Scenarios or Table-tops…Which one is better?

The halls were filled with the sounds of gunfire and fear. Our team moved forward as fast as we could, passing victims and backpacks, pursuing the gunfire. We thought the shooting was in front of us, but the labyrinth of walls made it impossible to know for sure. As we cut around a sharp corner I came face-to-face with a suspect. I fired two quick shots, hitting him in the face and neck. He yelled and recoiled backwards. A deep voice roared to life behind me, “No shooting in the face! Scenario over!”

Fast forward 11 years and I was sitting at a standard, round, hotel conference room table with four people I’d never met. The woman at the front of the room had just finished describing what amounted to the collapse of social order due to several days without power. Our job was to keep a local hospital running with no fresh water, no sewage service, and little to no police protection.

Believe it or not, I left both training events thinking, “That was the best training I’ve ever had,” even though they were light years apart in scope and teaching styles. One was a full-scope, active shooter, scenario-based training module complete with SIM guns, screaming actors, and vicious assailants. The other was in a comfortable room surrounded by calm voices, candy, and chilled bottles of water. The contrast between the two could not be any clearer. If you were to look at both events from an objective standpoint you might be inclined to think the scenario-based module was superior to the table-top. The truth is one is indeed superior to the other, when done correctly.

“Realistic” scenario-based training modules are extremely popular right now. The thought process is, “we will expose our employees to the realities of the event, thus training them for the real thing.” This is not altogether a flawed line of thinking, but it can, and often does, lead to very expensive training modules that produce very few positive outcomes. The main problem with defaulting to scenario-based training is that many people are ill equipped to handle the scenario, which almost always leads to failure. For scenario-based training to be effective, employees must have some foundational training upon which to rely. For example, an active shooter training scenario will be successful only after employees have undergone basic crisis training. Employees need to have a plan so that plan can be tested. Conducting table-top exercises with employees lets them see the plan in action. Table-top modules build confidence in response plans and, more importantly, build confidence in employees’ ability to react to a crisis. When employees finally undergo the scenario-based module, they will already know how to succeed, which in the end will help them survive the real deal.

Just as a reliance on scenario-based training will fail, so will a reliance on table-top exercises. For several reasons many entities use three or four of the same scenarios each year to train employees on crisis management. During the exercise the most stressful dilemma is usually trying to end the scenario before lunch. In the worst cases, employees skip the training modules and become victims rather than survivors when the real attack occurs. To avoid the monotony and dismissive attitudes, table-tops need to challenge employees and, more importantly, they need to build confidence. Interspersing real-life, external stressors like active assailants will show employees the importance of table-tops. If budgets are too low for full-scale scenario-based modules, try simple things like turning out the lights and making everyone work using whatever light sources they can find. You might be surprised to see what weaknesses in personnel and facilities reveal themselves with just a tiny amount of stress.

To answer the overarching question of which is superior: it depends on the company’s level of readiness. An overreliance on either will not be effective. To ensure success, build a good training foundation and complement that foundation with real-life stressors. Most importantly, remember that all crisis training is meant to ensure survival. Pick training modules accordingly.

Open Source- The New Art

There is no shortage of high-priced OSINT practitioners filling classrooms and lecture halls across the country. The once disregarded art of surfing the Internet for information has become a full-blown discipline. Many of the practitioners travelling the country as subject matter experts (SMEs) are indeed qualified and very experienced in extracting information from various Internet sources. The one aspect most of the current instructors miss, however, is what to do with the information once extracted.

Just like the intelligence cycle, competent OSINT has a specific workflow: Research, Extract, Sort, Analyze, and Disposition. Research is the topic of most open source classes and symposia. Thousands of law enforcement, security, and intelligence professionals are very adept at scouring the Internet for information. Most of them are equally adept at extracting the information they need. Where the cycle falls apart in many cases is at the sorting phase. Here practitioners need to stop research and extraction and look through the data they have. Decisions need to be made on what is important and what is not, based on mission parameters. The data needs to be further categorized in terms of direct impact on the mission, ancillary impact, and questionable impact. From here, the deep analysis begins.

