Protective Intelligence Fundamentals and Challenges

by Thomas Kopecky

What is “Protective Intelligence?”

To the executive protection analyst plugging away in a 24-hour operations center, protective intelligence is one thing.

To the security consultant with an MA or MS in psychology, protective intelligence means something else.

And to the US Department of Justice, or the US Secret Service, it takes on another meaning.

So, a discussion of protective intelligence could be confusing without properly defining the term.
Therefore, let us examine three separate, frequently cited definitions and how they manifest in the day-to-day processes of protective intelligence programs.

“Protective intelligence—a less visible aspect of protection—consists of programs and systems aimed at identifying and preventing persons with the means and interest to attack a protected person from getting close enough to mount an attack and, when possible, reducing the likelihood that they would decide to mount an attack. Protective intelligence programs are based on the idea that the risk of violence is minimized if persons with the interest, capacity, and willingness to mount an attack can be identified and rendered harmless before they approach a protected person.” [1]

“In simple terms, PI is the process used to identify and assess threats. A well-designed PI program will have a number of distinct and crucial components or functions, but the most important of these are countersurveillance, investigations and analysis.” [2]

“Similarly, protective intelligence requires gathering information about potential threats; in this case the threats of interest are those against key public figures (protectees). Collection methods include a variety of investigative avenues and open source information, along with queries of specialized databases and other records.” [3]

For simplicity, we will define protective intelligence as the investigative and analytical process used by protectors to proactively identify, assess, and mitigate threats to protectees.

The Three Key Phases of Protective Intelligence
Armed with our simplified working definition of protective intelligence, we can now visualize and explain the full process by viewing it as three key phases: Identify, Assess, and Mitigate.

Identify: How Do Protective Intelligence Teams Identify Threats?
The first step in identifying threats to key assets/personnel is conducting a thorough Risk Vulnerability Threat Assessment (RVTA). This allows the security leader to implement proactive measures at various levels and to allocate finite security resources efficiently.

After an RVTA is conducted, and appropriate security controls are implemented, the protective intelligence program may then take advantage of observations from security and non-security staff. This may include any combination of the following: static security staff, counter-surveillance personnel, executives, executive assistants, household staff, corporate security staff (other than executive protection), and more.

This leads us to one of the biggest obstacles in the protective intelligence process: data. What types of data do protective intelligence professionals need to collect and how can they store it for current and future analysis?

All of the information that the protective intelligence team gathers is data: security officer reports, person of interest (POI) descriptions, field observations,[4] vehicle descriptions, license plate information, and written communications to the protectee, etc.

All of today’s protective intelligence literature places great emphasis on data storage. If a protective intelligence team does not have the ability to retrieve data on past incidents or POIs, then any possible response will be largely reactionary: acting on the whim of the moment, masquerading as proactive security. The ability to retrieve data on past incidents or POIs provides critical references in the protective intelligence program: (1) accurate assessment of the behavior of POIs over long periods of time, (2) reliable data for potential litigation or law enforcement action against POIs, (3) hard evidence to support security program effectiveness, and (4) identification of trends and patterns over time.

Assess: Are They a Threat, or Not?
Protective intelligence researchers begin their assessment process by outlining their research project: problem/definition, data collection, data analysis, and report preparation. This process is summarized in a series of quick questions:

  • What does the executive protection manager need to know? For example, a common answer is that management needs to know whether the POI is a threat and, if so, to what degree, and what recommendations the analyst has.
  • What data is needed, from where can it be collected, and how can it be collected efficiently and systematically?
  • What hypotheses does the data support or discount?
  • What report structure does the consumer prefer?

After protective intelligence researchers have outlined their project and reviewed data from the Threat Identification Phase, they can begin their investigation. This may include, but is not limited to, the following sources: security officer reports/chronologies, human resources reports, open source intelligence (OSINT) research, proprietary database research, and consultation with psychology professionals.

Mitigate: What Strategy Will Create the Safest Outcome for the Protectee?
The final product of the research phase will give the protective intelligence team an objective basis on which to determine why or why not a POI is a threat, and to what degree. Decision makers will now have the reliable information needed to choose the preferred course of action that will most likely produce the safest outcome for the protectee.

