Preparation or Paranoia?

Paranoia photo

Preparation or Paranoia?

Is it better to be prepared or paranoid? Can you be over-prepared? Well, it might be more of a matter of perspective. Being paranoid can actually help you identify gaps, it's just easier to assume everyone is a threat. But, some-times being prepared is much easier to maintain than having to be paranoid and unsure that your mitigation rules and procedures will be able to stop an attack in time, or perhaps even before it can realize.

Why does this happen?

Why do we fall into a state of paranoia? Is it really paranoia when we evaluate the state of things in the world we face today? I sort of want to say that the fact we need to barricade ourselves in our own homes should probably tell us that we might be way past the point of paranoia. Of course it would be unhealthy to constantly be in that state. But, how do you move away from paranoia into a state of preparedness? Will you ever really be prepared for everything? Sure, being properly prepared can help reduce strain and stress, and direct more attention to where it is more critically needed. But then what is it you need to be prepared for? The truth is, you simply cannot always be prepared for everything, all the time. I certainly do not want to feel more stressed out on a family trip out to town than actually relaxing for a change. And if you ask any CPO, it gets tiring to be on a constant state of awareness. And although I do stress the importance of awareness, I also need to warn about the dangers of paranoia. I mean, is that six year old really planning to mug me? Or is the over dressed dude with the baseball cap and aggressive stance really just a friendly by-passer in the parking lot?

Will it make a difference?

It's never a bad idea to know what your go-to action should be with possible scenarios you might encounter. It's dangerous to assume that what we train for will be the only reality we will get to face. So, when you are certain of what is going on and what is not, you can overcome the state of paranoia and rather focus on things that require more of your attention and things you can have some form of control over. I do not want you to try and control everything. But make sure you have some form of control, like having a task covered by a team-mate or spouse or outsourcing it. Preparing a detailed risk-assessment will help identify where you need to focus on and what measures need to be trained and perfected more.

Think of it as a type of contact sport

If you want to score, you need to be on the attack. But, often you will need to defend your post as well. Proper, prior preparation will determine how quickly you neutralize the attacking team, regain control and get back on the attack. The reality is you will take some blows. But you can greatly control the outcome of those blows, with blocks and countermeasures.

This is where some of us tend to overdo it and look more like we are moving into a state of paranoia. We carry 3 sets of briefs and plan our routes in such order that we will get the opportunity to use them after we wet ourselves. And while we over plan for the most common things, we neglect to properly align ourselves to the actual threat (that was supposed to be identified with proper risk assessment) and make the one with a greater probability of realizing our main focus. Maybe I could avoid needing three pairs of briefs and identify the threat moving into position. Then I can act on it before it can realize.

Just like our contact sports, we practice different plays beforehand. And we try to stick to them rather than work things out whilst on the field. But if we only focus on our play, we potentially miss what the opposing team might be positioning us to do. So it makes sense that a lot of us tend to lean more to the side of paranoia. We need to have basic plays in our arsenal that are tested and perfected, both for defending and for attacking.

So it gets confusing, right?

It doesn't have to. The key is to identify common plays that you will need to succeed in. In boxing, for example, you might be able to use one block more effectively than another. So use that as your basis, as your go-to block. Something you can always rely on to keep you in the fight, no matter what the opponent throws at you. And perfect it. But never stop there, that specific block might be in-effective against another type of martial arts or weapon. So for that reason you need to know what type of opponent you are likely to be facing, and prepare for that. Think about the whole "never bring a knife to a gunfight" type of scenario. Whenever I get into a self-defense training type of talk with someone, I always coin what Bruce Lee taught the world: Focus on a handful of things you can master and execute with perfection, rather than try and learn every move. This eliminates the probability of your mind getting cluttered and possibly creating a delayed response, which we all know in our environment could prove fatal! Focus on, for example, five things, create the neural pathways, and hone them in. And when you need to act, your options are limited to just those five, thus reducing your reaction time. Think about the fight/flight/freeze response again.

Whenever I have no idea what to do with specific information. I pass it on to another teammate or outsource it completely. Like having someone to do some background check or research on a specific name or company etc. This might give you a better idea of what to look out for while on the task and what to pay more attention to. You do not want to be on a task and having to spend more attention on every little person and thing around you and not have much attention span left to focus on the actual threat determined by your preparation tactics (pre-determined threats). So while on the task, your mind will not need to wander all over the show and start questioning things that could have been mitigated before-hand.

