Part 2: Designing the Ability to Properly Detect a Threat
Successful threat management programs apply an approach of detection, assessment, and management to protect an organization. An organization’s strategy toward that first step, detection of a threat, is a pretty good indicator of how effective the threat management program is going to be.
As a popular 12-step program expounds, the first step in solving a problem is admitting that it exists. The first step in successfully managing a threat is recognizing that it is there. The bottom line for threat detection is that we are primarily talking about situational awareness on an organizational level.
There are several challenges to maintaining continuous levels of situational awareness, but the main one is the fact that attention is a limited resource. You cannot pay constant attention to everything at once. Fortunately, there are threat detection techniques that can be used to maximize the value of the time and effort you put towards the necessary situational awareness.
Using Pattern Recognition to Detect Threats
Human brains evolved with a predisposition to direct attention toward potentially threatening stimuli (Arne Ohman, 2001). We have innate detection mechanisms, based in our biology, that process data and information to identify physical and intangible threats. A crucial part of that ability is how we recognize patterns and pick out irregularities or breaks in those patterns. Our brains are experts at noticing outliers to a given context.
Pattern recognition is our capacity to classify the environment around us based on specific features. It allows us to predict and expect what is coming by comparing new information against what we have already seen or experienced.
To apply this in the context of threat detection, we are examining potential threats to determine what environmental conditions may be associated with their occurrence. A simple example of this is that being physically located in the State of Florida translates to the potential for a hurricane to impact your organization, whereas that potential would not exist if you were in South Dakota.
As we learned in Part 1 of this series, where we discussed how to properly define and categorize a threat, at this point in your process you are seeking to identify the potential for harm, not the probability of harm.
A Helpful Tip: Take Advantage of Existing Frameworks
As you work to define your threat environment, take advantage of work that has already been done by others in organizations that are comparable to yours. You can accomplish this by looking at existing threat-based documents that apply to your organization. For example:
- Existing threat assessments for local, regional, tribal, territorial, and neighboring communities
- Existing strategic and operational plans for organizations like your own
- Published hazard mitigation plans
- Historical data, including records from previous incidents or events
- Plans and risk assessments for similar organizations or for associated critical infrastructure or lifeline functions
The best place to start looking for existing threat detection resources is your local emergency manager. They have the best understanding of your immediate environment, and they have the existing network of contacts and additional resources to introduce you to other organizations with similar concerns and priorities.
On a national level, there are several broader resources that you can also engage. Some examples include:
- FEMA National Preparedness System – This is a gateway site that will lead you to several resources, including all-hazards threat definitions and priorities as established by FEMA. It is important to remember that these materials are developed at a federal level and may need significant adaptation to be applied for individual organizations.
- FEMA Risk MAP – The FEMA Risk MAP program focuses on the potential for harm posed by flooding. The details provided here can make significant contributions to your threat assessment processes that I will discuss in a later post, but the overall map can be used to address the potential for flooding in your geographic region.
- USGS Natural Hazards Program – This is another gateway site, leading to multiple web pages with information on primarily geologic threats.
- U.S. Forest Service Wildfire Risk to Communities – This site provides free, interactive resources to look at the potential for wildfire in local communities. Specific emphasis is placed on the threat against homes, exposure types, wildfire likelihood, and vulnerable populations.
- National Insider Threat Task Force – This site provides a broad collection of resources for the detection of human-driven threats. While it is presented in terms specific to insider threats within the U.S. federal government, the concepts can be applied in a broader context as well.
When reviewing these sources, remember that you are laying the groundwork to identify patterns, not necessarily an exact match for threats faced by your organization. To take advantage of our natural predisposition to recognize patterns, and changes in those patterns, we need to establish a baseline for comparison.
Establishing your Threat Baseline
Your baseline should encompass the physical, social, economic, and cultural settings in which your organization exists. You need to define ‘normal’ in order to be able to properly detect and identify any potential deviation thereof.
A threat baseline usually includes components in the broad categories of physical, cultural, and socioeconomic factors. When describing baseline conditions, you should consider:
- What threat elements are included or excluded?
- How are the necessary data going to be collected and analyzed?
What to Include Within your Threat Baseline
Many, if not most, communities should already have a prioritized inventory of potential threats that exist in their physical environment. That list is usually based on considerations involving people, places, things, and data. It includes categorizations based on physical location, time of year, and local conditions over the recent past for those threats that are not immediate in nature. If you are not building your threat detection capability on an existing framework, make sure to include these factors in whatever processes you do develop.
Because detection of a threat involves the potential for harm and not probability, it is worth considering the inclusion of threats that may be deemed significant even if you don’t have the objective data to support their presence in the baseline. Just remember that what is “deemed significant” varies with each individual or interest group. It is a subjective evaluation and a potential source of challenge and conflict.
A local threat environment can be highly dynamic. Threats can vary over time, dependent on physical locations and even to the granularity of time of day, day of the week, or month of the year.
The rate of variation can also change. This variability is significant because it places restrictions on the quantity and quality of data that can be used to characterize the baseline conditions for your organization.
