Category Archives: Threat Assessment

After Action Report on LAX Shooting Recommends Risk Assessments

The Los Angeles World Airports (LAWA) released the long-anticipated After
Action Analysis on the LAX Active Shooter Incident in 2013.

The 83-page report was written by an independent consultant who analyzed
all aspects of the shooting incident and includes a list of “Major Observations
and Recommendations.” The recommendations are “to provide focus for
LAWA’s efforts toward continuous improvement in its security and emergency
preparedness programs.”

These areas were highlighted in the report as “7 priority observations that merit
special consideration.

Recommendation 1.1:  Evolve the LAX Security Program to reflect a more
integrated assessment of security risk and provide for the ongoing development
and management of mitigation measures.

Recommendation 1.2:  Based on the RISK ASSESSMENT and updated security
plan, consider the focus and structure of security functions to determine whether
realignment and integration are needed.

Recommendation 1.3:  With the benefit of recent vulnerability and risk assessments,
take a risk-based approach to evaluating current security programs and explore
intelligent use of technology.”

Once again, doing frequent Security Risk Assessments and managing the security
program and enhancements to follow the recommendations of the Risk Assessment
are the first recommendations in the After Action Analysis of an Active
Shooter Incident.

In my experience, in most organizations, Facility Security Risk Assessments are
not conducted correctly, are not reported to senior management, and are not used as a
tool to ADJUST AND FOCUS the security program based on RISK.

Why aren’t security risk assessments done more often?  

1.  People don’t have the right expertise to do a full risk assessment.

2.  Security managers view Security Risk Assessments as too difficult
     to undertake.

3.  Law enforcement personnel still do not understand the concept of risk 
     assessments and instead, tend to rely on checklists of controls or
     security elements, rather than integrating all the information to
     create a true Risk-Based model for security.

The solution to this problem is to use affordable, easy-to-use software tools, like
the Risk-Pro Application for Facilities Security Assessment and the Risk-Pro
Application for Active Shooter Incident, to simplify the process of doing more
frequent risk assessments and to use them as a management tool to focus
security. The assessment can then recommend the security enhancements that are
needed, and dictate not only how MUCH to spend but also the order
of necessary controls.

Far from being a boring, intellectual exercise, well-done security risk
assessments can dramatically reduce the possibility of an active shooter
event, and also mitigate the many negative consequences that come
from such disruptive incidents.

Got a House near the Coast? The Storm Surge Lessons we’re Learning from the Philippines Disaster and Hurricane Sandy…

You already know that the climate is getting progressively warmer, and sea levels around the world are rising.

This new climate reality played out last week in the Philippines, an archipelago nation with over 7000 islands, as a giant typhoon smashed into the central Philippines districts and destroyed everything in its path, including housing for millions of people living near areas around the cities of Tacloban and Cebu and other islands.

With thousands already dead and thousands more in island areas that have not been reached yet, the ultimate death toll may be weeks in coming, but some experts think it could top 15,000 people.

If, like me, you live near an ocean coast anywhere, you have to wonder how future storms may affect your region.

The rising sea levels are already invading fresh water wells along Florida’s east coast, polluting the fresh water with salt, and forcing cities to find new fresh water sources.  Saltwater seeping in from the ocean keeps spreading farther west, threatening to ruin the freshwater supplies that provide most of South Florida’s drinking water.

Even though the US doesn’t get typhoons, it does get hurricanes, and what we learned in this typhoon, just like we learned in Hurricane Sandy in October, 2012, was that it’s not the wind, it’s not the rain, it’s the STORM SURGE that creates the disaster.

In the recent typhoon, the storm surge, while not technically a tsunami, pushed an enormous amount of water on shore, destroying everything it touched and driving the water inland, dragging along houses, trees, cars, people, animals, giant ships, hotels and anything else it found in its path.

“As a nation we don’t understand storm surge well, nor do coastal communities understand storm surge risk,” said Jamie Rhome, a storm surge specialist at the Hurricane Center. “It’s one of the hardest things to communicate.”

Storm surges can travel inland up to thirty miles and can quickly push up rivers and bays. “People don’t understand how far inland storm surge can go,” Rhome said. “It penetrates well inland, goes up rivers, into bays. It goes wherever it can, and people don’t realize they are at threat of flooding.”

Cities and regional planning groups need to re-examine the storm surge threat in their areas, and make plans to deal more effectively with these lethal storm surges that may come from hurricanes and typhoons in the future.

The LAX Shooting and the Active Shooter Threat

With the 3rd Active Shooter incident in less than 45 days, you are probably wondering what is happening here?  Why are we having so many active shooters?