Analysis of open source information is contingent on the overall impact to the mission. If, for example, you are investigating a series of photographs depicting a subject holding firearms, and the subject is a prohibited possessor, the analysis of the photos will need to be rigorous. An investigator will need to determine if the suspect is readily identifiable. Are the weapons he or she possesses real or fake, and what clues lead to either conclusion? How recent is the photograph? Where was the photograph taken? Finally, what was said about the photograph by the poster and the followers? From a criminal intelligence standpoint, what about this post has ramifications beyond this case? A private security officer who is examining the photographs must review each comment to measure the general mood of the posts. A lot can be learned about employee social networks and insider threats by reading comments.

Aside from meaningful analysis, the disposition of open source information can be one of the hardest phases of the cycle. Here, a practitioner needs to store the information or deliver it to the needed customer. In law enforcement you have two main choices: case information and criminal intelligence. Case information means the information is evidence and needs to be stored and processed in accordance with court procedures for prosecution. The implications of such a disposition are many due to the various methods for storing digital information. If it is determined the information falls into the criminal intelligence realm, it is governed by 28 CFR Part 23 and will need to be audited. In the intelligence field, this information may need to be sent to other intelligence professionals for analysis on larger threats or trends. Private security may share the information with Human Resource professionals, or store it as a part of insider threat investigations. In any case, disposition of the information will ultimately be scrutinized and must therefore be carefully handled.

Open source intelligence (OSINT) is still an emerging tradecraft and will go through many iterations before it is commonly accepted. Following the cycle above and seeking out training that reinforces the cycle will build a cultural foundation for practitioners and make the discipline far more reputable. As challenges arise, security will be found in establishing solid industry standards like the cycle described above. For those in command positions: seek out full-scope training and move away from training that focuses on only one aspect of the discipline. After all, looking at a small piece of the canvas is nowhere near as inspiring as seeing the full painting.

New Threats Require New Defense Strategies

As we enter a new phase of terrorism, old counterterrorism measures need to be reviewed and updated. Since 9/11 the law enforcement community has been building counterterrorism strategies on the theory that each terrorist event requires significant pre-planning and that this pre-planning is done in a manner detectable by the public and law enforcement. Much of the counterterrorism industry is accustomed to the “Eight Signs” or pre-indicators: Surveillance, Information Gathering, Security Testing, Finance, Logistics, Strange Behavior, Dry Runs, and Deployment. This strategy worked for several years because it was assumed major attacks would require significant time spent performing each pre-indicator. Today many of these pre-indicators have been compressed or eliminated, which reduces the possibility of detection. Two types of attacks illustrate this, and the need for updated strategies: active shooters and cyber attacks.

Active shooter cases appear to be on the rise in the United States. In post-attack analysis certain patterns have emerged, but there is a lack of pre-incident “unifying behaviors” explicit enough around which to craft countering strategies. For example, in all active shooter cases the suspect required access to a firearm. Since the purchase of weapons is not prohibited, nor successfully monitored, there is no way to build a countering strategy around acquisition. Surveillance and Dry Runs are still possible gateways of prevention, but rely more on luck than science to be successful. To effectively combat active shooter attacks we need to look at core prevention strategies with an understanding that the risk of an active shooter attack will always be present. With this assumption in place, prevention strategies need to focus on reducing the risk posed to potential targets. Re-writing emergency plans, identifying shelter-in-place locations, and proactive security measures are all proven methods for reducing the risk of active shooter attacks. These strategies are most successful when complemented by real-life training scenarios exposing participants to the sights and sounds of the real incident.

