hoping that threat assessment will help solve.

Are you looking to:

plan for and protect facilities and critical infrastructure against terrorist attacks, insider threats, or natural disasters;
help your officers identify behavior-based threats and react to threatening individuals, such as active shooters;
protect your computer networks, systems, and servers from attacks by malicious actors;
identify, assess, and intervene with a person who may commit targeted or instrumental violence (e.g., a mass shooting); or
assess a specific individual’s risk for violent behavior.

Let’s take a deeper dive into each threat risk assessment approach. Please understand that these next sections do not represent a comprehensive review of each approach. Instead, they are meant to help you identify relevant threat assessment training and provide you with resources to learn more.

1. The Security Threat and Risk Assessment

For people who work in the security or protection industry, threat assessment refers to the process of evaluating and analyzing potential risks that could impact the security and safety of critical infrastructure and people associated with a particular site or facility.

It focuses on analyzing existing protective measures and vulnerabilities at facilities and identifying ways to reduce those vulnerabilities and enhance safety. This includes assessing things like physical security, cybersecurity, and staffing to safeguard not only critical infrastructure but any facility—businesses, elementary schools, and concert halls.

There are a broad range of threats that can affect a particular site or location, including:

External hazards, such as natural disasters and fires;
Nonviolent and violent criminal threats, such as potential thefts, threats of violence toward staff, active shooter incidents, or terrorist threats;
Potential accidents related to improper building maintenance or unsafe working conditions;
Cyber threats, such as hacking, data breaches, ransomware; and
Any other threats that could impact telecommunications, transportation, or delivery of services at that location.

Security Threat Risk Assessment at a School

For a security risk assessment, let’s take the example of an elementary or high school. Potential threats to a school could include a natural disaster, an active shooter, or accidents arising from improper safety precautions. Each of these threats requires a different response.

This security threat risk assessment includes not only identifying potential threats but also assessing the likelihood of their occurrence. Just because something can happen doesn’t mean it will.

The Vulnerability Assessment

Following the security risk threat assessment is the vulnerability assessment, which has two parts. First, it involves a determination of the assets at risk (e.g., people, buildings, equipment). This includes an estimation of the financial loss that would be incurred if the given location was successfully attacked and stopped providing service. Second, it includes an assessment of the level of attractiveness of the target (in the case of intentional attacks) and the level of existing defenses against each threat.

In the case of a school, some common gaps in security include difficulty in securing entry and access points, insufficient security measures (e.g., cameras, security personnel) due to budgetary concerns, and limitations in training and experience among school personnel.

Learn More About the Security Risk Threat Assessment

If you are interested in learning more about security threat risk assessment, here are some great resources:

Argonne National Laboratory’s protocol for identifying vulnerability and protective measures.
Guidance for Conducting a Risk Assessment from Harvard University’s Department of Risk Management and Audit Services
The Cybersecurity and Infrastructure Security Agency’s (CISA) web-based Infrastructure Survey Tool for determining the overall security and resilience of a facility
Guides from the U.S. Department of Homeland Security (DHS):

An overview of threat risk assessment and planning for emergency services personnel
How to sustain public safety services during an emergency
Critical infrastructure vulnerability assessments and mitigation plans
Determining a particular location’s security level
Resource listing for state, local, tribal, territorial, and campus law enforcement

Customizable risk assessment templates from the Ready Campaign:

Printable forms to conduct risks and needs assessments
Printable forms for planning response and recovery efforts for different potential emergencies

Online school-focused risk assessment tools:

The Department of Education’s REMS Site Assess Tool is a free school-based risk assessment available as a mobile app
The School Security Assessment Tool (or SSAT) available from CISA

2. Active Threat Assessment

For law enforcement officers, threat assessment is also used to describe a process of observing, identifying, and reacting to potential, imminent, or immediate threats. These threats could be against your officers or the public. At Second Sight, we refer to the systematic process of identifying immediate threats as “active threat assessment.”

The Active Threat Assessment Methodology

Active threat assessment involves a focused observation of behaviors and actions. In this methodology, an observer (such as one of your officers) systematically observes their environment, identifies potentially suspicious individuals (also known as persons of interest), and assesses the potential threats posed by these individuals.