There are not any easy answers, but one thing is certain: the shooters in the Navy Yard shooting, the Sparks Middle School shooting, and the LAX shooting all suffered from psychological problems.

In the LAX shooting, the shooter’s parent had tried to contact the police because of a suicide text they had received, but it was already too late.

Police red tape being what it is – thorough, the urgency was lost and the incident was already in process before anything had been done.

BUT NOTE: The text was a HELP ME.  And it was noticed, but not followed up in time.

All these shooters had major mental issues, that people had noticed, and
that people had remarked on, and that people had worried about.

We don’t know where all the guns in the incidents were purchased, or just picked up at home and taken to the scene.

BUT we know that most of the active shooters had mental issues, which means that the screenings must be approved, and more help available for these individuals, before they can kill or hurt others.

 

New Active Shooter App Announced on October 20, 2013

FOR IMMEDIATE RELEASE

New Active Shooter app released to reduce likelihood of an Active Shooter Incident.

Active Shooter incidents have increased both in the number of incidents and in the number of people killed and injured in the last five years. As an aspect of workplace violence, the active shooter has become a serious recognized occupational hazard, ranking among the top four causes of death in workplaces during the past 15 years. More than 3,000 people died from workplace homicide between 2006 and 2010, according to the Bureau of Labor Statistics (BLS). Additional BLS data indicate that an average of more than 15,000 injuries occurred annually during this time.

The latest figures show that high-risk organizations like hospitals, schools, malls, universities, military installations and even hair salons have experienced an active shooter incident and are likely to have a dramatically increased risk for experiencing an active shooter incident in the future.

Risk & Security LLC has released a new web-based app, Active Shooter Risk-Pro©, which offers an easy-to-use risk assessment program that assesses your organizational risk of an active shooter incident, as well as recommending solutions to prevent an incident from occurring in the future.

In addition to using the Department of Homeland Security (DHS) Guidelines on Active Shooter Response, the new, easy-to-use application includes the OSHA standard 3148 (Guidelines for Preventing Workplace Violence for Health Care), the FBI and Secret Service Guidelines on Active Shooter Incidents, and the new OSHA Inspection Directive, Enforcement Procedures for Investigating or Inspecting Incidents of Workplace Violence, from September, 2011.

The program has been tested on some of the largest organizations in the US, and runs on a laptop, PC or tablet, and even on a smartphone! Active Shooter Risk-Pro© is built to be affordable and simple to use.

The web 2.0 program includes newly compiled, updated threat databases, new active shooter incident analysis metrics, and automated web-surveys based on the DHS Guidelines.

The new program gives human services and security professionals a quick and easy way to conduct an active shooter, or general workplace violence that will recommend that will pass an audit!

The Risk-Pro© model has been used for easy software applications by the Department of Defense and hundreds of organizations, hospitals, and local, state and federal government agencies.

About Risk & Security  LLC

Risk & Security LLC is a security risk assessment and risk analysis company with over 30 years of combined expertise in security risk assessment. It develops specialized programs and applications which are easy to use and affordable, which help organizations assess their risk and the likelihood of becoming a target, and which recommend cost-effective solutions.

Risk & Security offers full service consulting on critical risk assessments including HIPAA Risk Analysis, Facilities Security Assessments, Hospital Security Assessments, Workplace Violence, Active Shooter Incident Assessment, Environment of Care and more.  Risk & Security partners with security companies around the world to provide state-of-the-art security expertise to analyze risk and recommend cost-effective security controls justified by return on investment metrics.

The team of risk and security experts is led by Caroline Ramsey-Hamilton, who has created more than 40 software programs, and conducted more than 200 specialized security risk assessments in a variety of environments, including companies in the United States and around the world, including in Abu Dhabi, Hong Kong, Japan, South Africa and Qatar.

Contact Information:

Caroline Ramsey-Hamilton, CHS III

Email:  caroline@riskandsecurityllc.com

Phone:  301-346-9055

Twitter:  www.twitter.com/riskalert

 

Has it Been Only Two Weeks since the Navy Yard Shootings?

 

When I wrote my blog about the Shootings at the Washington Navy Yard on September 16th, I got some nasty notes about “Why did you have to write about this so soon after it happened?”

Well – I guess the fact that after about 15 days, no one can even remember the incident (8 people shot to death); the name of the shooter (Aaron Alexis), or much of the details. It seems that people have decided that it was a mentally disturbed person, so couldn’t have been prevented. This is completely wrong.

One of the issues that security directors have is how to make their organization aware of the active shooter threat without terrifying them.  How do you get a large group of people out of the “It can’t happen here” mindset?   One of the main ways to bring an issue back home is by using the incident as a security awareness notice.

