Probability: Looking at Likelihood When Assessing Personal Risk


There is a tendency to be drawn to the more exotic, spectacular or exciting threats when considering personal risk rather than the more likely but more mundane threats.  In many parts of the developing world your greatest risk is a vehicle accident.  Poorly maintained vehicles, lack or total absence of professional driver training and licensing, bad roads and sometimes a lackadaisical attitude towards safety in general make this a real concern many places.  This is often compounded in places where modern medical care is severely lacking and all but the most minor medical issues require evacuation.  In an environment like this injuries sustained in a traffic accident that might be very manageable elsewhere in the world can be fatal.

While conducting a recent threat assessment in East Africa following the Westgate Mall attack, it was difficult to get the consumers of the report to appreciate the full spectrum of threat that exists apart from terrorism.  Yes, terrorism is a very real concern and the relative success of the Westgate attack (a low tech attack using limited numbers that produced high casualties and went on for days capturing worldwide media attention) may encourage further, similar actions.  Any further attacks will likely occur at soft targets where visitors and expatriates are likely to be such as hotels, transit hubs, shopping venues and so forth.  That said, Nairobi is a city racked by violent crime and for the average visitor or resident this is a much greater risk than terrorism.  There is a much greater chance of being carjacked, and possibly murdered in the process than there is of being present during a terrorist attack.

When assessing your personal risk in a particular location and perhaps basing whether or not you will go or what mitigation measures you will put in place, it’s important to consider the full threat spectrum and consider the likelihood or probability of each type of threat so that you don’t get so caught up with the more spectacular threat that is receiving massive coverage on CNN that you ignore the more probable threats that might be right in front of you.

Dangerous Business

Hole - Peter Shaw


If you do business in an international environment then chances are you deal with a wide range of people with different ideas about acceptable business practices, business ethics, conflict resolution and competition.  While some of these people may hold views very similar to yours many others may have a different perspective.   Generally speaking the further you go off the beaten path the more pronounced these differences may be.

Whether you are aware of it or not you may run afoul of one of these people.  Either by posing competition to their business, refusing to pay bribes or engage in corruption, by choosing or failing to choose a certain vendor or business partner.  In many places members of the police, military and security forces also have private sector business interest and can present a formidable threat if you find yourself in a business dispute with them.

Consider the story of Peter Shaw, a Welsh banker working for the European Commission in Tbilisi, Georgia.  Shaw was in Georgia providing consulting to the Georgian banking sector.  In June 2002, just days before he was supposed to complete his assignment and leave Georgia, Shaw was kidnapped off a Tbilisi street by heavily armed attackers in paramilitary uniforms.  He was then held captive for five months, four of them in a subterranean cell in the Pankisi Gorge under deplorable conditions, the details of which he recounts in his book Hole: Kidnapped in Georgia.  While it was never conclusively proven that his kidnapping was related to his work in banking there were strong indications that it was.  It’s possible that Shaw’s work to improve the Georgian banking sector put him at odds with powerful people who were using the financial system for their own enrichment.

While Shaw’s case is an extreme example, it’s important to be aware of potential pitfalls that may exist in the country or countries where you are conducting business.   How do you counteract this risk?  It’s difficult but due diligence on potential partners and associates and a thorough assessment of the business sector in that country is one initial step you can take.  Knowing who the key players are and what businesses they are in is a good beginning.  Another is a simple awareness of the threat and practicing good personal security measures and operational security.


Lessons Learned vs. Armchair Quarterbacking

One of the best ways to develop new countermeasures and enhance your personal or your organization’s security is by studying security incidents that have occurred to learn both from the mistakes of others and also from what they did well.  Rightly or wrongly there is often a tendency to focus on the mistakes and things that went wrong as these sometimes provide the most cogent lessons learned.  When doing this we need to do it dispassionately and we need to avoid the appearance of blaming the victim.  All hindsight is 20/20 and it is easy to look at all the details of an event after it has transpired and pontificate about what someone did wrong and why we would have done it differently.  It is much different when the event is unfolding and you are wrapped in uncertainty and trying to make decisions under pressure.  It is also different when you don’t have the ability to see a threat clearly due to other events or distractions that may be going on.

