The human brain is exquisitely wired to react to immediate threats. When an object is thrown at our head, we instinctively duck.
Unfortunately, neuroscientists tell us that most of us are not wired as well to respond to long-term or imminent threats. The part of our brain that manages that kind of threat hasn’t evolved much beyond the time when we lived in caves. As a result, we often don’t recognize a threat until it’s too late. We go outside to watch tornadoes. We walk toward the beach when water recedes in advance of a tsunami. We are slow to recognize danger signals, fail to recognize them, or just ignore them. Our fatal flaw is that, by waiting until imminent becomes immediate, our only option when it happens is to react rather than respond – duck!
Moreover, technology has outpaced the evolution of our innate ability to recognize threat signals, which has only compounded our vulnerability. Humans have a greater technological capability to inflict harm than our brains can keep up with in terms of sensory recognition. We don’t always realize when something, even out of the ordinary, is potentially harmful because catastrophic events are nearly always a surprise and our brain wants to make logical sense out of it. “How could this happen?”
Fortunately, the advanced part of our brain and command of technology give us the capacity to compensate for our innate deficiencies. We can plan in advance a response to threats, and make preparations to execute those plans when threats occur.
The path to effective security includes assessing risk and vulnerability. We assess the risks that might cause loss, and assess our vulnerability to those risks. A third task, the threat assessment, synthesizes the findings of the other two into a comprehensive, proactive, and strategic action plan.
In their whitepaper, “Threat Assessments: The Final Pillar of a Tailored Security Program,” David L. Johnson and Gale R. Erickson, CPP, make a compelling case for conducting threat assessments. The result, they say, will move an organization from a reactive to a responsive posture that “will deter, avert, or mitigate the damages that could result from the threat being enacted.”
They contend there are two occasions that justify a threat assessment: after the completion of a risk assessment, and upon receipt of a threat. Too many times, they point out, policies are developed only after a crisis or incident. At that point the organization has the benefit of hindsight and post-incident analysis. But during the event, it was chaos and the loss was greater than it might have been had there been a response plan rather than an ad hoc reaction.
The authors acknowledge that advance warning of an impending attack is available in only about 13 percent of cases. They argue that fact does not negate the value of a threat assessment. Instead, it underscores the value and benefit of a threat assessment in making plans that will mitigate the damage caused by an attack.
Furthermore, their model for conducting a threat assessment gives the organization the ability to formulate response plans in advance for threats identified in the risk assessment and, in an instant, when confronted with an impending threat not previously detected.
They illustrate the threat assessment process with a hypothetical case of workplace violence. The case is particularly useful in that it incorporates the various internal assets and outside assistance that would be involved in the planning and execution of a planned response. It is a case that could apply to businesses, schools, and government entities.
It might, but there is no guarantee that a threat assessment will inoculate an organization from attack. But at a minimum, it will empower the organization with a plan to respond and minimize the damage. The only other alternative is to just hope there’s enough time to duck!
Michael Nossaman is founder of the PSC
Image courtesy of FreeImages.com/Nelson Syozi