Probability: Looking at Likelihood When Assessing Personal Risk


There is a tendency to be drawn to the more exotic, spectacular or exciting threats when considering personal risk rather than the more likely but more mundane threats.  In many parts of the developing world your greatest risk is a vehicle accident.  Poorly maintained vehicles, a lack or total absence of professional driver training and licensing, bad roads and sometimes a lackadaisical attitude towards safety in general make this a real concern in many places.  This is often compounded in places where modern medical care is severely lacking and all but the most minor medical issues require evacuation.  In an environment like this, injuries sustained in a traffic accident that might be very manageable elsewhere in the world can be fatal.

While conducting a recent threat assessment in East Africa following the Westgate Mall attack, it was difficult to get the consumers of the report to appreciate the full spectrum of threat that exists apart from terrorism.  Yes, terrorism is a very real concern and the relative success of the Westgate attack (a low tech attack using limited numbers that produced high casualties and went on for days capturing worldwide media attention) may encourage further, similar actions.  Any further attacks will likely occur at soft targets where visitors and expatriates are likely to be such as hotels, transit hubs, shopping venues and so forth.  That said, Nairobi is a city racked by violent crime and for the average visitor or resident this is a much greater risk than terrorism.  There is a much greater chance of being carjacked, and possibly murdered in the process than there is of being present during a terrorist attack.

When assessing your personal risk in a particular location and perhaps basing whether or not you will go or what mitigation measures you will put in place, it’s important to consider the full threat spectrum and consider the likelihood or probability of each type of threat so that you don’t get so caught up with the more spectacular threat that is receiving massive coverage on CNN that you ignore the more probable threats that might be right in front of you.


Dangerous Business

Hole - Peter Shaw

 

If you do business in an international environment then chances are you deal with a wide range of people with different ideas about acceptable business practices, business ethics, conflict resolution and competition.  While some of these people may hold views very similar to yours many others may have a different perspective.   Generally speaking the further you go off the beaten path the more pronounced these differences may be.

Whether you are aware of it or not you may run afoul of one of these people, either by posing competition to their business, by refusing to pay bribes or engage in corruption, or by choosing or failing to choose a certain vendor or business partner.  In many places members of the police, military and security forces also have private sector business interests and can present a formidable threat if you find yourself in a business dispute with them.

Consider the story of Peter Shaw, a Welsh banker working for the European Commission in Tbilisi, Georgia.  Shaw was in Georgia providing consulting to the Georgian banking sector.  In June 2002, just days before he was supposed to complete his assignment and leave Georgia, Shaw was kidnapped off a Tbilisi street by heavily armed attackers in paramilitary uniforms.  He was then held captive for five months, four of them in a subterranean cell in the Pankisi Gorge under deplorable conditions, the details of which he recounts in his book Hole: Kidnapped in Georgia.  While it was never conclusively proven that his kidnapping was related to his work in banking there were strong indications that it was.  It’s possible that Shaw’s work to improve the Georgian banking sector put him at odds with powerful people who were using the financial system for their own enrichment.

While Shaw’s case is an extreme example, it’s important to be aware of potential pitfalls that may exist in the country or countries where you are conducting business.   How do you counteract this risk?  It’s difficult but due diligence on potential partners and associates and a thorough assessment of the business sector in that country is one initial step you can take.  Knowing who the key players are and what businesses they are in is a good beginning.  Another is a simple awareness of the threat and practicing good personal security measures and operational security.

 

Lessons Learned vs. Armchair Quarterbacking

One of the best ways to develop new countermeasures and enhance your personal or your organization’s security is by studying security incidents that have occurred to learn both from the mistakes of others and also from what they did well.  Rightly or wrongly there is often a tendency to focus on the mistakes and things that went wrong as these sometimes provide the most cogent lessons learned.  When doing this we need to do it dispassionately and we need to avoid the appearance of blaming the victim.  All hindsight is 20/20 and it is easy to look at all the details of an event after it has transpired and pontificate about what someone did wrong and why we would have done it differently.  It is much different when the event is unfolding and you are wrapped in uncertainty and trying to make decisions under pressure.  It is also different when you don’t have the ability to see a threat clearly due to other events or distractions that may be going on.

The horrific school shooting in Newtown, Connecticut brings this principle to the forefront.  While information and details are still coming in as of this writing it demonstrates the need to study these events to look for areas of improvement and consider how things can be done in the future to mitigate the risk.   This is not intended to be a discussion of the Sandy Hook massacre as this is being covered extensively in other venues and discussed by people much more knowledgeable about school security and active shooter situations than I am.   Those of us who are parents though are searching for information and perhaps answers and solutions to make our children safer.   Interestingly it appears from current information that the Sandy Hook Elementary School did a whole lot right in terms of their security program and perhaps exceeded what is in place at many schools.  Still we need to do a close examination to see what might be implemented to reduce the risk at other schools in the future.

