LADDER: Protective Security Specialists…

How long does it take for a lethal attack to occur against an At-Risk person?

Just 2 Seconds is the best selling book by Gavin De Becker. Along with his long time colleagues Tom Taylor and Jeff Marquart, they document how to use time and space to defeat adversaries.

There are some compelling insights gained from their research:

• In the US, attacks are most likely to be undertaken by lone assailants 87% vs. outside the US where attacks are typically the work of multiple assailants 71%.
• Attacks in the US are about as likely indoors (53%) vs. outdoors (47%).
• However, 64% of attacks happen when the protected person is outside in or around the car and 77% of these attacks are successful.

Most of these happen within a distance of 25 feet or less using a handgun. Corporate executives and their Protective Security Detail (PSD) already know these statistics and have trained together for these increasing risks.

Many have adopted the LADDER model from “Gavin de Becker & Associates” training academy:

> L ogistics

> A dvance

> D istance

> D eterrence

> E vacuation

> R esponse

The study of the motives and the psychology of why these actors pick their targets and choose the time and place has become a science. The methods and tools to assist corporate security in predictive analytics requires a substantial baseline of historical data and real-world experience.

Over 30 years ago Gavin and his team developed the MOSAIC Threat Assessment system. It is now in use with dozens of police and government agencies to help authorities and “Protective Security Details” to be more proactive and preemptive.

Protective Security Specialist’s (PSS) today are certified professionals utilizing intelligence in combination with the attributes of Time, Mind and Space to provide safe and secure travel for their clients.

The Science and the Art have converged to provide a fusion of data, strategy and ad hoc tactics to ensure the mission is completed without incident.

The profession doesn't stop there. Some Operational Risk Management firms who have these certified individuals on staff, go much further in their training and their vetting of employees.

We agree and recommend that you add these questions to your due diligence when obtaining Request for Proposals (RFPs) from these firms:

• Review all policy documents the firm has their personnel sign to become a PSS on staff.
• Review the firms hiring process and the prerequisites to join the firm.
• Review the operational standards and operating procedures to ensure 24 x 7 x 365 capabilities.
• Review the 3rd party agreements that encompass any transportation and private aviation suppliers.
• Review the firms technology and communications infrastructure including Internet, radios, information systems security controls and privacy countermeasures.

The profession has come a long way and people like Gavin de Becker & Associates have for decades established the baseline for others to compete. High net worth individuals, movie stars, public officials and corporate executives have much at stake and require comprehensive strategy execution.

Think of every assassination like attack you've ever heard about. For most people, a few of these major ones come to mind: Caesar, Abraham Lincoln, John Kennedy, Martin Luther King, Mahatma Gandhi, Indira Gandhi, Anwar Sadat, John Lennon, Israel’s Prime Minister Rabin, Pakistan’s Benazir Bhutto.

From start to finish, all of these attacks — combined — took place in less than one minute. And the hundreds of attacks studied for the book, all of them combined, took place in less than a half-hour.

Those thirty minutes, surely the most influential in world history, offer important insights that can help today’s protectors defeat tomorrow’s attackers...

Continuity of Operations: Mother Nature or Active Shooter...

Continuity of Operations in the context of business gets on the Board of Directors agenda after every tragedy. Whenever the magnitude of the business disruption involves loss of life, or major property damage the executive management goes into "Crisis Management" mode. Unfortunately for many, this may be the only time the Board and corporate executives have tested or exercised for such an incident.

So what is Continuity of Operations? What does it mean to your business? How pervasive does this Operational Risk strategy have to be? Let's think about a simple process from the time a sales person picks up the phone to schedule an appointment to the time the product or service team has delivered or installed the items that have been sold to the customer.

In the context of university higher education, the process of recruiting, admissions, housing, fund-raising, sports and alumni relations. How many touch points, steps in the process or procedures for manufacturing, integration, sourcing, learning and implementation exist? Now think about your supply chain that provides the necessary resources, energy, infrastructure and people to make it all happen. Does this business issue seem like a trivial matter?

The aftermath of any major incident will require a thorough investigation to determine what happened. Everyone will have their version of what they saw, heard, felt and remember about it. Then the finger pointing, litigation and media frenzy begins. Only then do the Board of Directors and Executive Management wish they had practiced and exercised for the eventual day that has now landed on their front door step.

Such an example is in the news again, more than two years after the tragic day in April 2007 on the campus of Virginia Tech University in Blacksburg, Virginia. In Lucinda Roy's latest book, "No Right To Remain Silent", her opinions magnify the need for effective continuity of operations planning, exercises, auditing and testing:

After tragedies like this, people clam up. They are warned that it is too dangerous to talk about the specifics of a case when lawyers are chomping at the bit, when the media is lying in wait like a lynch mob. But people also remain silent when they are worried that what they have to say could injure them somehow.

In the days and weeks that followed the tragedy at Virginia Tech I was reminded of how much silence has to say to us if we listen with care.

Sadly, the tragedy at Virginia Tech did not usher in an era of openness on the part of the administration. Questions that related to the specifics of the shootings, to Cho, or to troubled students in general were viewed in the wake of the tragedy as verbal grenades.

Many of you may remember where you were when you heard the news. Just like you will always remember where you were on the morning of September 11, 2001. Yet April 16, 2007 could very well be more significant as the analysis and the investigation continues.

Sadly, we know how this story turned out: On April 16, 2007, Seung-Hui Cho shot two people to death in a Virginia Tech dormitory, then chained the doors to a classroom building shut and methodically killed 30 more before committing suicide. It was the worst school shooting in American history.

Who knew what when? The litigation is ongoing and some still are seeking the truth. Proving the truth will require substantial analysis of tens of thousands of documents, e-mail messages, hand written notes, depositions, medical records and school work. Yet when it gets boiled down to the facts and the issues, "Continuity of Operations" protocols, practice and preparedness will be at the core of the matter.

Does your organization have facilities where an all hazards approach is talked about and is continuously aware of the threats to life and property along with the economic implications of any business disruption? If you have people and property in California the answer is yes. Earthquakes, brush fires and now even the lack of government resources are existing risk factors.

If you have people and property in or near symbolic locations such as New York City's Wall Street, Washington, DC's Capitol, or the St. Louis Arch then your organization should have heightened situational awareness and crisis management mechanisms already in place. The whole State of Florida, North & South Carolina, Louisiana, Texas and others who know the aftermath of Hurricane Katrina/Harvey are sensitized to the requirements for effective preparedness.

