Magic APIs, Exploits, and other fairytales of social media

Social Media Monitoring practitioners routinely bear the brunt of command level frustration over what can and cannot be found online. After years in the discipline it is easy to see where frustrations occur. Much of the conflict is based in misconceptions about SMM technologies. Some of them are actually humorous whereas others are downright aggravating. Below are some of the most commonly encountered:

1. Vaporware: (n) a program that despite what your friend told you, does not exist. I lost count of how many times a discussion has started with, “I want a program that…” and ends with a modern iteration of “SKYNET.” The fact that such a program does not exist has caused many a police executive and security professional to hesitate before buying a product. It seems they are holding out for that one perfect, all-knowing, all-doing, super crime solving software. This is commonly referred to as a “Unicorn” among practitioners. The solution? Go with a program that provides what you reasonably need.

2. “Why can’t you find it?” This is one of the single most aggravating questions any SM practitioner can hear. The easy answer is, “There are approximately 1.2 million terabytes of data available on the commercial web and you want me to find one missing tweet? From six days ago?” Of course this answer will not win friends or convert non believers to the fold. The truth is finding information like tweets and status updates can be extremely difficult. As a rule you need at least two of the four dimensions (User, Content, Location, Time) to vector in on a specific item.

3. Secret APIs- Let’s be clear, even SMM platforms have to abide by rules. As practitioners we know one of the risks in this discipline is the loss of an API. Savvy practitioners will know enough about the various social media sites to “mainline” searches if needed. Ethical practitioners stay away from SMM platforms who claim to have “secret access” to otherwise unavailable APIs. Rumors constantly swirl of platforms negotiating back-room deals with social media sites. In the end, if the data is acquired through suspicious means, it is no good for law enforcement, and may even lead to litigation.

4. Exploit-O-Rama- This is specific to SMM practitioners who gather information for prosecution. As of right now, information obtained via a script or exploit, which would normally not be accessible without a court order, is poisoned fruit. Many a speaker will stand in front of a room and deliver amazing speeches on the power of hidden exploits, but at some point even they must admit their methods will not stand in court. The best advice, “when in doubt, get a court order.”

5. Free is Key- There are plenty of free SMM platforms out there. Some of them like Tweetdeck and Topsy are actually really good. However, at the end of the day nothing beats a paid platform. Competition in this space has benefitted practitioners more than many can imagine. Whereas a few years ago a platform would display information once every 10 minutes, today’s platforms can monitor in real-time, build heat maps, conduct link analysis, and so much more. The old adage truly holds up, “you get what you paid for.”

Livestreaming Meerkats with a Periscope?

Kiev was burning. Fascists, neo-Nazis, “Occupiers”, and nationalists battled in the streets while a country writhed in confusion. “Battle: Kiev” is considered one of the more poignant moments in the evolution of social media, and yet it lacked one major element; streaming video. Of course all of the major news media outlets from Al-Jazeera to Fox were on scene, but the video they chose to share had to pass through many layers before it was broadcast to the world. Fast forward to fall 2014 in Ferguson, Missouri where a handful of quasi-activists used their phones to provide live streaming video of the nation’s most violent protests in many decades.

No filters, no corporate liability, no notions of fair or balanced reports, livestreaming has usurped traditional media in what may prove to be the final blow to a moribund discipline. For those marching on the street livestreamers are advocates and story tellers. They assure the nation, even the world, will see their plight and come to understand their frustration. For law enforcement livestreamers represent a social paradox; are they media, are they concerned citizens, or are they malefactors with smartphones? For security professionals livestreamers challenge long established rules governing the recording of concerts and sporting events. Are they “recording” in the traditional sense or are they circumventing ticketing protocols by providing live video of the event? Truly the newest evolution in social media has brought with it some interesting questions and as always, a duality that bears contemplation.

On livestreaming’s light side we see the ability of people to tell their stories, unedited and as raw as life can be. The recent refugee crisis in Serbia is a great example. Tens of thousands of people trapped in the Serbo-Hungarian border region are unable to move on and unwilling to return to a war zone. Their stories were being livestreamed days if not weeks before traditional media began reporting the problem. As the popularity of real-time documentaries rises, stories like this will begin to fill Facebook timelines and Twitter feeds. The allure of livestreaming is the ability to directly reach an audience without filters and without unwanted bias. The next evolution will see 2016 US presidential candidates livestreaming for their base…if they are smart.