The horrific school shooting in Newtown, Connecticut brings this principle to the forefront.  While information and details are still coming in as of this writing it demonstrates the need to study these events to look for areas of improvement and consider how things can be done in the future to mitigate the risk.   This is not intended to be a discussion of the Sandy Hook massacre as this is being covered extensively in other venues and discussed by people much more knowledgeable about school security and active shooter situations than I am.   Those of us who are parents though are searching for information and perhaps answers and solutions to make our children safer.   Interestingly it appears from current information that the Sandy Hook Elementary School did a whole lot right in terms of their security program and perhaps exceeded what is in place at many schools.  Still we need to do a close examination to see what might be implemented to reduce the risk at other schools in the future.

One of the most valuable things we can do is to look at case studies concerning criminal and terrorist incidents and look at why the victim was vulnerable and what they might have done to reduce or even eliminate that vulnerability.  If we are looking at confrontational crimes targeting individuals we might look at a robbery incident where the victims was distracted and fumbling with her car keys when she was approached and victimized.   Looking at a kidnapping we may find the victim habitually departed for work each day at the same time and used the same route.  We should also look at our own experiences where we had near misses or close calls and look at areas where we could have done something differently.  In these cases we need to be frank with ourselves if we were lazy, complacent, overconfident, disregarded our own intuition, or whatever.

What separates armchair or Monday morning quarterbacking from thoughtful lessons learned?  As much as anything it’s the spirit in which it’s done and the mindset.  Armchair quarterbacking is pontificating, sometimes accusatory and not done with a constructive goal in mind.  Analyzing lessons learned on the other hand is thoughtful, constructive and done with the intent of not repeating past mistakes or missteps – others or our own – but rather learning from them to develop new procedures tactics and approaches that will reduce the risk and make us more effective.




Hard Skills vs. Soft Skills

Most of the material covered in Protective Concepts relates to soft skills such as awareness, avoidance, risk assessment and intelligence and there is little detailed discussion of hard skills such as shooting, evasive driving, close quarters combat and so forth. This is for a couple of reasons:

(1) The soft skills, when applied correctly will greatly reduce the likelihood of you needing to employ the hard skills.

(2) The soft skills can be applied by virtually anyone, regardless of age, sex, physical condition, etc. They are truly “life skills” where are proficiency at many of the hard skill types will be based on physical ability and may be perishable with age.

(3) There are frankly times where some of the hard skills, in particular shooting may not be applicable due to local restrictions on firearms, etc.

(4) Many of the hard skill subjects are well covered elsewhere by very knowledgeable people.

That said we will touch on some of the hard skills in the near future.


Unsolicited Approaches

Consider possible ulterior motives when approached by a stranger

In keeping with the themes of social engineering and elicitation its a good point to discuss the need to be wary of unsolicited approaches.  We also need to be mindful that these approaches are not necessarily made in person although they can be. In today’s technological world they are frequently also made via email or through social media.

These types of unsolicited approaches are made by criminals and other dangerous people for a variety of reasons.  Their objective is often fraud or theft of proprietary or classified information or other sensitive data.  Sometimes – as we saw in the case of the Colombian Facebook kidnapping gang it can be to facilitate more violent crimes such as kidnapping, armed robbery or rape.  Anytime people you don’t know seek you out – whether in person or online – you should look at the situation with a critical eye and question their motivation.

I once attended a counterintelligence presentation that addressed this issue.  The instructor – a short, overweight middle-aged man with a beard and glasses wearing suspenders and a bowtie – stepped to the podium.  He began by saying how when he was at home in the US he couldn’t get an attractive women to give him the time or to even spit on his shoes.  But when he goes overseas its another story.  He turns into Brad Pitt and beautiful women at the bar flock around him.  He gets phone calls from women and has them knocking on his hotel room door at all hours of the night.