Write a “Lessons Learned” email and send it to everyone in the organization.  Follow it up with a purse and wallet card with reminders on what to do when faced with an Active Shooter situation.

Keep everyone informed on what happens after the incident – how the injured are doing, and more importantly, what changes the organization has made to ensure that it won’t happen again.

Try doing a simple threat-risk assessment to illustrate to management what the chances of having an active shooter incident actually are, based on the industry, the region, and the number of problems/complaints that employees have expressed in the past.

Don’t let anyone forget that this can happen to any organization, no matter how well funded, or how secure they think they are.  Remember, if it could happen in a DOD military facility – it could happen to YOU!

Is Extreme Heat a New Deadly Threat?

We are currently in the grip of a terrible heat wave in the western states. Death Valley, California almost beat its previous record of 130, with a National Weather Service thermometer recording 129.9. The highest temperature ever recorded on Planet Earth is 132.

Despite all the news coverage of hurricanes, homes torn apart by tornadoes, and tropical storms, excessive heat kills more people annually than almost all the other natural disasters (except for tsunamis and 7.0 and above earthquakes).

Deaths from excessive heat include both cardiac arrest and breathing issues.  “Heat-related illnesses and deaths are preventable. Taking steps to stay cool, hydrated and informed in extreme temperatures can prevent serious health effects like heat exhaustion and heat stroke,” said lead author Ethel Taylor, a researcher who works with the CDC.

Because extended heat waves put a strain on electrical loads and may trigger power outages, it is important for companies to have a Plan for Extended Extreme Heat.
Plan for a situation without electricity for 3 or more days.

Having just survived a week in south Florida without AC, and growing up in Los Angeles, also
without air conditioning, here are a few tips to stay cool:

1.  Stay wet to facilitate evaporative cooling.  Wear a wet T-shirt and keep your clothes
damp.

2.  Make sure pets are ALWAYS in a shady place and give them plenty of cool water.

3.   Buy ice and use it to rub on children’s arms and legs to keep them cool.

4.   Use fans and swamp coolers if electricity is available.  Coleman makes fans that
run on batteries if electricity goes out during a heat wave.

5.   Wake up earlier and use the cooler morning hours for outside tasks and stay
indoors during the heat of the day.

And, if it’s blistering hot where you are — DO NOT USE FIREWORKS.  Areas that
are already dry, including shake roofs, will burn more easily under such extreme heat!

AND wherever you are, STAY COOL.

 

Oklahoma Tornado, Boston Bombing, Young Soldier Killed – It’s time to do a Security Risk Assessment!

More Tornado victims will be buried this week.   Including many children who died at their schools because the school district didn’t spend the extra $3000 to have a storm cellar/safe room available.

One month ago, we watched as victims of the Boston Marathon Bombings were buried.

Yesterday, we watched an Islamic Jihadist savagely kill a  young British soldier with knives.

What other events do we have to witness before we start taking security assessments seriously? How many more grieving parents do we have to watch crying on TV? In my opinion, the casualties did not need to be so high and the aftermath so catastrophic.

If you group all these disasters together, you can see that at the root of each one is the feeling that “IT CAN’T HAPPEN HERE”… Britain, for example, has tolerated mosques preaching hate, thinking that nothing like the knife attack could happen in civilized London.

In Moore, Oklahoma, people thought, “we already had a major tornado, so IT CAN’T HAPPEN AGAIN”!  Well, surprise – it happened again.  While forecasters cannot dictate the exact path of a tornado, they can get close, and with just fifteen minutes advance warning, there is  time to get everyone into storm cellars, safe rooms and underground shelters.  BUT IF THERE IS NO SHELTER AT A SCHOOL…….

Many obvious solutions-controls-safeguards were missed in these recent tragedies because proper, formal security risk assessments weren’t done effectively.  If they had been done, perhaps the London police could have picked up someone who touted murder and hate.

If a risk assessment had been done in Moore, OK, maybe the high risk of a tornado would have allowed the schools to all add the safe rooms they needed, and in Boston, the older brother Boston bomber should have been in jail already for his participation in a previous murder – or at least actively monitored based on his Facebook postings.

The clues are all there, and, looking backwards, you can see the pieces that SHOULD HAVE BEEN ENOUGH TO PROMOTE some kind of action to either:

1.  Eliminate the threat, or

2.  Reduce the severity of a potential threat in case it occurred.

Security risk assessments gather the numbers and the information organizations need to make better choices about how to protect people’s lives, facilities, and organizations.  I hope these events will prompt more Security Directors to take an objective and unbiased look at their own organizations, and the controls they have in place, before you end up on CNN!

