|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465GSX 20180,-Secure-Spaces.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Open Doors, Secure Spaces|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465A Failure to Plan|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Stay,-Hard-Challenges.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Soft Targets, Hard Challenges|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465The Dual Use Problem2018-09-01T04:00:00Z|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465ASIS 2017 Product Showcase2017-09-19T04:00:00Z|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465GSX 2018 Product Showcase2018-09-01T04:00:00Z|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Keynotes to Address Security Challenges2018-09-24T04:00:00Z|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465GSX 2018

Security Management

 Morning Security Brief

View RSS feed

 SM Weekly

Retrieving Data

 SM Daily

Retrieving Data
Not a Member? Join Now Dual Use ProblemGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​A researcher in Canada with $100,000 to spend ordered bits of horsepox DNA from a commercial vendor on the Internet and introduced it to cells, successfully turning the previously eradicated virus into an infectious agent. In China, 36 people had cells removed from their bodies, which were then altered and infused back into them.</p><p>Such experiments sound straight out of a sci-fi movie, but they are being carried out with more frequency by experts worldwide—and drawing a precarious line between using the technology for noble or nefarious purposes. Fortunately, these examples were for good—the Canadian experiment is paving the way for effective vaccines and gene therapy, and the Chinese clinical trials were used to treat patients with cancer.</p><p>However, even these well-intentioned scientific experiments could inadvertently cause harm down the road. The Canadian horsepox reconstitution raised concerns that the relatively simple and legal process could be used for darker purposes—the researchers admitted that the same process could be used to bring back small­pox, one of the deadliest diseases in history.</p><p>"Have I in­creas­ed the risk by showing how to do this? I don't know," the lead virologist of the experiment told Science magazine. "Maybe yes. But the reality is that the risk was always there."</p><p>This concept is known as the dual use problem, and it's what is spurring the U.S. government to quietly increase research and spending into unrealized biothreats stemming from scientific advances that are intended to be used for good. Studies hone in on seemingly far-flung biological threats, such as antimicrobial resistance, chemical inhibitors used to pacify populations, cyberattacks on people, and nanoweapons—microscopic poisons, drones, or bombs. </p><p>"The same methods that might be used to defeat cancers could be used to destroy adversaries through virulent pandemics," notes the Lexington Institute's 2018 report, Invisible Scourge, on the danger of chemical or biological attacks. "Breakthroughs in microbiology might thus become major threats to national security."</p><p>The U.S. Department of Defense (DOD) recently commissioned a report by the National Academies of Sciences, Engineering, and Medicine to determine the top emerging synthetic biology threats. The 234-page report details high-risk technologies based on their ease of use, the ability for use as an effective weapon, expertise and resources required to carry out an attack, and the ability to mitigate an attack.</p><p>Three potential capabilities stood out to researchers as high-risk: recreating known pathogenic viruses, making existing bacteria more dangerous, and making harmful biochemicals via in situ synthesis. While the scenarios discussed in the report are unlikely or impossible today, they are expected to become more feasible as research—often conducted for beneficial purposes—continues.</p><p>"Some malicious applications of synthetic biology may not seem plausible now, but could become achievable if certain barriers are overcome," the report notes. These include knowledge or technological barriers.</p><p>"Since synthetic biology-enabled weapons might be unpredictable and hard to monitor or detect, DOD should consider evaluating how the public health infrastructure needs to be strengthened to adequately recognize a potential attack," the report states.</p><p>Michael Imperiale, a University of Michigan professor and chair of the committee that wrote the report, tells Security Management that while most of the results were predictable, there were threats that he had not previously thought of. Imperiale has studied the biology of viruses and their effect on biosecurity for more than 30 years and says that one of the highest-risk capabilities surprised him.</p><p>"Using bacteria to deliver chemical or toxins in situ—that's not something I'd previously thought of," Imperiale says. "As we discussed it, I think most of us became surprised at what the potential problems could be with that. It would be relatively easy to engineer, and how would we know?"</p><p>This capability involves a microbe that enters a person's gut and makes biochemicals out of the infected person's microbes. It is particularly sinister because it masquerades as a naturally-occurring pathogen—similar to e. coli—and would be extremely difficult to recognize as an intentional attack. </p><p>"Imagine we could engineer a bacterium to synthesize some toxic chemical, something that makes people ill, and somehow had a way to introduce that into a person's microbiome—their gut—in an organism, maybe by contaminating a food supply," Imperiale explains. "The person would get sick, and the signs and symptoms would be those of a chemical exposure, but the causative agent is an infectious agent. How do you treat that, and how do you deal with that from an epidemiological point of view in terms of preventing potential spread? And if you're looking for a chemical [in the infected person] but not finding it, what do you do? It presents a lot of problems. In effect what you've done is turned a biological organism into a chemical attack. You've blurred the lines between bio and chem."</p><p>Even if the suspect bacteria were identified, it would still be difficult to figure out where the attack originated and who was responsible. The other two high-risk capabilities pose similar challenges—the Canadian horsepox experiment was a textbook case of recreating a known pathogenic virus, Imperiale says, and modifying bacteria to make it more dangerous has a relatively low technological threshold. There are no tools in place that would deter or prevent the development of modified bacterial pathogens. </p><p>The report identifies several other potential capabilities that are of lower concern but are still notable for the type and span of damage they can cause. For example, while the current ability to develop a new pathogen is low, it can easily be weaponized—and in an especially insidious way. Pathogens can be created with never-before-seen features, the report notes, including the ability to target specific ethnicities. </p><p>"Such features include, for example, the ability to target specific tissues or cell types using genetic logic, or the ability to produce aberrant neurological effects," the report states. "Similarly, such pathogens could employ novel timing mechanisms, creating a delay between the time of exposure and the onset of symptoms."</p><p>Imperiale notes that this type of attack would be less effective in the United States due the diversity of the population. "But, obviously, there are other reasons someone might want to attack specific ethnic groups as opposed to an attack on the U.S.," he says.</p><p>While Imperiale notes that the focus of the report was emerging synthetic biology threats and not the government's ability to address them, an overarching recommendation is to build a framework to assess synthetic biology capabilities and their implications. To prepare for such threats, the government needs to strengthen its preparedness against existing, nonmalicious biological threats.</p><p>"The nation's experience preparing for naturally occurring diseases provides a strong foundation for developing strategies to prevent and respond to emerging biologically enabled threats, particularly those based on naturally occurring pathogens," the report notes.</p><p>"Even though we didn't go into mitigation capabilities, we talked about how some of the existing public health infrastructure can play a very important role here," Imperiale says. "It's primed to look for these kinds of things, and that can certainly help out."</p><p>Another recommendation suggests that the government should not rely so heavily on its Select Agents list, which notes potentially harmful bio-agents and dictates the possession, use, or transfer of them. </p><p>"Strategies based on lists…will be insufficient for managing risks arising from the application of synthetic biology," the report says. "While measures to control access to physical materials such as synthetic nucleic acids and microbial strains have merits, such approaches will not be effective in mitigating all types of synthetic biology-enabled attacks."</p><p>Indeed, the horsepox DNA used in Canada could be obtained legally because it is not on the list, and the report notes that one of the most high-risk biological capabilities—modifying bacteria—would render the list useless. "The Select Agents list and voluntary screening guidelines are not likely to be sufficient to deter or prevent the development of modified bacterial pathogens," according to the report. </p><p>"We're not telling the government to throw the lists away. We're saying it's not enough, and the question is, what do you do next?" Imperiale says. "Ideally, if I could create something, it'd be some sort of means for detecting when a DNA sequence is going to encode something harmful, and you could screen for that."</p><p>While the DOD-commissioned study focuses on emerging technology that could be used for nefarious purposes, biological warfare has been around for a long time. The Lexington Institute notes that the technology needed to deploy such weapons is readily available. "The precursors for chemical weapons—choking agents, blister agents, blood agents, nerve agents—are manufactured at thousands of sites around the world," the Lexington Institute report states. "The technology needed to edit or synthesize organisms so that they can be used to spread disabling disease is now widely available in global commerce, and inexpensive."