Media Monitoring Teams (MMT) stand to gain valuable insight if they can properly leverage livestreams. Street level content allows them to watch what is happening in a much more comprehensive fashion. While standard media monitoring provides unmatched situational awareness, streaming video adds a real-life aspect on top of the real time analysis. For example, a recent protest in Arizona was held outside of a light rail extension grand opening. A standard MMT approach provided little to no information on the protest or the impact on the event. Two livestreamers however provided a ground-level view of the ceremony and the protest. It was easy to see, based on the two streaming points of view, the protest was well attended but peaceful, and the ceremony was barely affected.

Unfortunately, a dark side of livestreaming is also alive and well. A recent scan of 20 random livestreamers around the world revealed 16 female users under 17 years of age. Each of them had an army of followers encouraging everything from flashing their breasts to sex acts. The implications of this are deep and deeply troubling. Livestreaming’s greatest strength, unfiltered information, may also prove to be its greatest weakness. A livestreamer controls the message by virtue of controlling the stream. Just as in Ferguson, one point of view does not the truth make. Biased from its foundation, a nefarious livestream can infect the minds of millions, making them believe an asymmetrical war has been declared on a peaceful population.

Similar to the early days of social media, livestreaming will too see its bumps and bruises. There will be cases of rampant child pornography and literal live action violence, but we will also see humanity triumphing over great odds and visit far reaches of the globe hitherto only dreamt of. Police departments, corporations, and of course governments can send information directly to their audience without interfering media bias. For MMTs the time to learn about livestreaming has come. Livestreaming content is being produced at the speed of life, and we must be prepared to acquire, understand, and evaluate it at the same speed.

Scoring a Touchdown with Social Media

This post originally appeared on Chris Adamczyk’s LinkedIn account in August 2015.

It’s that time of year again. Stadiums are cleaned, fantasy leagues are formed, and season ticket holders clear their Sundays. Football arrives with the same fanfare as Christmas morning, complete with special meals, family gatherings, and drunken comedy. Amidst the joviality in parking lots and stadium concourses, lone offenders lurk and creep their way from victim to victim. Oftentimes fans are so enamored with the exhilaration of a “red zone” drive, they don’t realize they’ve fallen prey to a nefarious actor disguised as a fellow devotee.

It is an expensive paradox that despite millions of dollars dumped into physical security and intrusive safety measures, crime still occurs in and around modern stadiums. Interestingly, the one security measure seemingly overlooked, yet ever present, is the personal interest each fan takes in ensuring they have a good time. Chief in that concern is how they communicate, albeit inadvertently, information about crime, suspicious activity, and disruptions. Law enforcement and security just need to be in the right place to read what the fans are saying.

Enter, social media monitoring. Whether it’s a football game or a choral concert, attendees can’t wait to show where they are and what they are doing. Unique in sporting events is the sheer volume of social media sharing. Pictures, videos, and “tweets” create a river-like flow of data from each stadium across the country. Within the thousands of packets of data are clues to determining what is happening in the venue. This includes comments about a brewing fight, pictures of a skulking person near the bathroom, and comments about shady suspects avoiding security. A savvy real-time social media monitoring team will see these clues and begin gathering information and passing it to the incident commander.

The first question everyone asks after reading a paragraph like the previous is, “how?” The answer is relatively simple. There are several real-time social media monitoring platforms on the market that will help tread the rough waters of event driven sharing. Some are free and available as “add-ons” to existing accounts while others are third party apps requiring a financial investment. Of course the adage “you get what you pay for” rings true in this space, but the real return on investment comes when law enforcement and security plan their approach, diligently prepare, and communicate their findings effectively.

As Football season arrives, take time to think about the information your team is not capturing. Furthermore, take a moment to consider how the face of event security can change if we vector teams towards problems discovered and shared by fans, minutes before a “911” call is ever made.

Real Time Social Media Monitoring and Super Bowl XLIX

I’ve heard it referred to as the “Iron Circle.” A seemingly impenetrable ring of law enforcement, National Guard, fire services, the FBI, and dozens of other federal, state, and local agencies. At times it appears to be more secure than the White House. Despite dubious claims of circumventing security, I can attest, it is the most impressive display of temporary security in the United States. However, with the evolution of terrorism, criminality, and cyber intrusions, the next generation of security will not be featured in panoramic media shots or be populated with a sea of blue uniforms. It will be a small desk in a noisy room, somewhere not far from the Iron Circle, where one piece of information will have the power to move mountains.