The point is well made.  If these types of things don’t happen to you regularly at home why are they suddenly happening when you arrive in country X?  His presentation was focused on counterintelligence but the motivation may be different and probably related to separating you from your money in some way.  The broader concept is that you should be cautious of someone’s potential ulterior motives if you are approached unexpectedly.

Sometimes these are “cold approaches” that come largely out of the blue and some are “warm approaches” where the person may have gathered some basic information on you (often through social media or other Internet resources) and has – or purports to have – something either professional or personal in common with you.  This is one of the risks of posting too much on social media sites, especially concerning hobbies, interests and other things that can be used as a vehicle to get in contact with you, establish rapport and so forth.

These warm approaches can take places over time and may be very effective in getting you to gradually lower you guard.  It appears that was the case in the Colombia Facebook case.  The kidnap gang was apparently successful in convincing their wealthy male victims via Facebook that they were attractive women and by cultivating an online discussion and ultimately enticing them to come to a physical meeting where they were subsequently drugged and kidnapped.

There can also be “cold approaches” where you are approached by a stranger who initiates conversation without any prior connection of any sort.

Be wary – but not paranoid – if you are approached by a stranger.  Always look at the situation with a critical mind and ask yourself what ulterior motives or hidden agendas might exist.  You do not need to be rude but be cautious, especially if the situation seems unusual or outside your usual frame of reference.

Loose Lips — Recognizing and Avoiding Elicitation

In discussing social engineering and threats to your personal security we mentioned elicitation.  Elicitation is a technique that is used by an adversary to get a person to unintentionally divulge more information about a particular subject than they normally would.  Its used to gather confidential or proprietary information and in the realm of personal security it can be used by an adversary to gather information for use in targeting you or to build rapport with you or someone close to you.

While we are not going to attempt to teach elicitation or counter-elicitation here we are going top briefly outline some of the common techniques that are used so that you can recognize them being used against you.  Remember these can be employed in person, over the phone or through electronic communication of various types such as email, online chat, etc.

This is by no means an exhaustive list but these are some of the key elicitation techniques you may encounter:

Flattery: The adversary will complement you on personal and or professional aspects of your life to build rapport and increase your likelihood to talk openly.  This may include requests for advice based on your “expertise”, etc.

False Statements:  The adversary may make statements he or she knows are incorrect in order to prompt you to correct them by providing the correct information.

Provocative Statements: Similar to the false statement the adversary may make a statement that he or she knows will initiate an emotional response on your part an a desire to either strongly agree or disagree with them.

Disbelief:  The adversary will feign disbelief at a statement you make to prompt you to elaborate more fully.

Naivete: Similar to disbelief the adversary will feign ignorance to get you to “educate” him or her.

Quid pro Quo: The adversary may volunteer some innocuous or more likely false information about themselves so that by social convention you feel compelled to reveal something to them.

These are just some techniques that may be used to get information about your schedule, your security profile, your business dealings, you personal wealth, your employer and so on.  By recognizing  when you might be encountering them you can make a conscious decision to reduce the amount of information you provide or break off the conversation.

While some of these are relatively sophisticated methods they have been and may be employed by foreign intelligence agencies and internal security units, organized crime groups, terrorists and others.  Keep in mind as well that they may be aimed not only at you directly but also at your employees, associates, domestic staff, etc.  Its important to train these people — even if its just at a very rudimentary level — to be cautious about people asking questions or try to get them to divulge information about you or your activities.

Personal Risk Assessment

Considering that personal and travel security rely heavily on context its important to consider how the threat relates to you
whether at home or abroad.  Understanding this contextual relationship let’s you realistically determine how much effort, energy and possibly money you should invest in your security.