So what is the difference in an event such as the "Active Shooter" scenario on your campus or the catastrophe sent by "Mother Nature"?

The answer is the accuracy in predicting the event itself. All the preparedness for either event starts with the mind set that it will happen.

Only one can be prevented, preempted or neutralized before it can cause harm...

ORM: Pervasive Risk Across Disciplines...

What is the origin of the "Operational Risk Management" (ORM) discipline? Was it derived from the work within the financial services industry from the Basel II initiatives?

The definitions and the actual work towards creating standards of conduct and rule-based design has been evolving for the past few decades.

Operational Risk and the approach to risk that is not otherwise considered to be market or credit risk, is one mind set. The other mind set considers the hazards associated with the threat to our valuable assets.

Either point of view depends on the environment that you operate in and the risks associated with that environment.

To give a quick example, here are a few views into Operational Risk in the United States:

"It didn’t take long—the first attack on a U.S. government website hit on Saturday, a day after the killing of Qassem Suleimani in Baghdad. The fact there was an attack is not a surprise—speculation has been rife. And the style of the attack is consistent with the nature of the primary cyber threat we now face. Hackers claiming to be linked to Iran targeted a low-level domain—the website of the Federal Depository Library Program—defacing its home page, echoing Teheran’s threats of vengeance alongside imagery of President Trump, Ayatollah Khamenei and the Iranian flag" Forbes

"Boeing will still burn more than $1 billion a month even after halting 737 Max production, according to J.P. Morgan.  Boeing’s decision to stop suspend production of the troubled aircraft was made in light of months of cash-draining groundings worldwide, but the company’s internal overhead and labor expenses will remain and will increase cash burn, analyst Seth Seifman wrote to clients."  CNBC

These examples encompass a U.S. government agency and a private sector U.S.-based global aerospace company.  Both are operational risk scenarios that could contribute to losses that will also impact the reputation of the entity involved.

That aspect alone, could be the major factor in why Operational Risk Management is such a growing discipline in our 2020 global landscape.

Some of the earliest origins of the Operational Risk concerns come from the military. The U.S. Navy is one of the branches who has embraced it fully:

• Purpose. To establish policy, guidelines, procedures, and responsibilities per reference (a), standardize the operational risk management (ORM) process across the Navy, and establish the ORM training continuum.
• Scope. This instruction applies to all Navy activities, commands, personnel, and contractors under the direct supervision of government personnel.
• Discussion. Risk is inherent in all tasks, training, missions, operations, and in personal activities no matter how routine. The most common cause of task degradation or mission failure is human error, specifically the inability to consistently manage risk. ORM reduces or offsets risks by systematically identifying hazards and assessing and controlling the associated risks allowing decisions to be made that weigh risks against mission or task benefits. As professionals, Navy personnel are responsible for managing risk in all tasks while leaders at all levels are responsible for ensuring proper procedures are in place and that appropriate resources are available for their personnel to perform assigned tasks. The Navy vision is to develop an environment in which every officer, enlisted, or civilian person is trained and motivated to personally manage risk in everything they do.

If only our major business entities would would fully encompass the following steps with all employees and processes then more lives would be saved, corporate assets would be protected and the enterprise would be ever more resilient:

(1) Identify the hazards;

(2) Assess the hazards;

(3) Make risk decisions;

(4) Implement controls; and

(5) Supervise.

Yet the losses and the potential for loss continues across the organizations who are well equipped to make Operational Risk Management a part of every person and operating divisions daily mind set:

The places change, the numbers change, but the choice of weapon remains the same. In the United States, people who want to kill a lot of other people most often do it with guns.

The number of U.S. mass shootings depends on how you count

Public mass shootings account for a tiny fraction of the country’s gun deaths, but they are uniquely terrifying because they occur without warning in the most mundane places. Most of the victims are chosen not for what they have done but simply for where they happen to be.

There is no universally accepted definition of a public mass shooting, and this piece defines it narrowly. It looks at the 172 shootings in which four or more people were killed by a lone shooter (two shooters in a few cases). It does not include shootings tied to robberies that went awry, and it does not include domestic shootings that took place exclusively in private homes. A broader definition would yield much higher numbers.

Whether it is on the deck of an aircraft carrier or within any organizations business facility, operational risk is pervasive. It is up to you and your organization to begin to make a difference...

Operational Continuity: Top Ten...

As your Board of Directors Meeting agenda is prepared for your next conference call, Operational Continuity should be near the top of the list of priorities.

Californian utility giant Pacific Gas and Electric (PG&E) has agreed a $13.5bn (£10.2bn) settlement with victims of wildfires in the state.  The company's equipment has been linked to several blazes including the deadliest and most destructive wildfire in state history, 2018's Camp Fire.

The risk of a significant business disruption is increasing and shareholders are increasingly asking for additional oversight by boards, to make sure that executive management is on top of Operational Risk Management (ORM) issues.

Catastrophic losses may be caused by natural disasters such as hurricanes, earthquakes, flooding, drought, tornados, fires and winter storms or man-made events.

Workplace Violence and/or Terrorist acts are tragic and complicated, taking an awful toll in human lives and resulting in insurance claims that run into the millions or billions of dollars and, often, litigation.

Here is a top ten list for your board to consider. If you can answer "Yes" to these items then you are well on your way to a high level of "Operational Continuity" in your organization:

__1. The Board of Directors reviews and approves company-wide contingency plans annually.

__2. Formal documented guidelines, policies, and procedures exist for the development and maintenance of business Continuity/Disaster Recovery, Emergency Response (evacuation and life safety) and Crisis Management plans (public relations and communications).

__3. An Operational Risk Assessment that categorizes potential threats (internal and external) has been performed on all corporate facilities for both information technology and work areas.

__4. There is a current (updated annually) Business Impact Analysis that determines recovery time objectives (the maximum tolerable time to recover critical business functions) and existing resources supporting each function.

__5. Recovery strategies exist for the resumption of critical business processes and support services.

__6. The Operational Continuity Plan and the recovery efforts are driven by the business requirements of the Business Impact Analysis.

__7. A Gap Analysis has been performed to identify the differences between Business Impact Analysis (business requirements) and the current environment.