This was the case during Super Bowl XLIX. While the media, fans, and critics took note of the army of law enforcement patrolling the stadium and related events, a small team of open source specialists were working 18 hour days poring over an immeasurable amount of data. The information we discovered spanned from vague threats to specific situations, each one requiring some level of law enforcement response. Through all of this we developed some best practices I feel are worth covering. I must preface my observations with this; they are my observations. I’ve been conducting open source analysis since 2008 and I’ve logged well over a thousand hours. That being said, I constantly run into people in this field who challenge my perspective and cause me to see things in a new light. Rest assured, as you read the last line in this work, someone already hit “send” to let me know where I’m wrong. So be it.

The first best practice is finding the right people who can ask, “Why?” Anyone can be an analyst; not everyone can be a good analyst. A good analyst is a person who looks at data for what it is, and then asks, “Why?” The same is true in open source analysis. I can sit you in front of the best media monitoring platform out there, but if you don’t know how and when to ask why, you may as well be an empty chair. I was fortunate enough to have two incredible analysts who were well trained and even more importantly, tenaciously inquisitive. They knew the difference between background “noise” and indications of trouble. In short, in order to be effective you need to ask why, a lot.

The second observation is the value of geolocation and its convergence with time. I’m not going to dive deep into special relativity or space time theory, but the addition of geolocation has added an incredibly useful dimensional element to open source analysis that deserves much more explanation. Simply put, when I first began open source analysis I was a prisoner of the past. Our rudimentary web crawlers could only find information after it had been in existence for several minutes (sometimes hours), and the location was practically nonexistent. Now we have media monitoring software like Media Sonar which captures information as it is being posted (time), and combines it with location (dimensions one, two, and three). Einstein would be proud! The combination has radically changed how we conduct real time analysis of social media and open sources.

I could list several examples, but that would take days. Here are a few that should make you stop and think about what you have been missing;

  1. A subject tweets, “My plans for tonight; get high as **** and break into the arena. Wish me luck.”
  2. A photo is posted to Instagram showing scantily clad women and the caption, “We need girls for the Super Bowl.”
  3. A selfie boldly states, “Thanks to security I now have to hide my **** in my boots. Try to find it now!”

Each one of these comments was tagged with a location and captured seconds after being posted. Each one required a law enforcement and/or security response. I venture to say that a few short years ago, none of these comments would have been seen let alone addressed.

The next observation may seem a little self-serving, but allow me to explain; Hire someone who knows how to do this. Law enforcement, government, and private security pride themselves on their “social media person.” I’ve personally been told numerous times that “so-and-so is a Subject Matter Expert and he/she can find anything on social media.” To that I say, congratulations! What you have is a digger and diggers are awesome! When I’m not doing real time, I’m a digger as well. But when you need information now, digging is only part of the job. You need someone who can read the real time data like reading a book. More precisely, like listening to a song. Like a single note in a song, the data you see is one element of a dynamic, emergent property. The difference is, that property could be a serious crime. So, either spend the time and money to train someone properly, or look outside for that extra help. (Incidentally you can find my email here).

Finally, the last observation I would like to make in this forum is the importance of diversity. Not in the sense you probably just imagined, but in the sense of tools of the trade. Real time analysis is hard. It takes a major investment in time and energy and can cause burnout really quickly. This is especially true when you’ve been watching social media feeds for 13 hours straight and suddenly someone from across the room who has nothing to do with real time analysis logs on to their Twitter account and finds a legitimate threat. The truth is, information slips through from time to time. In order to mitigate the slippage, use a few different tools. I would not suggest using more than three at a time, and to be honest, even using two at a time is hard. It is worth it however to have one person on the geolocation data, and another using keyword searches without the geolocation. The geolocation platform should always be primary. Keyword, hashtag, and other searchable platforms are secondary, but in a pinch, may become the primary tool.

The Iron Circle will always be impressive, but as we gain an understanding of the synergy which exists between the virtual and real worlds, what happens in that small room not so far away, will be even more impressive!

The OSINT Scammers

The police commander looked at the woman introducing me as though she was explaining advanced physics. When she completed her introduction and a brief explanation of open source monitoring he simply replied, “okay.” It was less an affirmative response than an indication he was still not sure what type of voodoo I practiced. As we walked away she said to me, “Well, he’s the incident commander and you will be spending a lot of time together…so good luck.”