If you want to know if you are over-prepared, ask a colleague to review some things for you. Doing this, helps you get more professional insight and, the colleague might identify some spaces you do lack in and help identify sectors you tend to overdo. Who knows, maybe that just might shed some weight from your tasking. Or perhaps it helps indicate something you might have missed initially?

When you operate in a team environment, everyone must be aligned. Why should each member plan their luggage when one or just a few more extra hands can manage and transport kits and or equipment? Or you might want to make sure you mention your concerns to the team, no matter how ridiculous it may sound. You never know how the risk that you're thinking of, is being mitigated by another member if you never ask.

Conclusion

Do what you are tasked to do and do it well! Only then can you improve on less-likely sectors that can be improved or perhaps cut out completely. Like having to carry a first-aid kit on your person, but you spend most of your day inside a vehicle or office space. So you can rather have a more sophisticated kit stashed at one of these locations or in the vehicle for example. I sincerely hope this was more informative than confusing, and if you feel that you still don't grasp it yet, comment below or drop me an email and I'll get back to you with more insight.

Interested to learn more? See the following links:

Principal profiling

Physical security threat assessment

Fight/Flight/Freeze

Awareness training

Action plan

Principal profiling

adult-chart-close-up-1043514

Principal profiling

What is it?

A principal profile is the use of accumulated knowledge of your principal's characteristics, history, and behavioral patterns to establish a general idea of who your principal is, how he might react to certain situations and if he might be living a high/low-risk lifestyle.

Why use it?

You simply cannot design a protection detail for any principal if you do not have a good idea of who the principal is and how he/she functions. The principal profile will contribute to your threat assessment. To complete the principal profile you will need to ask a lot of questions and do a lot of digging. Information is critical for principal profiling. The principal profile is also essential to indicate what level of threat your client is at and what the nature of the threat is.

Risk factors

Each principal profile will be unique from one to the next.
There will also be varying risk factors and levels of threat from one client to the next. So for you to draw up the most applicable protection detail and contingencies,  you have to know what it is you will be facing.

It might seem odd

Some questions at the start might seem irrational or inappropriate even, but at a later stage may prove to be the key in finding out why an attack might be made on your principal and possibly even how and which type of attempt might be made, or, you might even find that your client does not need your services at all.

What should it tell me?

Your principal profile should be able to draw a picture of one of the following scenarios:
1) A threat has been made towards your principal because of who he/she is.
2) A threat has been made towards your principal for who he/she represents.
3) A threat has been made towards your principal for what he/she represents.

Should I just go with the info my principal provides?

A principal may neglect to mention key factors when you run solely on his/her discretion and believe everything he/she says without running your investigation. You can easily find yourself in an unwanted and potentially career-damaging position when you are ill-informed or unprepared for a scenario.

