Terrorists may target an organisation’s personnel, customers, physical assets and information. This choice of target means that a security management programme needs to be multi-layered in order to properly protect from a variety of threat contexts.
Rational choice theory states that terrorists will employ a cost-benefit analysis to select targets based on the value of the target, the ease of access and the likelihood of success. Whilst security management cannot change the value of the target, it can aim to control the potential for access and minimise the likelihood of success.
Elements of security management include physical and technical systems, effective management processes and procedures as well as adequate levels of competency for all personnel.
All of these elements combine to create a culture of security within the organisation.
The first step in security management is to assess the potential risks to an organisation and then develop processes and strategies to mitigate against them. This is an ongoing process as risks will continually evolve and change.
For example, the IRA had a common modus operandi of using hidden or vehicle-based bombs, but as counter measures improved against these types of attacks other groups adopted new methods of attack such as using a vehicle as a weapon. These vehicle ramming attacks required minimum capability and have a huge and highly newsworthy impact.
On July 14 2016 an ISIS attacker drove a truck into a crowd in Nice killing 86 people and wounding more that 430 others.
This then led to many similar attacks including the London Bridge attack on June 3 2017.– Counter Extremism Project, 2023
The process of risk assessment involves identifying the terrorist threats and evaluating the risks associated with these. Factors to be considered (National Counter Terrorism Security Office, 2023):
- The national threat level and, if known, for a certain sector.
- Reasons why an organisation or neighbour may be targeted for attack.
- Reasons why an organisation or neighbour may be easy to attack.
- Events or activities which may attract an attack.
- What attack types may be used against an organisation.
- What work practices may expose or protect from a terrorist attack.
- Anything on site which may be used to aid an attack.
Information as to the current national threat level is put into the public domain by the Security Service and can be accessed on the National Protective Security Authority website. The information covers both the current threat level as well as threats of specific types of terrorism. Additional support is available from Counter Terrorism Security Advisors from regional Police forces.
Having assessed the risks, the next step is to assess the physical measures required to detect, deter and delay an attack. These measures include buildings and infrastructure.
For example, the rise in attacks using a vehicle as a weapon has led to a variety of anti-vehicle barriers now commonly seen in vulnerable locations. The next layer of protection is then search and screening equipment such as x-ray equipment and chemical and explosive detectors. This is all backed up with technology and control rooms which is used to control access and allow easy monitoring through CCTV, tracking and control systems.
Staff play an important role in observing, detecting and responding to terrorist threats. In addition to security staff, all staff should be aware of how to protect an organisation and deal with any type of attack.
In the event of an attack occurring, robust planning combined with training and exercising is likely to mitigate the effects as far as possible. Following the Kerslake Report into the Manchester Arena bombing, the forthcoming Martyn’s Law (Protect Duty) will put a statutory duty on organisations that meet thresholds for public accessibility to implement risk assessment, planning and training.
Exercising is essential to any effective crisis response in order to rehearse the response to a given threat. Rick Rescorla is noted for his role in the 9/11 Trade Center attack as his appreciation of the terrorist risk had led him to implement regular evacuation drills which ultimately led to the saving of nearly 2700 Morgan Stanley employees.
The results of an exercise should be evaluated similarly to a real incident to assess the effectiveness of existing measures and procedures and to identify any improvements that are required.
- A recovery plan should specify the key resources, procedures and actions required to establish business as normal as quickly and efficiently as possible following any incident.
- This plan should also consider reputational damage and how it can be minimised.
- A cohesive communications plan will also inform recovery processes by providing clearly defined lines of communication using a variety of channels.
No organisation can ever be totally protected from a determined terrorist attack, however it can reduce it’s accessibility as a target and be better prepared to deal with an incident.
This requires ongoing diligence, risk assessment and evaluation of current practices & procedures.
The layered approach allows an organisation to consider the threat environment from the outer physical barriers to the internal technical measures and personnel skills. Ongoing evaluation of the changing risk landscape and the practices and procedures in place to deal with all threats is a key element of any terrorist risk management strategy. The totality of this approach creates the holistic security culture.