Threat Management: an organisational intelligence led approach that focuses on the threat actor


Threat ManagementBy Matthew Curtis and David Harding

On the 2nd of June 2014, two armed attackers threatened staff and robbed the Mortdale Hotel in Mortdale Sydney Australia. On the 5th of June 2014, at the Wentworth Park Hotel in the Sydney suburb of Homebush, armed attackers stormed the hotel carrying machetes and pistols and conducted a robbery. During the robbery several staff and patrons were threatened, some were injured. On September 11, 2001, in co-ordinated and simultaneous attacks on various aircraft, a terrorist group was able to use the aircraft as missiles attacking four buildings in New York and Washington, in the United States of America. Finally as referenced below the Australian Institute of Criminology, has identified that professional criminals are not deterred by risk and security mitigation strategies.

The above examples highlight the fact that although each site had appropriate and applicable security and risk management procedures in place that were specifically designed to mitigate such attacks, the criminals or terrorists were still successful. The case of the aircraft hijackings illustrates the difficulty within risk assessments of predicting the low probability but high harm incident rates. The case of the hotel attacks illustrate that professional criminals can circumvent security and risk mitigation procedures through good planning, preparation and intelligence gathering.

Given the extensive cost in both human and financial terms of the above examples, it might be prudent to utilise additional concepts and methods to prevent such attacks. One way to achieve this is to supplement current risk and security management strategies with additional strategies that focus on the person, or persons, that could make the attack. This concept is called Threat Management, and to understand this concept, it is first necessary to appreciate how it differs from Risk Management.

Dictionaries generally define the word ‘threat’ to be the intention to cause harm. This implies that a threat is made by those with the ability to make rational and conscious choices. This means that threat arises from a person’s, or group’s conscious decision to cause harm. Threats are measured by assessing a person’s or group’s capabilities, their past performance and history as threat actors, and other indicators such as media statements, public rhetoric and levels of community support.

Conversely, the generally accepted Risk Management standard (AS/NZS ISO 31000:2009 Risk management-principles and guidelines) defines Risk to be the ‘effect of occurrences on objectives’. Risk focuses on occurrences or events. Risk is event driven and measures the likelihood of a particular event and the harm that that event could cause.

If the two concepts are to be compared, Threat focuses on the intention to harm, Risk on the specific events or occurrences. Threat is assessed by measuring a person’s or group’s intentions and their capabilities. Risk is assessed by determining the likelihood of a particular event or conceived scenario, and the harm that that event could cause. The two concepts are distinct, as are the methods needed to assess and manage them.

Threat Management can be defined as ‘the coordinated management of resources to guide, counter, or neutralize the behavioral process taken from the development of criminal intent up to the point of actuating a crime or other harmful action’. Threat Management focuses on human-centric threat actors. This means that one of the first priorities is to identify the threat actor, their intentions and stage they have reached in the attack planning cycle that consists of planning, preparation and intelligence gathering. Once identified, resources can be assigned that can guide, disrupt, counter or neutralise the threat actor’s intentions and capabilities.

Traditional risk and security management concepts would suggest the questions, “Why focus on the person who is going to commit the crime?” and “Shouldn’t Security Risk Management strategies mitigate the criminal intentions?” Unfortunately, Security Risk Management Strategies do not. No matter how thorough the security and risk mitigation strategies are, they will be static in both time and location. This gives the professional criminal the opportunity to develop their own strategies to overcome or circumvent the security and risk strategies that have been put in place. As Smith and Louis of the Australian Institute of Criminology identified in the report ‘Armed robbery in Australia: 2007 National Armed Robbery Monitoring Program’, professional criminals are not deterred by security and risk mitigation measures put in place by an organisation.

Professional criminals will simply plan a method to overcome the security measures. For the organisation that must develop strategies to counter the professional criminal, investing resources to identify and disrupt the actual criminal are called for. This is especially so in the current security environment that is becoming more ambiguous for all, including law enforcement and national security authorities. Potential targets need to take much more responsibility for their own security in relation to threat actors.

The Criminal Development Pathway Model

For managers with responsibility for the protection of assets and persons from deliberate attack by criminals, terrorists, or other hostile threat actors, an understanding of the processes and pathways exploited by these groups is vital. Understanding the development of criminal intent to cause harm, the types of groups that these individuals will gravitate towards, and the planning, preparation and intelligence gathering that is undertaken prior to an attack, can suggest interventions that can prevent criminal, terrorist or other attacks.

Threat actors, such as criminals and terrorist often follow an identifiable and predictable pathway of development. This development commences in the community that the individual originates from, where there is an acceptance of a particular illegal activity. However, such acceptance does not necessarily mean the intention to commit the crime, rather that the community accepts a particular behaviour. An example may be as sublime as “It is all right to take something from someone that can afford it”.

Potential threat actors tend to seek out other like-minded individuals. Here, the potential criminal will further reinforce the belief system that the conduct of a particular activity is acceptable behaviour. Individuals at this stage will gravitate towards gangs, groups, chat rooms or in the case of radicalisation, religious sub-groups.

The next stage will see intentions turn to actions. Here the potential criminal commences physical actions to plan, prepare and gather intelligence on an appropriate target. Planning may consist of the development of an appropriate method of attack, the identification of resources required, and perhaps undertaking some form of general intelligence gathering into types of and applicability of targets.

Preparation may include the gathering of resources necessary to carry out the crime. For example, a terrorist group intent on placing an improvised explosive device at a particular location will need to gather and prepare the explosive materials, and also place it at the chosen location.