The complexities of cyber warfare are vast and numerous, and because the warfare is conducted in “cyber space,” traditional pre-indicators are not valid. Whereas state secrets were once the currency of the realm, now cyber collectives attack everyone from corporations to police agencies, meaning it is virtually impossible to identify which specific data is at risk and which is not. The old adage of the best offense being a robust defense is very pertinent in cyber warfare. By examining threats and trends, and being proactive with system security, the risk of a successful cyber attack is significantly mitigated. It is also vital to examine nontraditional security measures in data management and access controls. Finally, the use of preventative intelligence will add the final touch to a robust security posture. Preventative intelligence leveraged against cyber attacks will be addressed in another entry; however, it is vital to understand how important it is in defending your networks.

As the world moves from one iteration of terror to another, counterterrorism strategies need to evolve. Counterterrorism strategies built around significant pre-planning operations need to give way to current methods of protection, detection, and deterrence. While there is always an inherent risk of attacks regardless of time or place, using intelligence and building strong and flexible defense networks will mitigate risk and save lives.

Using Risk to Fight Crime?

Risk, risk management, and risk mitigation strategies have existed in one form or another for several years in banking and business. The discipline of risk management, however, tends to be ignored when it comes to law enforcement. This is not to say law enforcement is unfamiliar with risk. It most certainly is familiar with it, but it tends to see risk only in terms of measuring officer safety. Risk management strategies can also be used to fight crime in a more efficient and effective manner.

Risk requires four elements: context, environment, actions, and consequences. In law enforcement the consequences are always the same: crime. Therefore the other three elements serve as the core of crime prevention through risk management. The best way to describe this is to use a scenario. Take an alley between two multi-level buildings. Alone, the alley represents nothing, and based on its simplicity is not at risk of crime. Take that same alley and change the environment to nighttime, say 9:35 pm, and add the context of the alley being the quickest route from the local library to St. Mary’s college. With these factors in place, the alley begins to look more and more like a breeding ground for crime, but we still need actions, which in law enforcement come in the form of suspects and victims. Suspect actions typically fall closely in line with environment, as in you will find more drug users around drug houses and potentially more vehicle burglary suspects in shopping mall parking lots. In this case, let’s assume this dark alley is the meeting place for small-time street robbers and thieves of opportunity. The final element needed to make this scenario come to life is the actions of a victim. Namely, they need to enter the alley.

There are many ways of looking at the alley scenario. Each one requires that law enforcement see the alley and all of its elements as precursors to crime. With this conclusion well in place, we must now look at how to prevent the crime. Some law enforcement minds would respond by increasing marked car patrols in the area of the alley. The thought being, “bad guys don’t like the police and will stop being bad guys while we are around.” In terms of basic crime prevention this is a questionable practice, but in terms of risk management it’s absolutely useless. Random patrols do not remove any of the elements of risk we identified above. From a pure risk management standpoint we need to remove one or more of the elements creating the risk. The addition of sufficient lighting, for example, will affect the environment, as will visible CCTV cameras. Public outreach on the part of the school to educate the students on the dangers of walking alone will mitigate the risk of a solo student using the alley. Finally, the use of strategic policing, focusing on high-risk suspects in the area, will mitigate the chances a suspect and victim will meet in the alley.

The alley example is an obvious oversimplification of larger criminal problems; however, the same basic principle applies across the board. If a neighborhood is known for gang activity, it is incumbent on the police to examine the area from a risk management standpoint and move strategically to counter the gang problem. The same can be said for neighborhoods known for burglaries, intersections known for collisions, and apartment complexes famous for drug crime. Simply forming task forces with the stated goal of arrests does nothing to mitigate further risk. However, when you remove one element from each of these criminal equations, your chances of diminishing the risk of continued crime increase exponentially. This also places the police agency in a position to form crime eradication strategies to hopefully bring safety and security to the area.

Risk-based policing fits neatly with intelligence-led policing techniques in that it is most successful after a full examination of the criminal dynamic has taken place. This furthers the goal of efficient resource allocation. As technology continues to spring forward, the use of social networking and digital communications will increase the success of risk-based policing. Risk-based policing is not a panacea, but it is a far more effective strategy than random police patrols or strategies based solely on high arrest statistics.


