Day after day, on social media and elsewhere on the Internet, there are lots of folks who are seemingly shocked every time a bad guy shows up and acts like a bad guy. Seriously, how many times have you read or seen “I can’t believe Suspect A was able to murder all of those people” or “If only they (security) did XYZ like I thought of during a conversation with my veterinarian who may have been in the military, that bad thing wouldn’t have happened”? I see it quite a bit and frankly, I’ve decided it may be time to finally add my .02 about it.
Those of us in security who have spent some time studying “the threat” (insert whatever scary bad guy you’re dealing with) understand what few who haven’t studied it don’t. No matter how awesome your protective measures are, they do little to mitigate (and certainly not “prevent”) the attacker unless you start thinking a bit like they do. Herein lies the fatal flaw of most “white hats” and even some “grey hats”.
- You think of attacks in ways that you would conduct them. No offense but if you’re protecting yourself against robbers but know relatively little of them, you may be looking to deploy solutions which don’t work against that threat. One of the most painful things any security professional can hear when doing a site survey with a client from the client is “If I were the bad guy, this is how I would do it.” More often than not, it is not how the bad guys would attack. Think security cameras in homes. Most people will deploy a camera at home with the thought the camera provides an extra layer of protection when in fact it doesn’t. I have known several victims of home invasions who either had cameras installed or had an alarm sign out front. These are two commonly deployed deterrence tools that we know don’t work. Instead, focus on the problem as if the bad guy would ignore the deterrence measures (because he will because we have little proof he won’t) and proceed with the attack and use things like cameras as after-incident mitigation tools to catch the perpetrator later.
- You think of your threat as one-dimensional. Most good guys see their threat based on commonly accepted precepts of what the threat is and how he has attacked in the past. Just because the bad guy only hit you or the other guy using one vector doesn’t mean he won’t try something different later. A great example of this is 9/11. Prior to the second World Trade Center attack, there were common beliefs that terrorists were only capable of performing certain kinds of attacks. What no factored in was changing realistic threat capabilities. In other words, we assumed the threat wasn’t evolutionary in his tactics. Seriously, who could’ve imagine having to protect a building against two near-simultaneous aircraft crashes? Perhaps we could have had we accepted the idea that as we change so does the threat.
- You think the threat is omnipotent and omnipresent. It’s easy to get caught up in the hype of a threat. I do it sometimes. This is a natural defense mechanism after an attack has occurred. Why? No one likes to have their vulnerabilities exposed. After every mass shooting or act of violence that makes the news, we assume every venue that is like the one that was attacked is also vulnerable and being selected as the “next” target for another perpetrator.
I remember fondly working on 9/11 on a small Air Force base on a perimeter patrol. What I recall the most are the initial attitudes people had of al Qaeda. We believed this one attack displayed a level of sophistication unseen by them before on US soil could be replicated on a massive scale. Every Muslim, ignorantly, was assumed to be a sleeper agent waiting for cues from “Muslim HQ” to attack us wherever and however they chose. The months and years ahead showed how far from the truth that was. Imagine how many countless resources were expended before we realized the fallacy behind this assumption.
- You think your attacker “chose” you for a variety of reasons he didn’t. People almost always assume an attacker chose to attack them or others for reasons they didn’t. Rape is commonly thought to be a crime of lust because good people believe sex is the only reason you rape because it’s the end-result. However, most criminologists and psychologists would agree rape is a crime of power. I would argue the majority of crime takes place for this very reason. Terrorism occurs because of this as does murder (what’s more powerful than ridding yourself of someone permanently), drug dealing, fraud, and a host of other crimes. You’re either fighting to obtain it (i.e. steal it from someone else) or committing crime to become more powerful. This confusion could possibly explain why most crime “prevention” measures based on policy fail at alarming rates – we’re clueless on what truly motivates people to attack us.
- You assume because you haven’t seen the threat, he must not exist. Whether we see the threat or not, we should never assume he does not exist. While the threat can’t be everywhere every time, the threat can still be very much. Never assume the absence of threat means he or she isn’t going to show. You still need to adequately protect your assets as if today is the day you’re going to be attacked. Remember, the attacker chooses the time of attack. You choose how well-prepared you’ll be when it happens.
I’m not proposing anyone go out and hire a red team. I firmly believe one of the reasons we, often, fail so miserably at security sometimes is due to our natural inclination to think the bad guy thinks like we do when they don’t. So how can we fix this?