The commander’s response was common ground for a law enforcement open source practitioner. To me it was neither good nor bad, but an indication of where we stand in the broader LE community. “OSINTers”, as we are called, occupy the land between true computer forensics and black magic. To some we are digital ninjas who can glide along the keyboard and produce volumes of information in less time than it takes to empty a K-cup. To others however we represent the best scam going. Unfortunately we’ve done this to ourselves, and if we keep it up, we will go the way of 3 ½ inch floppies.

If you walk into any law enforcement conference in the US and throw a rock, you will likely hit seven open source subject matter experts. They openly describe their art as OSINT, or open source intelligence. Their self-ascribed accolades are almost as dubious as the job they perform. Many will tell you how awesome they are, how smart they are, and how much you really need them. Some of them are products of one or two open source gathering platforms on the market. When you ask them what they do, the truth usually comes out after a few minutes of self-aggrandizement; they surf the Internet…period. Most OSINT “SMEs” use such a broad-based approach to OSINT they end up producing volumes of useless information. In some of the worst cases, they creep through Facebook, Instagram, and others looking for photographs of marijuana, guns, and “gang indicia.” These folks will demand a high priced OSINT gathering platform, three or four screens at their desk, and will end up costing departments thousands in overtime while producing nothing but strands of useless information. On their best days they might snag a photograph of a teenager smoking a blunt, and if the OSINT god smiles upon them they will hit the jackpot with a photograph of weed lying next to a gun in a nondescript hotel room. Huzzah!

The law enforcement community is saturated with these people and they are killing the discipline one deployment at a time. The problem with their approach is they see OSINT as a way to impress others with tech-savvy and screen-shots of drugs all while solidifying a position for themselves in the future. They rarely produce anything with evidentiary value and if they do, courts have a field day stripping their methods and reducing them to something akin to a modern day peeping tom. At large events, they basically troll the internet looking for that one terrorist who decides to Tweet his attack minutes before he executes. In short, they are more like street cops roaming the city waiting to get lucky.

In the meantime, a small cadre of well-trained law enforcement intelligence professionals are working silently in the OSINT realm. It is these people that are the true future of LE-OSINT. These few don’t need a high priced platform, but if they have one it will be one tool in their box. OSINTers of this genre may be involved in evidence gathering, but they approach it with subpoenas and court orders. Most of them however see OSINT as an intelligence art like HUMINT and SIGINT which take time to learn proper gathering and analysis techniques. OSINTers of this level use targeted gathering approaches so as not to waste time rifling through hundreds of spring break photos. These OSINTers spend hours preparing for large events, establishing a baseline of behavior and seeking out grass roots trends. Finally, these OSINTers respect the privacy of other users and keep an eye towards civil liberties protections.

Back to the commander and me. We spent three hours together in the command center; me working my “Matrix” style voodoo and he watching over my shoulder between trips to the meatball tray. It wasn’t till a moment wherein I was able to provide a SITREP of the entire venue footprint that he finally sat back and shot a look of approval. I don’t know what it was he wanted to see, but it was clear I’d earned my spot in the command center for several games to come. Hopefully as we progress we show how this new method of public safety is worthy of the time and money that will be spent. It is my hope that in 10 years, LE-OSINT will take its place beside special investigations and computer forensics as a respected and reputable discipline.

What is a threat assessment?

After yesterday’s post, it became evident many people had never heard of threat assessments in terms of mental health and crime prevention. Typically assessments are not added to the calculus of overall preventative measures on a local law enforcement level. In most cases this is due to a misunderstanding of their usefulness. In other cases unfortunately, assessments are willfully avoided in an effort to limit agency liability. In the end, we all do assessments of people, situations, buildings, syndicates and so on daily, we just don’t formalize them and distribute them outside of a controlled group. After having conducted well over 400 assessments in the last five years, I’ve learned the only good assessment is one that can be acted upon. For this to happen, they have to be sent to the people who need them most. This piece will focus on some basic tenets of an assessment. Later, I will discuss the “to whom…” portion. Understand, an in-person class on assessments lasts 10 hours so what follows is a very compressed version.