__8. Business recovery strategies have been developed for all essential business functions.

__9. Manual workarounds exists for processes that could be completed in the absence of automated systems.

__10. Business Continuity and Disaster Recovery plans are exercised and tested bi-annually.

If you answered "No" or "Don't Know" to any of these ten, then your organization is at risk to a myriad of threats including shareholder legal actions...

Fusion Center: A Top Line Opportunity...

Operational Risk Management (ORM) is about managing a jigsaw puzzle of vulnerabilities and threats, that expose those weak points in community or organizational operations.

How can a U.S. community such as Las Vegas, NV, Dallas, TX, San Bernardino, CA, Dayton, OH or El Paso, TX in concert with law enforcement, public safety, emergency management and private sector entities, embrace a collaborative process to improve intelligence sharing?

Together and ultimately, to increase the ability to deter, detect, and prevent domestic terrorism while safeguarding our homeland, sometimes you have to tell a story and create a narrative.

Fusion centers bring all the relevant partners together, to maximize the ability to prevent and respond to workplace violence, terrorism and other major criminal acts. By embracing this concept, these entities are able to effectively and efficiently safeguard our homeland and maximize anti-crime efforts.

Who knew, what and when?  Even before 9/11, the private sector has embraced the idea of "Fusion Centers" and for good reason.

It has often been labeled the Security Operations Center (SOC), that includes the convergence of both the physical and information-based risk management professionals, taking place to mitigate a spectrum of risks and new opportunities.

As a Board Director or Executive Committee member of your public or private organization, the economic reasons for doing this are many and the benefits of greater insight and more rapid response are a continuous mandate.

A fusion center is an effective and efficient mechanism to exchange information and intelligence, maximize resources, streamline operations, and improve the ability to mitigate internal and external risk events, by analyzing data from a variety of internal and external sources.

When you begin to coordinate the company departments or government entities, the rules of the game calls for agreements, contracts and memorandums of understanding (MOU).  These are required to help facilitate coordination and cooperation. Here are some of the elements that should be considered:

• Involved parties
• Mission
• Governance
• Authority
• Security
• Assignment of personnel (removal/rotation)
• Funding/costs
• Civil liability/indemnification issues
• Policies and procedures
• Privacy
• Terms
• Integrity control
• Dispute resolution process
• Points of contact
• Effective date/duration/modification/termination
• Services
• De-confliction procedure
• Code of conduct for contractors
• Special conditions
• Protocols for communication and information exchange

Regardless of how much planning goes into the establishment of the corporate or the public domain fusion center, the challenges are similar. Funding, resources and attention by the power base of leadership.

One way to keep the Fusion Center at the center of the CEO's or Mayor's daily progress review comes back to economics. The top line revenue discussions here are no different than the same arguments that the head of Marketing has for the advertising budget.  The bottom line.

The Chief Marketing Officer (CMO) is consistently getting a robust piece of the budget pie because they have done an effective job of convincing everyone that advertising/branding is what generates sales leads.

Sales leads convert to top line revenue. So the question is, how many dollars produce a sales lead and what is the ratio of the number of leads generated to the number that close new revenue business.

What is the argument for the head of the Fusion Center? How does this become a top line revenue opportunity and not just a cost?

The same way advertising is justified to create leads is the same way the Fusion Center creates a different yet equally valuable risk management lead.

In either case, the data and information required to generate a lead in advertising and to generate a lead in mitigating risk begins with a hypothesis.

At today's speed of business and commerce, both are generated from raw data and information either collected internally or purchased externally to the organization. The answer lies in the Information Economics analysis exercise of generating each and the value to the community and continuous operations of the organization.

In the end, you may find that both are equally important and now it's a matter of fine tuning the ratio of budget dollars devoted to the Fusion Center vs. the Marketing Department.

If you are a Chief Risk Officer (CRO), Chief Information Security Officer (CISO), or Chief Security Officer (CSO), the answer to consistently funding your Fusion Center just might be found in how timely data and information is utilized.

What is the true value to the continuous livelihood and resilience of your community or enterprise...

OSAC: The Insider Threat...

In November 2007, the "Insider Threat" was on the minds of Global Security Executives that year as evidenced by a half day emphasis on the current trends and issues.  We wonder what will have changed over a decade later, at the 2017 OSAC Annual Briefing.

In any global enterprise doing business across multiple continents with a diversity of personnel comprised of expats and country nationals; you can bet on being consistently subjected to the operational risks instigated by people. Fraud, embezzlement, conflicts of interest, economic espionage, workplace violence and disruption of business schemes are the norm.

In a converging organization with outsourced services around every corner, the enterprise becomes more disjointed and incapable of a continuous level of readiness or preparedness to the next organized plot by the insider.

So back to square one. Keep an eye on your employees, contractors and suppliers. Run those new employee awareness sessions and lock down the access to sensitive corporate assets. Now do it again with the same budget we gave you last year!

You can just see these great patriots from all over the world searching for the answer to their continuous woes as a Global Security Director. It's a thankless position and severely underfunded in a time when the threats are increasing exponentially.

In evaluating the current information security, regulatory and legal environment, consider these five key flaws with today’s ORM solution programs:

1. Dependence on inadequate and incomplete technology-based point solutions;

2. Failure to integrate people, process and systems into an effective and comprehensive operational risk program;

3. Lack of adequate decision support and an actionable understanding of the threat to the entire spectrum of corporate assets;

4. Reactive response to perceived problems rather than proactive initiatives based on sound risk management principles; and

5. Cost and shortage of properly skilled IT personnel to support the programs.

The Gartner Group has identified three major questions that executives and boards of directors need to answer when confronting significant issues:

• Is your policy enforced fairly, consistently and legally across the enterprise. 

• Would our employees, contractors and partners know if a violation was being committed? 

• Would they know what to do about it if they did recognize a violation?

If you don't know the answers to these questions, then there is much more work to do and much more strategic planning necessary before any software or system is implemented for Operational Risk Management.

Perhaps it is time for the Private Sector to get serious about the "Insider Threat."  The U.S. Department of Defense has been on point with the issue now for years:

The Defense Department is preparing to add 500,000 employees to its continuous evaluation pilot by Jan. 1 as part of DoD’s effort to add rigor to the security clearance process.