One of the most valuable things we can do is to look at case studies concerning criminal and terrorist incidents and look at why the victim was vulnerable and what they might have done to reduce or even eliminate that vulnerability.  If we are looking at confrontational crimes targeting individuals we might look at a robbery incident where the victim was distracted and fumbling with her car keys when she was approached and victimized.  Looking at a kidnapping we may find the victim habitually departed for work each day at the same time and used the same route.  We should also look at our own experiences where we had near misses or close calls and look at areas where we could have done something differently.  In these cases we need to be frank with ourselves if we were lazy, complacent, overconfident, disregarded our own intuition, or whatever.

What separates armchair or Monday morning quarterbacking from thoughtful lessons learned?  As much as anything it’s the spirit in which it’s done and the mindset.  Armchair quarterbacking is pontificating, sometimes accusatory and not done with a constructive goal in mind.  Analyzing lessons learned on the other hand is thoughtful, constructive and done with the intent of not repeating past mistakes or missteps – others’ or our own – but rather learning from them to develop new procedures, tactics and approaches that will reduce the risk and make us more effective.

 

 

 

Hard Skills vs. Soft Skills

Most of the material covered in Protective Concepts relates to soft skills such as awareness, avoidance, risk assessment and intelligence and there is little detailed discussion of hard skills such as shooting, evasive driving, close quarters combat and so forth. This is for a couple of reasons:

(1) The soft skills, when applied correctly will greatly reduce the likelihood of you needing to employ the hard skills.

(2) The soft skills can be applied by virtually anyone, regardless of age, sex, physical condition, etc. They are truly “life skills”, whereas proficiency at many of the hard skills will be based on physical ability and may be perishable with age.

(3) There are frankly times where some of the hard skills, in particular shooting may not be applicable due to local restrictions on firearms, etc.

(4) Many of the hard skill subjects are well covered elsewhere by very knowledgeable people.

That said we will touch on some of the hard skills in the near future.

 

Unsolicited Approaches

Consider possible ulterior motives when approached by a stranger

In keeping with the themes of social engineering and elicitation it’s a good point to discuss the need to be wary of unsolicited approaches.  We also need to be mindful that these approaches are not necessarily made in person although they can be. In today’s technological world they are frequently also made via email or through social media.

These types of unsolicited approaches are made by criminals and other dangerous people for a variety of reasons.  Their objective is often fraud or theft of proprietary or classified information or other sensitive data.  Sometimes – as we saw in the case of the Colombian Facebook kidnapping gang – it can be to facilitate more violent crimes such as kidnapping, armed robbery or rape.  Anytime people you don’t know seek you out – whether in person or online – you should look at the situation with a critical eye and question their motivation.

I once attended a counterintelligence presentation that addressed this issue.  The instructor – a short, overweight middle-aged man with a beard and glasses wearing suspenders and a bowtie – stepped to the podium.  He began by saying how when he was at home in the US he couldn’t get an attractive woman to give him the time or to even spit on his shoes.  But when he goes overseas it’s another story.  He turns into Brad Pitt and beautiful women at the bar flock around him.  He gets phone calls from women and has them knocking on his hotel room door at all hours of the night.

The point is well made.  If these types of things don’t happen to you regularly at home why are they suddenly happening when you arrive in country X?  His presentation was focused on counterintelligence but the motivation may be different and probably related to separating you from your money in some way.  The broader concept is that you should be cautious of someone’s potential ulterior motives if you are approached unexpectedly.

Sometimes these are “cold approaches” that come largely out of the blue and some are “warm approaches” where the person may have gathered some basic information on you (often through social media or other Internet resources) and has – or purports to have – something either professional or personal in common with you.  This is one of the risks of posting too much on social media sites, especially concerning hobbies, interests and other things that can be used as a vehicle to get in contact with you, establish rapport and so forth.

These warm approaches can take place over time and may be very effective in getting you to gradually lower your guard.  It appears that was the case in the Colombia Facebook case.  The kidnap gang was apparently successful in convincing their wealthy male victims via Facebook that they were attractive women, cultivating an online discussion and ultimately enticing them to come to a physical meeting where they were subsequently drugged and kidnapped.

There can also be “cold approaches” where you are approached by a stranger who initiates conversation without any prior connection of any sort.

Be wary – but not paranoid – if you are approached by a stranger.  Always look at the situation with a critical mind and ask yourself what ulterior motives or hidden agendas might exist.  You do not need to be rude but be cautious, especially if the situation seems unusual or outside your usual frame of reference.