The first thing to remember is threat assessments are dynamic. This is to say, what is accurate now may not be so in 10 minutes. For this reason, assessors expend a lot of energy keeping the assessment as accurate as possible. Most times, the assessment will hold for the time needed to take action whether that be mental health intervention or detainment. There are times however when the ink will have barely dried and the assessment needs to be updated. This point is very important to remember for two groups of people; the customer and the command staff. For this reason both the customer and command staff must dedicate a person to continually liaise with the assessment team so pertinent updates can be pushed quickly to the end users.

The next critical element of an assessment is research. Knowing the risk a subject poses comes in part from understanding from where they came both literally and figuratively. Assessors must dive deep into the history of the subject for this information. For law enforcement this means reading potentially dozens of police reports, arrest records, and field contact cards. The work can be tedious, but one nugget of information can make a life or death difference. For corporate security or contractors, research may be a major obstacle but it’s not one that cannot be overcome. Most counties across the country publish court records on-line and most police departments will provide copies of reports for a nominal fee. If that is all you have, then do what you can. Take a moment to research the subject’s digital world as well. For some, you may only find a digital shadow, while others have a significant digital footprint.

Once the research is complete, the assessor moves to the analysis phase. In reality, an assessment team would simultaneously dig and analyze, however in most agencies assessments fall on one or two people. For this reason, it is necessary to set aside time strictly for analysis. During this phase the assessor begins building a profile of the subject. They will answer questions like, is there a history of violence? What motivated the violence? What are the subject’s stressors? Based on known information, does the subject have a plan to commit violence? Do they have means, motivation, and opportunity? What is the subject’s pattern of life? Finally, as a byproduct of good analysis, the assessor should start seeing shatter-points or weak spots in the subject’s behavior. These become critical in the conclusion phase.

Post analysis, the assessment team needs to make a decision; what is the threat level? The assumption here is a threat matrix already exists. If it does not, then an assessment is nothing more than a research project. The best threat matrices are simple and contain at a minimum three levels. Threat matrices with five or more levels can be cumbersome and not conducive to true assessments. Once the assessment team has made a decision on the threat level, they need to be prepared to defend their choice. This is where the research and analysis will be scrutinized and tested. If done correctly, the threat level will coincide with the known information.

Finally, the conclusion of the assessment is where the customer will start their approach. The conclusion should highlight weaknesses in the subject’s pattern of life, violent plans, or criminal tendencies. These areas need to be exploited in order to frustrate the subject’s plan. By the time the customer reads the conclusion they should have already formulated a plan and know where their best chances of success lay. The conclusion is where analysis meets actions.

As you have probably noted by now, a full scale assessment will take time. For this reason, assessment teams should have a plan in place for short term assessments that can be used in the interim until a full scale product arrives. Regardless of the length, all assessments should provide actionable intelligence that can be taken by the customer and immediately applied to whatever operation is needed.

Ending Mass Killings in the U.S.- A radical approach.

There is a small group of law enforcement professionals in the United States who look at mass shootings and say, “We could have stopped this.” Such a phrase is not hyperbole or a sign of hubris; rather, it is a reflection of the type of work we engage in each day. Our job is not sexy, it does not lend itself to war stories or dramatic conflicts and in most circles it is regarded with nothing more than a shrug of indifference. When the word “assessment” enters the conversation it is almost immediately set alongside crime analysis and elven magic. The world of threat assessments is seldom understood and appreciated even less, however when looking at the current state of mass murders in the United States, threat assessments may be the only answer.

In almost every mass shooting over the last decade, the suspects announced their intentions in one form or another. It is true that in a few cases, the suspects’ capability of waging asymmetric warfare on humanity caught everyone by surprise. However, in most cases during a post incident review, trained professionals saw pre-indicators of the attack and had they been in the right positions, could have intervened. It is time now that these professionals move from post incident commentary to pre-incident actions. To do this, some changes need to be made.

The first is in the law enforcement culture. Agencies need to focus on moving from a reactive force to a pro-active, intelligence led entity. Intelligence led policing (ILP) is the foundation upon which true threat assessments are built. Agencies with an established intelligence cycle will find assessments a force multiplier. The concepts of ILP have been hijacked in recent years by command staffs bent on adapting their procedures to the newest technology. In doing so, the emphasis has been removed from human analysis and placed on sophisticated algorithms promising everything from temporal to predictive analysis. The unfortunate proof of their monumental failures is found in Arizona, Connecticut, and California. At the end of the day, ILP is about the intelligence cycle not artificial intelligence.