What is ILP and why should I care?

We have all seen the latest and greatest programs come and go in law enforcement. Community Policing (CP), Problem Oriented Policing (POP), and CompStat have all etched their legacies in the industry. Along with these programs come flocks of new gadgets, the latest technology, and of course money. There is a simple method, however, that does not rely solely on gadgets nor does it require a lot of money: Intelligence Led Policing (ILP).

The national intelligence community is shrouded in secrecy and for good reason. There are however some publicly known intelligence processes that are directly applicable to law enforcement. The first is the intelligence cycle. The CIA perfected this cycle and its use has been seen in most state level fusion centers across the United States. It would take several pages to do justice to the intelligence cycle so for the sake of brevity we will just list the steps. They are planning, collection, processing, analysis, and dissemination. The cycle is named such because after dissemination analysts collect information on the results and start the cycle again. The intelligence process is at the core of intelligence led policing.

In law enforcement the intelligence cycle manifests itself as follows: an analyst notices an uptick in burglaries in a specific neighborhood. She feels the uptick might be indicative of an organized crew. She creates a collection plan with the sole purpose of answering the question: who are the suspects? She then requests all information related to the crimes. Patrol officers and detectives begin sending all they know about the burglaries to the analyst. She sorts the information into categories and begins to analyze it all for clues. Once analyzed, she produces a document with refined, actionable information (also called intelligence) including suspect information, vehicles, and a basic temporal analysis indicating the most probable time of day for the crimes. Patrol squads take the information and modify their patrol tactics to concentrate on the area most at risk for the burglaries. Specialty units employ covert assets and surveillance on investigative leads. As each unit finishes a task, they report their findings to the analyst who continues through the cycle exploring new leads and eliminating dead-ends. Finally, a coordinated effort leads to the arrest of the burglary crew.

ILP is not simply the reactive process as described above. A true ILP strategy confronts all three law enforcement needs: prevention, detection, and prosecution. It can be said that once a strong ILP strategy takes hold in an agency, it begins to step in front of crime. This specific process will be explained in a follow-up entry. A strong ILP strategy is also scalable to fit every problem encountered in modern policing. The template can expand or contract based on the criminal trends. For example, a series of shoplifts may only require one cycle to identify the suspects and end the criminal threat. Other crime series may require an ILP strategy that deploys to meet all three needs at once. A narcotics ring or stolen merchandise crew are examples. What is paramount in any series is a willingness by all personnel to let the cycle run its course and not try short cuts or combine old strategies simply because “they worked years ago.”

ILP strategies are also scalable to the technological capabilities of each agency. A true intelligence-led process does not rely on high-priced technologies to function, although a robust data extraction program is helpful. While many software programs are “a good fit”, basic data extraction and management can be accomplished through the creation of workflows deployed by human analysts. Of course, the larger the data set, the bigger the technological need, but the base level ILP templates can run without expensive software. History has shown that an overreliance on technology dulls certain law enforcement skills; therefore, all ILP strategies must have a healthy mixture of technology and human influence.

There will always be roadblocks to implementing ILP templates in an agency. Chief among them will be the stigma associated with allowing “intelligence” to lead investigations. Due to a cultural misunderstanding of what criminal intelligence is, many agencies will balk at accepting ILP or will adopt a light ILP strategy only to fill it with their own contradicting best practices. The key to ILP is to show officers and detectives a direct benefit to them. Patrol officers want to detect and prosecute crime, but general patrol is the least successful means of accomplishing this. Directed patrol, however, meaning patrol led by intelligence, not only suppresses crime, it allows the officers to “hunt bad guys” in an efficient manner. Other roadblocks will arise, but they can all be overcome. Like industry, law enforcement must evolve. Officers can either be perpetually reactive or they can leap forward and proactively combat the criminal threat. Intelligence led policing is the springboard for this leap.

