vulnerability need not be. This concept will be discussed further in the vul-
nerability assessment chapter (Chapter 5).
Threat Identification and Classification
The best predictor of the future is the past. This same idea holds true when
assessing adversaries. A thorough understanding of how adversaries operated
in the past can assist security decision makers in predicting future adversarial
operations. Without fear of jumping to conclusions, many security profes-
sionals knew immediately that Osama Bin Laden was responsible for the World
Trade Center and Pentagon attacks on September 11, 2001 as soon as the
second plane hit the World Trade Center. This accurate assessment was based
on knowledge of prior attacks by a terrorist organization that the world came
to know as al-Qaeda.
While the al-Qaeda example is universally understood in the security
industry, the same logic can be applied to commercial and industrial targets. If
security decision makers understand the adversary’s perspective, effective
protection measures can be efficiently allocated to reduce the threat. How do
adversaries select targets? What types of assets have been targeted in the past?
What are their intentions, capabilities, and motives? Bank and financial insti-
tution security professionals have made excellent use of threat information
sharing to prevent certain crimes. Similarly, retailers have shared information
to track baby formula thefts.
Although the goal of any security decision makers should be to quantita-
tively identify threats, it is not always possible to do so, and some threats must
therefore be assessed qualitatively based on assumptions and educated guesses.
Crime threats can normally be assessed quantitatively based on historical crime
data, whereas understanding a particular criminal must be qualitatively
addressed. This is a key difference of crime analysis, the examination of his-
torical crimes with little regard to the criminal himself, the adversary.
In this chapter, the focus will be on understanding the adversary or the qual-
itative perspective. In the crime analysis chapter (Chapter 4), a data-driven,
quantitative method will be discussed. So what type of information is needed
to describe a threat qualitatively?
The type of adversary
The adversary’s intentions
The adversary’s motivations
The adversary’s capabilities
Threats can be classified as either human or natural. Human threats are
those involving people working on the inside of the organization such as
employers and contractors (insiders), people who attack from outside of the
organization (outsiders), or a combination of the two. Natural threats are those
30 Strategic Security Management

Get Strategic Security Management now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.