Regardless of the type of mitigation strategy chosen and implemented, consistent monitoring and reassessment are required. Monitoring can take many forms. The protective intelligence research process typically reveals public social media profiles of POIs that can be monitored daily for updates. However, some organizations may see a benefit in conducting physical surveillance on POIs, or seeking assistance from a third party that is close to the POI.

Another potential obstacle to overcome in the protective intelligence process is Case Management. At any given time, there may be 5, 10, 20, or more active threat cases to monitor. How does one allocate resources to track active threat cases, and what systematic process is used to reassess them?

For protective intelligence teams, monitoring and reassessment are an ongoing process, and often, there is no clear-cut indicator for when a particular threat case can be put to rest. It will depend on the judgement of protective intelligence analysts and decision makers.

Challenges Facing Your Protective Intelligence Program

A protective intelligence program is made up of dynamic processes that run parallel with other organizational factors, presenting a number of challenges to overcome. We have identified 10 common challenges and classified them in two categories, although they aren’t perfectly distinct and mutually exclusive.

Category One includes all of the challenges that are inherent in the process of an organization carrying out the sequential steps of the intelligence cycle: Planning and Direction, Collection, Storage, Analysis, Production, Dissemination, and Feedback.

Category Two includes the challenges that fall outside of the intelligence cycle, but influence inputs and outputs of the overall program.

Category One Challenges

#1 Planning and Direction
If protective intelligence is the process of identifying, assessing, and mitigating threats, then heavy consideration needs to be given to the planner’s Risk Vulnerability Threat Assessment (RVTA). A faulty or poorly conducted RVTA will result in a substandard foundation for the protective intelligence program. The RVTA ought to highlight those threats that are especially likely, potentially impactful, and facilitated by present vulnerabilities. Those threats can be used as a basis for focusing the finite resources of the protective intelligence program, for maximum efficiency.

Questions for Consideration

  • Does the protective intelligence program have a clear focus, and do individual team members understand their role in supporting the overall mission? [5]
  • Is the program grounded by a sound Risk Vulnerability Threat Assessment?
  • Are individual intelligence issues clearly defined (problem definition + scope) for analysts to succeed?

#2 Collection
Data collection is supported by security team members in the field, static security posts, counter-surveillance operations, open source/closed source intelligence, and more. Once an organization’s most relevant threats are outlined, it is easy to identify what information needs to be collected regarding specific threats. For example, if you have assessed the threat of inappropriate pursuers contacting the CEO at their office as being high, then you could identify specific information sets that would be highly relevant to you such as the campus’ suspicious vehicle log, license plate information, incidents of trespassing, etc.

Questions for Consideration

  • What types of information are critical to anticipate and mitigate the specific threats that have been identified?
  • Is information collection guided by a systematic methodology?
  • How, at what frequency, and from whom/where is information collected?
  • Have investigators received adequate training in assessing potentially violent individuals? Simply stated, do they know what indicators are most relevant to search for?

#3 Storage
Data storage is a fundamental part of protective intelligence. Reassess and reevaluate is the name of the game when it comes to threat assessment investigations. Making accurate assessments over time, without the ability to retrieve data, would be nearly impossible. 

Questions for Consideration

  • How is information stored, categorized, and retrieved?
  • Who is authorized to access information, and does everyone who needs access have access?
  • Are there special considerations for the storage of information for use in court?
  • How is information protected?
  • What are the weaknesses of that particular method of information storage?

#4 Analysis
“What does it mean?” That’s the question that intelligence analysts seek to answer, by breaking down complex problems into digestible components.

Questions for Consideration

  • Which team members have appropriate training to provide recommendations based on current threat assessment or related literature?
  • At what temporal intervals are specific intelligence problems revisited? For example, auditing records, reassessing persons of interest, reassessing travel risk, etc.
  • Is the work environment conducive to quality analytical judgements?
  • Are current technologies being used to augment analysts’ collection and analysis methods? [6]

#5 Production
The final form that protective intelligence takes is dependent on the organization’s standards and most importantly, the consumer’s preferences. The corporate officers are unlikely to read the 30-page report prepared by the analyst for the security manager, just as the security staff at the parking lot entrance don’t care much for 30-page reports.