Loose Lips — Recognizing and Avoiding Elicitation

In discussing social engineering and threats to your personal security we mentioned elicitation.  Elicitation is a technique that is used by an adversary to get a person to unintentionally divulge more information about a particular subject than they normally would.  It’s used to gather confidential or proprietary information and in the realm of personal security it can be used by an adversary to gather information for use in targeting you or to build rapport with you or someone close to you.

While we are not going to attempt to teach elicitation or counter-elicitation here we are going to briefly outline some of the common techniques that are used so that you can recognize them being used against you.  Remember these can be employed in person, over the phone or through electronic communication of various types such as email, online chat, etc.

This is by no means an exhaustive list but these are some of the key elicitation techniques you may encounter:

Flattery: The adversary will compliment you on personal and/or professional aspects of your life to build rapport and increase your likelihood to talk openly.  This may include requests for advice based on your “expertise”, etc.

False Statements:  The adversary may make statements he or she knows are incorrect in order to prompt you to correct them by providing the correct information.

Provocative Statements: Similar to the false statement, the adversary may make a statement that he or she knows will initiate an emotional response on your part and a desire to either strongly agree or disagree with them.

Disbelief:  The adversary will feign disbelief at a statement you make to prompt you to elaborate more fully.

Naivete: Similar to disbelief the adversary will feign ignorance to get you to “educate” him or her.

Quid pro Quo: The adversary may volunteer some innocuous or more likely false information about themselves so that by social convention you feel compelled to reveal something to them.

These are just some techniques that may be used to get information about your schedule, your security profile, your business dealings, your personal wealth, your employer and so on.  By recognizing when you might be encountering them you can make a conscious decision to reduce the amount of information you provide or break off the conversation.

While some of these are relatively sophisticated methods they have been and may be employed by foreign intelligence agencies and internal security units, organized crime groups, terrorists and others.  Keep in mind as well that they may be aimed not only at you directly but also at your employees, associates, domestic staff, etc.  It’s important to train these people — even if it’s just at a very rudimentary level — to be cautious about people asking questions or trying to get them to divulge information about you or your activities.

Personal Risk Assessment

Considering that personal and travel security rely heavily on context it’s important to consider how the threat relates to you whether at home or abroad.  Understanding this contextual relationship lets you realistically determine how much effort, energy and possibly money you should invest in your security.

The best way to do this is to conduct a personal risk assessment.  This can be done yourself or you can hire a consultant to do it for you and it can be as detailed as you want to make it.  If you do it yourself it’s important to be as brutally honest with yourself as you can for the assessment to be accurate and have value.  This assessment can be done from a lifestyle perspective for an at-risk person or a person living in a high-risk area or it can be done for a particular event like an overseas business trip.  It can also be done using qualitative or quantitative methods or a combination of the two.  Most people will be more likely to use qualitative means.

The standard formula for a risk assessment is that Risk = Threat x Vulnerability.  For our purposes this means you need to begin by identifying a threat or threats that exist and then look at vulnerabilities in your schedule, routine or lifestyle where your exposure to this threat is increased.

As an example a businessman traveling to a two-day meeting in Johannesburg might identify threats such as carjacking and armed robbery.  In particular he may look at the practice of criminals following people from the airport and robbing them en route or at their destination.  He might also consider the high level of gratuitous violence often involved in these crimes.
On a review of his itinerary he notes that the meetings will all be held at a 5-star hotel adjacent to the airport terminal and that he will be staying at the same hotel.  In this case the threat level is high but his vulnerability is low so the risk is relatively low.

Another aspect to consider is the probability vs. criticality or impact.  Some events are more likely but the consequences are not too severe.  Others are less likely but the consequences may be devastating.  Two examples to look at:

A photographer is going on an assignment in Barcelona that will involve a lot of work in public venues.  The threat of pickpocketing and petty crime may be high but the criticality of these types of incidents is relatively low — unless of course his cameras are stolen and he can’t complete the job.

Taksim Square – Istanbul. This is a frequent location for protests and occasionally civil unrest.

On the other hand an engineer has a 2-week assignment in Islamabad, Pakistan.  He will be staying at a western brand hotel that has been previously attacked with a massive vehicle bomb.  Hotels of this type are targeted for spectacular attacks by militant groups.  In this case the probability that the hotel will be attacked while he is there is relatively low.  However, based on past incidents, if the hotel is attacked the impact is likely to be severe.

Using this information you can determine the level of risk you face – either daily or for a specific activity or event as well as the likelihood and potential impact of an event occurring.  Using this information you can determine what countermeasures if any you should implement to mitigate the risk.