Consider the 7 P's

1) People - The principal and closest relatives, friends, and business partners.  We must get to know on a professional level, the people that our principal comes into contact with every day or constantly. Clients are related to many people in lots of different ways. Either by blood, marriage, friendship, business, leisure, casually or intimately. Relationships can be a cause of many a problem.
2) Places - Places the principal and close relatives frequently visit. Where people are born, where children go to school, where they work, spend holidays, live, dine, and play, are all important things to know when assembling the principal profile.
3) Personality - Of the principal. The personality of your principal can draw different types of attention. Depending on the type of personality your principal has, it can draw unwanted attention, obsessive, and potentially dangerous persons. Especially some more adamant business people can have strong personalities that might aggravate others.
4) Prejudices - Prejudices are pretty simple. Many people develop prejudices from a very young age, past down from previous generations, and others form prejudices through personal experience. But they are real, and they can cause problems. You need to be aware of your principal's prejudices and ready to de-escalate any situation that can occur because of it. Also knowing the prejudices of potential attackers will help in identifying how and why an attack might occur. There are different types of prejudices, such as Culture, Race, Religion, Sex, Age, Controversy, Class, and even Nationality to mention a few.
5) Personal history - The history of your principal can provide crucial information that will help establish the profile of your principal. It might also help establish a picture of who might be posing a threat to your principal. You should look at the following, and any other things you might think of that is important to your principal.
- Schooling / Education / Qualifications
- Careers / Positions held
- Full name and title / Know name / Aliases
- Family members (current and previous) / Children
- Honors / Distinctions / Achievements
- Place of residence (Current and previous, family members) / Place of birth
- Medical history / Allergies / Medications / Blood group
- Marital status / Previous spouse
- Nationalities (previous and current)
- Languages
- Military service
- Political history
- Convictions
6) Political/religious views - This one cannot be missed or neglected. A person's political standing can make others unhappy. This could trigger an attack unknowingly or cause colleagues to act violently. You need to know what is the principal's political standing and is he/she an active member of a political party, and whether he will participate in political events.
The principal's religious believes and virtues will indefinitely cause some sort of unwanted result at one point or another. Knowing what your principal's religious standing is and how he/she was raised, will help to establish protocols and responses. You should be able to anticipate unwanted attention and work around them.
7) Private lifestyle - A principal's private lifestyle can expose him/her to various threats and situations. Some things are very confidential and you need to be aware that a protection officer might have to know things about the principal that can and will cause great damage to the principal's reputation. If you are uncomfortable with any of the principal's private lifestyle choices, it is best to move on to another project. But the more we know about the principal, the better we can prepare ourselves for unwanted scenarios. Think of some of the following questions:
- Does your principal work long hours? Is it from home or late hours at the office?
- Does your principal commit adultery?
- Does your principal like to visit clubs or other institutions? Does he/she like to entertain friends at home? or does he/she prefer to spend time alone with family?
- Is your principal an outdoors person, or a sportsman/woman?
- Does your client participate in more risky hobbies/sports such as racing or fighting?
- Does your principal prefer to drive his/her vehicles or utilize a chauffeur?
- Does your principal like to travel a lot or internationally?
- Does your principal enjoy a high-profile lifestyle and flaunt possessions/assets?
- Is he/she a substance abuser?
- Is your principal a workaholic?
You can get creative with the questions and learn to ask more specific things as time goes on.
Conclusion:
After drawing up your principal profile you should be able to see key traits in your principal's personality and be able to identify if he/she is either a High-risk, Medium-risk, or Low-risk profile and use it to help formulate contingency plans. You will also be able to identify what type of people and organizations might want to threaten your principal and identify if they have the necessary motivation to follow through with the threat.
Read more one prejudices @ https://en.wikipedia.org/wiki/Prejudice
Learn more about different personality traits @ https://www.livescience.com/41313-personality-traits.html

Physical security threat assessment

LOGO

 Physical security threat assessment

First of all, if you think this is just for professionals, don't be misguided! A threat assessment can be implemented by any person eager to improve their security at home, place of business, office, ranch, farm, flat, or even just a single room! It is just a simple step-by-step system that has been developed over a couple of years, and can be used by anyone willing to put some thought and research into it!

Why use it?

One of the most common risks an organization runs is stagnant and non-evolving security measures. Unfortunately, these things can only be addressed if it is known to the organization. For that reason, it is necessary to perform a complete threat assessment. Sadly, too often a comprehensive threat assessment is missing completely or never updated. So it's your responsibility as the Advisor/Consultant/Team-leader/Security manager or head of the house to make sure that all the risks are reduced to an acceptable level.

The biggest mistake most organizations make is waiting for a safety breach or incident to happen before they implement mitigation strategies. Preparing a thorough threat assessment will undoubtedly help in improving overall security. It will also help in identifying which preventative measures to implement and reduce the risk of possible threats.

Any organization will always have some form of physical threat. Whether it's from general crime, human error, or even natural elements. Physical security is not a one-size-fits-all package. It gets very specific to the organization itself, especially when it comes down to demographics and location.

Before we start

Before we go any further, you should have a clear knowledge of the differences between risk, threat, and vulnerability. If you are unsure or just need a little refresher to make sure you are on the right track, you can learn the difference >Here<. It's also important to note that there are different methodologies out there and each one probably works, but will not necessarily be comfortable for everyone. That's why you need to learn from each of them and develop something that you are comfortable to use.

That being said, you should make sure that the following points are covered in your assessment:

  •  Buildings, assets, and vehicles are characterized
  • Undesirable events should be identified
  • The consequences of those events should be determined
  • The types of threats should be identified
  • Testing and analyzing the protection security systems and procedures
  • Complying with law and regulations
  • Identifying reasonable control measures needed

To formulate the assessment:

Formulating a threat assessment can be done by following these 5 steps:

1) Characterizing facilities

So it should be obvious that you should first know what the actual basis is that your working with. The boundaries of the site, where buildings are on the site, all access points, floor plans, procedures in place, and current security measures if any should be noted. You will need to reach out to some contacts to get all of this information and make sure it is as accurate as possible. Depending on how long the organization has been up and running, you will be able to use things like building blueprints, municipal reports, security SOP's and IAD's, previous threat assessments and reports, environmental reports, site surveys, and a few more.