</p><p>While international conventions have banned the manufacturing of chemical weapons, more than 30,000 chemicals can be used to manu­facture choking, blister, blood, or nerve agents—and many of those are manufactured commercially. "Sub­stances that might be turned into lethal tools of war are so commonplace in modern industry that diversion to illicit purposes is difficult to prevent," the report says. "The majority are dual-use chemicals produced at commercial sites that might be diverted to destructive ends." </p><p>The dual use problem creates a challenge for government and industry to monitor or stop the production of such commonplace substances or emerging technologies that can provide beneficial, meaningful advances in sciences. And, while many of the biological capabilities listed in the DOD-commissioned report still feel like science fiction, Imperiale says the effects may be all too real.</p><p>"It's hard to guess when someone might try to do this," Imperiale says. "On the other hand, if someone did it and were successful, you could imagine the implications of that. It's like a movie scenario, with a biological attack—and there's something about a biological attack that I think raises a special level of fear. It's something that might be able to spread and carry on, as opposed to someone blowing up a bomb. I think it is really something we need to pay attention to as a country, and as a world. I think the DOD is going to take this very seriously, and hopefully they will be able to take care of us." ​</p> ManipulationGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p></p><p>Chief financial officer Malcolm Fisher never thought he would be victimized by cybercrime—until a social engineer successfully impersonated him and bilked his company out of more than $125,000. </p><p>It was relatively easy for the criminal to identify Fisher as a high-value target given his key position within the company—his bio was readily available on the company website. And Fisher's social media profiles on Facebook, Twitter, and LinkedIn revealed several bits of information that marked him as a dream target for a diligent social engineer.   </p><p>Fisher frequently participated in poker tournaments and was not modest in describing his success at the table. He posted about attending an upcoming tournament in Las Vegas and catalogued his travel plans across social media platforms. Shortly after his arrival to Las Vegas, Fisher received a text message from what appeared to be the tournament organizer providing a link to the updated schedule. When he clicked on the link, nothing seemed to happen—but he had just unwittingly provided the social engineer with entry into his company-issued mobile device. </p><p>Knowing that the tournament started at 11 the next morning, the fraudster hijacked Fisher's email account and sent an urgent message at 11:15 a.m. to a colleague. The email—supposedly written by Fisher—instructed the employee to immediately wire $125,000 to a vendor, noting that he would be out of touch for several hours because he was attending the tournament. </p><p>The employee, never questioning his boss's instructions, immediately processed the wire transfer. While Fisher left Las Vegas very pleased with his tournament winnings, he soon learned that he was the one who got played.   </p><p>This scenario is not unusual. With more focus than ever on enterprise cybersecurity and preventing data breaches, many executives believe that technology alone provides sufficient protection against such threats. </p><p>But sophisticated threat actors—whether they be nation states, criminals, activists, or disloyal competitors—will frequently target the most significant vulnerability found in most organizations: the human factor. The interaction between human beings and the technology meant to protect the organization is frequently referred to as the weakest link in security.</p><p>The most common method used by these threat actors to exploit the human factor vulnerability is social engineering. In fact, according to the 2018 Verizon Data Breach Investigations Report, more than 90 percent of successful security breaches start with some aspect of social engineering.  </p><p>Social engineering is the skillful manipulation of organizational insiders to undertake certain actions of interest to the social engineer. Insiders are not only employees of the organization—they include anyone who may have unescorted access into a target organization, including service providers such as the guard force, cleaning crews, catering companies, vending machine stockers, maintenance contractors, and more.</p><p>Greater awareness and insight into this process provides a better opportunity to mitigate the risk of social engineering attacks.   </p><h4> Collecting the Data</h4><p>Prior to launching any type of attack against the target, a professional social engineer will spend time collecting available open source information. While such collection may be from a variety of resources, the most frequent medium is simple online research. </p><p>Almost every organization has a website with information about the company, its products and services, executive profiles, press releases, contact information, and career opportunities. <br></p><p>While all such sections may provide useful information to a social engineer, executive profiles—which often contain full names, titles, pictures, and a brief biographic sketch—provide considerable insight into key insiders and where they fit into the organizational structure. </p><p>Career opportunities, along with company contact information, provide exploitable details and a portal through which a social engineer may seek direct or indirect contact with the organization.        </p><p><strong>Job postings and reviews. </strong>Whether posted on the organization's website or advertised on online job boards, job postings can provide a wealth of information. At a bare minimum, such postings will usually reveal the basic preferred IT qualifications sought from an applicant, providing valuable insight into the operating systems and software programs the organization uses. The job description might also provide insight concerning potential expansion of the organization, whether it be geographically or through a new product or service.  </p><p>With a job posting, an organization is inviting contact with someone from the outside. It provides social engineers an opportunity to electronically submit a cover letter or resume—either directly through human resources or to someone else within the organization chosen by the social engineer to forward the resume onward. The email, along with attachments, can be a medium to introduce malware into the target's system. </p><p>While less frequently exploited, such job postings can also create opportunities for social engineers to interview with the employer and elicit sensitive information. </p><p>Employer review sites such as Glassdoor can provide useful workplace insights posted by employees. These reviews inform the social engineer about the pulse regarding the morale within the organization. Generally, it is much easier to manipulate a disgruntled employee than someone who is happy and loyal to his or her employer.  </p><p><strong>Social media and search engines</strong>. While an organization may aggressively use social media to help promote their products and services, an unintended consequence can be the leakage of exploitable information. </p><p>Employees often upload photographs of themselves and coworkers in the workplace, revealing information about physical workspaces to include actual floor plans, office configurations, security system hardware, IT systems, employee badges, or employee dress. Much of this information can be extremely useful if planning an actual physical intrusion into the company.    </p><p>Creative Google searches will take the social engineer well beyond the most popular entries surfaced regarding the organization's name. </p><p>For example, a simple yet creative search of the company's name and the words "pdf" or "confidential" may surface documents such as employee manuals, employee benefit packages, IT user guides, or contracts. These searches can identify companies subcontracted by the target company for services such as janitorial, trash disposal, security, catering, or temporary staff. </p><p>A search for public court records will provide access to nationwide criminal and civil court documents. These documents will frequently contain operational details regarding the target company or officials that the company would have preferred to maintain confidential.  </p><p>A common misconception regarding the Internet is that once a company has deleted or modified information previously contained on its corporate website, the original information is no longer available. This is false. </p><p>The Wayback Machine is a digital archive of the World Wide Web and enables users to see archived versions of web pages as far back as 1996. Even if an organization's new security director decided to remove potentially sensitive information from the entity's website, the social engineer can attempt to use the Wayback Machine to retrieve it.  </p><p>Sites such as Google Maps help the social engineer virtually conduct reconnaissance—if the social engineer considered launching an intrusion into target offices, he or she would want to learn as much as possible about access points, access control including badge readers or other access systems, surveillance cameras, and guards. </p><p>The social engineer could also use the maps to identify businesses near the target location that employees may frequent and orchestrate a run-in, resulting in a onetime casual conversation with an employee to carefully gather information not available via open source. It could also be an opportunity to develop an employee for use as a future insider source. </p><p>A second potential objective for the reconnaissance is the identification of locations in the vicinity that make deliveries to the target's office, such as flower shops or restaurants. With this information in hand, the social engineer may decide to impersonate someone making a delivery to obtain unescorted access onto the premises. </p><p><strong>Insiders. </strong>Beyond collecting information on the organization, social engineers also target insiders in these entities. There could literally be several thousand employees in a medium to large organization, but the social engineer only needs to collect useful data on one or more well-placed individuals. </p><p>He or she will want to know as much as possible about targeted insiders' personal and professional backgrounds, as well as an indication of what their motivations may be. With this information in hand, the social engineer can better manipulate them.  </p><p>The most common starting point for data collection on insiders is through social media sites. While there are hundreds of such sites bringing together more than 3.3. billion users, social engineers will typically use sites providing the most prolific information.   </p><p>Facebook can be used to find pictures of a targeted insider and their network of contacts. Here one can learn where the targets live, their age and birthdate, where they went to school, their hobbies and interests, and past and future travel plans. When faced with a target who may enact privacy settings, the resourceful social engineer will turn to the accounts of the target's spouse or children that may lack such privacy settings.    </p><p>Twitter can provide play-by-play action of where the target is and what they are doing at that moment. And on LinkedIn, a social engineer will learn about the target's professional, academic, and work profile; professional interests; and network of contacts.​</p><h4>Manipulating Targets</h4><p>Social engineers use four types of attack vectors to scam companies out of money, intellectual property, or data.</p><p><strong>Phishing. </strong>Phishing currently represents more than 90 percent of all social engineering attacks. This includes typical spam emails requesting that the recipient click a link or open an attachment embedded in the email, which could lead to the downloading of malicious tools that could potentially compromise the recipient's computer, if not the entire IT network. </p><p>While such emails do not target specific people and are literally sent out by the thousands, even a small percentage of recipient victims who click on the link may provide the sender with a viable return on investment. </p><p>Professional social engineers will use spear phishing, which effectively tailors the email to a specific target leveraging information previously gleaned from data collection. This will greatly enhance the likelihood that the chosen target will click on the link or open the attachment. </p><p>Another variation would involve the social engineer creating a fictitious LinkedIn account and engaging the target on a specific issue. If the target has a tendency of not accepting invitations from unknown individuals, the social engineer will first invite the target's peers to connect. Then, when the target sees that several of his industry peers are already connected to this fictitious profile, he will also likely accept. </p><p>Once successfully linked, the social engineer will exchange a few emails with the target, leading to one hosting the link or attachment containing the malware. As their previous exchanges have likely resulted in the building of rapport and trust, the target will likely fall vulnerable to the attack.    </p><p><strong>Smishing. </strong>This technique is similar to phishing, but instead of using email as a medium to deliver the attack, the social engineer will send a link or attachment via text message. The result is the same. While smishing is not yet as common as its phishing cousin, it is expected to begin mirroring trends in mass marketing, which is moving more and more to SMS due to the high open rates.  </p><p><strong>Vishing.</strong> For professional social engineers, vishing can be fun and exhilarating. While requiring a little more skill, vishing is typically much more effective than the previously mentioned techniques. Here the social engineer will telephone the target using any one of several ploys or pretexts. To increase credibility, the social engineer will spoof the call and manipulate the caller ID seen on recipient's end.  </p><p>Say a social engineer wants to collect protected information regarding the status of a new product at a target company headquartered in Chicago. Posing as a new assistant to the company's vice president of operations, the social engineer will call the operations manager for one of the target firm's laboratories in Los Angeles. </p><p>To add credibility, the social engineer will spoof the call, making it appear as though the telephone number is from the vice president's Chicago office. She will state that the vice president is making final preparations for a meeting about to take place and urgently needs updates on the product's rollout date and expenditures compared to budgeted figures. As the request appears to be genuinely coming from someone in a position of authority, combined with urgency, the social engineer will likely be successful. </p><p><strong>Direct intrusion. </strong>While considered the most difficult of the four techniques to execute, this is usually the most successful. It involves face-to-face interaction with the target. </p><p>The social engineer can choose from a variety of pretexts for attempting this contact, including posing as someone with an appointment inside of the building, IT support, a fire inspector conducting a survey, or a member of contracted service providers. </p><p>The social engineer could easily pose as someone making a delivery of a package requiring the recipient's signature, even going so far as to procure a FedEx or UPS uniform online. After reviewing the identified locations near the target facility, the social engineer could also pose as someone making a delivery of flowers, office supplies, or fast food. </p><p>Once inside the facility with unescorted access, the social engineer may emplace listening devices in conference rooms or keyboard loggers to capture specific information, such as network usernames and passwords. </p><p>How difficult would it be for a social engineer to leave several thumb drives around the premises marked "Confidential Payroll?" Betting on the nature of human curiosity, the social engineer would expect that at least one of the employees would find and insert one of the drives into the computer, hoping to see what compensation others are receiving in the company. When they do, the social engineer is successful in uploading malicious files, potentially compromising the network.  </p><p>Another successful ploy involves the social engineer posing as an executive recruiter. Without a need to divulge the name of a specific client, the "recruiter" can directly contact the target insider, saying that they were impressed by the insider's professional background as seen on LinkedIn and believe that the target may be a great candidate for an attractive position they are trying to fill. </p><p>Feeling nothing to lose, the target will frequently allow the social engineer, either over the telephone or during a personal meeting, to elicit considerable information regarding the target's own background, as well as confidential information regarding current and past employers.        </p><h4>​Influence Techniques</h4><p>Perhaps the main character trait that makes humans so vulnerable to a social engineering ploy is the tendency to blindly trust everyone, even people they do not know. This blind trust can be fatal to an organization's security posture. It is this trust that makes it easy for social engineers to convince their victims that they are whoever they pretend to be.  </p><p>In addition to leveraging trust, professional social engineers will also exploit any number of influence techniques. As victims are more likely to assist someone they find to be pleasant, the social engineer will attempt to develop strong personal rapport prior to making the request. Similarly, if the social engineer conducts a significant courtesy or kind deed for the victim, the target will often feel a strong sense of obligation to reciprocate by performing a deed for the social engineer.  </p><p>Victims are more likely to comply if they believe that the request is coming from someone in authority, or if the social engineer pressures the target by implying that refusing to assist will be seen by others as socially unacceptable. Another tactic involves the social engineer asking for something that the victim initially finds implausible to comply with. The victim will subsequently agree to comply with a request from the social engineer which appears to be meeting halfway. </p><p>The social engineer may also take advantage of the perception of scarcity, putting pressure on the victim to make a quick decision as the perceived window of opportunity for the victim is about to close.  ​</p><h4>Mitigating Attacks</h4><p>There are basic measures that can significantly lower the risk that an organization will be victimized. </p><p>First, the amount of unnecessary, yet exploitable, data about organizations that can be found online needs to be minimized. In addition to establishing clear policies regarding what employees can post online regarding the organization, there must be someone responsible to periodically scan key sites to ensure compliance. The more data available to social engineers, the more likely the organization will be on a list of targets. </p><p>While unenforceable, this same practice should be encouraged among the organization's employees regarding the personal information they post on social media.      </p><p>A second measure is establishing social engineering awareness training within the organization. Such training will sensitize employees to recognize potential social engineering attacks and what specific actions they should take. </p><p>Warning signs of a potential social engineer at work may involve a caller refusing to give a callback number, making an unusual request, or showing discomfort when questioned. Employees should also take note if a caller makes claims of authority, stresses urgency, or threatens negative consequences if the employee doesn't act. And if a caller engages in name dropping, flirting, or complimenting, that could be a red flag as well.</p><p>Once alerted, employees need to know what actions to take—simply not complying with the social engineer's request is not enough. Organizations need to have a system in place where the employee can promptly bring such attacks to the attention of security, via incident reports.  </p><p>Employees need to receive this type of training on a periodic basis, ideally annually. To be truly effective, the training should be accompanied by social engineering penetration testing, which mimics potential ploys used by threat actors to breach the organization's security. </p><p>By conducting a social engineering awareness campaign, employees will remain alert to such threats and undertake appropriate actions, thereby decreasing existing vulnerabilities. </p><p>In all interactions—whether via email, text, over the phone, or in person—employees must first verify that the person is who they say they are and that they have a legitimate request. Remember this slogan: verify before trusting. n</p><p><em>Peter Warmka, CPP, is director of business intelligence for Strategic Risk Management and an adjunct professor for Webster University's cybersecurity masters program. He is a frequent speaker on social engineering threats at conferences for trade associations and wealth management advisory firms. Warmka is a member of ASIS International.