The best way to do this is to conduct a personal risk assessment.  This can be done yourself or you can hire a consultant to do
it for you and it can be as detailed as you want to make it.  If you do it yourself its important to be as brutally honest with yourself as you can for the assessment to be accurate and have value.  This assessment can be done from a lifestyle perspective for an at-risk person or a person living in a high-risk area or it can be done for a particular event like an overseas business trip.  It can also be done using qualitative or quantitative methods or a combination of the two.  Most people will be more likely to use qualitative

The standard formula for a risk assessment is that Risk = Threat x Vulnerability.  For our purposes this means you need to begin by identifying a threat or threats that exist and then look at vulnerabilities in their schedule, routine or lifestyle where their exposure to this threat is increased.

As an example a businessman traveling to a two-day meeting in Johannesburg might identify threats such as carjacking and armed robbery.  In particular he may look at the practice of criminals following people from the airport and robbing them en route or at their destination.  He might also consider the high level of gratuitous violence often involved in these crimes.
On a review of his itinerary he notes that the meetings will all be held at a 5-star hotel adjacent to the airport terminal and that he will be staying at the same hotel.  In this case the threat level is high but his vulnerability is low so the risk is relatively low.

Another aspect to consider is the probability vs. criticality or impact.  Some events are more likely but the consequences are not too severe.  Others are less likely but the consequences may be devastating.  Two examples to look at:

A photographer is going on an assignment in Barcelona that will involve a lot of work in public venues.  The threat of ickpocketing and petty crime may be high but the criticality of these types of incidents is relatively low — unless of course his cameras are

Taksim Square – Istanbul. This is a frequent location for protests and occasionally civil unrest.

stolen and he can’t complete the job.

On the other hand an engineer has a 2-week assignment in Islamabad, Pakistan.  He will be staying at a western brand hotel that has been previously attacked with a massive vehicle bomb.  Hotels of this type are targeted for spectacular attacks by militant groups. In this case the relative probability that the hotel will be attacked while he is there is relatively low.  However based on past incidents if the hotel is attacked the impact is likely to be severe.

Using this information you can determine the level of risk you face – either daily or for a specific activity or event as well as the likelihood and potential impact of an event occurring.  Using this information you can determine what countermeasures if any you should implement to mitigate the risk.

4 Steps to Taking the Adversary’s Perspective and Enhancing Your Security

Nairobi (aka Nairobbery)- Understanding carjacking tactics can be critical


When you are evaluating your own personal security its very useful to take the perspective of your adversary — for most of us that is the common criminal but depending on your location it may also include terrorists, militants, members of organized criminal groups or others.  Traditionally most people and most organizations have viewed their security from the inside looking out.  However it might be better to look at it from the outside in – the same way a predator looks at it.

Here is a four-step process you can use:

(1) Consider your attractiveness as a target.   Are you well-known, wealthy or perceived as wealthy, politically active, involved in a business dispute or is there another reason you might be specifically targeted?  Beyond that are you someone who is likely to be targeted in a crime of opportunity due to your physical appearance?  In 1984 Betty Grayson and Morris Stein published a now-famous study about physical signals that potential victims unwittingly to their assailants.  The Grayson Stein study involved videotaping pedestrians on the streets of New York City and then subsequently showing the videos to inmates incarcerated for violent assaults.  The inmates were split into different groups and told to rate the people videotaped on a scale of 1 to 10 with one being the most attractive target and 10 the least.  The inmates responses were shockingly consistent with regard to who the most attractive victims were.

On further review Grayson and Stein determined that the more likely victims differed in stride, fluidity of movements, head position, etc from those who were deemed the toughest targets and not desirable.  While these nonverbal cues may not be characteristics that can be readily changed – just be aware of them will be an asset in protecting yourself.