- Study your adversary. Seriously, pour over any open source intelligence you can on your threat. Read the paper and look for crime stories. Pick up a police report or two on similar venues like yours. I’ll leave how you conduct your research to you. Just do it. Stop assuming blindly how the attack will go down or even who your adversary is.
- Consider hiring folks who can think like attackers. I’m not saying you hire criminals but red teams hire specialists who can mimic attackers. Choose folks from a variety of backgrounds to round out your security team. By the way, by “background”, I’m not talking education. I mean pick a team with a variety of specialists.
- Test your systems with exercises. The only way you’re going to learn is by testing how well your security program holds up against an actual attack. Consider doing this with little to no notice and have an after-action or “hot-wash” debriefing with your red team and affected staff right away. Finally, fix the vulnerabilities as soon as possible.
- Reward outside the box thinking. When I was a young boy, I recall my fondest memories were playing games like “hide-and-go-seek” with my friends. The guys who were the most creative were the best at this game. Why? Because they were unpredictable. I’ll leave how you choose to reward these folks on your own. Just do it.
I can’t even begin to tell you how many times I run into stores that have decoy cameras in lieu of real cameras. I also can’t tell you how many countless times these same stores get robbed. Buying a decoy camera, in my opinion, are invitations for criminals. This is not to say most criminals can’t tell the difference between fake and real. This is to say that many of these businesses and homes that utilize decoy cameras don’t quite get what kind of mitigators they need to adequately protect themselves and their assets.
The added statistic at the bottom of this photograph is especially troubling because it dupes customers into believing they have added another layer of “security”. This is correct in some respects. Remember what I said about “security” being a goal and less of an action? The problem lies in exactly the same place issues of semantics in security are – it relies on data that is either incomplete and more than likely, irrelevant to their protection needs.
We all know cameras serve a variety of purposes other than video surveillance. We also understand some vendors and property owners either have poor tools or are so under-trained they may as well not have a camera. However, when an incident happens, the last thing property owners want to tell the police and insurance companies (worse yet, a jury in a civil liability trial) is they thought a decoy or non-operative camera offered better protection.
If you’re a property owner and considering one of these decoys, turn around and invest in a camera system you will monitor and maintain. If you’re a pro, call these out and the dangers behind using them.
There’s been yet another act of mass violence at a school and, or course, the media has lost its mind. People are wondering how this could have happened and why. As security professionals, these questions are not new and nor is the answer. For those in the field, bear with me, I’m going to over how and why these things happen.
- It has nothing to do with WHO at times and more with WHERE. Let me explain. We always assume people target us because we mistakenly believe the target is “special” to the attacker in some sort of way. This is a common theme in our attempts to understand attacker methodology with respect to terrorism. All over electronic punditry, we’re saturated with folks who proclaim “they attack us because they hate us.” So this has become our mantra for every attack of any variety. What we fail to account for is that it’s not entirely exclusive as to who they attack but where. On Twitter, I have been practically shouting when it comes to mass violence, one of the most key ingredients, if not the key ingredient, is the presence of crowds. Nothing is more appetizing to an attacker but to make his attack seem grand and above-average for a swath of reasons I’m not qualified to adequately explain here. Let’s just say, you should NEVER EVER be surprised by the actions of mentally disturbed people.
Crowds are also, normally, not difficult to get large casualty numbers from. Think about the last time you were at baseball game or major sporting event. Ever notice the large crowd at the ticket or embarkation areas. As a security professional, whether you’re working or not, this is perhaps one of the most precarious chokepoints to be at. A chokepoint is a place where people have no other choice to be at in order to go some place. Everyone working anything from Secret Service to convoy security will tell you to ALWAYS avoid chokepoints. Why? They offer the presence of crowds, very narrow escapes for victims, and the ability of attackers to conceal themselves in the crowd.