When you are establishing your baseline, do not forget that it needs to be a comprehensive baseline applicable across the entire organization, not just a single location at a single point in time.
As mentioned earlier, existing documents that address threat management for similar organizations, along with historical records related to previous incidents or events, can provide a solid starting point to help you establish your current baseline.
For example, many federal and state agencies have completed Threat and Hazard Identification and Risk Assessments (THIRAs) that may prove valuable. Furthermore, county and city departments may have pertinent information on cultural, historical, economic, and infrastructural factors that can be included as well.
When incorporating these data with those from other sources, it is essential to include the date of collection to provide appropriate context and reliability.
There is always a need to collect current data on the baseline threat environment from the physical locations where your organization’s valued assets are located. Reviewing reports or documents generated by other organizations from prior efforts is a starting point. Still, those documents are usually not sufficiently recent unless you are updating your threat register in response to a specific incident or event.
Sometimes the quality of source documents may not be appropriate because the methods used to generate them may not match statutory or regulatory requirements or recognized standards. Findings made outside of your organization will need to be validated against the individual characteristics and conditions within your organization. In some cases, that can only be accomplished through direct, boots-on-the-ground inspections and surveys.
Missing or Insufficient Data
When characterizing a baseline threat environment, missing or insufficient data are common because threat environments are dynamic and complex. The definition of “complete” data is a judgment call. Besides, there is never adequate time and money to collect baseline data in enough detail to establish the inherent, natural variation in the threat environment.
On the less technical side, there is a real problem with defining “sufficient data.” No standard defines how much detail is sufficient to characterize baseline threat conditions. Missing and nonexistent data may not be the same. These are not abstract, philosophical discussions; they need to be addressed regularly to allow useful data collection. Even when potential threats are well defined, and the data to characterize them are established, it may not be practical to spend years measuring these components completely.
While most of the data used to build a threat baseline will be quantitative in nature, incorporating qualitative elements can provide additional value in your process. This ties back to the inclusion of threats that are deemed significant because there is an intuitive feeling that they could impact operations vs. those that are proven to have the potential to harm your organization.
As I mentioned earlier, humans are wired to detect threats. Threat detection is absolutely an activity where listening to that intuition is appropriate—it is better to include more at this point and weed things out in the threat analysis process, than to ignore that intuition and potentially miss a threat.
Putting Your Threat Baseline to Work
With the completion of a threat baseline, you have a starting point for what should be an ongoing threat detection process. Instead of trying to monitor everything that is going on in the world around you, you can focus on recognizing changes from your established baseline.
Tools to Help You Detect Threats
For most types of threats, there are technological or media-based tools in place that can contribute toward the situational awareness that we are talking about. On a macro-scale, most threats are considered to be newsworthy, either because they are dramatic and catch people’s attention or because there are significant consequences associated with the potential harm involved. As a result, other people and organizations are likely investing efforts in watching for and reporting those threats, so take advantage of resources that may already exist.
- Pay attention to the news. Use multiple sources to establish and maintain situational awareness of what is going on in the world around you.
- Engage your local emergency manager and first responder communities. Sign up for any emergency alerting programs that they have available.
- Identify which school districts serve the areas that your organization operates in. Sign up for any available emergency alerting programs, especially if members of your organization have children enrolled.
- Be aware of your local weather, and either keep a broadcast weather radio on hand or sign up for alerts from your local media stations.
- Monitor appropriate federal, state, territorial, tribal, or local threat resources where available. Some sites provide easily accessible sensor data (both raw and processed) for the majority of natural threats.
Technological and Human-Driven Threats
- Stay engaged. Numerous organizations are publishing threat-related reports regularly, especially for cybersecurity-related issues.
- Use technology to your advantage. There are various tools available that can allow you to monitor activity on your systems or networks, as well as the performance of your infrastructure elements.
- People can be sensors; pay attention to them. Where technology can tell you what is going on, people can tell you why.
This is a big task. Approach it one step at a time.
As described in this article, threat detection can be an overwhelming task. It does not have to be. Apply the sage advice found in the answer to the question: “How do I eat an elephant?”
The answer: “One bite at a time.”
- Build your baseline, hopefully by starting with publicly available materials from your local community and your peers from similar organizations.
- Take advantage of biology—focus on changes in your normal vs. trying to watch for everything all the time.
- Use the right sensors—media and technology for some threats, people for others.
As you detect potential threats to your organization, the next step is to assess what those threats really mean. Can they actually harm you? How badly? And ultimately, do you care? I will discuss how to answer these questions through an organized threat assessment process in my next post.
Arne Ohman, A. F. (2001). Emotion Drives Attention: Detecting the Snake in the Grass. Journal of Experimental Psychology: General, 130(3), 466-478. doi:10.1037//0096-3418.104.22.1686, retrieved from https://psycnet.apa.org/record/2001-18060-008.
Read the other parts of this 5-part series on developing your Threat Management Program:
Part 1: Defining and Categorizing Threats for your Organization
Part 3: Properly Assessing a Threat and Analyzing its Risk
Part 4: Best Practices for Threat Management
Part 5: Building Your Threat Management Program