The second change is in the mental health system. A true assessment of a person’s capacity for murder will only be complete with the opinions and analysis of mental health professionals. Law enforcement threat analysts have expressed major frustration with the chasm between them and the medical community. The medical industry must realize that HIPAA has been turned from a protective oversight to an impenetrable brick wall used more as a liability shield than a patient’s right. Threat analysts working with psychologists would offer a powerhouse team of professionals dedicated to preventing mass killings while at the same time respecting the sacred nature of patient privacy. Furthermore, only mental health professionals know the enigmatic system and how to leverage it to get people the help they need before bullets are fired.

Finally, the public has to change the conversation about mass killings. This has never been about political affiliations or allegiances. It has always been about man’s inhumanity to man. Each time a human being is run down, stabbed, or shot in a mass killing the nation loses a little of its soul. As pundits and fear mongers race to the closest microphones, men and women across the country beg the heavens to make it “not their baby” or sink in thankful prayer they have been spared. The conversation needs to focus on making this stop. Making it stop means getting to the root of the problem which in many cases is mental health, indifference to suffering, and yes even terrorism. Some of these things can be countered in the home, for the others there are resources available. People need to know there is a way to counter this problem and it has little to do with slogans and focus groups.

The power to stop mass killings exists. Through competent cooperative assessments based on true intelligence led concepts, threat analysts can and will stem the tide of mass murder. As stated earlier, it will require some changes, but the changes are not so radical when compared to the suffering each incident brings the public.

CyberWars: The On-line Empire Strikes Back

When is the last time you saw a group of liberal activists join hands with conservatives? In the real world, partisanship is a commodity that pays high dividends. In the cybersphere however, the highest dividends are paid when ideologies melt away and activists join hands to defeat a common enemy. Recently the U.S. Government has been designated the biggest enemy.

In 2012 hundreds of thousands of Internet activists coalesced to form a global resistance to the Stop Online Piracy Act (SOPA). The act was hailed by politicians as a way to fight piracy, but the regulations and punishments for something as inconsequential as downloading a song were so severe and so draconian it led many to believe its passage would destroy the free Internet. The on-line resistance to SOPA was so intense the bill was shelved as was its sister, PIPA, also a regulation heavy bill. The success of the anti-SOPA/PIPA movement had never been seen before and opened the door for a new wave of activism.

After SOPA’s defeat it was thought unlikely that a similar cause would ever rise again. Then came the Snowden revelations. Terabytes of information exposing the United States’ mass surveillance programs set the cybersphere afire. Edward Snowden’s “David & Goliath” style story, combined with the near-daily scream-worthy revelations, was a perfect combination for a new cyber rebellion. The chance was not wasted.

February 11th, 2014 was titled “The Day we Fight Back.” The date was chosen to commemorate the suicide of prolific down-loader Aaron Swartz. The goal of the 2/11/14 action was two-fold: one, show the U.S. government that the Internet will no longer support mass surveillance, and two, encourage people to support the “USA FREEDOM ACT.” The USFA is hailed as a codified curtailing of the NSA and mass surveillance. As the day wore on, rumors of fight back operations spread through the Internet. Several on-line services displayed a unique banner (like the one above) indicating their support for fight back. Within the cyber rumorsphere there were whispers of DDOS attacks and phone re-routing, although at this point they remain rumors.

It will take several weeks and possibly months to know the full impact of fight back. It is likely businesses and/or government offices will refuse to release DDOS information until several weeks have passed. Either way, the sheer number of participants will give supporters enough leeway to pronounce the day a success. In any case, the rise of on-line activism continues and the crescendo shows no sign of slowing.

Analyze this; 2.5

“On a scale of one to five, which number represents thermonuclear war and which represents peace? The answer is simple; it depends on the value of one.”

This question is an oversimplified explanation of quantitative analysis. Every action has a numeric value, and when those values are taken together, massaged with an algorithm, and plotted on a graph they tell you everything you need to know. Ask yourself this, however: is that really true? Can quantitative analysis really tell you what you need to know in each discipline? Perhaps in finances, traffic accidents, and poker games the answer is yes, but when it comes to real world risk analysis, numbers are as useful as elven magic.