Intelligence gathering by the threat actor may occur at two points during the criminal development process. Initially the threat actor may need to identify a target that is appropriate to the threat actor’s aims and competence. This form of intelligence gathering could often be achieved through the routine activities that criminals engage in. For many criminals the target locations are those that they have had some form of exposure to. In criminology this is called Routine Activity Theory.

The criminal or terrorist will also need to gather specific intelligence that is relative to the intended target. Ultimately, the criminal will need to have knowledge of the security arrangements around the target, its vulnerabilities and how best to exploit them to attack the target. This level of detailed intelligence can only come from specific surveillance and reconnaissance of the target. In some cases this information can be gained through legitimate cover engagement with the target and its personnel. In addition, and of particular importance, the threat actor may conduct reconnaissance and intelligence activities in person, so as to gain a first hand, and eye, knowledge of the potential target.

Organisational Integration

However, understanding the criminal development pathway is only one segment of Threat Management. By utilising this knowledge, an organisation can integrate an intelligence gathering process that incorporates direct feeds of information from the varying communities that the organisation has contact with. In today’s dynamic security environment, an organisation that proactively responds to changing threat actors and risks will have the best outcomes. Good intelligence processes are a critical factor in organisational response and resilience. In addition, implementing processes to enable these strategic goals is recognised as good corporate practice.

At the strategic level, such a system would detail enterprise-level intelligence requirements, feeds and analytical processes to provide management with early outcomes. Operationally, localised intelligence could focus on the security domain of the organisation itself and draw from the surrounding community where possible. Also, a whole-of-organisation approach with a trusted insider focus could maintain a clear commonality of purpose to the vectors or enablers of strategic threat.

Such a system could provide intelligence feeds via tailored intelligence networks that could inform judgements about strategic threat. This is an all-sources approach, and for major organisations could include Government (National and State security and law enforcement authorities), members of the business community (like-minded organisations) and the wider community in relation to local and localised threats and threat actors. Additionally, in today’s multimedia environment the monitoring of data from social and other media in the public domain should also be considered.

The principle driver of intelligence activity needs to be an evidence-based understanding of the security, threat and risk environment. Such an understanding could also identify gaps in the organisation’s knowledge of threat actors and risk, and in its ability to obtain intelligence on threat actors and risk events. An understanding of intelligence needs within the organisation, its decision-making processes, business units and individuals that require intelligence support could be the basis for definition of intelligence requirements and in turn, the most appropriate sources to be developed for that intelligence.

This will require the development of policies and conventions to execute an intelligence cycle within the organisation. The intelligence cycle will typically include the implementation of processes that will enable intelligence targeting, intelligence acquisition, reporting, analysis, distribution to those who have a need to know, and feedback.

The Application Process

The next stage is to apply this knowledge and system to a process that will identify the threat actor, and then develop strategies that will guide, counter or neutralise that actors intentions. This process commences with the identification of the communities that an organisation comes into contact with. Each organisation will inherently have a variety of different communities that the organisation is geographically located in, communities that come into the organisation including through the internet, and those communities that the organisation has had business dealings with, including competitors. Each community should be assessed for their potential to harbour persons that could have intentions to harm the organisation.

The community assessment should identify the list of threat actors that could have intentions to harm the organisation. This list, although it may not specifically identify threat actors by name, should have the actors identified with sufficient detail to allow appropriate decisions on whether to act and what actions should be commenced.

Following the identification of threat actors, an assessment of each individual threat actor’s progress along the criminal development pathway can be undertaken. To make this assessment, intelligence gathering activities could be conducted by the organisation. In addition, this assessment could discover what targets the threat actors may have identified. Finally, through the utilisation of counter-surveillance, the organisation could be able to identify the stage that the threat actors are up to in their development pathway. In combination, these assessments can provide an intelligence-based picture of the threat actor’s intentions and plans.

When the above information is gathered, an intervention plan can be developed. In essence, the organisation will have three options available to it, to guide, counter or neutralise the threat actor. If identified at the early stages of the criminal development pathway, the organisation may be able to implement strategies to guide the potential threat actor away from their intention to cause harm. Should the threat actor have already commenced their planning and preparation then strategies that counter or disrupt the threat actors planning can be developed. Finally, should the threat actor have conducted surveillance and be in the final stages prior to an attack, the only viable option may be the neutralisation of the threat actor.

Following the implementation of the intervention plan, the organisation would be able to assess the results of the operation. Ultimately, the results could be that there was no event, or that the event was managed. If unsuccessful, and the threat actor was able to achieve their objective, then the event was unmanaged. This assessment could then lead to additional corporate learning, organisational responses and better business resilience.


This article has introduced the concept of Threat Management. The article has identified the Criminal Development Pathway that criminals and terrorist’s follow in their development of harmful intentions up to the point of actual physical attack. Understanding of this pathway could provide vital opportunities for the organisation to identify the level of intent and timing of intended attacks of the threat actor.

Also introduced was a strategic plan for the integration of Threat Management into a corporation. Such an intelligence system could allow the organisation to determine the allocation of specific resources at specific and required times. This could provide the organisation with advance flexibility in the competitive marketplace. The intelligence system identified could provide managers with the opportunity to have better understanding and control in an increasingly ambiguous security environment.

Finally, the process that an organisation could follow to identify the communities where a threat actor may originate from was introduced. By following the outlined process an organisation may be able to develop strategies that can guide, counter or neutralise a threat actor’s intent and actions.

The model and process outlined in this article comes from a more detailed body of work that has been published in the Journal of Applied Security Research, titled Threat Management: The Coordinated Focus on the Threat Actor, Their Intentions and Attack Cycle.

Or by following this link: .