Why Your Company Needs a Protective Intelligence Program

Why Your Company Needs a Protective Intelligence Program
April 15, 2020 SDC Development 2

Why Your Company Needs a Protective Intelligence Program

By TorchStone VP, Scott Stewart

Many people perceive protective intelligence (PI) as some sort of highly-secret government program that is only used to protect the President and other high-level elected officials from terrorist plots.

Certainly, this is one important use-case for PI, but in truth, PI programs are proactive tools that can be used to help any company or organization stay “left of the boom.”

What is Protective Intelligence?

As we delve into the topic of PI, let’s begin with a quick definition.

In simple terms, a PI program is a collection of processes that are designed to forecast, identify and assess threats and then implement appropriate security measures to avoid, deter or mitigate those threats.

Perhaps the biggest advantage PI offers to companies and organizations that practice it, is that it allows security personnel to be proactive, rather than merely reacting to an event already underway.

As any child learns from playing the hand-slapping game, action is always faster than reaction.

Now, a clever kid will try to gain an advantage by anticipating the opponent’s move and proactively moving first, but that proactive move is an action itself, and not a true reaction.

This simple lesson learned by children has been confirmed by a number of scientific studies conducted at places such as the Force Sciences Institute.

When it comes to an armed attack, studies have conclusively proved that action is ALWAYS faster than reaction, no matter how well-trained the reacting party is.

Once the knife moves, the bullet fires, or the bomb detonates, all the victim can do is react.

Sometimes a poorly planned and executed attack, or perhaps a bit of luck may save the target of an attack, but it is simply not prudent to bet your life on incompetence or luck.

It is far better to see an attack developing and then take action to avoid or mitigate it before it can be launched.

And this brings us back to PI.

Understanding the How

In order to proactively forecast, assess and analyze threats, you must first develop a deep understanding of the behavior, tactics, and techniques associated with the various threat actors who could possibly target your company’s people, facilities, and information.

These actors can include criminals, terrorists, activists, unstable individuals, and espionage actors, among others.

To gain that understanding you need to go beyond analyzing the five W’s: who, what, where, when, and why, to focus on the how.

The five W’s are important, of course, and obviously, any analysis of an incident must also include those facts, but by focusing on and breaking down the behavior, tactics, techniques and procedures used by the threat actor as he planned and executed an attack is what allows us to then begin to watch for similar behavior and tradecraft that could indicate someone else is beginning to plan and prepare an attack.

How this behavior is manifested – and perceived – will vary depending on whether the threat actor is an outsider or an insider.

We will write on this topic in more detail some other time, but for our purpose here, it is sufficient to state that attacks don’t just appear magically out of a vacuum.

They are the result of a discernible planning process and that planning process can be perceived and interrupted.

By focusing on how an attack was conducted and then applying it to conceptual frameworks such as the pathway to violence, the terrorist attack cycle, the criminal attack cycle, and the human intelligence recruitment cycle, protective intelligence teams can educate the rest of the security team, and the workforce in general to the behaviors and actions associated with them.

Critically, PI teams will also highlight points in those cycles where attackers are vulnerable to being detected.

In this way, they not only help everyone understand what basic threats are out there but how to spot potential hostile behavior and report it so it can be investigated and assessed.

Making every employee from the cleaning staff to executives aware and empowered to report threats early and often results in a robust and proactive security operation.

PI teams also serve an important function by helping anticipate events through intelligence collection, analysis, and forecasting.

This can include collecting specific information about a scheduled protest, the analysis of a hate group’s communications indicating it could target companies in your industry, or using sound analysis of how attacks are being conducted to forecast tactics, targets and trends.

Making note of these trends allows security managers to make changes to their security policies, procedures, and even equipment to mitigate a similar attack directed against the people and facilities they are responsible for protecting.

From How to Who

In the case of an unstable individual with a focus of interest in your company or a company employee, a potential workplace violence case, or with domestic violence that could be dragged into the workplace, threat assessments are a critical function performed by PI teams.

Nearly every unstable attacker has self-identified or otherwise come to the attention of authorities or someone before the attack was carried out.

PI teams, therefore, can ensure no unstable person is summarily dismissed as a “harmless nut” until they have been thoroughly investigated and his or her communications carefully analyzed, assessed, and databased (in accordance with local and federal law.)

After extensive training and experience, tools such as the Workplace Assessment of Violence Risk (WAVR 21) by Stephen G. White and J. Reid Meloy; Frederick Calhoun and Steve Weston’s Threat Assessment and Management Strategies; or Meloy’s Terrorist Radicalization Assessment Protocol (TRAP-18,) among others, can be used by PI teams to help company leadership better understand the potential threat posed by the specific actor.

Databasing is crucial.

Once a baseline threat assessment has been conducted the PI team can catalog messages from an unstable individual and monitor them over time, comparing them with earlier missives in order to identify signs of a deteriorating mental state.

These reviews can also provide insight that the individual is beginning to advance along the pathway to violence from a grievance toward violent ideation or even progressing to research and attack planning, which takes us back to the attack cycles mentioned above.

Unfortunately, not all threats from unstable individuals come from outside a company or organization, however.

Workplace or school shootings seldom occur randomly.

The common perception following such an incident is that the individual “just snapped,” but in most cases, the factors have been building up for a long time, as the attacker progressed along their pathway to violence.

Often, shooters target a specific person or set of people they believe is responsible for their plight.

Therefore, PI teams work closely with human resources managers and other threat assessment team members to try to identify early on those employees who have the potential to commit acts of workplace violence.

