Second Sight Training Systems

View Original

5 Threat And Risk Assessment Approaches for Security Professionals in 2024

Threat assessment means different things to different people. Security professionals, police officers, judges, psychologists, and school counselors all conduct tasks they describe as threat assessment. These approaches are all predictive in nature, but very different.

Before we dig into threat assessment, a bit of background on this article. This post was first published in late 2019. Since publication, it has been the most popular page on our website. As of January 2024, 82,224 visitors from all over the world have read this post. For a small company like us, this is awesome. We are helping security professionals everywhere identify techniques that can help them secure lives and property.

In the 2024 updates, we are providing access to more outside sources that can support any type of threat assessment. We will also provide updated terminology based on our understanding of the state-of-the-art in these areas.

I hope that you find this resource useful too. Don’t hesitate to reach out if we can help you or your organization.

Threat Assessment Approaches

Take a moment to think about what threat and risk assessment means to you or what problem you are hoping that threat assessment will help you solve.

Are you looking to:

  1. plan for and protect facilities and critical infrastructure against terrorist attacks, insider threats, or natural disasters;

  2. help your security personnel identify and react to threatening individuals, such as active shooters;

  3. protect your computer networks, systems, and servers from attacks by malicious actors;

  4. identify, assess, and intervene with a person who may commit targeted or instrumental violence (e.g., a mass shooting); or

  5. assess a specific individual’s risk for violent behavior.

While we can’t conduct a comprehensive review of each method, this post is meant to define each one and help you identify threat assessment training and resources.

Now, let’s take a deeper dive into each threat and risk assessment approach.

1. The Security Threat and Risk Assessment

For people in the security or protection industry, threat assessment refers to the process of evaluating and analyzing potential risks that could impact the security and safety of critical infrastructure and people associated with a particular site or facility.

It focuses on analyzing existing protective measures and vulnerabilities at facilities and identifying ways to reduce those vulnerabilities and enhance safety. This includes assessing things like physical security, cybersecurity, security management and staffing, to not only safeguard critical infrastructure but any facility – businesses, elementary schools, concert halls.

There are a broad range of threats that can affect a particular site or location, including:

  • External hazards, such as natural disasters and fires;

  • Nonviolent and violent criminal threats, such as potential thefts, threats of violence toward staff, active shooter incidents, or terrorist threats;

  • Potential accidents related to improper building maintenance or unsafe working conditions;

  • Cyber threats, such as hacking, data breaches, ransomware; and

  • Any other threats that could impact telecommunications, transportation, or delivery of services at that location.

Threats & Risks at a School

For a security risk assessment, let’s take an example of an elementary or high school. Potential threats to a school could include a natural disaster, an active shooter, or accidental injuries that could result from improper safety precautions. Each of these threats requires a different response.

This security threat risk assessment includes not only identifying potential threats but also assessing the likelihood of their occurrence. Just because something can happen doesn’t mean it will.

The Vulnerability Assessment

Following the security risk threat assessment is the vulnerability assessment, which has two parts. First, it involves a determination of the assets at risk (e.g., people, buildings, equipment). This includes an estimation of the financial loss that would be incurred if the given location was successfully attacked and stopped providing service. Second, it includes an assessment of the level of attractiveness of the target (in the case of intentional attacks) and the level of existing defenses against each threat.

In the case of a school, some common gaps in security include difficulty in securing entry and access points, insufficient security measures (e.g., cameras, security personnel) due to budgetary concerns, and limitations in training and experience among school personnel.  

Learn about Security Threat Risk Assessment

If you are interested in learning more about security threat risk assessment, here are some great resources:

2. Active Threat Assessment

For security professionals, threat assessment is also used to describe a process of observing, identifying, and reacting to potential imminent and immediate threats. These could be against your clients, their facilities, or your personnel. At Second Sight, we refer to the systematic process of identifying threats as “active threat assessment.”

The Active Threat Assessment Methodology

Active threat assessment involves a focused observation of behaviors and actions. In this methodology, an observer (such as one of your security officers) systematically observes their environment, identifies potentially suspicious individuals (also known as persons of interest), and assesses the potential threats posed by these individuals.

A person of interest (POI) is an individual who is a target for further observation. They may become a target due to suspicious activity or a display of threatening behavior.

Further observation of the POI involves an assessment of threat indicators, which are visual behaviors that indicate a potential threat. For example, a POI might be trying to avoid notice, or they could show visible signs that they are carrying a weapon.

These assessments, in combination, allow for the identification of active threats.  