(2) Aggressor Tactics, Techniques and Procedures and Modus Operandi.  After considering your attractiveness or likelihood as a potential target you should consider the methods a potential attacker might use.  Look at what type of tactics are common in the area where you live or work.  In a previous post we discussed common carjacking techniques in use in Nairobi.  This is a good example to use.   Many carjackings and armed robberies in Nairobi have occurred when the victim drove up to the vehicle gate at their home.  While they are waiting for the gate to be opened another vehicle – which has either been following them or parked nearby observing their residence — will pull up and block them in.  The assailants will deploy from the vehicle and rob their victim.  Understanding the tactics used by criminals and threat groups in your area of operation is a critical component of this process.  In a broader sense its helpful to know that targeted attacks – both assassinations and kidnappings frequently occur in the morning as the victim is leaving their residence.  This is largely true worldwide.  One if the more notable examples is the kidnapping of Exxon executive Sidney Reso as he left his New Jersey home in 1992.

(3)  Develop a predatory mindset.  This is anethmatic to most people but its one of the best ways to understand how criminals and other hostile people and groups view the world.  To gain an understanding of this do a simple mental exercise:  the next time you are in a public place such as a shopping district, mall, etc. try to identify people who would be good victims to assault and rob.  By the way – this is not an original idea.  Many instructors and writers on this topic have advocated the same exercise for the same reason.  The one who comes most readily to mind is Rory Miller but there are several others as well.  Once you have identified likely victims think how you would isolate and attack them in a way that would give you the best chance or success and the ability to escape.  Don’t take notes — this is a mental exercise.  By doing this occasionally – and in conjunction with your knowledge of assailant tactics –  you will develop a greater appreciation for the adversary’s perspective and the steps he will take in selecting a victim and carrying out an attack.

(4) Look at yourself and your routine through the adversary’s eyes.  Where are you vulnerable in your day-to-day life?  Where are you time and place predictable?  Where and when are you likely to be distracted or unaware?  Where on your routes are likely attack sites?  Ask yourself these questions and try to view yourself through the adversary’s perspective.  Once you begin to answer these you can develop countermeasures to make
yourself a harder target.

Always Have An Exit Plan

When traveling or living in the politically unstable regions it’s important to always have an exit plan.  After assessing the potential threats from coups, civil unrest or conflict you should consider several methods of egress from the country, different transportation modes that could be used and also the possibility of sheltering in place.

You should consider some tripwires or triggerpoints that might indicate a deterioration in the security situation and be a signal to you to act on. your exit plan.  These vary greatly depending on the country and the situation there but some examples might be: departure of dependents and non-essential personnel from diplomatic missions,  imposition of martial law, previously peaceful demonstrations turn violent, etc.

The events of the Arab Spring taught us – tripwires can be much more compressed than anticipated.  With the introduction on social media in particular political and security conditions can change very rapidly.

Under ideal circumstances your exit plan is to go to the airport before the situation becomes too bad and board a scheduled commercial flight and leave the country.  You do need to consider other options should the airport be closed or unreachable.  Other possibilities might be traveling overland across the border to a neighboring country or even a maritime mode of departure such as hiring a charter boat if the country isn’t landlocked and if there is a safe haven country reachable by boat.

You should stay in contact with your Embassy or Consulate if they have representation locally.  The US State Department issues messages to it citizens who have registered with the Embassy and prepares to conduct evacuations should the situation warrant it.  This can also be a good indicator or tripwire to use.  The US State Department, British Foreign and Commonwealth Office and other countries foreign ministries try to encourage their citizens to depart the country as soon as they feel the situation is becoming critical in order to ease the burden should an evacuation be necessary.

In some cases immediate exit may not be possible or safe. Borders maybe closed as occurred during and after the coup in Mali in 2012 or the situation may have destabilized so rapidly that it is not safe to be out on the streets or moving around.   In those situations its important to look at sheltering in place.
When preparing to shelter in place you should stockpile enough food and water in your hotel room, house or apartment to sustain you for several days.  Its difficult to determine what length of time to anticipate but 72-96 hours is a good general rule.  You will also want to have a flashlight, batteries, possibly a battery powered radio, cell phone and or Sat/com phone and associated chargers.  A portable battery-powered cell phone charger is also a good option as well.