Innocent employees can also drag their personal issues with them to work.

A 2015 survey by the Centers for Disease Control estimated that 10 percent of women and 2 percent of men report having been stalked by an intimate partner.

In a significant number of these cases, legal remedies are unavailing and the stalking ends in violence.

The workplace — including employee parking — is one of the sure places the stalker knows they can find and confront the victim.

A robust protective surveillance program — supported by a sensitive employee outreach program for information gathering, databasing (in accordance with local and federal law,)  and PI analysis — can go a long way in supporting a company’s duty of care for employees.

In workplace settings as well as other potential threat areas, PI operatives can also provide the rest of the security team with photographs and descriptions of any person identified as a potential problem.

If a particular person has been identified as a potential target, they can also be briefed and the information shared with the security team, administrative assistants, family members, and household staff, as deemed appropriate.

Watching for Watchers

If a hostile actor is permitted to conduct unhindered surveillance of a target, the chances of them identifying vulnerabilities to exploit increase dramatically.

Surveillance is also one of the places during the attack cycle when an attacker becomes vulnerable to detection by his intended target.

There have been numerous examples of hostile actors who have decided not to conduct an attack against a specific target because they were uncomfortable conducting surveillance of that target.

Because of these factors, it is important to deny or at least inhibit, hostile actors from the ability to freely conduct surveillance.

PI teams can help in this effort to deter surveillance by educating the workforce, uniformed security personnel, and security operations personnel about surveillance tactics and techniques.

They can also identify likely surveillance “perches,” or locations where hostile surveillance operatives would be likely to operate, around corporate facilities or executive residences so that extra attention can be paid to such locations.

This makes it more difficult for hostile surveillance to operate freely without detection.

Once potential surveillance is detected, dedicated countersurveillance teams can be assigned to identify and determine the intent of the party conducting the surveillance.

All hostile actors engage in some degree of pre-operational surveillance, though the degree and length of this surveillance may vary depending on the hostile actor’s intent and the circumstances.

A purse-snatcher, for instance, might cause a potential target for a few seconds, but a professional kidnapping gang might conduct surveillance of a potential target for weeks.

The degree of surveillance tradecraft — from very clumsy to highly sophisticated — will also widely vary depending on training and street skills.

While countersurveillance efforts are valuable, they can’t operate in a vacuum.

They need to be part of a larger PI program that includes analytical and investigative functions.

Investigations and analysis are closely related yet distinct components that can help us focus countersurveillance operations on the most likely or most vulnerable targets.

This supplements the observations of the countersurveillance team and can help point them to any suspicious people or groups that need to be watched.

Countersurveillance operations are far less valuable if they’re conducted without databasing or analysis of what’s been observed over time, distance, and in different environments.

For example, a countersurveillance team without an analytical element would find it difficult for countersurveillance operatives to recognize when the same person or vehicle has been encountered on different shifts or at different sites.

This again reinforces the importance of understanding the tactics, the “how,” of surveillance: It’s good to know that a terrorist or criminal conducted surveillance, but it’s even better to understand the surveillance tradecraft they employ.

Therefore, this type of analytical input is critical to the success of countersurveillance teams.

It helps guide what they are looking for.

And when you find what you’re looking for, you can apply the next tool: Investigation.

Most often, something that appears unusual to a countersurveillance operative, or even a member of the workforce, has a logical and harmless explanation, perhaps a private investigator working on a divorce case against a company employee, but it’s difficult to make that determination without an investigative unit to follow-up on possible red flags noticed by countersurveillance and vetted by analysis.

One other advantage to PI counter surveillance operations is that being amorphous by nature, they’re far more difficult for a potential assailant to detect than traditional overt security measures.

Looking From the Outside In

Another crucial function of a PI team is to “red team,” or to assess the security program from the outside and identify vulnerabilities.

Most security teams look from the inside out, but PI can look from the outside in.

In the executive protection realm, this can include analysis of the principal’s schedule and transportation routes in order to determine times and places s/he is most vulnerable.

The security team can then focus countersurveillance or even overt security assets on these crucial locations.

Red teams can also perform cyber research, including social media monitoring.

That is, they study a potential target through the eyes of a criminal or a mentally disturbed person, attempting to gather as much open-source and public record information as possible.

Such a project helps determine what sensitive information is publicly available and can highlight how that information could be used by a criminal planning an attack.

Red teams can also attempt to infiltrate a facility in order to test access control or can conduct surveillance on executive protection team operations to look for vulnerabilities.

This combination of countersurveillance, analysis, and investigation can be applied in a number of other creative and proactive ways to help keep hostile threat actors off balance and deny them the opportunity to take the initiative.

Why bother with PI when you can just add close protection officers to create a harder target and force the attacker to choose an easier target? This comes back to our action/reaction equation from the beginning.

If the stalker, kidnapper, terrorist, or other attacker believes the target is of sufficient value — or if the attacker doesn’t plan to survive the attack — no amount of overt protection will deter them: They’ll just plan around the security.

That is why close protection alone is no guarantee of security.

The best protection is detecting and avoiding the attack before it is launched, and protective intelligence is the proactive tool that makes detection and avoidance possible.

Let Us Help You Become Proactive

TorchStone is in the Business of Before.

We have assembled a team of world-class, highly-experienced protective intelligence practitioners that includes investigators, analysts, and psychologists.

We can either serve as your organization’s PI team or come alongside to support and supplement the efforts of your existing PI team.

Please contact us for more information about our PI practice.