A person of interest (POI) is someone who displays some type of abnormal behavior warranting closer observation. At this time, an officer can assess threat indicators, which are visual behaviors that might indicate threatening behavior or suspicious activity. If threat indicators are apparent, the POI may become a target for potential interdiction.

Active Threat Assessment Training

Threat assessment skills will help your officers focus their attention on true threats and better equip them to prevent potential tragedies. For example, a POI might show visible signs that they are carrying a weapon. In such a scenario, it could help an officer identify and prevent a potential active shooter incident.

Second Sight offers active threat assessment training for law enforcement professionals. Law enforcement classes are certified through the IADLEST National Certification Program (NCP) and are regularly updated based on emerging research as well as feedback from our participants.

To learn more about active threat assessment, check out our companion posts:

“Active Threat Assessment: Identify Potential, Immediate, and Imminent Threats,” which describes our active threat assessment process in detail;
“The 4 Benefits of Situational Awareness,” which describes situational awareness, the first step of active threat assessment;
“Situational Awareness in the Workplace,” which shows how anyone can be aware to help identify security of threats;
“Context in Threat Identification and Assessment,” which explains how to systematically observe your environment;
“Identifying Active Threats Through Behavioral Change,” which provides detail on identifying behavioral threat indicators; and
“Identifying Concealed Weapons at Protests,” which applies active threat assessment in the context of mass gatherings, such as protests.

You can also take our free online course, Introduction to Active Threat Assessment. In this course, you can learn about the active threat assessment methodology and decide if our full-length active threat assessment programs are right for you and your officers.

Enroll Now

3. The Cyber-security Threat Risk Assessment

The same threat risk assessment and analysis process can be applied to cybersecurity, which is a key component of overall risk assessment. A cybersecurity threat risk assessment focuses on protecting access to information (e.g., data, personal information), access to networks (e.g., the internet at your offices), software (e.g., telecommunications systems, electronic data management systems), and hardware (e.g., the laptops and mobile phones of your officers).

A cyberattack refers to any purposeful attempt to obtain unauthorized access to a network, computer system, or device. Typically, these attacks are carried out with the intention of stealing, modifying, exposing, or destroying data or other assets. Perpetrators employ a range of techniques in carrying out these attacks.

One type of cyberattack that is becoming increasingly common is ransomware. Ransomware is a type of malware that is installed on a system without the user’s knowledge or permission, often via websites, emails, or file attachments. Once infected, the ransomware locks and encrypts a victim’s data, files, and systems, rendering them unusable until a sum of money is paid to the attacker.

Ransomware can have dire consequences. Once the data gets into someone else’s hands, there’s no guarantee that the victim will get it back. Unless they pay the ransom, which still doesn’t guarantee that cybercriminals will return the files.

In recent years, there has been a significant increase in the number of ransomware attacks, with several high-profile incidents affecting diverse entities ranging from hospitals to schools and government agencies. For example, researchers estimate that 6 in 10 health care companies were hit by ransomware attacks in the last year. These attacks disrupt services, put patients’ lives at risk and cost hospitals millions of dollars.

The basic steps of a cybersecurity threat risk assessment are:

characterize the type of system that is at risk;
identify specific threats to that system (e.g., unauthorized access, misuse of information, data leakage or exposure, loss of data, disruption of service);
determine inherent risks and impacts;
analyze and identify existing controls that may prevent, mitigate, detect, or compensate for potential threats;
assess the extent to which existing controls successfully mitigate the threats;
determine the likelihood of a threat occurring based on current controls; and
calculate a risk rating based on a combination of impact and likelihood of occurrence.

After the assessment, you will have a better idea of what cybersecurity controls are in place and where vulnerabilities still exist. Then, you can begin implementing security controls to mitigate any potential risks.