The level of planning and preparation will vary greatly depending upon the conditions in the country you are in and your personal situation.  Even giving this tppic some thought and some minimal planning will give you a head start should things turn bad and you will be better off that if you were caught totally unprepared.

Using Threat Information in the Context of Business Operations


When evaluating threat information, especially information received from subscription security intelligence services which are produced for a broad audience, it is essential to view them in the context of your company’s operations.  Many, if not most providers, use a color and/or numerical rating to designate the risk level of a particular city or country.  Different firms use different methods to determine their risk ratings.  Regardless of the method used it is important to realize that while these risk ratings have their uses, especially as a starting point when evaluating risk, they can be very misleading depending on the nature of your organization’s operations.  There are simply too many variables to use this as a cut and dried definitive resource.  Not only do different neighborhoods and areas of a city or country frequently present greatly different levels of risk, so do different types of activities.  An executive flying into the capital city of a developing country for a meeting, being picked-up at the airport by a company representative and staying at a five star hotel for two days for a meeting typically faces a very different risk level than an engineer traveling to the interior of the country for two weeks to review a new hydroelectric dam project.


The same is true of the travel advisories posted by the US Department of State, UK Foreign & Commonwealth Office, Australian Department of Foreign Affairs and Trade, etc.  It is useful to be aware of these as part of the framework of your risk assessment but these are directed at far too general an audience to be useful in and of themselves in the decision-making process.  It is also worth mentioning that these do warrant attention because the company’s employees have access to them and may have questions and concerns that need to be addressed by the company’s security department.  As an example, the US State Department has a Travel Warning posted for thePhilippines.  The warning correctly states that terrorist groups such as Abu Sayyaf and Jemmah Islamiya are active in planning and carrying out attacks and warns against all but essential travel throughout the country.  Under most circumstances a business traveler could visit much of thePhilippines– particularly popular destinations likeManilaorCebuCity- and providing that they use care in selecting hotels and transportation options and practice basic personal security measures do it relatively safely.  What is not mentioned in the Travel Warning is the high level of crime in many areas and the innumerable scams that exist to separate the traveler from his or her money, although these are mentioned in the State Department’s Consular Information Sheet for thePhilippines.  Given the wide audience that these government bulletins address there is sometimes an “err on the side of caution” approach that may not realistically match your organization’s operations.


Regardless of the source, all security intelligence should be viewed through the prism of how it relates to your organization, its operations and its employees.  To be effective, security measures should be tied to the threat situation in the locations where you have operations and travelers.  It is very likely there will be some generic aspects that may apply across the board such as basic access control measures or policies relating to displaying ID on company premises, etc.  Whether or not to utilize close protection teams or simply trusted transportation, as an example, should be based on the threat information received from security intelligence resources and perhaps in some cases augmented or validated by an on-the-ground assessment.  Building effective and applicable security measures for facilities and for employee protection, developing policies governing employee travel and planning contingencies for likely events all require an in depth knowledge of the threat situation.  This knowledge cannot be gained by solely from mass media like CNN or the New York Times because these media outlets tailor their coverage to aUSand/or European mainstream audience and do not cover all corners of the world or provide coverage and insight in all regions where an organization may have interests or travelers.  How much coverage did we see on television or in the major newspapers devoted to civil unrest in Bangladesh throughout much of 2006 and early 2007?  It is also problematic to get all information from one retained provider – even if that provider is capable and competent.  A more effective approach is to engage several providers with strengths in different areas, participate in private-public partnership organizations, solicit information and opinion from sources on the ground and after gathering all this information view it in the context of your organization’s operations and business activities to develop the most accurate picture of how events effect you and your people and what steps need to be taken to provide a reasonable level of protection to your organization’s employees and assets.