The concept of “protective intelligence” was originally founded on the assumption that those actors that attempt to harm public figures share a common behavior & way of thinking. Additionally, these actors forecast their operational planning in the form of various pre-incident indicators – which, if detected and analyzed, can be used to mitigate threats.
This has been best illustrated by the FBI in their 2018 report on Pre-attack Behaviors of Active Shooters, where they made the following observation: “on average, each active shooter displayed 4 to 5 concerning behaviors over time, that were observable to others around the shooter.” At the end of the day, a proactive initiative allows us to use our knowledge gained to assess and mitigate potential threats before they materialize. [Reference 1]
In this light, the guiding principles behind protective intelligence can be applied to a much wider range of use cases outside the typical realm of just protecting public figures, CEO’s, and High Net Worth Individuals. Having decades of experience in this arena, we see the benefit of deploying protective intelligence initiatives in various sectors, including corporate security, loss prevention, educational campus safety, religious community centers, and more. In fact, as the number of violent incidents increase, we have determined that so does the noise, chatter, and unhealthy behavior that led up to the event.
Customers, employees, and shareholders of companies expect to see the implementation of modern methods to detect threats. When this is the case, why do we continue to adopt archaic & reactive solutions that ignore the ability to detect a serious physical threat early in its lifecycle – especially when so many signals are present, many of which are detectable by machine?
We understand that while a typical workflow process for protective intelligence management may work well in one sector, it doesn’t mean that the same process is absolutely perfect for another. However, the general mechanics, objectives, issues with disparate data overload, and investigative workflows for protective intelligence are very similar, no matter who or what you are trying to protect. As security professionals, we need to be made initially aware of potential threats as early as possible in the operational planning cycle of the malicious actor. We also need to maintain continuous focus on those potential threats and never lose track of them. If we perform our jobs correctly, we can start to see trends, anomalies, and behavioral risk patterns that indicate “something” may happen soon.
Our shared objective is to detect, disrupt, or otherwise stop a plan of violence prior to it occurring. Protective intelligence is a multifaceted process, and we hope to shed light on areas that will simplify this workflow and get all of us in the security space speaking the same language when it comes to early threat detection. Please feel free to share your insights, experiences, and thoughts at the conclusion of this article.
Protective Intelligence Efforts & The Guiding Principles Behind Them
In previous articles, we have given this simple definition for protective intelligence:
Protective intelligence is an investigative and analytical process used by protectors to proactively identify, assess, and mitigate threats to assets.
There is no definitive set of guiding principles for security professionals involved in protective intelligence, as many threats may be time-bound, geopolitical, or contextual in nature. However, the below list will help identify what we see as the most important ideas to be gained about threat assessment and early threat detection initiatives:
- Virtually all violent actors display pre-incident indicators of some kind, prior to initiating an attack.
- Violent actors generally share a common pattern of behavior and thinking.
- Early detection creates a window of opportunity for security programs to prevent, disrupt, or otherwise reduce the impact of threats on assets.
- Proactive identification and accurate assessment of potentially violent actors allows teams to minimize the pursuit of false positives….allowing the team to operate more efficiently.
- Protective intelligence efforts can provide workplace and EDU administrators with the knowledge that they need to provide help for a person of concern. (Especially when it may involve a former employee, co-worker, or student. Our point of view is that not every protective solution requires an adversarial approach).
By being creative and applying these efforts to various programs, we can integrate protective intelligence into virtually all aspects of asset protection including Executive Protection, Corporate Security, Loss Prevention, Brand / Trust Divisions, Campus Safety, Special Events, K1-12 Schools, and Higher Education. The objectives are all shared, and they are the protection of people and assets. These objectives are often overlapping since a safe workplace or school makes for safe employees and students, which gives them the freedom to flourish. The requirements are also very similar – to proactively cultivate a baseline of information to determine what is normal and what an anomaly. When an anomaly (person, event, behavior, etc.) arises, teams should be able to recognize and evaluate it immediately.
