 |
 |
|---|
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
|
|
||
|
Change the paradigm from risk- to threat-based decision-making The horrific tragedy of the massacre on the Virginia Tech campus raises numerous questions, not the least of which is how best to secure our schools, campuses, businesses and buildings from threats of low frequency threats we may think have a low probability of occurring. In a press conference hours after the attack, a speaker from Virginia Tech University said the attack was “a low-probability high-stake” attack that could not have been prevented. That type of statement is a recipe for failure and raises the need to reconsider how we “think” and “do” security. In recent years, the generally accepted security paradigm called for risk-based decision making, one that considers risks through a cost benefit analysis to mitigate and minimize costs and consequences. Security risks are comprised of three variables: the probability of an occurrence, our vulnerability at a given time and place, and potential consequences. The problem with looking at prevention only through these variables is that it ignores the fact that threats are ever present though the probability of an attack may be low. The question is, “Can we protect our businesses, schools, universities and facilities based on a different thought process?” We believe we need to strike a balance between risk-based decision-making that provides a road map, generates a security master plan and determines resource allocation and a threat-based process. We need a decision-making process that is cost-effective yet offers a threat-based scenario-driven plan that considers all credible, realistic threats that may occur at a facility. Threat-based thinking has as one of its underlying assumptions that we must do everything possible to prevent any attack at a facility. To focus on one or two likely threats is folly. A security plan can’t be based solely on an analysis of frequency of events but must include preventive measures, not just responses. Questions about the effectiveness of the security, emergency plans and crisis-response plan of Virginia Tech Campus will continue to arise and be closely examined. Was there a plan to prevent such attack? Was the response of law enforcement agencies rapid and adequate? Were there any warning signs that should have been picked up by campus law enforcement and university officials? Were there any emergency and crisis policies and procedures in place, and if so, were they tested and practiced? These questions are important for a critical analysis of this attack and there are certainly lessons that will be learned. But is it going to change the way we think about security? Our obligation as security professionals is not solely to reduce risks and losses, but to protect the life of those we serve. Campus buildings and facilities are not more important than human life and “open environment” is a state of mind, not a question of security measures. Our challenge is to provide guidance that will allow facilities and institutions to be welcoming and secure at the same time.
When strategizing our security program from a threat-based perspective we need to follow these steps:
The right balance between risk-based and threat-based security decision-making will enable us to focus on the prevention of future attacks, not just on the reduction and mitigation of its consequences. This approach will help insure the safety of our institutions and workplaces and decrease the likelihood of “low-probability threats” striking terror upon us. Amit Gavish is senior corporate adviser for international security issues at SSC Inc. of Shelton. He conducts risk assessments and security training seminars on detection, prevention and preparedness for terrorist and suicide bombings. 
|
||