2) Now you need to determine what events are undesirable to the organization (the risks)

This will vary for every organization. Any crime or disruption in operations is undesirable, and sometimes you might be called in to address something specific, like for instance theft among employees or a physical threat that has been made known to the organization. The following are things to look for:

  • The crime rate in that specific area and also if there are high-risk areas close by.
  • Industry-specific crimes, for example, drug stores and banks will have different types of specific risks related to their trade.
  • Common crime, things like theft and crimes of opportunity.
  • The number of people who will be accessing the organization's infrastructure
  • Cameras and other monitoring systems
  • Lack of manpower
  • The political and religious standing of the organization can also attract more risks
  • Training of staff or team members
  • If there are any direct threats to the organization or one of its high-ranking officials

So now that you have your whole list of risks compiled. Its time to rank them in order of probability, frequency, and impact. Let's say you score each risk on each of these factors on a scale of 1 to 5. Then add up the total of each risk. So the higher the total (the probability and impact), the higher the risk, and that is a threat to the organization. In another column, you can add the control measures that are currently in place if any, and deduct that from the total of the other 3 columns. So if there is good access control currently in place you would score that higher than no access control.

Another important thing to look for is any vulnerabilities the organization has. These will be risks that are not addressed at all and have a good probability of happening, and also possible risks that will have a significant impact but are not being controlled. However, this is only vulnerabilities visible on paper, when on-site and assessing the buildings and controls, you will most likely find more vulnerabilities. This includes out-dated and defective equipment and uncontrolled areas.

3) SOP and IAD's

I would like to separate Standard Operational Procedures and Immediate Action Drills a bit as it is something that is being badly neglected. SOP's and IAD's are as important as any other security system in place, without it there is no guidance in reaction and things often turn out quite bad or undesirable to an organization. Once again the organization's aim should be kept in mind when drawing up these procedures. I like to look at procedures before implementing mitigation as it will assist a great deal when it comes to cost, as you will likely see how much man-power and how much equipment is needed to achieve operational objectives.

The way your system integrates and reacts to threats is an important risk to look at. If the response is slow, the risk is greater, if the response is incorrect, the risk increases. I am pretty sure you get the picture here. A common risk when it comes to applying IAD's or responding to a threat is when all staff members rush to the location of the threat, leaving their areas of responsibility unattended and opening up the proverbial back-door for intruders to sweep in unnoticed. Identify roles and responsibilities for each threat and make sure every staff member knows it!

SOP's and IAD's should also be time/shift relevant! During holidays and night shifts for example there might be fewer staff members on duty. This can change things dramatically. There should never be any regulation changes, strict procedures should be attained at all times! The last thing you want is a burglary at night because staff members or cleaners left a door/gate unlocked or open.

Another thing to remember here is a detailed plan and list of immediate contacts that should be activated during emergencies or incidents. A touch of automation can be good in certain situations and again not so good during other situations. You do not want to be dropping security barriers and trapping employees inside when a fire breaks out, but dropping barriers when a deranged shooter tries to get access can be a good move. And also having a procedure of who to be contacted in case of more serious threats is very important! Will a tactical team be needed to respond from outside? Who will that be? do you have the relevant contacts and procedures to follow in case of a bomb threat? Who has to be contacted in case buildings need to be evacuated? Neighboring buildings could start burning, who do you contact then?

4) Addressing the threats

After you have compiled your list of risks and figured out what lacks in the procedures you should now be able to see the threats to the organization. Now you need to determine the course to be taken to minimize the risk of these threats. It should come as no surprise that the cost will greatly affect the course you will take. Staying within budget and getting maximum security optimization is not easy at all! Tip -This is where your contact list can be a great source of success.

Start by looking at the biggest threat on your list (the highest score one). What equipment will be needed to address it? Think of detection, cameras, man-power, and every other piece of equipment and training needed to reduce this threat to a lower score. A lot of times the same type of equipment and so on will automatically improve the other threats too. Or at least some of the same equipment and manpower can be used to tackle other threats.

Now re-asses the other threats according to the equipment, etc. that was added to the security system. From there, again, take the highest ranking threat and address it like the first one. Just continue this cycle until you can reach a reasonable level of risk from each threat. Always remember to KISS it as far as possible or use automation as much as possible, just be cautious of the cost factor, especially when it comes to software updates and such.

5) Analyzing system effectiveness

Physical protection systems should be described in detail before it can be tested! Ideally, you would like to stop a threat immediately and without any delay or negative outcomes and with as little as a possible disturbance in normal operations. But in reality, this rarely happens and one will always have to deal with some sort of shortcoming.