</em></p>|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Roughly 42 million U.S. employees, or more than one in four workers, will leave their jobs this year to go work for another company, according to the recently released 2018 Retention Report: Truth and Trends in Turnover.</p><p>It doesn't have to be this way. "More than three in four employees (77 percent) who quit could have been retained by employers," write the authors of the study, which was conducted by the Work Institute using data from more than 234,000 exit interviews.</p><p>Turnover trends such as these are compelling many companies and managers to up their games when it comes to their employee retention strategies. And through better retention, these firms are hoping to avoid the high costs of turnover. For example, the retention report finds that U.S. employers will pay $600 billion in turnover costs in 2018. Companies can expect that annual cost to increase to $680 billion by 2020, according to the study. </p><p>But achieving success in retaining talent can be challenging for another reason: the current labor market, which by historic standards is in a very tight, low unemployment phase. In early June, the U.S. Labor Department announced that, for the first time on record, jobs outnumbered job seekers. </p><p>"We now have more jobs than people to do them, which means our labor [shortages] are going to get worse," Society for Human Resource Management (SHRM) President and CEO Johnny C. Taylor said in his opening address at the SHRM 2018 annual meeting in Chicago.</p><p>That development is a "really alarming" one for organizations who are trying to retain talent, says Gabriel Stavsky, a talent management consultant with Retensa Employee Retention Strategies. "Think about the implications of that. Employees will have that upper hand," Stavsky says.  </p><p>Why do employees leave? According to the Retention Report, the three top specific reasons for employees to leave jobs in 2017 were career development (21 percent), work-life balance (13 percent), and manager behavior (11 percent). Experts say these reasons all fall under one broad umbrella reason of why employees leave companies: their employer is not meeting their expectations and needs. </p><p>Armed with this knowledge, managers can strengthen their retention strategies and efforts and retain more employees by focusing more on the needs and expectations of the workers. Some best practice guidance on how to do this follows.  ​</p><h4>Retention Starts Early</h4><p>Most experts agree that retention efforts should start on day one, and this makes the onboarding process crucial to retention success—and, sometimes, a predictor as to whether the employee will be short-term or long-term. Yet only 12 percent of U.S. employees strongly agree that their company does a good job of onboarding new employees, according to a Gallup poll released last year. </p><p>Successful onboarding should accomplish three things, according to Gallup workplace consultant Robert Gabsa: employees learn what makes the company unique, employees learn exactly how their jobs help fulfill the company's mission, and employees experience the mission and values of the company. "Employees yearn to feel connected to their roles, colleagues, managers, and companies," writes Gabsa in a recent article for "By creating better experiences in the onboarding phase, companies can build these emotional connections early in the employee journey."</p><p>Given this, the onboarding process should be a two-way one, says Amy Hirsh Robinson, a principal with Interchange Consulting Group who discussed retention strategies recently in a presentation at SHRM 2018. Managers should communicate the company's story and accomplishments to new employees, but they should also focus on the new employee by communicating how his or her skill sets and work accomplishments will help the firm. </p><p>But this is where many firms fall down, says Robinson, who has worked with many large companies on onboarding issues and observed a common trend in those assignments. Companies are often good at telling their own story, but a continual focus on the company makes the employee feel left out–especially younger workers who want to be recognized. "None of the companies focused on the new employee as an individual," she says. "It was falling flat, especially on the Millennials."</p><p>So, Robinson recommends a different approach: early in the onboarding process, managers should sit down with new employees and discuss their background and previous experiences, and how those may fit in to their current job and the organization's mission. "Companies need to connect the employee to the organization's mission or purpose and demonstrate how that employee personally impacts the brand or customer experience," Gabsa writes. "Feeling like your job matters is an underrated aspect of performance."</p><p> Some firms that pride themselves on best practice onboarding will even have managers sit down with the employee and draft a sample career path, based on the employee's future goals. "The employees are so appreciative," Robinson says. And managers can supplement this career path exercise by relating examples of former employees who held the same position as the new employee and went on to have a successful career, she adds. </p><p>Robinson also advises managers to give new employees meaningful work as early as possible; this shows trust in their abilities and engages them from the start. And managers should not simply rely on organizational charts to explain work flow and reporting structures. Instead, they should try to explain the unwritten rules and process quirks regarding how things work.</p><p>On a more granular level, managers should make the effort to ensure that common onboarding pitfalls are avoided, Robinson says. Orientation sessions should not be overloaded with detailed policy information. She cited one company that held a four-hour orientation session that consisted almost exclusively of policy and benefit information discussed in excruciating detail. "It felt so penalizing to the new employees," she says. Instead, companies should try to communicate policy details through online or printed materials and focus on overviews during in-person meetings.   </p><p>Another common pitfall is not having a clean work station ready for the employee on the first day, Robinson says. "It happens all the time," she says. Finally, managers should not assume that what worked for them when they were hired will work for all new employees. Some new employees prefer a more hands-off "sink-or-swim" approach, while others like to be more actively guided, so managers should tailor their approaches to whichever style will work best for the employee.   </p><h4>Culture, Connection, Contribution</h4><p>Let's say that a new employee emerges from a successful onboarding process and continues to work for the organization. Company leaders and managers should continue to focus on the employee's needs and expectations to maximize the firm's chances of retaining the employee.  </p><p>However, these needs and expectations change across the lifecycle of the employee, Stavsky says. "At two weeks, they are different from what they will be at two years," he explains. </p><p>Workers from different generations sometimes have different needs, says Jo Danehl, a retention expert and global practice leader with Crown World Mobility, an international management consulting firm. "Elder Gen X employees are often driven by stability and financial security," Danehl says. "However, in my experience, I see Gen Y to be more interested in company qualities like its approach to corporate social responsibility (CSR) and global citizenship, while also highly focused on their growing career path. </p><p>"We're still getting to know the younger generations, but they're adding elements like purpose, communication, and overall experience," she adds. "Finding the right balance to each one of these motivations is key to a sustainable culture."</p><p>Indeed, many if not most experts cite company culture as a key factor in retaining talent by successfully meeting an employee's expectations and needs. However, exactly what constitutes a company's culture can be hard to define. "Culture is one of those catchall terms, a nebulous term for the feel and experience of working somewhere," Stavsky says.  </p><p>A company's culture is created through experiences that employees have with peers, managers, and executives. And maintaining a positive employee experience is highly effective retention strategy, says Greg Stevens, an industrial/organizational research consultant with Globoforce. "The key to that is a more human workplace," explains Stevens, who also spoke at the SHRM 2018 conference. And culture is one of the three pillars of a more human workplace, with connection and contribution being the other two, he adds. All three pillars support successful retention. </p><p>Connection, the second pillar, is supported in two ways. One is through positive and productive relationships with coworkers, Stevens says. The other involves work-life balance, so that the employee is not overwhelmed by work but stays connected with his or her life outside of work. This means that job responsibilities cannot be 24/7; there is enough flexibility to "offer chances to recharge and disconnect," he explains. </p><p>Thus, even meaningful work done in a workplace with a positive culture can become too all-consuming, and this can work against retention efforts because the employee may look for a position that offers more time for personal matters. "We all have lives outside of work," Stavsky says. "You want to have balance, and the autonomy to live it effectively."</p><p>The third pillar, contribution, can be supported by careful efforts by management to find out where an employees' abilities are especially strong, and then to make good use of them. "To retain talent, a company has to identify and capitalize on the skills of its talent," Danehl says. "It is critical to articulate skills…and show that the contribution is valued."</p><p>However, sometimes managers fail to do this because they are fixated on improving what they consider to be the weaknesses of the employee. "Let's think about how we develop talent. A lot of focus is put on areas for performance improvement, while the areas of strength remain largely untouched," Danehl explains. "How much better would it be for both employee motivation and retention to leverage employee skills—which are, after all, why they were probably hired in the first place," she says.​</p><h4>Power Should Seek Truth</h4><p>Another key factor in effective retention is opportunity, experts say. Employees need opportunities to grow as an employee and opportunities to advance their career.   </p><p>Danehl says that all thriving company cultures boast two attributes—effective leadership and opportunity. "Retention will suffer if these two qualities are not positive, present, and evident in the workplace," she explains. </p><p>In Robinson's view, once a career plan has been sketched out for an employee, managers should continually help the employee support it by assigning them to strategic projects or rotations and giving them opportunities to showcase their ideas via new platforms. "Train your managers to be good career developers," Robinson says.</p><p>Finally, the Retention Report finds that effective employee retention strategies must be built on accurate knowledge and understanding of employees needs and expectations. "Employers must not limit the extent to which employees can express their ideas, preferences, expectations, and intents," the authors write.</p><p>This means that managers and company leaders should "ask for feedback in a way that brings out the truth," according to the report. So, employees should not only be asked to rate aspects of their job and the workplace on a numerical scale of 1-10. They should also be asked why they rate as they do, what improvements they would like to see, what is important to them, and more. </p><p>"All managers and companies should know why their employees join, why their employees stay, and why their employees leave," Stavsky says.  ​ ​</p> 2018 ASIS NewsGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<h4>​An Experience Like No Other</h4><p>In the first year of its rebrand following a 63-year history as the ASIS Annual Seminar and Exhibits, Global Security Exchange (GSX), the security industry's flagship event, is set to open its doors later this month. Thousands of security professionals, allied partners and organizations, exhibitors, media, and thought leaders will gather at the Las Vegas Convention Center September 23–27 for an event unlike any other in the industry.</p><p>All aspects of the event have been revamped and revitalized, and GSX is already exceeding records from previous events. GSX education features a record 300+ sessions. The allied partners program unites nearly three dozen organizations to advance security best practices. Record numbers of media representatives have already registered. And, the expo hall—home to thousands of security products, technologies, and service solutions—will be transformed into a learning lab environment. </p><p>"We have completely re-engineered GSX to provide more opportunities for security practitioners, solution providers, students, military, and first responders to learn and engage with each other and our partner community," says Richard E. Chase, CPP, PCI, PSP, 2018 president of ASIS International. "From Career HQ and the International Trade Center to our three theaters of education and live demos, attendees will find tremendous value in our immersive, engaging, and informative expo hall." </p><p>Monday, September 24 will feature </p><p>a full day of education. The expo, which takes place September 25–27, will include: </p><p>•             Three X Learning Theaters  </p><p>X Stage—features programming focused on leading-edge technologies including blockchain and cryptocurrencies, AI, drones and robotics, social media, and the digital self; </p><p>Xcelerated Exchange Stage—provides a forum for discussions between practitioners and solution providers to address the current and future security landscape; and</p><p>Xperience Stage—showcases case studies and other tried-and-true best practices that address challenges facing practitioners across all sectors including active shooter scenarios, bullying in the healthcare industry, and risks associated with hosting a public event at cultural institutions. </p><p>•             Career HQ, with new career fair and enhanced career center learning.</p><p>Attendees looking to strengthen their professional profiles will have access to résumé reviews, a headshot studio, career coaching, professional development sessions, and networking opportunities with employers and peers. The new career fair, taking place September 26–27, will have top organizations looking to hire talent, such as the U.S. Department of Homeland Security and Apple. </p><p>•             GSX D3 Xperience (Drones, Droids, Defense)</p><p>Supported by Association for Unmanned Vehicle Systems International, GSX D3 Xperience will deliver an immersive learning experience focused on the impact of unmanned systems on the security industry. Education and demos will showcase the emerging technology around the use of drones, droids, and counter-UAV defense systems. </p><p>•             Innovative Product Awards Showcase</p><p>The 2018 Innovative Product Awards highlight the new products and services on the GSX show floor that are poised to disrupt the security marketplace. Look for more details on these products and services in the show guide and mobile app. </p><p>In addition to these features, the exhibit floor will house an International Trade Center and the ASIS Hub, which includes access to ASIS council representatives, live streaming interviews, and fireside chats.</p><p>"There is no other event that compares to what GSX is offering this year in terms of education, networking, and marketplace, and we're just getting started," notes Chase. "We will continue to evolve and grow GSX in the years ahead as a part of our new brand promise to unite the full spectrum of security professionals to create the only global 'must attend' security event."</p><p>There is still time to secure a free expo-only pass. Visit to view registration options. Can't make it to Las Vegas? Global Access Live offers access to a full track of education and keynote remarks. In addition, keep up with livestream interviews from the expo hall and read show headlines at or by following #GSX18 on social. </p><h4>ESRM in Action</h4><p>In 2016, ASIS made enterprise security risk management (ESRM) an organizational priority and has begun infusing this management philosophy into all the Society's programs and services. In the months ahead, we will provide updates, as well as showcase how members are implementing ESRM in their organizations. <em>By Tim Wenzel, CPP</em></p><p>I entered the security industry as a paramedic transitioning into protective security services. In the medical field, treatment plans are constructed to treat the patient's current condition while predicting the expected outcomes and complications. As you initiate treatment, you also prepare for the outcomes while documenting any variances from the plan. Progress is made by studying these variances to understand why they happen.</p><p>As I got started in the security profession, I couldn't understand a few things. </p><p>1.            Everything was done to handle the here and now. Contingencies were always planned for, but not outcomes. Outcomes were expected to be good, and when they weren't, they were bad. There were no degrees of success or concrete reasoning for failure.  </p><p>2.            Security operations were based on "the way security is done." There is a way. When you do not do it that way, the protection of assets could not be guaranteed.</p><p>3.            Success, failure, and change orders always came from "the client." We weren't allowed to speak with "the client," but they were not happy and wanted things done in a certain manner. </p><p>As I began to design my security plans, I was often told, "You're doing it wrong. We don't work this way." As I asked questions, I became unpopular with many in leadership. </p><p>I concluded that there are three main problems with the security industry: lack of vision, lack of understanding, and lack of meaningful feedback. Together, these lead to inconsistency and frustration. When frustration is the theme of each day, policy is written by knee-jerk reactions.</p><p>Then, in 2013, I was hired as a management-level consultant. My boss told me that we were not going to make these mistakes with this client. We would build a strategic program that was tailored to the needs of this company by establishing open dialogue with the business. On top of that, we would create metrics that made sense to the company.</p><p>Several months later I acquired a mentor who began to put a name and definition to the things I had been trying to accomplish: enterprise security risk management, or ESRM.</p><p>I've been practicing ESRM principles in the programs I've built over the last five years. While I don't lead a global security organization, I recognize how to design real business value into the security programs I create. Programs must address business pain and deliver clarity back to the business leaders. The business should better understand its risk portfolio based on your work.</p><p>So how can you start your ESRM journey? </p><p>Ask these questions: Why are we doing these things? How can we do them better? Who are the business leaders that I am providing this service for? Talk to them about their experiences with your programs. Discuss opportunities to make that experience better. Implement. Repeat.</p><p>Tim Wenzel, CPP, is program manager, special projects at Facebook.​</p><h4>CSO Breakfast Tour</h4><p>By Michael Gips, CPP</p><p>How does a company deal with an active assailant when the open office offers no place to hide? What challenges do cryptocurrencies pose for financial firms? What can be done to protect the supply chain? And how can NGOs and other organizations battle corruption in developing countries?</p><p>These are just a few of the many concerns and challenges that have surfaced in breakfast sessions held in cities around the world by the CSO Center for Leadership and Development for members and eligible prospects. Beginning in April in London, these get-togethers have encouraged security executives to surface and discuss security and business trends and developments and what "keeps them up at night" in a friendly atmosphere. The events have also served as a listening tour for staff to learn how the CSO Center can better support its constituents and add value to the membership. Attendees also learn about new initiatives at headquarters, including the development of a certification for employees new to security, a curriculum for career pathing, an emerging new membership model, and refreshed CPP study materials.</p><p>Since the original breakfast at The Wolseley in downtown London, other events have been held in Atlanta, Seattle, San Francisco, Madrid, Los Angeles, Chicago, and Minneapolis—the latter in the form of a breakout session at the CSO Summit at Target Plaza Commons. Participation so far has been capped at about a dozen participants to keep everyone involved and active.</p><p>Forthcoming events are being scheduled for Philadelphia, Silicon Valley, and elsewhere. The CSO Center is looking at partnering with a sponsor to host other CSO events—breakfasts, lunches, receptions, and so on—that bring in thought leaders as speakers, then evolve into organic conversations about security matters.