Daniel Payne, the director of the Defense Security Services, said Sept. 20 that the additional half-million employees would bring the total uniformed and civilian employees enrolled in continuous evaluation to 1 million. There are more than 4.3 million cleared employees and service members across the government, including 1.3 million at the top-secret level, according to the Office of the Director of National Intelligence’s 2015 report.

Yet, in the back of everyone's mind is still the possibility of being connected with a significant terrorist incident. What these CxO's are looking for, are the means to gain a larger budget for their departments and to be able to invest in new "Insider Threat" technologies and tools.

Human behavior will always be the center of the controversy on whether these new systems will be able to mitigate the insider threat any more efficiently or effectively...

Alternative Analysis: Intelligence-Led Methodologies...

Operational Risk Management (ORM) is about the consideration of past failures and the possibility of unknown future failures of people, processes, systems and external events. The analysis of the likelihood and implications of those loss events, requires different methodologies to assist in the mitigation strategies to prevent or avoid the risks of failure. In light of the nature and complexity of transnational asymmetric threats, this requires the use of alternative methods of analysis.

Intuitive decision making and sense-making— can be combined into a framework for categorizing the residual thought processes of intelligence analysts. This is called "intelligence sense-making".

This process involves the application of expertise, imagination, and conversation and the benefit of intuition without systematic, consideration of alternative hypotheses. Compared to traditional methods of analysis, intelligence sense-making is continuous rather than discrete, informal rather than formal, and focused more on issues that don't have normal constraints.

Employing alternative analysis means that you can't “afford getting it wrong” and then you challenge assumptions and identify alternative outcomes. However, it may be of little use in today's growing non-state transnational threats and for ongoing criminal enterprise complexities. This is because there are so many considerable outcomes, consistent and perpetual changes, and contingencies for any single risk management process to be effective all the time.

Web-logs 3.0 are the future for some effective transnational alternative analysis. Combined with such machine learning threat intelligence systems such as Recorded Future, the open source analyst can operate with increasing pace and context. Unlike more formal published papers, intelligence Web-logs are a more free flowing “unfinished” production, whereby both human intuitions and more formal arguments are posted, and then challenged by those with alternative ideas.

Indeed, Web-logs are the mechanism for a facilitated contextual dialogue— the electronic equivalent of out loud sense-making.

"On September 11th, about half of the hijackers had been flagged for scrutiny at the gate before boarding the ill-fated flights. Had the concerns of the Phoenix FBI office about flight training not only been shared broadly within the government but also integrated into a mindfulness-focused inter- agency process—featuring out loud sense-making, Web-log type forums, computer-generated references to extant scenarios for crashing airplanes into prominent targets—might at least some of the detentions been prolonged, disrupting the plan? --“Rethinking ‘Alternative Analysis’ to Address Transnational Threats,” published in Kent Center Occasional Papers, Volume 3, Number 2.

In our modern day era of Twitter, Facebook and "Crowd Sourcing" technologies perhaps the tools are already in place. Platforms such as Ushahidi are geocoding the information origin, providing ground truth situational awareness and providing context on issues that are unbounded. How often does the published press currently use these tools to get their original leads, potential sources or new ideas for a more formal story? This story then takes on the formal journalistic requirements for confirmation from trusted and vetted sources, before it makes the final deadline and is delivered on printed paper to our doorstep each morning.

The doctrine of analysis for transnational threats and homeland security intelligence, are still evolving in this accelerating digital ecosystem. The alternative methods and tools that we will utilize to examine, refute or justify our thoughts remains endless. The degree to which we are effectively operating within the legal rule-sets for our particular country, state or locality, remains the ultimate privacy and civil liberties challenge. These respective governance guidelines particularly with regard to intelligence record systems and liability issues, must remain paramount:

• Who is responsible for entering information into the Intelligence Records System?
• Who is the custodian of the Intelligence Records System that ensures all regulations, law, policy and procedures are followed?
• What types of source documents are entered into the Intelligence Records System?
• Does the retention process adhere to the guidelines of 28 CFR Part 23 in the United States?

Finally, community-based policing has developed skills in many law enforcement first responders, that directly support new domestic counterterrorism responsibilities. Intelligence-led policing (ILP) provides strategic integration of intelligence, into the overall mission of the larger "Homeland Security Intelligence" enterprise. It involves multiple jurisdictions, is threat driven and incorporates the citizens of the community to cooperate when called upon, to be aware of your surroundings and report anything suspicious.

So what types of information do street officers need from an Intelligence Unit?

1. Who poses threats?
2. Who is doing what with whom?
3. What is the modus operandi of the threat?
4. What is needed to catch offenders / threat actors?
5. What specific types of information are being sought by the intelligence unit to aid in the broader threat analysis?

Alternative analysis is designed to hedge against human behavior. Analysts, like all human beings, typically concentrates on data that confirms, rather than discredits existing hypotheses. Law enforcement is constantly focused on the key evidence to prove who committed the crime.

Alternative analysis shall remain part of the intelligence tool kit, for more formal policy level work. Imagine the use of Intelligence-led methodologies such as "intelligence sense-making" combined with secure Web 3.0 collaborative applications, at the finger tips of our Homeland Security first responders. Now think about that "lone wolf" or "sleeper cell" lying in wait.

Proactive and preventative risk management requires the right tools, with the right information in the hands of the right people.

Utility of Attack: Target Selection and Execution...

The threat spectrum for Operational Risk Management (ORM) professionals is wide and they are constantly evaluating opportunities to learn.  Recent data breaches, terrorist attacks and the strategies utilized by adversaries online and on the ground, has surfaced another key lesson learned:

u·til·i·ty n. (pl. -ties) 1 the state of being useful, profitable, or beneficial (in game theory or economics) a measure of that which is sought to be maximized in any situation involving a choice.  The New Oxford American Dictionary

Here are two data breach examples:

1. On May 30, 2016, Omni Hotels discovered they were the victim of malware attacks on their network affecting specific point of sale systems on-site at some Omni properties. The malware was designed to collect certain payment card information, including cardholder name, credit/debit card number, security code and expiration date. They have no indication that reservation or Select Guest membership systems were affected.  50,000 records are impacted.
    