So to stop any threat you should first be able to identify it. A continuous threat assessment will outline threats and should be communicated with team members to remain effective and ahead of the threat. Team members should be trained in identifying abnormal behavior and activities, technology implemented and physical barriers used for this purpose. Strategically designing entries and exits can be just as valuable, to make sure any threat has to pass the detection phase before being able to access any facilities or inflict any damage to the organization.

After a threat has been detected, there should be a way to confirm that the detection is valid and of real concern and not just a nuisance alarm. This can be done via team members in contact with a Control-room/Security management or Team-leader. There should be good knowledge in the team about how criminals operate and how target selection works and everything that goes hand-in-hand with it. One can use the OODA loop to great effect here. Find out more about how the OODA loop works and the different phases criminals or a probable threat uses to select their attack right >Here<.

Once a threat has been confirmed, the aim is to delay the threat to get reaction forces to the threat and minimize its undesired actions. Of course, it is ideal for a team member that is in the vicinity already, to be able to neutralize the threat. But it is also ideal to have more than necessary force available. One adversary can be extremely determined or under the influence of narcotics and over-power or out-think a team-member and then become a more aggressive threat.  The effectiveness of response is measured by the time taken to get to the threat and to neutralize the threat.

So keep in mind that some organizations might require you to try and neutralize a threat without using aggressive force, I know, it's not something I am very much happy to say but to spare you a potential client or project you need to know how to act. And in this instance you need to know non-lethal options available, but, it is your job to convince these organizations about the reality we face each day. Organizations would likely want to avoid PR damage because of an unjustified shooting on their premises.

Testing effectiveness

To test the effectiveness you should be sure to fully understand all of the above points and what is required of your system to achieve maximum effectiveness. Only then can you define what is required and to be implemented. Once that has been put in place, there are a few ways to test its effectiveness, you could use penetration testing, call in other experts and run some drills over different times to see if detection and neutralization systems work. Nothing can prove effectiveness more than an actual criminal attempt, it's important for organizations to immediately assess their response after an attempt and identify any issues and improve on them.

Upgrading systems

If for whatever reason you can identify any viable threats after implementing mitigation strategies, you need to check for possible upgrades or changes in the system. This includes equipment, manpower, procedures, and software. When you implement new strategies or add anything you should again test for effectiveness, and repeat until the level of risk is acceptable. Always remember the cost affected with upgrades and additions or changes.

More on this topic

To follow up on this piece will be a few more posts regarding principal profiling and equipment and some more tips and tricks to help you formulate a threat assessment.

Until then, feel free to comment below!

Please subscribe to the site or follow me on Facebook @https://web.facebook.com/ALPHADefense

Risk/Reward ratio

barbed-wire-black-and-white-crime-2057

Risk/Reward

Now and then a well-protected premises gets broken in to, and no matter what the reason was, someone found a way to break through the security systems. Why is that? Well, honestly, unless you live like a well-protected president (who also gets some attacks now and then), you will never be impenetrable or completely safe from every threat. I am not quite sure what other protectors like to call this, but it generally floats around as the risk/reward ratio. Meaning, if ever the reward that is to be gained is worth the risk associated or even more, then the likelihood of it happening still exists. You implement measures to irritate and keep someone from simply taking whatever they want from you. But, you can never really eliminate the urge of someone eager enough to grab it.

How is it still possible?

We have to remember that skills can be learned by anyone willing to learn them. Perhaps not always by the conventional manner we are used to, but either way, a skill can be learned. Many “masters” of their crafts become masters in the first place by developing beyond the conventional ways.

So, with that mouthful out of the way, here is what I mean. In reality, if I have to get or take from you what I so desperately want or need, especially when I have no other choice, I will be motivated enough to get it. And in that case, whatever means you have put in place to prevent me will be vulnerable to my motivated mind. I will most likely figure out some ingenious or perhaps absurd way to pass your measures and get what I want.

I like to call it the Risk/Reward ratio. But whatever the real term is for our industry, It simply means that if my reward is worth the effort, I might just take the risk.

I can think of various ways I have defeated some security systems and things I have seen in the industry, and for obvious reasons cannot mention them here. As I am always confident that just as we protectors are utilizing the internet, social media, and various skilled courses to enhance our capabilities, so are those we fight against. Many wolves amongst the sheep.

Closing off:

So, closing off, I hope it is clear to you that not any measure is impenetrable, think about how the enemy adapts, how technology advances, and how the sheer willpower of one man can change and revolutionize our industry. If an army is in my way, will 2 armies behind me defeat them? If an alarm system is in my way, will something be good enough to defeat it? Face it, we can never, ever be complacent. If you are wondering how to plan around this, then please read here.

Till next time, keep developing.