</p><p>Breakfasts so far have yielded vibrant discussions on all manner of security, business, leadership, and management issues. They have also given members and prospects the opportunity to request resources from the CSO Center, including refreshed policies and procedures, summaries of benchmarking surveys, data and presentations that can be used to present to the C-suite, and continued executive development training and resources.</p><p>CSO Center members who would like to bring an event to their area may contact Manuela Turner at </p><p><em>Michael Gips, CPP, CSyP (Chartered Security Professional), is chief global knowledge and learning officer at ASIS International.​</em></p><h4>School Safety and Security Council Spotlight</h4><p>ASIS School Safety and Security Council Chair Mark Berger was a middle school student when the Ma'alot massacre in Israel resulted in the loss of 25 lives at the Netiv Meir Elementary School. "I remember sitting in class, thinking about what I would do if someone came through the door to my classroom with a machine gun, and how I would try to escape or ensure my personal safety," he says. "I hadn't thought about it for quite some time, but hearing stories of students in Parkland and other recent events reminded me of the effect an event like this has on students and their ability to learn."</p><p>Creating safe and secure learning environments where students, faculty, and staff can excel is at the heart of all the ASIS School Safety and Security Council does. Comprised of experts with deep public and private-sector school security experience, the council delivers education, develops industry best practices, and provides a community of expertise that ASIS members can draw on year-round. Whether school security is your primary job responsibility, you're providing consulting services to a local school, or you oversee a major metropolitan campus, the council is here to provide the insights, education, and professional network needed to achieve your goals.</p><p>This summer, the council launched a webinar series led by Council Vice Chair Jason Destein that provided strategies around preventing the next school shooting, soft-target protection, and security for after-school/out-of-school time. The recordings are available online and accessible at any time. In addition, council white papers cover topics from active shooters to bullying to school bus safety.</p><p>Council members have a full agenda at this month's Global Security Exchange (GSX) in Las Vegas. On Friday, September 21, council member Rick Shaw will deliver remarks at the 2018 School Funding Competition ceremony at Miley Achievement Center in East Las Vegas. A video with event highlights will be available online. </p><p>In addition, the council will sponsor four education sessions at GSX, including "Creating a Realistic Active Shooter Response Training Program," "School Emergency Preparedness Using a Tabletop Exercise," "Countering Violent Extremism: Why and How Do People Radicalize," and "All-Hazards Risk Tabletop Exercise Development." And finally, as part of Security Cares, the ASIS free community safety and security program at GSX, several council members will participate in a school security panel session on Tuesday, September 25, that will be livestreamed from the expo hall. Topics to be discussed include prevention, active assailant, event response, and more.</p><p>GSX attendees are encouraged to stop by the ASIS Hub on the show floor to connect with council representatives and learn more about current and upcoming activities and how to get involved.</p><p>Berger invites all practitioners with an interest in school security to join. "Our council is a sounding board for various ideas and perspectives," he says. "We're happy to welcome all worker bees who are dedicated to helping us share best practices, react to the latest developments, and create safe and secure learning environments."</p><p>To learn more about the council, search "School safety and security" on and ASIS Connects.​</p><h4>ASIS LIFE MEMBER</h4><p>ASIS congratulates Stephen L. Huss, CPP, and Paul Stewart Barker, CPP, on becoming Life Members. </p><p>Huss is an active member of the San Fernando Valley Chapter, where he served for many years as the chapter certification representative, chapter law enforcement liaison, and chapter secretary. He has been a dedicated member of ASIS for 30 years. </p><p>Barker was honored for his many contributions to the United Kingdom Chapter, and he was instrumental in bringing ASIS to the United Kingdom and forming the UK Chapter in 1993. He also helped bring ASIS certification to the country, and he mentored more than 100 CPP candidates. He has served as the chapter's certification representative and is a member of the advisory council that supports the chapter's senior leadership. Barker was awarded the Mervyn David prize in 2003 in recognition of outstanding contributions to the UK Chapter.</p> in Violence PreventionGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​It has happened at an outdoor concert in Las Vegas. A work meeting in San Bernardino, California. A nightclub in Orlando. A high school in Parkland, Florida. A church in Sutherland Springs, Texas. An elementary school in Newtown, Connecticut. A movie theater in Aurora, Colorado. An Army base in Fort Hood, Texas. A college campus in Blacksburg, Virginia. And a newsroom in Annapolis, Maryland.</p><p>We can't forget Umpqua Community College in Roseburg, Oregon; the Emanuel African Baptist Church in Charleston, South Carolina; the U.S. Navy Yard in Washington, D.C.; an adult school classroom in Binghamton, New York; a restaurant in Killeen, Texas; a McDonald's in San Ysidro, California; post offices in Dana Point, California; Edmond, Oklahoma; Escondido, California; and Royal Oak, Michigan; a law office in San Francisco; and a beauty salon in Seal Beach, California.</p><p>The first modern-day mass shooting in the United States occurred in 1966 when Charles Whitman killed 16 people and wounded 30 with a rifle from the clock tower on the University of Texas (UT) Austin campus. His murder spree remains one of the top 10 deadliest active shooter attacks in the United States. And active shooter incidents are on the rise—a new FBI report found that 2017 saw the most incidents and most people killed in any one year since 2000.</p><p>Active assailant events have killed too many people to still refer to such workplace violence, school campus violence, or mass shootings in public places as rare. But while horrific incidents in the last several years make the news and keep police, politicians, parents, business owners, and employees awake at night, recall that this has been going on since Whitman fired that first shot from the UT clock tower so long ago. What has happened then will certainly happen again, despite the best efforts of law enforcement responders and security professionals around the country and internationally. These cases deeply scar the cities, schools, campuses, and communities where they happened, forever. The anniversary dates get further and further out as the years and even the decades pass, but no one associated with these events ever forgets. </p><p>How safety and security officials plan for and respond to these incidents, though, has continuously evolved over the decades, and will continue to do so as new research, best practices, and lessons learned are adopted.</p><p>Ticking bombs. Defusing Violence in the Workplace—which the author co-wrote in 1994 with then-San Diego Police psychologist Dr. Michael Mantell—was one of the first business books on active shooters. The book set out a 21-step profile of a potential workplace shooter based on many of the cases that happened up to 1994—usually at U.S. Post Office facilities. The postmaster general at that time even wrote the foreword for our book, showing how attached experts were to the idea that workplace violence was mostly committed by white males in their 30s to 50s, with a military history and access to guns. </p><p>However, it soon became clear how wrong these profiles were. The April 1999 Columbine High School shooting changed collective thinking away from the focus on profiles toward the current emphasis on preattack behaviors and information leakage to third parties about the attackers' preferred targets and plans.</p><h4> Evolving Perceptions</h4><p>For threat assessment experts and security management professionals, the shootings that took 13 lives at Columbine High School were the equivalent to the 9/11 attacks—they completely changed the thinking about how to respond to these types of events. Much like the United States' post-9/11 terrorism fight around the world, engaging an active shooter on sight became the new normal post-Columbine.</p><p>Law enforcement had to change its tactical response to what were now being called active shooters, because at Columbine there were multiple perpetrators who were not there to take hostages and make demands, but to kill others and then themselves. Security experts will never forget hearing recordings of shots fired and the anguished cries inside those buildings as the officers on scene followed their usual protocol: set up a perimeter and wait for the SWAT team to arrive. </p><p>Columbine taught security practitioners about preattack behaviors, the leakage of information by the perpetrators, and the need for arriving police officers to respond quickly, form into tactical teams, and use whatever firearms they had to enter the building and stop the attackers. This model has become standard police procedure for active shooters and mass attackers at schools and businesses in the United States.</p><p><strong>Research and models. </strong>Two U.S. Secret Service (USSS) reports—Protective Intelligence and Threat Assessment Investigations from 2000 and the 2004 Safe School Initiative, authored by USSS Supervisory Special Agent Bryan Vossekuil and psychologists Dr. Robert Fein and Dr. Marisa Reddy—have contributed immensely to the understanding of planned attacks against protected targets, workplace violence, and school violence prevention. These two comprehensive reports should be studied by every security practitioner who faces the potential for violence at their facilities. </p><p>Protective Intelligence and Threat Assessment Investigations was also known as the Exceptional Case Study Project (ECSP) because it focused on data from assassinations of political figures as far back as Abraham Lincoln in 1865, as well as research into school and workplace violence attacks and interviews of surviving political assassins and school and workplace attackers in prison. </p><p>The ECSP laid out the concept that some people make threats and some people pose threats. There should be more focus on people who pose threats and less on those who just make verbal or written threats, because the presence of such threats is not the best indicator of a pending attack. The ECSP also discussed the idea that people who engage in lethal violence often engage in third-party leakage—they warn other people such as coworkers, family members, or students of their plans, but not the targets they intend to harm. The student that wants to shoot his teacher rarely directly threatens that teacher, because it would lead to consequences such as being arrested or suspended, thereby interrupting the opportunity to attack.  </p><p>In the early years of threat assessment and management, there was a tendency to overreact to direct verbal or posted threats and underreact to third-party threats. While all threats need to be investigated, the new emphasis is on listening more closely for these leakage events, and training employees and students to have the courage to report them to the safety and security stakeholders for the business or school.</p><p>The Safe School Initiative, also coauthored by Dr. Randy Borum from the University of South Florida and Bill Modzeleski from the U.S. Department of Education, offered the conclusion that there is no known or useful profile of a school shooter. This research also showed that most perpetrators are on a path from ideas to actions, meaning they follow a distinct process that starts with a grievance, followed by a violent ideation that may last for weeks, months, or even years. They begin to make a plan, acquire or practice with a weapon, stalk their targets, make a series of dry runs, and then attack.</p><p>Two recent reports by the FBI's Behavioral Analysis Unit expand on this concept, detailing preattack behaviors of active shooters based on a study of incidents from 2000 to 2013. The active shooters examined in the study could not be identified prior to attacking based on demographics alone, but concrete patterns emerged in their preattack behaviors. A majority of attackers acquired their firearms legally, and more than three-quarters of attackers spent a week or more preparing. The average attacker had experienced multiple stressors in the year before they lashed out, but only 25 percent had ever been diagnosed with a mental illness. And in the majority of attacks, at least one of the victims was specifically targeted—the most common grievance reported was adverse interpersonal or employment action taken against the shooter. </p><p>A key to identification and resolution of threat cases is early identification of such attack-related behaviors. Perpetrators of targeted acts of violence engage in covert and overt behaviors prior to their attacks: they consider, plan, prepare, and share—and not with their target, but usually with third parties. One challenge security faces is educating scared, concerned, or anxious employees or students on how to disclose what they have heard and to whom, so security stakeholders can assess the information in context, formulate a deterrence plan, and take proactive steps.​</p><h4>Defining Threat Assessments</h4><p>In the post-Columbine world, we began to define a series of investigative processes as a threat assessment—a way to interpret data gathered from a wide variety of sources such as direct observation, records reviews, witness reports, past behaviors, and potential current targets, to form an opinion about the seriousness of a situation. </p><p>Conducting threat assessments became both a science and an intuitive art, and moved away from the limits of profiles, demographic characteristics, or historical statistics. Threat assessment activities underwent a shift from predicting violence—which is not possible—to identifying the behaviors of potential attackers, their targets, and the means and methods for harming those targets as a "window in time." The concept of threat assessments began to take on a new professionalism, moving beyond the realm of just mental health clinicians or law enforcement and into areas crossing over into the fields of security, human resources, prosecution, corrections, educational facilities, and research.   </p><p>Efforts in preventing mass shootings, stopping active shooters, and workplace and school violence prevention continue today, especially in light of recent attacks. We stand on the shoulders of researchers and threat assessment practitioners who were doing this work long before Columbine. Their work supports today's active assailant best practices and is based on extensive research.</p><p>Early researchers—including Dr. Fred Calhoun's work on threats against federal judges and Steve Weston's research on threat assessment—teach the theory that Howlers howl and Hunters hunt, meaning that there is more to worry about from the potential perpetrator who works in stealth than the person who "howls" and wants to be seen as intentionally provocative, disruptive, or sinister. The Hunter wants to be successful and not be stopped by security or the police, so this attacker does not warn. In the past, a lot of investigative energy, security assets, and resources were put towards threats made by Howlers who would say, "I've put a bomb near the loading dock!" or "I'm gonna come there and shoot up the whole school!"</p><p>Security and human resource-related associations are taking the lead in providing research, analysis of incidents, training, and the creation of national standards related to workplace violence and school violence prevention. Such organizations include ASIS International, the Association of Threat Assessment Professionals, and the Society for Human Resource Management. Other groups with input into the prevention of workplace and school violence include the International Association of Chiefs of Police, the National Sheriffs Association, and the National Association of School Resource Officers.​</p><h4>Threat Assessment Teams</h4><p> The biggest shift in the movement towards making the threat assessment process more professional and structured was the emergence of Threat Assessment Teams (TATs). These groups are also called threat management teams, crisis response teams, or critical incident response teams, and they now populate private-sector businesses, school districts, college and university campuses, and public-sector entities ranging from utilities to cities and counties.</p><p>TATs don't need to be formally appointed, but they must be staffed by the organization's safety and security stakeholders. This often includes representatives from executive management, human resources, security, legal counsel, facilities, IT, communications, safety, and risk management. The team can also benefit from support by local law enforcement commanders, mental health clinicians or Employee Assistance Program (EAP) providers, or labor relations or union representatives.</p><p>The function of the TAT is to discuss its coordinated, measured—but urgent— responses to potential crisis situations, including threats or violence towards the organization or its employees, employee-to-employee bullying, high-risk employee discipline or terminations, domestic violence crossovers with employees, threats to the organization's facilities, cyberthreats, and vexatious litigants.</p><p>The value of TATs—which are often run by human resources or security representatives, because of their familiarity with employee-related issues—is to take the best advice from the group and not get manipulated into "seeing the ocean through one drinking straw." In other words, the police may have strong feelings about making an arrest; the threatening employee's manager may want to terminate; and the facilities representative may want to lock the building down. These are all potential solutions and should be put up for group discussion before a final decision is made.</p><h4>Run. Hide. Fight. </h4><p>The Run. Hide. Fight. video created in 2012 by the U.S. Department of Homeland Security (DHS) and the City of Houston is short and to the point. If you are ever confronted by an active shooter, run out of the building, taking as many people as safely as you can with you; hide out in the best room you can barricade; and be ready to fight back if the shooter breaches your room. This active shooter protocol is designed to get employees out of the way of the attacker and the responding police by leaving the facility or locking the room down. In most cases, attackers have a short window of time to carry out their plan—usually five to 10 minutes—before police arrive.</p><p>All of the videos and training programs that have emerged as a response to workplace or campus shooters have the same goals: don't wait for the police to rescue you, get out of their way while they confront the attacker, and be prepared to fight back or provide first aid to save your life and help save the lives of your coworkers, customers, or students.</p><h4>​Domestic Violence in the Workplace </h4><p><strong></strong>One exception to Calhoun and Weston's Howlers vs. Hunters model is called the Intimacy Effect. In cases where there has been previous sexual intimacy between the suspect and the victim, the chances for fatal violence go up dramatically. These perpetrators are Howlers who become Hunters because they are obsessed with hurting or killing their former partner. </p><p>Murder is still the leading cause of death for women in the workplace, and has been for decades, according to the U.S. Occupational Safety and Health Administration. Most women who are killed on the job are shot during robberies at retail facilities or attacked by their former partners while working. As a workplace issue—one that many managers, supervisors, and human resources professionals are still reluctant to address—domestic violence crossover from home to work continues to take the lives of many female employees, especially in states where there are no laws preventing employees from being fired for revealing their victim status to their employer. </p><p>In California, legislation was passed in 2013 that gives domestic violence victim-employees protected class status—like age, race, or gender—and dictates that employers not only cannot fire an employee who brings a domestic violence issue to their attention but must also help create a workplace safety plan to provide protection and support. Fewer than 10 states in the United States offer similar supportive legislation, which is something domestic violence advocacy groups are trying to change.</p><h4>Continued Evolution </h4><p><strong></strong>Progress is being made to thwart potential workplace, school, and mass attackers, but there is still a long way to go to stop future perpetrators. These attackers learn from the methods and mistakes of their predecessors—but so do threat assessment experts and security practitioners. Threat assessment experts need to continue to develop new strategies for schools and businesses.