- Violence has very little to do with the tools. Think about that for a second. I have made it no secret I enjoys guns. I do. However, I also understand the temptation to want to ban them. I’ve seen the statistics and the simulated models in whitepapers from folks who have never fired a gun or actually witnessed violence. I have a problem with this overly simplistic conceptualization of the problem. Erroneously, we believe the issue is with the mass proliferation of guns. Unfortunately, the discussion rarely acknowledges the socioeconomic, psychological, political, and cultural issues that drive some violence. More importantly, we ignore what mankind has known for decades – you can ban the tool but violence will always remain and the loss of any life is intolerable. Do you think if mankind had no guns he wouldn’t find a better way to commit acts of violence? Think about that for a second. We had no electric chair until Thomas Edison did a proof-of-concept demonstration to show the dangers of electricity. Man will always find ways to commit acts of violence against one another for whatever reason it deems fit. This is not to say we can’t have mitigators in place but we can’t for one second believe we’re getting rid of the problem solely with a ban of the tools or knee-jerk “reforms”.
- People mistakenly use “mitigation” and “prevention” interchangeably. Security professionals understand the difference between the two. Websters defines “mitigate” as “to make (something) less severe, harmful, or painful”. Many people believe we can prevent acts of mass violence “if only we do X,Y, or Z.” There’s a huge fallacy that we can prevent crime. This comes from a sublime arrogance of humans who believe we can stop our fellow man from acting out against us.
The issue may seem to be one of semantics but I argue that it’s not. You can’t “prevent” me from speeding. Only I can do that. I used an analogy the other day where I articulated, “Just as Match.com doesn’t make marriages, you can’t “prevent” crime. You can set conditions with good mitigators but ultimately the decision to move forward or stop is on the principle actor(s).” Think about that for a second. No matter what measures you put in place, whether it’s a guard at a school or metal detectors, my ability to accomplish the task of killing a large amount of people at a particular location is solely left to my motivation, intelligence, ability, and imagination.
I have long argued that we have to move away from the idea that we can “prevent” crime to one where we “mitigate” attacks. A while back, I said people mistakenly believe by locking a door that somehow they have thwarted a burglary without seeing any firsthand information a burglar attacked the door and left because it was locked. Yet, everyday, most of us lock our doors anyway thinking we’re doing crime “prevention” when in fact we’re doing crime “mitigation”. Mass violence occurs many times because we mistakenly believe our mitigators can prevent it.
- We rely too heavily on certain mitigation tools. Having an armed guard at a location is a mitigator not a prevention tool. The guard is there to ensure you have the means to adequately respond to acts of violence until police arrive. School administrators have for far too long relied on guards as prevention tools and have stopped doing other things which are more effective in mitigating these acts like deploying good cameras, training personnel on monitoring camera feeds, practicing lockdown procedures with teachers and other staff during non-working hours, talking with local police about their capabilities, training staff on conflict deescalation, and paying attention to warning signs.
- We don’t train staff on attack methodology and psychology in school. Teachers and other staff are often taught how to respond to these events which is great. However, solely doing this ignores how often teachers and staff are the best sensors we have to students who may be a danger. Many times, they may observe a student doing reconnaissance or testing security and not even know it. Imagine how many lives could be saved if teachers and staff had a threat working group chaired with the school safety official and principal in schools where these incidents have taken place.
- We used to do a really good job of being very proactive with mental health incidents in this country. I’m not advocating going back to asylums. Most were wrought with abuse and shoddy practices. No, what I want is for us to become much more proactive with mental health. We can no longer see mentally ill people as “someone else’s problem”. Mass violence has taught us we can no longer think of it like this. Yet, we do. When we removed the ability of doctors and other mental health professionals to intervene immediately and possibly treat long-term issues, we placed our citizens at risk. How? When most seriously mentally disturbed people come to the attention of authorities, it is often too late and the nature for how long and where they can be adequately be treated has greatly diminished. In some jurisdictions, the police can only place you on a “mental health hold” at a local mental health facility for 72 hours or less, in many cases. If you don’t exhibit the behavior further and can be treated, you’re out.
As a former law enforcement officer, I can tell you the most distressful call to go to is a mental health one. Given that most mental health hospitalizations are never found (either because they can’t legally or no measures exists to enable it) on background checks for firearms, the problem grows exponentially worse. Many of those who have committed acts of mass violence had already been diagnosed as being seriously mentally ill but couldn’t be put in long-term care because they hadn’t been deemed a danger and even if they had, I’m unaware if this would have barred them from having firearms (as discussed previously, I’m not sure a ban for them would have been effective in preventing violence in some instances).
I understand this list is not all-inclusive but this is how I see the problem in a more condensed manner than I believe can be adequately addressed on a forum such as this. You may have other solutions or know of other ideas. As always, they are greatly appreciated.