Protective Intelligence In Action
Executive Protection Application: This use case is the most commonly recognized benefactor of protective intelligence programs and initiatives. After all, many executive protection teams are tasked with providing safety and risk insights for a client, all while doing so on a budget, with less personnel than typically desired, and while also coordinating a vast array of facilitation-based requests. Executive protection teams in effect, become mobile security advisors operating in a low-profile mode, with a client that may travel 200+ days per year.
In executive protection, it makes perfect sense to use intelligence-based initiatives in order to understand the threat landscape, and associated risk level for a principal, whether they are operating in their familiar base of operations or traveling abroad.
Regardless of whether a principal is a business magnate, a creative, or tech CEO, they are all subject to the same forces: greater exposure in the media brings unwanted attention from many sources. This can be as benign as a solicitation for financial assistance or as severe as a person with a violent history that believes the principal is the cause of all their misfortunes. In any event, executive protection teams are responsible for exercising due care by investigating those cases that may pose a threat to a principal’s health, family, assets, reputation, and more.
A common workflow for protective intelligence investigations by executive protection teams, follows this general line of action: (a) identify & gather greater details about the threat actor (b) assess the threat based on the full context of the situation (c) then implement the desired strategy that is most likely to create the safest outcome for the principal. Unless the threat is assessed as insignificant, it is to the advantage of the executive protection program to monitor the behavior, mode of living, and red-flag events of the threatening actor.
Corporate Security Application: Many corporate security teams have established protective intelligence / threat assessment programs – not only to protect executives, but to provide an added layer of security for potential workplace violence or related hazards to the campus and employees.
To no one’s surprise, pioneers in this area are those companies that have received the greatest amount of negative publicity and threats: quasi-government organizations involved in anything perceived as being controversial, aerospace / defense contractors, pharmaceutical / biotechnology, etc.
What can a protective intelligence program do for a company’s campus? First, for companies that are consistently receiving negative public media attention, it is not uncommon for them to be subject to organized protests at, or near their campuses. Therefore, careful attention to social media activity and news media reports relating to the company is vital. This will allow security managers to anticipate disruptions and to take measures to ensure the safety of employees and the protection of assets. For environments like this, it is only sensible to monitor and track the activity of threatening organizations and people, so that the security posture of the company can be tailored based on escalations or de-escalations in adversarial activity.
Next, the workplace violence (prevention) function of the protective intelligence program cannot be overlooked. Having the ability to monitor and document the behavior of potential insider threats is critical. As information comes from HR managers, anonymous tip lines, and various department heads, protective intelligence professionals are tasked with making assessments and security recommendations. Often times, these assessments are formed by investigators’ own due diligence: manually checking social media, open source & public records, internal reporting mechanisms, access control data sets, etc.
EDU Application (K through 12): Consider how protective intelligence might be used to protect students & faculty at a school campus. We all have access to the mountains of professional literature and government reports about past acts of violence at schools and the behavior of the violent actors that carried them out. This gives the school’s safety & security representative a reliable baseline against which to make judgements about potentially violent students, faculty, and other threat actors.
Similar to other industries, protective intelligence on a school campus may start with a human observation followed up by identifying concerning social media posts by those associated with the school. As an example, concerning open source activity would include content expressing a fascination with death/violence, an interest in past school shooters or mass murderers, signs of depression or self-harm, etc. (all of which are themes that have been developed by mental health professionals).
Outside of online media, several important data sources can be integrated to help safety & security professionals make adequate assessments about potential threats. First, anonymous reporting by faculty and students plays an important role, as past events show that ignoring these concerns can have dangerous consequences. Second, Student Information Systems (SIS) can be integrated to provide insight about disciplinary actions, attendance, grade trends, mobility, and other historical factors. Third, public records and other proprietary sources can provide additional information. If all of this information can be viewed in a single environment, it makes the assessment of potentially violent actors much easier than the alternative, which has been to continue with a highly manual, siloed approach to organizing and connecting disparate data points – which increases the likelihood that a potential threat indicator will be missed.
