Fixing Security Risk Management: focus on the threat actor

Government and private industry place enormous emphasis on the concept of Risk Management and Security Risk Management. In an article published in Security Solutions Magazine in November 2016, it was identified how dangerous and ineffective this concept actually is. It was shown that in areas where the concepts of Risk Management and Security Risk Management were implemented, crime rates actually increased. Such a significant trend requires a rethink into the effectiveness of the concept, especially when applied against an actor with intent to harm, hereafter called a Threat Actor.

Studies conducted by the United States Secret Service, American Psychological Association, the Australian Institute of Criminology, the US State Department, and this author have identified the limitations that situational crime prevention and security risk treatment options have when applied against a Threat Actor. These studies have also identified that a focus and assessment of the Threat Actor’s intentions to harm, may allow for the refinement of management options that can be directed towards reducing the risk of attack, or lowering the incidence of criminal attacks.

This article will outline varying methodologies that seek to identify and assess a Threat Actor’s intentions, and their capabilities to carry out those intentions. The article will also outline varying management strategies and methodologies that can be used to provide resources that can reduce the risk and incidence of criminal attack.



So as to avoid confusion, it is important to understand that risk and threat are two separate concepts. Both concepts require two separate and differing assessment tools and methodologies.

Threat is defined as the intention to harm. A Threat Assessment determines an actor’s intentions and the ability to carry out those intentions. The first stage of a Threat Assessment includes identifying and gathering specific information regarding the Threat Actor. Analysis is then carried out on such components as the actor’s intentions, capabilities, and background history.

Risk is different to Threat. Risk according to ISO 31000:2009 Risk Management-Principle and guidelines, can be defined as the effect of occurrences on objectives. Risk is normally calculated by determining the likelihood of a specific event and the effect that that event could have. The process of assessing Risk commences with identifying the varying occurrences that could happen. The next step includes analysing the varying components, such as likelihood of the event based on previous data, and the financial, personal etc effects and outcomes, should the identified event occur. Finally, an evaluation of the significance of each segment and the whole is determined.

Threat focuses on intentions and capabilities; Risk focuses on likelihood and effect. A Threat Assessment requires behavioural, psychological, cultural and intelligence etc assessment tools. A Risk Assessment requires statistical, consequence, historical etc assessment tools. The two concepts should not be intermingled.


The Threat Assessment

Several methodologies can be utilised that focus on a Threat Actor’s intentions and capabilities. These include the American Psychological Association’s Virginia Student Threat Assessment guidelines, the United States’ Secret Service guidelines, the Australian Standards Handbook HB167:2006, and Criminal Threat Management.

The American Psychological Association’s Virginia Student Threat Assessment Guidelines have been developed to assist in the identification and management of school children who may have developed intentions to harm others. The assessment process commences when a student is identified as having intentions and behaviours to harm other students. Then, a seven-step model is applied. This model includes an interview with the subject. Then, a distinction between a transient threat (minor) and substantive threat (significant) is made. A response is then developed, which includes conducting and implementing a safety plan.

The United States Secret Service has conducted considerable research into assessing those persons who may wish to harm either US government officials, such as the US President, or US government facilities. The Secret Service utilise the input of local law enforcement bodies to identify a person of interest. The Secret Service then focus its Protective Intelligence and Threat Assessment Investigation on such areas as the individual’s motivations and goals, that individual’s communication with others regarding their intentions, previous deviant and mental history, interests and capabilities in attack methodologies.

In Australia, the Australian Standards Handbook HB167:2006 Security Risk Management specifically mentions the inherent issue of the actor with an intention to harm within the Protective Security Sphere. The Handbook then redefines a threat as being ‘anything that has the potential to prevent or hinder the achievement of objectives or disrupt the processes that support them’. It then identifies potential harmful events, and the effect the event could have on the achievement of objectives. The assessment focuses on geographical influence, threat source, threat targeting and threat type.

Criminal Threat Management has been developed for use within the protective security environment. It primarily focuses on the asymmetric Threat Actor and utilises an assessment methodology that allows the organisation to identify those persons with an intention to harm it. This model commences with the identification of the communities that the organisation is located within, and those communities that come into the organisation. The model then focuses on identifying those persons or groups from within each community that may have beliefs that could lead persons to harm the organisation. Once a Threat Actor’s intentions have been identified, an assessment of the Threat Actor’s intelligence gathering capabilities, the Threat Actor’s view of the vulnerability of the target is conducted. In addition, a counter-surveillance operation is conducted to determine the immediacy of the Threat Actor’s intentions.


Threat Management

The aim of a Threat Assessment is to provide decision-makers with the information that can allow for the development of management plans to prevent the incidence of crime, or for the Threat Actor’s intentions to find fulfilment.

Whichever method is selected, at the completion of the process, the assessment should identify who has an intention to harm, and what type of harm is intended. What capabilities the group or person has. And when the Threat Actor will carry out their intentions, should they not encounter interference, and what methods the actor could use to carry out their intentions.

From the above assessment, decision-makers can utilise available resources to manage the Threat Actor. Some options could include the provision of alternative avenues of social and economic assistance to provide persons the opportunity to achieve their goals without the need to harm others. This could include the provision of funds to allow for the purchase of necessities rather that acquiring those necessities through criminal means.

Alternatively, situational crime prevention measures, or security risk treatment measures could be implemented to prevent the opportunity that a Threat Actor has to carry out their intentions. These options, once refined through the development of an appropriate Threat Assessment methodology, have the potential to achieve a more beneficial and cost effective outcomes than otherwise may have been possible.

In addition, investigative operations may indicate that the Threat Actor has developed sufficiently along the Criminal Development Pathway to allow law enforcement to intercede and neutralise the Threat Actor’s intentions or capabilities. In some cases this may mean the removal of the target, or the physical control and management of the Threat Actor.

As outlined in the Criminal Threat Management model, measures can be put in place that will allow for the changing of the deviant belief system that the Threat Actor has been identified with. Counter-arguments to the deviant belief can also provide preventative opportunities and finally, should all else fail, neutralising the threat actor through law enforcement intercession, prior to the Threat Actor’s attack, can provide opportunities to prevent crime.

This article has outlined several methodologies that can be used to assess a Threat Actor’s intentions and capabilities. Each methodology aims to assess the information gained and provide decision-makers with additional knowledge and understanding of the Threat Actor. Such an understanding can better aline and manage resources allocated to prevent the incidence of harm being actioned by the Threat Actor.

David Harding is an internationally experienced Threat Management consultant and advisor. He is a Research Associate with the Australian Security Research Centre (ASRC) and has researched and written about security, asymmetric and non-state security threats. The ASRC will be holding Master Classes on Threat Assessment and Threat Management.


[mc4wp_form id=”4789″]