2. Prior to May 2016, identity thieves stole tax and salary data from big-three credit bureau Equifax Inc., according to a letter that grocery giant Kroger sent to all current and some former employees. The nation’s largest grocery chain by revenue appears to be one of several Equifax customers that were similarly victimized this year. Atlanta-based Equifax’s W-2 Express site makes electronic W-2 forms accessible for download for many companies, including Kroger — which employs more than 431,000 people.  According to a letter Kroger sent to employees dated May 5 2016, thieves were able to access W-2 data merely by entering at Equifax’s portal the employee’s default PIN code, which was nothing more than the last four digits of the employee’s Social Security number and their four-digit birth year.

Here are two terrorist attack examples:

In two major domestic terrorism events in the United States this past year, "Utility" was a major factor and should not be discounted, in analyzing motivations and "modus operandi" of homegrown violent extremists.  In San Bernardino, CA the adversaries were planning a major attack and had already stockpiled explosives and ammunition.  In Dallas (Mesquite), TX the adversary was planning a major attack and had already stockpiled a cache of explosives as well.

In both of these cases, the adversaries had accumulated and trained to use explosives in an attack.  Then they came upon a choice.  A utility.

1. In San Bernardino, an incident with government co-workers motivated the employee attacker to deviate from the intended plans and to capitalize on the "Utility" of a workplace holiday gathering at the county facilities.
2. In Dallas, a peaceful protest march that would attract a significant government presence of police officers, motivated the attacker to deviate from future plans and to capitalize on the "Utility" of a public gathering.

Dr. Erroll Southers is correct:

While the impetus for attack is rooted in beliefs, a terrorist’s selection of how and where to attack is based on a consideration of utility. This is the estimate of an attack’s consequences with respect to the intended target’s value as a domestic or international interest and the political impact the attack will have on the intended audience. Utility is a primary consideration for extremists during preparation for an attack, weighing desired results against the investment in activities to plan, rehearse and execute an operation. Always mindful of the aftermath, utility weighs heavily in the decision-making process of target selection, possible attack paths, methodologies and execution.  Southers, Erroll (2014-09-25). Homegrown Violent Extremism (pp. 9-10).

In both cases, the adversaries accelerated their plans.  They abandoned their use of explosives and a future planned event, to act on their emotions and motivations of the moment.  Domestic Terrorism in the United States will continue at a rapid pace without a more serious focus, on Homegrown Violent Extremism.

Whether it be online with the trust of your data systems or offline with the safety and security of your citizens, employees and facilities, beware of the changing opportunities for your adversaries, to launch their attack...

Utility, leveraged by your adversaries, is a consideration that must be continuously evaluated and analyzed in your particular threat environment. 

Domestic Terrorism: Tears for Those in Blue...

The sniper ambush on those sworn officers to protect us in Dallas, Texas USA on July 7, 2016, is yet another portrait of tragedy and sorrow in our Homeland.  Whether you are an American safe today in your home after another graveyard shift or at high risk on the front lines in the shadows of a foreign country, it does not matter.  This particular domestic event targeting our protectors, and so soon after Orlando, FL, should be a another wake up call to area code (202).

Operational Risk Management (ORM) professionals across the U.S. are unified once again, in our vigilance and our mission.  Domestic Terrorism in our world, will continue to be manifested as long as people can read, listen and be influenced by other people.  Here or abroad.  The methods used for this indoctrination, whether delivered in small groups sitting in a circle over a cup of coffee or tea, or increasingly over the Internet does not matter.  The process is the same.

The "Cues and Clues to Teach" have been detailed before in this blog.  Domestic Terrorism in the United States has been moving along a spectrum of incidents at a pace that seems to be accelerating.  Lone individuals or groups who plan, train and act in order to bring their own psychological justice to reality, is one of our greatest challenges:

The statutory definition of domestic terrorism in the United States has changed many times over the years; also, it can be argued that acts of domestic terrorism have been occurring since long before any legal definition was set forth.

Under current United States law, set forth in the USA PATRIOT Act, acts of domestic terrorism are those which: "(A) involve acts dangerous to human life that are a violation of the criminal laws of the United States or of any State; (B) appear to be intended— (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping; and (C) occur primarily within the territorial jurisdiction of the United States."[2] 

The pace and the origins of domestic terrorism in the United States are vast and metastasizing.

In order to begin or enhance your journey into understanding the root causes of this growing threat in America you should start with Eric Hoffers book: The True Believer: Thoughts on the Nature of Mass Movements.  And once you are finished with it, turn to Erroll Southers Homegrown Violent Extremism.

Developing your awareness is the beginning of any journey to solving problems and developing more effective and comprehensive preventative solutions.  Building knowledge about how people can transform from a individual working in a war zone or sequestered from society, to the front pages of the Washington Post, is a worthy goal for any Operational Risk professional.  As a human resources professional at Company or Agency USA or the retail employee in the ammunition section of Dicks Sporting Goods, you also have a role to play.

Vigilant "Employees and Citizens" must be continuously trained to be aware of the warning signals that typically occur before a threat and violent act becomes operational.  Based on the O'Toole study, these are some of the 23 "Red Flags" that employers should be monitoring and keeping their Corporate Threat Assessment Teams on high alert for:

• Low tolerance for frustration
• Poor coping skills
• Failed relationships
• Signs of depression
• Exaggerated sense of entitlement
• Attitude of superiority
• Inappropriate humor
• Seeks to manipulate others
• Lack of trust/paranoia
• Access to weapons
• Abuse of drugs and alcohol

What did you know?  When did you know it?  What have you done about it?  They will judge you on the threat assessments utilization of insider threat intelligence combined with the evidence of your overt training of employees in the workplace.  What grade would you give your organization today for these fundamentals?

Godspeed to all of those on their journey now, to better comprehend this event and to all the grieving family members across our Homeland...

The Third Offset: Seeking the Speed of Trustworthiness...

The U.S. national security "Insider Threat Score" is on it's way as a result of the aftermath of the Office of Personnel Management (OPM) hack.  The National Background Investigation Bureau (NBIB) is now standing up operations within the Pentagon umbrella.  Operational Risk Management (ORM) professionals are tracking this closely for good reason.  Social media activities such as this one, could one day be a factor in that score.

Simultaneously, the NIST Special Publication 800-160 2nd Draft has been released.  This document entitled:  Systems Security Engineering "Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems" addresses a key component in the national security mosaic.

So if the goal of creating the "Insider Threat Score" is to help automate and maintain the process for better understanding trustworthiness, then the NIST publication should be at the center of the table at the National Background Investigation Bureau.  Why?  Definitions in Appendix B of the SP 800-160 Second Draft:

Trustworthiness: An attribute associated with an entity that reflects confidence that the entity will meet its requirements.