University Application: One group of institutions that is leading the way when it comes to formalized protective intelligence programs, is university campuses. Not every campus has a protective intelligence / threat assessment program, but many have proven systems in place for taking a proactive and structured approach to assessing potentially violent actors (students, employees, etc.) before problems emerge.
As an example, consider the system that Virginia Tech University has in place. First, they have a Safety and Security Policy Committee which is made up of subcommittees from threat assessment, workplace violence, health & safety, and emergency management & risk assessment. Second, they have a multidisciplinary threat assessment team to identify and evaluate potentially violent actors, which includes several full-time case managers monitoring and tracking cases throughout their life cycle. Next, they have peripheral groups and structures in place that support the threat assessment team, such as their “Care Team”, counseling department, and others. As you would have guessed, detailed policies and procedures are also in place to protect confidentiality, ensure records keeping functions, and more. The level of proactive intelligence management at Virginia Tech is rather impressive, although the program’s deployment was an unfortunate requirement due to a horrific compelling event which occured in 2007. This act of violence cost the souls of 32 people, while an additional 17 were wounded, and countless others had their lives changed forever. [Reference 2]
Loss Prevention Application: While some people may not readily recognize protective intelligence as an adoptable process for loss prevention, the fundamental ideas of protective intelligence can also be applied in this area. This is one case in which we are focused on malicious actors, with our lens pointing toward the prevention of theft and intellectual property brand damage. Regardless, that goal can be supported with proactive identification, pattern recognition, and tracking of individuals and groups in relation to loss events (appropriately followed by strategies to mitigate those losses).
Consider how having intimate knowledge about loss events could help loss prevention professionals with their mission, ie: pre-incident indicators for large scale theft. First, threats to assets exist from employees and others who already possess some inside knowledge of the business operations. When investigations are conducted on employees responsible for taking company assets, it is advantageous for investigators to identify risk factors that are indicative of someone who would take from the company (criminal history, financial difficulty, access control anomalies, etc.). Often, the best sources for this information can be human observations combined with social media and public record data. Second, a necessary tool to generate insights about loss events is the detailed analysis of relationships between individuals and organized groups responsible for losses. Of course this can be done manually, while painstakingly reviewing relationships between potential employees responsible for theft. However, the requirements of large scale investigations increase to an even greater degree when it comes to conducting complex investigations with many decentralized data points, such as analyzing the activities of organized groups impacting company assets. Lastly, a peripheral and sometimes overlooked advantage for retail organizations, is the leveraging of intelligence solutions to identify stolen and counterfeit goods being sold online in both open source and dark web channels. Both in the physical security and loss prevention space, our success is only limited by our professional imagination.
Although the concept of protective intelligence was initially recognized as an investigative technique used by the US Secret Service to protect public figures, the fundamental ideas behind it can and should be applied to every type of asset protection plan. From the executive protection & corporate security use cases to those of educational institutions, protective intelligence can provide an added layer of safety for people and assets – one that extends beyond the real estate of the campus, and one that leverages the valuable research conducted by mental health & investigative professionals. We hope that you share our enthusiasm for implementing strategies which were at one time only used to protect billionaires and political figures, to now protect our business leaders, employees, students, and everyone in between.
Author Credit: This article was written by the Protective Intelligence contributors, Thomas Kopecky and Travis Lishok.
(1) A Study of the Pre-attack Behaviors of Active Shooters in the United States Between 2000 and 2013 (2018)
(2) A Virginia Tech Demonstration Project: Implementing Behavioral Threat Assessment on Campus (2009)
About The Protective Intelligence Blog
By every metric, the role of protective intelligence is growing increasingly important for your security program, as it operates domestically and (especially) internationally. Protective Intelligence is our medium for understanding not only threat matrix and risk level, but also trends, problems, solutions, as well as ideas to support the mission of protective security professionals. The speed by which we can send and receive information, and the amount of information we need to evaluate, has eliminated problems in some areas and exponentially compounded problems in others. Our team seeks to address issues stemming from these problem areas, offering next-level analyses and proven solutions with an eye toward the future.
Our content contributors come from organizations involved in protective intelligence research, corporate executive protection, threat assessment investigations, and related security intelligence fields.