If you are interested in learning more about cybersecurity threat risk assessments, check out the following resources:

International Association of Chiefs of Police’s (IACP) Law Enforcement Cyber Center
FEMA’s detailed overview of different cyberattacks and how to mitigate their impacts
Resources from the Cybersecurity and Infrastructure Security Agency (CISA)
Framework and guidance for conducting a Cyber Resilience Review (CRR) assessment
Guidance for protecting mobile devices and securing wireless networks.
Ransomware-specific resources:
1. CISA’s StopRansomware.gov
2. 2023 #StopRansomware Guide by CISA, NSA, and the FBI

Quick start guide to combating ransomware
Protecting against ransomware attacks
What to do if you are hit by ransomware

4. Threat Assessment for Instrumental Violence

Instrumental violence is when someone commits or threatens to commit a specific attack, such as a mass shooting. In your case, it could involve an employee who has made threats against other staff members or has been involved in recent altercations at work.

Threat assessment for instrumental violence is incident- and subject-specific, meaning that it assesses the likelihood that a specific individual will commit a specific attack. This is a growing area and is often referred to as Behavioral Threat Assessment and Management (or BTAM) or Threat Assessment and Management.

The National Association of School Psychologists (NASP) describes a broad spectrum of activities for identifying and intervening with potentially violent individuals who exhibit risk factors for instrumental violence.

A noted authority on this approach is the U.S. Secret Service National Threat Assessment Center (NTAC). In a 2023 report titled “Mass Attacks in Public Places,” they noted that many mass attackers often have similarities, including: a personal grievance; a history of criminal behavior; substance abuse or mental health symptoms; or other stressors (such as financial instability). Many of these attackers also made statements or exhibited certain behaviors prior to the attack that elicited concern from others. These situational and behavioral factors can serve as flags for individuals who may commit instrumental violence.

For information on threats of mass attacks in public places, see the following resources:

Our companion post, “Threat Assessment and Active Shooter Prevention”
DHS’ guidance for first responders regarding securing public gatherings and active shooter preparedness
The NCTC’s First Responder Tool Box on Threat Assessment and Management
Behavioral Approach to Violence Prevention, developed by the National Threat Evaluation and Reporting Program
Training resources available from the National Threat Evaluation and Reporting (NTER) Program Office at the Department of Homeland Security:

Foundations of Targeted Violence Prevention eCourse

Behavioral Threat Assessment and Management (BTAM) Train-the-Trainer program for public entities

RAND’s framework for preparing for and responding to mass attacks:
1. Detecting and assessing the extent of the threat posed
2. Follow-up actions to implement should such an attack occur
3. Databases where authorized personnel can access information about a specific person to assess their potential risk

Threat Assessment in Schools

Instrumental violence is often associated with schools, for which a more nuanced approach can be used. This threat assessment process focuses on a range of factors, including but not limited to motives, communications, weapons access, stressors, emotional and developmental issues, and protective factors. For more information on this approach, see our post on school behavioral threat assessment.

One alarming trend that has been on the rise is the false reporting of attacks at schools and universities. More than 500 schools across the country have received these hoax calls, which are now considered to be part of a coordinated “swatting” campaign exploiting prevalent fear over school shootings. Swatting is when people falsely report violent situations like bomb threats, hostages, and active shooters to trigger a police response, preferably by a SWAT team, to a particular address.

Swatting incidents can be dangerous, putting the lives of the individuals at the reported location at risk. Law enforcement might respond aggressively, not knowing that the situation is a hoax. The fear and trauma associated with a sudden, intense police response can also cause lasting psychological effects for targeted individuals. These incidents also occupy limited emergency services in a community and can cause delayed responses to genuine emergencies.

Proactive mitigation strategies are essential to preventing and limiting the impact of these incidents. For information on how to identify and respond to a potential swatting incident, see this guide from the state of Washington’s School Safety Center.

For more information on instrumental violence threat assessment in schools, see the resources below:

Our companion posts: “Identifying Active Threats in Schools” and “School Behavioral Threat Assessment”
Resources to prevent and mitigate targeted violence by SchoolSafety.gov
The National Behavioral Intervention Team Association (NABITA)’s behavioral threat assessment tool and rubric
Template for conducting student threat assessment inquiries, courtesy of the U.S. Secret Service (USSC)
University of Illinois Chicago (UIC) Violence Prevention Plan

5. The Violence Threat Risk Assessment

Violence threat risk assessments are typically used to estimate the likelihood that an individual will exhibit violent behavior in the future. They are used to help practitioners and intervention providers make informed decisions about risk mitigation, supervision, and treatment options for potentially dangerous individuals.

