In protective security operations routine activities are easily exploited by Threat Actors. Sometime routine habits can get you killed.

On 21 August 2018, The Canberra Times published a story written by Sally Rawsthorne which outlined how a former Outlaw Motor Cycle Gang’ leader was ‘gunned down’ in front of the Rockdale Fitness First centre that he habitually used. With due respect for the deceased’s family, the story does highlight how a routine habit can get you killed.

The story tells how gang leader Mick Hawi, had gone to the fitness centre for his morning workout. Following his workout, Hawi went back to his car, that was reportedly parked in an illegal spot that he habitually used. When Hawi was in his car, a person walked up to the former OMCG member’s car and shot Hawi several times.

But how did the assassin know that Hawi would be at the gym? How did the assassin know where Hawi had parked his vehicle?

For surveillance operatives to first identify the location of their desired target, the operative will often commence their surveillance at known locations that the target visits. Locations such as the person’s home, their place of work, and other locations that the person may usually visit. In the above case such as Hawi’s regular gym.

According to reports the assassin conducted surveillance outside the Fitness First gym for several days prior to the attack. On the day of the attack Hawi illegally parked his vehicle in his usual spot, did his workout, and returned to his vehicle. It was at this time that the assassin, who would have been able to confirm Hawi’s location was able to walk up and make the attack.

Habit got Hawi killed.

But what can professional security managers learn from this painful lesson? How can security professionals make it difficult for hostile surveillance operatives to gather information regarding the security professional’s location responsibilities?

As humans we tend to like some elements of structure in our lives. And for many people change can be very uncomfortable. Therefore, it must be remembered that with any proposed change to normal routines there will be some ‘push back’. Additionally, change that is implemented in a proactive way can also relieve the boredom that comes with over familiarity.

For the security manager changing patrol routes and times, changing procedures on how a particular activity is carried out, or changing guard rosters all will have a hindering effect to someone conducting hostile surveillance, or about to implement an attack based on previous intelligence gathered regarding previous methods used by the facility.

Changing procedures like those mentioned above, will often necessitate the hostile surveillance operatives to recommence their surveillance operation. This will also give the security manager the opportunity to commence counter-surveillance operations that may identify hostile surveillance.

In the world of protective security operations, the conducting of a routine habit, will make you predictable. Being predictable provides Threat Actors with the knowledge of what a party will do and when they will do it. Thus, making it easy for the Threat Actors to plan their attack. Ultimately, within the protective security space, habits can get you killed.

Defining the distinction between Risk and Threat

I was recently involved in a discussion on the differences between Risk and Threat. During the discussion I realised that there is a misconception regarding the two terms. With this in mind I am starting a series of blog posts on the difference between the two concepts. This week, I will start by looking at how each term and concept is different. In the following weeks why each term should be considered differently and how the assessment of each is different will be reviewed. Finally, there will be a discussion on how the management of Risks and Threats should be different.

Risk is defined by the International Standards Organisation AS/NZS ISO 31000:2009 Risk management-principles and guidelines, as “the effect of occurrences on objectives”. Risk therefore focuses on incidents and the effects of those incidents. Risk can have either positive or negative effects, but most people generally see risk as a negative. In addition, risk is generally measured as the likelihood of a particular incident occurring combined with the harm that that incident could cause.

Threat is generally defined as the intention to cause harm. Threat therefore is about intentions and the harm that those intentions could cause. Because Threat is about intentions, it implies that Threats are made by those who possess some form of rational thought. Depending on a person’s philosophical beliefs, threats can be made by Gods, humans or animals. For the purpose of this blog post, Gods and animals will be left to philosophers and scientists. This post and the ones to follow will focus on threats that are made by humans.

When Risk is compared to Threat, Risk looks at different types of events, and the effect those events could cause if they occur. Risk is very event focused. Threat focuses on a person’s or group’s intentions, and the harm those intentions could cause if they are actioned. Threat focuses on the rational actor’s intentions, showing that the two concepts are quite different.

Although many people commonly see Risk and Threat to be the same, they are in fact quite different to each other. In the following blog posts I will review how Risk and Threats are assessed and then how each can be managed.