Potential Users of Active Threat Assessment

A wide spectrum of security professionals can use Second Sight's active threat assessment approach, including:

  1. Executive and personal protection specialists;

  2. Uniformed security personnel who provide foot and vehicle patrol at a range of facilities (churches, airports, schools, public events, gaming facilities, etc.);

  3. Camera surveillance personnel; or

  4. Security personnel who conduct access control or respond to incidents.

To learn more about active threat assessment, check out our companion posts:

You can also join our mailing list or enroll in one of our online active threat assessment training courses.

3. The Cybersecurity Threat and Risk Assessment

The same threat risk assessment and analysis process can be applied to cybersecurity, which is a key component of overall risk assessment. A cybersecurity threat risk assessment focuses on protecting access to information (e.g., data, personal information), access to networks (e.g., the internet at your offices), software (e.g., telecommunications systems, electronic data management systems), and hardware (e.g., the laptops and mobile phones of your employees).

A cyberattack refers to any purposeful attempt to obtain unauthorized access to a network, computer system, or device. Typically, these attacks are carried out with the intention of stealing, modifying, exposing, or destroying data or other assets. Perpetrators employ a range of techniques in carrying out these attacks.

One type of cyberattack that is becoming increasingly common is ransomware. Ransomware is a type of malware that is installed on a system without the user’s knowledge or permission, often via websites, emails, or file attachments. Once infected, the ransomware locks and encrypts a victim’s data, files, and systems, rendering them unusable until a sum of money is paid to the attacker.

Ransomware can have dire consequences. Once the data gets into someone else’s hands, there’s no guarantee that the victim will get it back. Unless they pay the ransom, which still doesn’t guarantee that cybercriminals will return the files.  In recent years, there has been a significant increase in the number of ransomware attacks, with several high-profile incidents affecting diverse entities ranging from hospitals to schools and government agencies. For example, researchers estimate that 6 in 10 health care companies were hit by ransomware attacks in the last year. These attacks disrupt services, put patients’ lives at risk and cost hospitals millions of dollars.

The basic steps of a cybersecurity threat risk assessment are:

  1. characterize the type of system that is at risk;

  2. identify specific threats to that system (e.g., unauthorized access, misuse of information, data leakage or exposure, loss of data, disruption of service);

  3. determine inherent risks and impacts;

  4. analyze and identify existing controls that may prevent, mitigate, detect, or compensate for potential threats;

  5. assess the extent to which existing controls successfully mitigate the threats;

  6. determine the likelihood of a threat occurring based on current controls; and

  7. calculate a risk rating based on a combination of impact and likelihood of occurrence.

After the assessment, you will have a better idea of what cybersecurity controls are in place and where vulnerabilities still exist. Then, you can begin implementing security controls to mitigate any potential risks. 

If you are interested in learning more about cybersecurity threat risk assessments, check out the following resources:

Ransomware-specific resources:

4. Threat Assessment for Instrumental Violence

Instrumental violence is when someone commits or threatens to commit a specific attack, such as a mass shooting. In your case, it could involve an employee who has made threats against other staff members or has been involved in recent altercations at work. For executive and personal protection, it could involve individuals who have made threats against your protectee.

Threat assessment for instrumental violence is incident- and subject-specific, meaning that it assesses the likelihood that a specific individual will commit a specific attack. This is a growing area and is often referred to as Behavioral Threat Assessment and Management (or BTAM) or Threat Assessment and Management.

The National Association of School Psychologists (NASP) describes a broad spectrum of activities for identifying and intervening with potentially violent individuals who exhibit risk factors for instrumental violence.

A noted authority on this approach is the U.S. Secret Service National Threat Assessment Center (NTAC). In a 2023 report titled “Mass Attacks in Public Places,” they noted that many mass attackers often have similarities, including: a personal grievance; a history of criminal behavior; substance abuse or mental health symptoms; or other stressors (such as financial instability). Many of these attackers also made statements or exhibited certain behaviors prior to the attack that elicited concern from others. These situational and behavioral factors can serve as flags for individuals who may commit instrumental violence.

For information on threats of mass attacks in public places, see the following resources:

Threat Assessment in Schools

Instrumental violence is often associated with schools, for which a more nuanced approach specific to the school setting can be used. This threat assessment process focuses on a range of factors, including but not limited to motives, communications, weapons access, stressors, emotional and developmental issues, and protective factors. For more information on that approach, see our post on school behavioral threat assessment.

One alarming trend that has been on the rise is the false reporting of attacks at schools and universities. More than 500 schools across the country have received these hoax calls, which are now considered to be part of a coordinated “swatting” campaign exploiting prevalent fear over school shootings. Swatting is when people falsely report violent situations like bomb threats, hostages, and active shooters to trigger a police response, preferably by a SWAT team, to a particular address.