Before you click away in an angry huff, consider this: You’ve been asked to analyze the risk of recidivism of a convicted felon who is about to be released from prison. When you look through his criminal history you see he committed two armed robberies, six shoplifts, and four assaults over a three-year period. He spent the last seven years in prison. Based on that information, what is his risk of recidivism?

Odds are, if you presented those facts to a criminal intelligence analyst or a police detective, you would be told the risk is high. They would assign a numerical value to each crime, add them up, use some crazy algorithm, and tell you this person is going to be a problem. If you went strictly by the numbers, then yes, this ex-con will more than likely offend again. If you step outside of the number parameters, however, you encounter the reality of the assessment, which is that the ex-con is a human being.

Saying the convict is human is not social commentary; it’s a fact that requires a different method for cataloging. Enter qualitative analysis. Based on the person’s history there is cause to believe he may re-offend; however, there are several variables at play. For example, what were the socio-economic conditions of the subject prior to incarceration? Has the person found religion while in prison? What conditions will greet the subject upon his release? What factors that were present seven years ago will still be present upon release? All of these questions are extremely important when analyzing the risk of recidivism or any risk involving human beings. If you don’t believe me, ask yourself this: what number value should be associated with anomalous human behavior?

The challenge facing an analyst converted to the world of qualitative analysis is knowing which questions to ask and where they rank in the final risk analysis. Each situation demands a new grouping of questions; however, over time, the analyst will recognize core questions asked in each analysis. This is why risk analysis on people requires more than one analyst and should go through a rigorous vetting process with other equally skilled analysts. After all, we are mapping human behavior and can’t exclude the possibility of personal bias.

It is time we train our law enforcement risk analysts and investigators to use a qualitative system. It will be a change, and challenges lie ahead, but as we encounter the growing need for threat intelligence, predictive analysis, and efficient forecasting we need to focus on the reason for the analysis: evaluating possibility. Numbers alone won’t do the trick.

Exploiting Criminal Syndicate Risks

Combating organized crime is like cleaning oil off your driveway. There are dozens of methods to clean up the mess, yet none of them will do the job alone. Deciding how to clean the mess is just as frustrating as actually cleaning. In the same manner, many law enforcement organizations don’t know where to begin when rooting out syndicate crime. In most cases law enforcement aims its resources at the most obvious areas: street level criminals and money. These are not altogether bad tactics; however, just like cleaning the sludge off your driveway, a few methods alone will not eradicate the syndicate. Instead of relying on traditional methods for combating organized crime, law enforcement can learn a few tricks from traditional risk analysis.

Syndicates thrive off the fact they don’t appear complicated on the surface. However, they typically sink deep roots into one or more methods of preserving their existence, which adds layers of complexity. Their diffused rooting, while necessary for survival, is also a weakness and can be exploited through common risk analysis. For example, when examining supply chains, business continuity plans, or site security we look at several factors including communication, redundancy, and resiliency. Using this same tactic we can expose risks within organized criminal syndicates and exploit them to collapse the enterprise.

The first step in analyzing a syndicate’s risk is to map its internal structure. For example, all successful criminal syndicates have at least three levels of organization: upper leadership, mid-level management, and foot soldiers. Many syndicates will have other operational and management levels. To adequately collapse the order you need to know the structure from top to bottom and understand how each level interacts with the ones above and below. Mapping may not be easy if the syndicate utilizes a cellular structure; however, that too has weaknesses that can be exploited.

The next step is to detail what the syndicate needs to survive. In most cases you find common needs like communication, recruits, and possibly money. There may be several “needs,” and the more the better, because with more needs comes more risk. Once you have mapped out the group’s needs, overlay them on the structure. This will let you see which level of the group is responsible for these needs. At this point, several “red flags” will become obvious. These red flags are what we call “risks.” If no red flags are obvious then deeper analysis may be needed to expose other facets of the group like ideology and cultural dependency.

Similar to prioritizing risks for mitigation, you now prioritize the syndicate’s risks for exploitation. Target one element and become the threat directly associated with that risk. In some cases where the risks are cultural this will require non-traditional law enforcement techniques like outreach and collaboration. In syndicates where the risks are not cultural and are easily identified, exploiting the weakness will threaten the group’s entire stability.

Combating organized crime through risk analysis is of course more complicated than described above; however, the basic template will not change. Every criminal syndicate has weaknesses; it’s up to law enforcement to find the weaknesses, exploit them fully, and eradicate the group.