When I turned on the news today, I was in the middle of writing an article on the 2nd Shooting
at Ft. Hood from last week, and then saw that there had been a violent knife attack at a
Pennsylvania high school, with 20 casualties and at least eight injured critically, the next day,
there was a hate crime shooting at the Jewish community center in Overland Park, Kansas.
Once again, we see violence on a mass scale, the FBI has been brought in, and next will come
information on the victims. With two major events, in two weeks, what can we deduce about the
security in place at both Franklin Regional High School, Pennsylvania, and Fort Hood, Texas.
NEWS FLASH: THE CURRENT SECURITY MODEL IS NOT WORKING!
CURRENT SECURITY MODELS
Disaster preparedness is improving, Emergency Management is working, but security is
still not where it needs to be. It is a systemic problem based on the fact that security around
the U.S. is still locked in a REACTIVE mode, not a PROACTIVE mode.
The main reason for this reactive mode in security organizations, is because most security
officers come from a law enforcement background, with a model which is based on crimes
and arrests, and it is totally REACTIVE. A crime happens and police officers go into action
and arrest the perpetrator(s).
CRIME HAPPENS = PERP IS IDENTIFIED = PERP IS ARRESTED
Unfortunately, this reactive model does not work for preventing security incidents and mass violence
because it is INCIDENT DRIVEN, not Risk-Driven. It focuses on individuals, not on a more holistic,
generalized view of Threats, and it totally leaves Solutions (Controls) out of the equation.
After studying pages of after action reviews, post-incident analyses and media sources, the one
recommendation that makes sense is that organizations need to switch to a RISK-BASED,
PROACTIVE mode for security to work.
This was highlighted in a remark made by a Pentagon official, commenting on the 2nd Fort Hood
Shooting on April 2, and the fact that new DOD recommendations for security, had just been released.
“After the Navy Yard shooting in September 2013, another round of recommendations were made
to improve security at all DOD installations, however, a Pentagon official said that the new
recommendations had not yet been put into effect at Fort Hood. At Fort Hood, very little had
changed from 2009 regarding security procedures for soldiers at the entrance gates.”
The question for the Department of Defense is “how could this happen again at the same military
base? I took extra time to study the 89-page document called An Independent Review “Protecting
the Force”, one of 3 reports created after the initial Fort Hood Shooting, whene 13 were killed, and
43 injured.
If you look at the recommendations, they are very bureaucratic and procedural. They could have
been written by an efficiency expert, not by anyone with a background in security, and covered things
like policy changes, and having screening for clergy and psychologists, and improved mental health
programs. These are all important, but they do not provide a secure environment.
The LAX after action analysis’ Number One recommendation was to change
the security focus to a Risk-Based approach.
RISK-BASED SECURITY
The problem with a reactive approach is that you can’t screen and lock down everyone. At Fort
Hood, for example, there are 80,000 individuals living on the base, and probably hundreds of
visitors who go in and out every day. It’s impossible to assess the mental health, and the
‘intentions’ of all of them.
That’s why a Risk-Based Approach works – because it focuses on the potential threats and then evaluates the existing controls to see whether they offer the required amount of protection based on the likelihood of the threat occurring.
You stop violent events by controlling access and by controlling weapons. No matter how unpopular they are, you use metal detectors at certain points, you use security officers at key entrances, you control entrances and exits.
Once the event starts, you can improve security by having faster notification (panic alarms), ability
to block, or disable weapons and attackers, adequate transport, better emergency response, but to
avoid the violence, you need to have strong access control.
The Risk-Based approach makes use of annual risk assessments that are holistic in nature. They
are not done in stovepipes, they include the entire organizations, they include input from staff
members, visitors, students, vendors, soldiers, patients on how they see security from their point
of view, which is always dramatically different from management or administration.
A risk-based approach requires an organization to:
- Define potential security risks.
- Develop standardized risk assessment processes, for gathering and
analyzing information, and use of analytical technology
- Risk-Based Security focuses on PREVENTION OF NEW INCIDENTS
whether they are active shooter, general violence, etc.
- Enhances security’s ability to rapidly respond to changes in the threat environment.
MORE BANG FOR THE BUCK
According the LAX (LAWA) after action report, “Simply adding more security does not
necessarily provide better security. Determining priorities and where to achieve great
value for the dollars invested requires regular, systematic assessment of the likelihood
and consequences (risks) associated with a range of threat scenarios that morph and
change more quickly now than ever before.
Collaborative engagement in a security risk assessment process across the community builds
the buy-in needed to develop and sustain a holistic security program over time. Leaders must
be open to challenging established practices and demonstrate a willingness to change direction”.
Making the switch to a Risk-Based security program is the best recommendation for those who
want to protect their staff, students, patients, vendors, clients, soldiers, and visitors from a mass
casualty event, or for all the organizations who don’t want to have a terrible incident happen in
the first place!
Caroline Ramsey-Hamilton
President, Risk and Security LLC
Caroline@riskandsecurityllc.com
www.securityinfowatch.com/blogs
www.riskandsecurityllc.com