Incidents of mass violence demonstrate the need for a risk-based security model

April 10, 2014
Security still operates predominantly in a reactive instead of proactive mode

When I turned on the news today, I was writing an article on the second shooting at Fort Hood from last week when I saw that there had been a violent knife attack at a Pennsylvania high school, with 20 casualties and at least eight injured critically. 

Once again, we see violence on a mass scale. The FBI has been brought in and next will come information on the victims.  With two major events in the last two weeks, what can we deduce about the security in place at both Franklin Regional High School and Fort Hood? News flash: The current security model is not working!

Current security models

Disaster preparedness is improving, emergency management is working, but security is still not where it needs to be.  It is a systemic problem based on the fact that security around the U.S. is still locked in a “reactive” mode, not a “proactive” mode.

The main reason for this reactive mode in security organizations is that most security officers come from a law enforcement background, with a model based on crimes and arrests, which is totally reactive. A crime happens and police officers go into action and arrest the perp.

This reactive model does not work for preventing security incidents and mass violence because it is incident driven, not risk driven. It focuses on individuals, not on a more holistic, generalized view of threats, and it totally leaves solutions (controls) out of the equation.

After studying pages of after action reviews, post-incident analyses and media sources, the one recommendation that makes sense is that organizations need to switch to a risk-based, proactive mode for security to work.

The question for the Fort Hood incident is how this could happen again at the same military base, especially after reviewing the 89-page independent review entitled “Protecting the Force,” which was one of three reports created after the initial Fort Hood shooting, where 13 were shot and 43 injured.

If you look at the recommendations, they are very bureaucratic and procedural.  They could have been written by an efficiency expert, not by anyone with a background in security, and covered things like policy changes, having screening for clergy and psychologists, and improved mental health programs. These are all important, but they do not provide a secure environment.

The LAX after action analysis’ number one recommendation was to change the security focus to a risk-based approach.

Risk-based security

The problem with a reactive approach is that you can’t screen and lock down everyone. Fort Hood, for example, has 80,000 individuals living on the base, and probably hundreds of visitors who go in and out every day. It’s impossible to assess the mental health and the “intentions” of all of them.

That’s why a risk-based approach works. It focuses on the potential threats and then evaluates the existing controls to see whether they offer the required amount of protection based on the likelihood of the threat occurring.

You stop violent events by controlling access and by controlling weapons.  No matter how unpopular they are, you use metal detectors at certain points, you use security officers at key entrances, and you control entrances and exits. 

Once the event starts, you can improve security by having faster notification (panic alarms), the ability to disable weapons and attackers, and through adequate transport and better emergency response. To avoid the violence, however, you need to have good access control.

The risk-based approach makes use of annual risk assessments that are holistic in nature. They are not done in stovepipes; they include the entire organization, with input from staff members, visitors, students, vendors, soldiers, and patients on how they see security from their point of view, which is always dramatically different from the administration's.

A risk-based approach requires an organization to:

  • Define potential security risks.
  • Develop standardized risk assessment processes for gathering and analyzing information, and use of analytical technology.
  • Focus on prevention of new incidents, whether they are active shooter, general violence, etc.
  • Enhance security’s ability to rapidly respond to changes in the threat environment.

More bang for the buck

According to the LAX (LAWA) after action report: “Simply adding more security does not necessarily provide better security. Determining priorities and where to achieve great value for the dollars invested requires regular, systematic assessment of the likelihood and consequences (risks) associated with a range of threat scenarios that morph and change more quickly now than ever before.

Collaborative engagement in a security risk assessment process across the community builds the buy-in needed to develop and sustain a holistic security program over time. Leaders must be open to challenging established practices and demonstrate a willingness to change direction.”

Making the switch to a risk-based security program is the best recommendation for those who want to protect their staff, students, patients, vendors, clients, soldiers, and visitors from a mass casualty event, and for all the organizations that don’t want to have a terrible incident happen in the first place.