Like the instrumental violence approach described above, this approach also involves identification of risk factors and intervention strategies. The difference, though, is that violence threat risk assessment focuses on assessing an individual’s predilection for violence more generally and is not related to a specific attack against a specific target.

This is often referred to as a violence risk assessment or just a risk assessment. A critical difference between this risk assessment and the threat assessment for instrumental violence is the former measures the likelihood that an individual will commit some sort of violent act in the future, while the latter is focused on predicting a specific targeted act.

This approach may not be something you or your officers perform directly. Typically, these assessments are conducted by qualified clinical professionals. There are different types of violence threat risk assessments that predict different types of risks, ranging from domestic violence to terrorism. Some of these rely on the judgment of professionals, while others are actuarial-based.

One recommendation is the shift toward structured professional judgment (SPJ) approaches. The SPJ approach involves a systematic evaluation of risk factors by professionals who use their expertise and judgment to reach a conclusion about an individual's level of risk. Some of the commonly known SPJ approaches are the Violent Extremism Risk Assessment (VERA), the Extremism Risk Guidance 22+ (ERG 22+), the Spousal Assault Risk Assessment (SARA), and the Historical Clinical Risk Management-20 (HCR-20).

In contrast, actuarial-based risk assessment instruments (RAIs) predict risk by using statistical methods and a scoring system informed by historical data and criminological theory. Using the scoring system, RAIs screen for predetermined risk indicators, which are used to generate a numerical risk score. The risk score reflects the likelihood of a future event, such as recidivism or targeted violence. Some of the most commonly used RAIs are the Violence Risk Appraisal Guide (VRAG), the Virginia Pretrial Risk Assessment Instrument (VPRAI), the Level of Service Inventory-Revised (LSI-R), the Ohio Risk Assessment System (ORAS), and the Public Safety Assessment (PSA).

Each approach has pros and cons. In the SPJ approach, professionals examine a wide range of aggravating and mitigating factors and can offer more personalized assessments, especially in unique circumstances. However, some criticize the SPJ approach for being too subjective and inconsistent when making risk evaluations due to variations in professional judgment and individual biases.

In contrast, RAIs are consistent in making predictions based on the same inputs, as they rely on predetermined formulae to assess risk. However, there are concerns about their potential to outperform human judgment, as RAIs don’t adapt well to uncommon circumstances, and they often include static factors (such as being a male) that cannot be changed. Relatedly, if historical data is biased, the algorithm might perpetuate biases.

Ultimately, selecting a risk assessment tool involves considering the specific nature of the risk being assessed (e.g., violent extremism, general violence, sexual offending), the characteristics of the population being assessed (e.g., age, gender, cultural background), the setting or context of the assessment (e.g., forensic mental health, correctional facility), and the availability of empirical evidence supporting the tool's reliability and validity.

The Public Risk Innovation, Solutions, and Management (PRISM) framework by the Public Entity Risk Institute (PERI) provides a comprehensive approach to risk management for public entities. While it is not an actuarial-based tool, PRISM encompasses various aspects of risk identification, assessment, and management. The framework includes various modules and resources that assist organizations in understanding, preventing, and responding to a range of risks, from financial and operational risks to strategic and reputational risks.

For more information on violence threat risk assessment, check out the following resources:

Open-access digital book Violent Extremism: A Handbook of Risk Assessment and Management by Caroline Logan, Randy Borum, and Paul Gill, published in 2023
The American Psychological Association (APA)’s Guidelines for Psychological Evaluation and Assessment
The Department of Defense’s report on predicting violent behavior
Risk Assessment Database, courtesy of the Berkman Klein Center
Most widely used Risk Assessments in each state

What’s Next?

All these approaches are essential to protecting our community and keeping people safe. Depending on your needs, any of these approaches to threat and security assessment may be relevant to you or your personnel.

As a next step, take a deeper dive into some of these resources or check out our recently recertified onlineThreat Awareness for Law Enforcement Program.