Note: Trustworthiness, from the security perspective, reflects confidence that an entity will meet its security requirements while subjected to disruptions, human errors, and purposeful attacks that may occur in the environments of operation.

Trust: A belief that an entity will behave in a predictable manner in specified circumstances.

The degree to which the user of a system component depends upon the trustworthiness of another component.

Note 1: The entity may be a person, process, object, or any combination thereof and can be of any size from a single hardware component or software module, to a piece of equipment identified by make and model, to a site or location, to an organization, to a nation-state.

Note 2: Trust, from the security perspective, is the belief that a security- relevant entity will behave in a predictable manner while enforcing security policy. Trust is also the degree to which a user or a component depends on the trustworthiness of another component (e.g., component A trusts component B, or component B is trusted by component A).

Note 3: Trust is typically expressed as a range (e.g., levels or degrees) that reflects the measure of trustworthiness associated with the entity.

The future of the automation of the clearance process, continuous monitoring of "Insider Threat Scores" and the trustworthy secure systems software engineering for accomplishing this remains mission critical.  The "Cleared Community" of private sector "Defense Industrial Base" (DIB) contractors will also be impacted by the convergence of both.

So who are the personnel who could be impacted by these two converging initiatives:

• Individuals with systems engineering, architecture, design, development, and integration responsibilities; 
• Individuals with software engineering, architecture, design, development, integration, and software maintenance responsibilities; 
• Individuals with security governance, risk management, and oversight responsibilities;
• Individuals with independent security verification, validation, testing, evaluation, auditing, assessment, inspection, and monitoring responsibilities;
• Individuals with system security administration, operations, maintenance, sustainment, logistics, and support responsibilities;
• Individuals with acquisition, budgeting, and project management responsibilities;
• Providers of technology products, systems, or services; and
• Academic institutions offering systems security engineering and related programs.

As the government moves towards more trustworthy secure computing systems the private sector will be there to assist.  Yet the future of our trusted environments will depend on how often we perform and how well we perform without error.

Software is continuously changing and the fear of changing it too often, has been one of our greatest downfalls.  That fear of change has created our largest exposures to continued exploits and attacks, by our most sophisticated adversaries.  Remember, Edward Snowden worked for a private sector contractor.

There are a few trustworthy organizations that have realized this fact and are now on an accelerating path for reaching a higher level of trust.  With their software systems and their people.  However, they did this with a leap of faith and the understanding that the speed to reach more trusted computing environments, was absolutely vital.

Look around the Nations Capital beltway and you will find a few examples of the ideal innovation architecture strategy that will propel us into that next level of trustworthiness.  An affirmative decision to trust is now before us and the time we take to make that trust decision is our greatest challenge.  Will it be hours, minutes, seconds or nanoseconds?  Marcel Lettre, undersecretary of Defense for Intelligence has this perspective:

"The intelligence community’s role in what Pentagon planners call “the third offset”—the search for continuing technological advantage over enemies—will feature robotics, artificial intelligence, machine learning and miniaturization. They will be applied in the areas of “pressing for global coverage capabilities, anti-access/area denial, counterterrorism and counter-proliferation, cybersecurity and countering insider threats,” Lettre said.

He said Defense is reaching out to obtain the expertise of its industrial partners, including Silicon Valley, while workforce planners are focused on “bringing in another generation skilled at innovating in the technology sector.”

New Horizons: Commitment to the Long War...

What new technology invention or planetary event will change our way of life forever?  As the sun rises over the water, or the high rise buildings or the dew filled rolling meadows, one can only wonder.  The "New Horizons" streaked past Pluto after nine years from it's launch and 3 billion miles from Earth this week.  What other possible achievement is mankind capable of obtaining, that provides new knowledge and insight about our origins and our future.

Operational Risk Management (ORM) has been at the core of the New Horizons mission from its Genesis, until the day the space probe stops sending us more information.  Over these past nine years the observation and collection of data across our solar system, has provided answers to so many questions as we continue our quest for discovery.

Think about that timeline for a minute.  What has your organization accomplished that requires that kind of commitment to ongoing exploration and data analysis?  How would you keep people focused on continuous learning and problem solving, to gain new understanding and perhaps more empathy in your company.  Patience is often hard to find, when the boss is asking you what you have produced since yesterday.

There are tremendous challenges to keeping the mission focus in mind, even for nine years and beyond.  Maybe that is why there are term limits on some roles in public offices and as a result elections are necessary every two or four years.  Term limits puts priorities in perspective and clarifies what should be accomplished first and foremost.

What if you knew when you were going to die.  You knew exactly what would happen when your life ends.  It is written.  How would your thinking change, about what is important and what needs to be accomplished tomorrow.

How would you change your way of living and the vision to accomplish the promise of the future, if you did believe the stories of how it would all turn out.  Would you change the way you live your life, while you had the confidence that you would reach that promised place.  What if you had been taught this by trusted colleagues, read about it in sacred books or on the Internet and was assured that it was attainable.  If you would only believe:

Chattanooga, Tennessee (CNN)  A day after gunman Mohammad Youssuf Abdulazeez ended the lives of four Marines and wounded three other people, hundreds in Chattanooga gathered in prayer to mourn their deaths.

There were Christians. There were Muslims. A cross-section of the Tennessee community packed Olivet Baptist Church for the Friday night vigil.

Authorities are trying to figure out why Abdulazeez -- an accomplished student, well-liked peer, mixed martial arts fighter and devout Muslim -- went on the killing spree.

U.S. Attorney Bill Killian said the shootings are being investigated as an "act of domestic terrorism," but he noted the incident has not yet been classified as terrorism.

Reinhold said there is nothing to connect the attacker to ISIS or other international terror groups. Abdulazeez was not on any U.S. databases of suspected terrorists.

He was not known to have been in trouble with the law except for a DUI arrest in April. He apparently was not active on social media -- one of the common ways police investigate terrorism.