Questions for Consideration

  • Is there a standard format within the organization for intelligence reports such as BOLO [7] profiles, threat assessment investigations, background investigations, etc.?
  • Are analysts following industry best practices in terms of substance, structure, and presentation of their written products?
  • What does the consumer prefer?

#6 Dissemination
When the final product is reviewed and meets the standard of the security manager, it is ready to be delivered to all of the appropriate staff.

Questions for Consideration

  • Who needs to be informed?
  • What barriers exist to inter-organizational information sharing, and how does one overcome these when safety and security depend on it? For example, corporate headquarters vs regional offices vs family office.
  • Post dissemination: what policies are in place for information security and protecting sensitive data?

#7 Feedback
Adequate feedback on the analyst’s work ensures continuous quality improvement of future reports in terms of value to the end-user/security manager.

Questions for Consideration

  • What assessments merit feedback from the consumer?
  • How is success/failure and improvement evaluated by the consumer?
  • Does the consumer clearly demonstrate how future intelligence products can be improved?

Category Two Challenges

#8 Organization
Organizational challenges can take many forms. Most are familiar with fighting to secure adequate resources to fuel the security program: hiring qualified personnel, technology/tools/IT support, and keeping personnel trained with regular participation in professional development programs.

A secondary challenge may be selling the benefits of a protective intelligence program to reluctant executives or a board of directors.

Lastly, getting cooperation from inter-organization groups may be the toughest challenge for security program proponents. For example, is the security staff at the corporate office communicating relevant threat information to the protective intelligence staff?

#9 Analysts
Analysts are essential and integral participants in the intelligence cycle, and have significant influence at each stage of the process. Their role merits extra attention and deliberation.

Questions for Consideration

  • How are analysts trained and developed?
  • Are analysts attached or detached from the day to day security operations, and how does that influence the quality of their analyses?
  • What measures are in place to account for and correct for cognitive biases of the analyst?
  • How do overseers and analysts avoid analyst-burnout?

#10 Case Management
Depending on organizational structure, the management of individual cases will vary by the personnel involved, time and energy committed, and urgency of the task.

Questions for Consideration

  • What caseload can a single analyst adequately support?
  • Do analysts receive assistance and support from other security staff?
  • What standards are used to evaluate the continued assessment or closure of a particular case?

Protective intelligence is an essential element of a proactive approach to protecting critical personnel and assets. It is the medium for understanding not only threat matrix and risk level, but also trends, problems, solutions, and ideas to support the mission. Not every organization can afford a large team of dedicated analysts, but no organization can afford to ignore the value of protective intelligence.


Thomas Kopecky is the CEO and Co-Founder of Ontic Technologies. He has over 20 years’ experience working as a security consultant—specifically focusing on protective intelligence issues. In addition, Thomas founded, where he and his team share big ideas about the future of protective intelligence and how it will best support organizations like yours.

His latest project, Ontic Technologies, has developed a proprietary software solution for corporate security, executive protection, global travel / risk intelligence teams, as well as schools and universities. Their Machine Assisted Protective Intelligence interface was designed by security intelligence experts to augment security professionals when they need to sift through noise and big data overload, to ensure complete risk event comprehension, speed of execution, team collaboration, and communication.

Contact Thomas at [email protected]

Endnotes and References

[1] Robert A. Fein and Bryan Vossekuil, Protective Intelligence & Threat Assessment Investigations: A Guide for State and Local Law Enforcement Officials, (U.S. Department of Justice, Office of Justice Programs, National Institute of Justice, 2000), 24

[2] Fred Burton and Scott Stewart, “The Proactive Tool of Protective Intelligence,” Stratfor Worldview: Security Weekly, (2007)

[3] Rick Malone, “Protective Intelligence: Applying the Intelligence Cycle Model to Threat Assessment,” Journal of Threat Assessment and Management, (2015) Vol. 2, No. 1, 53-62

[4] Ami Toben, “Protective Intelligence And Surveillance Detection,”, 2017

[5] “How Do Protective Intelligence Analysts Support Security Programs?,”, 2017

[6] “An Introduction to Machine Learning for Protective Intelligence Professionals,”, 2017

[7] BOLO. Common abbreviation for “Be On the LookOut” for _____________

Maze photo: Steven Goodwin