Swatting incidents can be dangerous, putting the lives of the individuals at the reported location at risk. Law enforcement might respond aggressively, not knowing that the situation is a hoax. The fear and trauma associated with a sudden, intense police response can also cause lasting psychological effects for targeted individuals. These incidents also occupy limited emergency services in a community and can cause delayed responses to genuine emergencies.

Proactive mitigation strategies are essential to preventing and limiting the impact of these incidents. For information on how to identify and respond to a potential swatting incident, see this guide from the state of Washington’s School Safety Center.

For more information on instrumental violence threat assessment in schools, see the resources below:

5. The Violence Threat Risk Assessment

Violence threat risk assessments are typically used to estimate the likelihood that an individual will exhibit violent behavior in the future. They are used to help practitioners and intervention providers make informed decisions about risk mitigation, supervision, and treatment options for potentially dangerous individuals.

Like the instrumental violence approach described above, this approach also involves identification of risk factors and intervention strategies. The difference, though, is that violence threat risk assessment focuses on assessing an individual’s predilection for violence more generally and is not related to a specific attack against a specific target.

This is often referred to as a violence risk assessment or just a risk assessment. A critical difference between this risk assessment and the threat assessment for instrumental violence is the former measures the likelihood that an individual will commit some sort of violent act in the future, while the latter is focused on predicting a specific targeted act.

This approach may not be something you or your personnel perform directly. Typically, these assessments are conducted by qualified clinical professionals. There are different types of violence threat risk assessments that predict different types of risks, ranging from domestic violence to terrorism. Some of these rely on the judgment of professionals, while others are actuarial-based.

One recommendation is the shift toward structured professional judgment (SPJ) approaches. The SPJ approach involves a systematic evaluation of risk factors by professionals who use their expertise and judgment to reach a conclusion about an individual's level of risk. Some of the commonly known SPJ approaches are the Violent Extremism Risk Assessment (VERA), the Extremism Risk Guidance 22+ (ERG 22+), the Spousal Assault Risk Assessment (SARA), and the Historical Clinical Risk Management-20 (HCR-20).

In contrast, actuarial-based risk assessment instruments (RAIs) predict risk by using statistical methods and a scoring system informed by historical data and criminological theory. Using the scoring system, RAIs screen for predetermined risk indicators, which are used to generate a numerical risk score. The risk score reflects the likelihood of a future event, such as recidivism or targeted violence. Some of the most commonly used RAIs are the Violence Risk Appraisal Guide (VRAG), the Virginia Pretrial Risk Assessment Instrument (VPRAI), the Level of Service Inventory-Revised (LSI-R), the Ohio Risk Assessment System (ORAS), and the Public Safety Assessment (PSA).

Each approach has pros and cons. In the SPJ approach, professionals examine a wide range of aggravating and mitigating factors and can offer more personalized assessments, especially in unique circumstances. However, some criticize the SPJ approach for being too subjective and inconsistent when making risk evaluations due to variations in professional judgment and individual biases.

In contrast, RAIs are consistent in making predictions based on the same inputs, as they rely on predetermined formulae to assess risk. However, there are concerns about their potential to outperform human judgment, as RAIs don’t adapt well to uncommon circumstances, and they often include static factors (such as being a male) that cannot be changed. Relatedly, if historical data is biased, the algorithm might perpetuate biases.

Ultimately, selecting a risk assessment tool involves considering the specific nature of the risk being assessed (e.g., violent extremism, general violence, sexual offending), the characteristics of the population being assessed (e.g., age, gender, cultural background), the setting or context of the assessment (e.g., forensic mental health, correctional facility), and the availability of empirical evidence supporting the tool's reliability and validity.

The Public Risk Innovation, Solutions, and Management (PRISM) framework by the Public Entity Risk Institute (PERI) provides a comprehensive approach to risk management for public entities. While it is not an actuarial-based tool, PRISM encompasses various aspects of risk identification, assessment, and management. The framework includes various modules and resources that assist organizations in understanding, preventing, and responding to a range of risks, from financial and operational risks to strategic and reputational risks.

For more information on violence threat risk assessment, check out the following resources:

What’s Next?

All of these approaches are essential to protecting our community and keeping people safe. Depending on your needs, any of these approaches to threat and security assessment may be relevant to you or your personnel.

As a next step, take a deeper dive into some of these resources or check out our recently updated online program: Active Threat Assessment for Security Professionals.