Ones mind has to flashback to the Boston Marathon bombing and the aftermath of that act of domestic terrorism in the United States.  Was this act of jihad on our U.S. citizens, the promise to the future, painted by people these terrorists trusted and respected?  Was this horrific act in Chattanooga against our military, just another blueprint for what our future holds for homegrown violent extremism (HVE) in America?  More on this from the New York Times:

Officials said there was no indication so far of any links to terrorist groups, leaving them to wonder how a young man with no known history of violence or radicalism turned up Thursday with several weapons, spraying bullets at Americans in uniform. Some “lone wolf” attacks have been carried out by people who had no direct contact with extremist groups, but they were influenced by messages online, like those from the Islamic State urging Muslims to take up arms and attack American military sites.

“This attack raises several questions about whether he was directed by someone or whether there’s enough propaganda out there to motivate him to do this,” said a senior American intelligence official, who spoke on the condition of anonymity because the investigation was still underway.

The Charlie Hebdo attack in Paris again was a location with meaning to the actual terrorism act itself by these two brothers inspired by Al-Qaeda in the Arabian Peninsula (AQAP).  It was a target put on a list by people who have a long-term focus and are able to accomplish their goals, even without a nation states resources.  The priority for any nation is to continue a long-term view, on what domestic terrorism and homegrown violent extremism really means, for a local community, in any country.

What is one of the most rewarding ways to connect with the local First Responder community in your U.S. county?  Look no further than your Community Emergency Response Team (CERT) and also your nearest Infragard chapter.  As a new "Citizen Soldier" you will need to learn new skills.  You also have to keep yourself aware of the latest natural or asymmetric threats to your particular community, whether it is a geographical city or a virtual domain in cyberspace.  You can, make a difference.

"Compassion will cure more sins than condemnation”

-Henry Ward Beecher-

It means a renewed commitment to building more resilience into your community.  From the bottom up, at every family household and small business in the town, city or Metroplex.  Operational Risk Management (ORM) doesn't end when you leave your role at the workplace in the warehouse, the cubicle or the executive office of the CSO, CISO or Chief Risk Officer.

Do you remember how you felt on September 12, 2001?  That uncertainty and the feeling you had, about the welfare of your closest loved ones or neighbors.  This was the catalyst for a 14+ year battle.  Just as the "New Horizons" hurtles millions of miles past Pluto, this commitment to the "Long War" is not over, and probably never will be.

Fear: The Elements of Prediction...

"Just as some things must be seen to be believed, some must be believed to be seen." "...so one way to reduce risk is to learn what risk looks like." --Gavin De Becker

These words from his book The Gift of Fear reminds us of how many people talk about Operational Risk Management (ORM), mitigation and implementing risk controls and don't have any context. In order to truly understand something, you actually have to come face-to-face with it, experience it and feel it.

For every 100 people in your organization, how many are a risk?  By that we mean, the factors are high that an individual will do something or be the target of an incident that causes irreversible harm to themselves and or the institution during their tenure as an employee.

The actuaries behind the insurance you purchase for different kinds of hazards or incidents in the workplace could give you some answers here. How likely is it that this kind of event occurs in this industry over the course of one year as an example? Certainly the ratios are known, otherwise the insurance product would not exist to protect you.

Predictive Analytics and processing of information to predict what has a high chance of actual occurrence is a whole other matter. In order to be predictive, you have to have actual experience and it has to be so innate that it now becomes more than just an intuition.

Some call it "Self-talk" and others a gut feeling but whatever it is, it got there because of your past experience. If it's more powerful than that, now you may just be experiencing something we all know as "Real Fear". You have to realize that when you get that tingle sensation up the back of your neck, you are way beyond self-talk and into a whole new dimension of emotion.

DeBecker's elements of prediction can help us figure out the likelihood of a prediction actually occurring:

1. Measurability - How measurable is the outcome you seek to predict?

2. Vantage - Is the person making the prediction in a position to observe the pre-incident indicators and context?

3. Imminence - Are you predicting an outcome that might occur soon, as opposed to some remote time in the future?

4. Context - Is the context of the situation clear to the person making the prediction?

5. Pre-Incident Indicators - Are there detectable pre-incident indicators that will reliably occur before the outcome being predicted?

6. Experience - Does the person making the prediction have experience with the specific topic involved?

7. Comparable Events - Can you study or consider outcomes that are comparable- though not necessarily identical- to the one being predicted?

8. Objectivity - Is the person making the prediction objective enough to believe that either outcome is possible?

9. Investment - To what degree is the person making the prediction invested in the outcome?

10. Replicability - Is it practical to test the exact issue being predicted by trying it first elsewhere?

11. Knowledge - Does the person making the prediction have accurate knowledge about the topic?

This OPS Risk professional has realized that these 11 elements exist in many of the risk management methodologies and systems experienced over the years. What is remarkable is the degree that we see time and time again, these elements being left out, avoided or just plain not utilized in organizations of all sizes and industry sectors.

It's time that CxO's revisit all of these elements in each of the Operational Risk Management (ORM) systems that are in place in their enterprise. From the front door to the intrusion prevention system, in the HR process from interview to termination and from the training room to the board room.

Predictive Analytics is a science that comes in the form of an art. Make sure you have the people who are masters of the art and experts in implementing the science.

Risk Leadership: From the Inside Out...

The "Leadership of Security Risk Professionals" continues to be an executive management priority in light of the asymmetric threat spectrum unfolding across the globe.  Operational Risk Management (ORM) provides the umbrella for the diverse and yet interdependent processes that pulse throughout the information rich enterprise.  As a leader reflects on this dynamic ecosystem, the vulnerability that still remains most prominent is the failure to effectively integrate risk mitigation tasks by the risk professionals themselves.

How often is your Facility Security Officer (FSO) part of the strategic briefings after a Board of Directors meeting?  Explain the amount of information exchange and substance of the daily dialogue between your head of Human Resources (HR) and the Chief Security Officer (CSO).  What new strategies have been developed this week between your outside counsel and General Counsel (GC) that have also been communicated to the Tier II management in the organization?  How do your customers get educated by your Chief Financial Officer (CFO) in concert with the Chief Information Security Officer (CISO).   What metrics are in place to gauge the risk awareness of new industrial espionage schemes being utilized by Transnational Organized Crime (TOC) syndicates or nation states, to prey on Critical Infrastructure owners and operators?