</p><p>Scheduling yearly Run. Hide. Fight. drills that focus on the value of the first two steps is becoming more common, as is training employees and students to listen for—and properly report—preattack leakage threats from potential perpetrators. More organizations and school districts are establishing TATs to address crises, and there has been a bigger emphasis on getting funding for more well-trained school resource officers. </p><p>When it comes to addressing a potential active shooter who is moving on the path from ideas to action, proactive interventional responses by mental health clinicians and law enforcement officers alike is becoming an established best practice. Open dialogue about teaching all parents who own guns to practice safe storage in their homes is more common as well. And if a mass shooting is successfully carried out, there has been a greater emphasis on encouraging national media to not cover the attackers by name and face.</p><p>While facility security has evolved from the model of relying on gates, guards, and guns, it is still important to install appropriate security devices and update procedures periodically.</p><p>How security practitioners handle the threat of mass attackers on campuses and active shooters in workplaces, churches, and malls has changed over the past 25 years. There are many committed people who have made it their life's work to help stop these attacks, and the fight for peace at businesses and schools will continue.  ​</p><p>​ <em>Dr. Steve Albrecht, CPP, is a 22-year member of ASIS. As a keynote speaker, author, and trainer, he specializes in violence prevention. He has written 18 books on business, security, and criminal justice subjects. he can be reached at</em></p><h4>Resources Mentioned in this Article</h4><p></p><p>Dr. John Monahan, from the University of Virginia Law School is regarded as the "the leading thinker on the issue of violence risk assessment." </p><p>Hollywood security expert and threat assessment pioneer Gavin de Becker is best known for his groundbreaking work in protective intelligence gathering and his best-selling 1997 book, <em>The Gift of Fear.</em></p><p>Dr. Reid Meloy and Dr. Kris Mohandie are known for their research and speaking work on stalking perpetrators, "predatory versus affective violence," and their widely-used violence risk assessment models, methods, and practices.</p><p>The FBI's Behavioral Analysis Unit has often provided critical research, including two highly-detailed recent reports edited by Supervisory Special Agent Andre Simons: "<a href="" target="_blank">A Study of Active Shooter Incidents in the US Between 2000 and 2013</a>" and "<a href="" target="_blank">A Study of the Pre-Attack Behaviors of Active Shooter Incidents in the US Between 2000 and 2013.</a>" Supervisory Special Agent Eugene Rugala edited the FBI's 2004 report, "<a href="" target="_blank">Workplace Violence: Issues in Response</a>."</p><p>Dr. Ted Calhoun and Steve Weston's threat assessment books, presentations, and research and development of the concept known as "Hunters versus Howlers." Calhoun's seminal 1998 book, written for the US Marshals, <em>Hunters and Howlers: Threats and Violence Against Federal Judicial Officials in the United States, 1789 to 1993</em>, taught us to pay more attention to people who don't just draw attention to themselves by making verba​l or written threats.</p>,-Hard-Challenges.aspxSoft Targets, Hard ChallengesGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Soft targets pose a particularly difficult protection challenge. Take, for example, the 2017 Las Vegas shooting, when concertgoers enjoying a music festival at the Las Vegas Village open performance venue suddenly became targets for an active shooter firing more than 1,100 rounds from his hotel suite.</p><p>The scope of the tragedy—the deadliest U.S. mass shooting committed by an individual, which left 58 dead—made a deep impression on many interested in security, including officials at the U.S. Department of Homeland Security (DHS). "The Las Vegas shooting was really a catalyzing moment for our department," Bob Kolasky, DHS deputy assistant secretary for infrastructure protection, tells Security Management.  </p><p>Ten days after the shooting, U.S. President Donald Trump nominated Kirstjen Nielsen to be the new secretary of homeland security. When Nielsen took over the position, one of her first priorities was to raise awareness of DHS' existing security guidance and resources, so that they could be well-used by those who need them, Kolasky says.   </p><p>"We want to make sure our security resources are publicized, so they can help," he explains. As the Vegas shooting illustrated, soft targets seemed to be a good initial focus for DHS "to advance the security of things that traditionally haven't been that secure," he adds. </p><p>And so earlier this year DHS issued a resource guide and security plan overview for Soft Targets and Crowded Places (ST-CPs). In the overview, DHS defines ST-CPs as "locations that are easily accessible to large numbers of people and that have limited security or protective measures in place making them vulnerable to attack." This includes spaces such as schools, sports venues, transportation hubs, shopping venues, bars, restaurants, hotels, places of worship, tourist attractions, theaters, and civic spaces, according to DHS. </p><p>"ST-CPs do not have to be buildings and can include open spaces such as parks and pedestrian malls. ST-CPs will not necessarily be crowded at all times—crowd densities may vary," DHS says in the overview. "Securing these locations and venues is essential to preserving our way of life and sustaining the engine of our economy."</p><p>The guide is a catalog of soft target resources for businesses, first responders, government, and the general public. It is broken up into action categories such as identify suspicious behavior; protect, screen, and allow access to facilities; prepare and respond to active assailants; prevent and respond to bombings; and protect against unmanned aircraft systems (UAS).</p><p>DHS decided to include the latter category on UAS because of two recent developments, Kolasky says. First, various incidents overseas have demonstrated that some terrorists have the capacity to use UAS to cause harm. "We see that the threat is real," he explains. Second, for some U.S. sports facilities, defending against UAS "is something that is a top-of-mind concern," he says. </p><p>"There's demand from the security profession and there's a threat that warranted it," Kolasky explains.</p><p>The resources that the guide links to in each action category vary, and include informational materials, in-person and online training opportunities, videos, websites, and other tools. Although some of the resources were created in collaboration with partners, the DHS guide does not link to any resources that have no government connection. "That would be a more time-consuming effort and one that is fraught, at least a little bit, with the implications that recommending suggests endorsement," Kolasky says. "For now, we haven't worked through that."</p><p>One soft target expert, Jennifer Hesterman, says she was "really surprised" when the resource guide and overview were made public, because previously the agency had not been active with resource promotion. "They have been pretty quiet on the DHS side," says Hesterman, the author of Soft Target Hardening: Protecting People from Attack, which won ASIS International's 2015 Security Book of the Year Award.</p><p>Nevertheless, Hesterman says she is pleased with the issuance of the guide, for a few reasons. One is that it is a valuable public acknowledgment by the federal government of the risks of attacks. This is helpful at a time when some members of the public suspect that security professionals sometimes overplay risk because it benefits them professionally. "I've been called a merchant of doom," she says. "People think we just want to generate business, and so we will tell them horrible and scary things."  </p><p>Moreover, given the frequency of attacks like school shootings, some people are experiencing "security fatigue," and they simply do not want to discuss the topic any more, Hesterman explains. And to avoid causing widespread panic among the citizenry, federal officials are often measured in their communications about risk, so sometimes no sense of urgency comes through.</p><p>This is understandable, she says, but it's also important to realize that growing threats are out there, such as more attacks on critical infrastructure facilities. Citizens have the right to understand such risks, so in that respect the new DHS guide is helpful, she adds.</p><p>As for the section on UAS, Hesterman says it is a valuable asset for security practitioners. "Terrorists are already using drones to advance their goals," she explains. She also emphasizes that, on this issue like many others, "we have to think about what's next." Drones are also being used for security purposes, "but we have to think about how drones can be hacked. They can he hacked and grounded," she says. </p><p>Another growing area of vulnerability for soft targets is insider threats, she adds. In part, this is driven by a principle she explains as: "People have a public life, a private life, and a secret life." That secret life could include a gambling problem or another secret addiction that could push the person to extreme actions, and even those close to them may not realize that they are unraveling. "Insider threat is huge, and it's totally overlooked," Hesterman says.</p><p>Finally, Hesterman says the potential soft target threat of terror groups like ISIS has also grown.  Overseas, these groups have attacked soft targets like schools, whether it be Boko Haram kidnapping students in Nigeria or the Taliban killing more than 100 in an officer school in Pakistan. For these militant groups, soft targets are legitimate ones. "Terror groups and lone actors can leverage those to fit their agenda," she says. In fact, one statistic holds that 90 percent of war casualties are civilians, she adds. "Now it's like downtown is where the battle is."</p><p>The soft target guide and overview may turn out to be the first in a series of efforts by DHS to better leverage its preventative resources, officials say. The department released a similar guide and overview for school shootings in August (which will be covered in a future issue of Security Management), and officials are con­ducting a departmentwide review to determine what other resources can be promoted. ​</p>


​​11 September 2018
Campus Security and Real-Time Information​ (Webinar)

​18 September 2018
​Migrate, Mitigate, Manage (Webinar)

​19 September 2018
CSO as Steward of Corporate Security (Webinar)

23 - 27 September 2018
GSX​ (Las Vegas)

21 -26 October 2018
Wharton/ASIS Program for Security Executives (Philadelphia, Pennsylvania)

​More Events>>​​​