The risk professionals in your organization are operating each day in the fog of unvalidated intel and exploits. What have you done to update, adapt, renew and change the way you will operate since yesterday?  It is this level of situational awareness and predictive sense-making that is necessary, if you aspire to become even more resilient tomorrow.  Knowing what has changed on each others "Risk Watch" is only one part of the daily real-time analysis.  The knowledge most time-sensitive, may be the understanding of the behavioral implications of your people, processes, systems and external events as they unfold before you:

According to counterintelligence presented by the Federal Bureau of Investigation's Insider Threat Program, employees, former employees or contractors -- those who joined the organization with no intent of wrongdoing -- pose the biggest threat. 

These findings a few years ago, which are based on 20 years of espionage case investigations, indicate that contrary to popular belief, when it comes to data loss and spying, the real-world insider threat is not a stereotypical hacker who covertly siphons off sensitive information on internal systems and networks. 

Authorized users with a level of organizational trust, who are doing legitimate activities with malicious intent, pose the biggest threat, according to Patrick Reidy, the FBI's chief information security officer heading up the Insider Threat Program. 

Reidy said the FBI spends about 35% of its response time on these types of incidents. Focusing on education can help minimize these problems; he said these incidents have dropped 7% at the FBI in the past year. 

Insider threats are not numerous, according to Reidy, but in terms of damages they are the most costly. Of more than 1,900 incidents reported during a 10-year period, Reidy said about 19% were malicious insider threats. Based on information from multiple, "open source" data breach reports and data loss surveys, the average cost per incident is $412 thousand, and the average loss per industry is $15 million. In several instances, damages reached more than $1 billion.

The "Speed of the Connected Enterprise" can be your best ally, or your greatest adversary.  How you integrate, explain, orient, exchange and adapt in real-time, is now the name of the game.  Leadership of Security Risk Professionals operating each day on the front lines to the back office of your organization, require Operational Risk Management excellence.

Without it, they will continue to operate in the haze of that invisible adversary we call, complacency.  Complacent employees, suppliers and customers will remain your most lofty vulnerability.  Your leadership effectiveness of the Security Risk Professionals operating in your organization, partner business and client facilities are continuously at stake.

HSI: Homeland Security Intelligence...

What is the modern definition of U.S. Homeland Security Intelligence (HSI)? Many would differ on the jurisdiction, sources and nexus with specific intelligence that falls outside U.S. borders. The future of sharing relevant pieces of the vast mosaic of information may well lie with the definition and the interpretation of Homeland Security Intelligence.

One thing is certain about this topic of debate. If the information is being utilized to determine the nature of a threat within the confines of the U.S. Homeland, then that information will be treated according to the laws of the United States. This brings us to the next question. Are the current laws an impediment to more effective Homeland Security Intelligence (HSI) processes, methods and outcomes?  The following areas must be addressed in order to get closer to the truth.

• Governance
• Policies
• Regulatory and Statutory Concerns
• Civil rights and Liberties

Yet the question begs the discussion on the structure and the purpose of the Intelligence Community (IC) itself. Is a policeman or fireman on the ground in every major city in the country part of the IC? Are they not collectors of Homeland Security Intelligence as they fill out their manual or electronic "Suspicious Activity Reports" (SARS)? If they are then as much a part of the greater HSI mechanism that is deemed collection and not analysis, so too will they be subjected to the laws of the land regarding privacy and information governance.

Getting to the point where we are spending even more than half of the time doing actual human analysis is a long way off in to the future. Software systems are getting automated crawlers to pull more relevant OSINT into the data bases for unstructured query yet what about the front line observer who is the witness to an incident. They must process this by interfacing with a paper based report that is filled in with a #2 pencil or an electronic form on a PDA to check boxes and select categories that best describe the observed event that risk managers, watch commanders and operations directors need for more effective decision support.

Regardless of how the collector gets the information it still remains a matter of relevance with other data that already exists in a repository or the addition of a future data set that suddenly creates a "Red Flag." It isn't until that "Red Flag" indicator goes off that the human analyst can then put grey matter on the issue to determine the relevance at that point in time and the implication of the law, policies and governance. This topic has been addressed in previous posts to this blog:

There are some that would say that the reason why the "Dots are not Connected" sooner, faster or more efficiently is because we are drowning in too much information to analyze. The automation of collection is the easy part. The filtering and pushing relevancy through the digital cheese cloth to get the most vital intelligence assets is a bit harder to accomplish. The human analysis and applying "Gray Matter" to the problem set and understanding the current "State-of-Play" is the ultimate challenge.

Beyond this, the average "John Q" citizen has probably never heard of 28CFR Part 23. The privacy assurance mechanism put into place in the 90's pertaining to the fusion of criminal intelligence. Perhaps this is the single greatest impediment we face to insuring our safety, security and threats from transnational eCrime syndicates, non-state actors and even the most sophisticated Nation States.

The topic of Homeland Security Intelligence is really about the Information Risk Governance and Consumer Privacy laws that protect us as U.S. citizens. At the same time, these same legal statutes might be the exact balance between what law enforcement and the intelligence community need to do their jobs without infringing on the rights of "John Q. Jihadist."  Here is a great example:

By LOGAN G. CARVER

AVALANCHE-JOURNAL

A Saudi student appeared to smile Friday morning as U.S. marshals escorted him to his first federal court appearance on a terror charge.

Khalid Ali-M Aldawsari, 20, stood before U.S. Magistrate Nancy Koenig charged with attempted use of a weapon of mass destruction.

The former Texas Tech student was suspected of purchasing chemicals and supplies to build a bomb and of researching possible targets in the United States before his arrest by federal officials late Wednesday.

Aldawsari came to federal attention after trying to have a large quantity of a suspicious chemical, which has both benign and nefarious uses, shipped to a Lubbock freight address, according to a sworn affidavit by an FBI agent filed in support of the warrant for Aldawsari’s arrest.

Subsequent electronic surveillance led to two secret searches of Aldawsari’s Lubbock apartment, where authorities found a makeshift lab that could be used to make explosives, as well as some of the ingredients and supplies necessary to build and detonate a bomb, according to the affidavit.

E-mails and his personal journal indicated an interest in planning attacks, ranging from an initial desire to start a local al-Qaida-type organization to researching nightclubs as a potential target, according to the FBI investigation.

Homeland Security Intelligence collected from a U.S. domestic chemical company, freight trucking line and as a result of legal searches of the suspects apartment all were utilized to interdict this potential plot of terrorism in the United States. Effective HSI will determine whether we continue to be as effective in the future. Gods Speed to us all....

operational risk