 

Benghazi Hearing Demonstrates Attack Uncovered A Fatal Lack of Coordination & Funding for Embassy Security

Just two weeks ago, we were talking about the lack of coordination between DHS agencies and known intelligence on the brothers responsible.

Now we have the Benghazi Senate hearings, and here is the same problem again – lack of coordination between different parts of the State Department, and with the Defense Department, AND with the CIA and the intelligence community.

Add to this, the appalling cuts in funding for diplomatic security, and a flawed process about what needs to be done about security and protection to our embassies around the world.

“In these tight budget times, the committee has had to make some tough choices to prioritize funding,” said a GOP aide in The Hill article (GOP cuts to embassy security draw scrutiny), by Alexander Bolton on September 18, 2012. In spite of the uncertainty of the Arab Spring and the demonstrations every Friday in streets from Bahrain to Tunisia, the embassies had their budgets cut.

Of course, security experts are used to this, security doesn’t directly generate revenue, and it is often one of the first functions on the chopping block.  However, to cut funding to the critical embassy functions in this volatile environment, is obviously a very bad decision on the part of the GOP.

For example, the security risk assessments which are routinely done on these embassies are not done on a systematic basis. As a risk expert, these security risk assessments should be done WEEKLY, and they should be automated so they can instantly be compared to environments in other embassies, and comparisons made by month, by year, and trends can be tracked.

If we can’t afford to do these assessments and just as important, if we can’t afford to fix the problems that assessments reveal, then we should not have embassies in these places.

The security risk assessments that are done properly must also include complete threat assessments. “We need to develop a paradigm for managing risk,” said Gregory Hicks, a Foreign Service Officer who testified today on Capitol Hill.

These paradigms for managing risk already exist and they have been totally ignored by the State Department, which makes it almost impossible to get a clear, unfiltered view of the security situation at any embassy, at any point in time.

At least both sides of the political aisle agree, we do not want this to happen again!  Benghazi is not a political problem, it is a massive security failure problem!

 

Why the FBI and DHS Need Google’s Help to Track Potential Terrorists

The Boston Marathon bombings were bad enough.  The loss of life was terrible, but the runners and their families who lost legs and feet because they wanted to give their Dad a hug at the finish line were worse.

One week later, we all watch with trepidation as the first bomber is killed and the second captured bleeding in a boat in Watertown.

THE MOST TERRIBLE NEWS OF ALL IS THAT IT MIGHT HAVE BEEN PREVENTED!!  This is EXACTLY the situation that DHS was supposed to catch.  This is EXACTLY why the agencies were ORDERED to share information, and still these guys can tweet all they want, show violent Islamic videos on their web sites and call for Jihad and NOBODY NOTICES!!

This is made even more incomprehensible because the U.S. government was ALERTED BY THE RUSSIANS that one of them was DANGEROUS.

What do we need to do to get these agencies to start paying attention to these potential terrorists?  DO WE NEED TO MAKE THEM WEAR A RED SHIRT?

If the IRS can keep track of every American and in 2 minutes call up their entire history of taxes, and the Department of Labor can calculate your benefit rates in less than 1 minute, and Social Security keep track of all your information – why can’t DHS and the FBI  keep a contact database current?

Why can’t they have a person who scans these web sites and Facebook sites for Jihadist pages and then cross-references them with the site’s owner? Why can’t a trip to a violent region of the world trigger a PING, as I heard one congressman call it?

Every company in the world has a simple Contact database on their own customers and suppliers that gives them years of data. WHY CAN’T WE BE PROTECTED FROM THESE TERRORISTS?

This one wasn’t hiding in the shadows – he was ON SOCIAL MEDIA!   He wasn’t locked up in a cabin – he was traveling internationally,   his brother was getting a scholarship.  And they did this FOR YEARS!!

This intelligence failure is just exactly like 9/11 all over again.  These agencies are so procedural that they cannot connect the dots.  Ok – they’re human. But we have super computers that CAN connect the dots and do profiles and create alerts…

Maybe we should call Google and get some help.  We obviously need it.

 

 

Tragedy at the Boston Marathon – What Went Wrong?

Looking at the CNN footage of the Boston Marathon finish line yesterday, I was struck by the shock of the bystanders and the chaos that followed the blasts.

Having just given two seminars on security controls, I pulled out my list to see what could possibly have been done differently to prevent this devastating outcome, and there was the first word on the list: ACCESS CONTROL.

After thirty years as a security expert and risk-threat analyst, I am about 85% sure that this was a lone wolf attacker who made his crude bombs to address some personal perceived problem, whether it was fear of gun legislation, spillover from the Israeli-Palestinian conflict, the Neo Con torture initiative, or something else.

Putting the attacker aside for a moment, the tragedy happened because SOMEONE WAS ABLE TO WALK RIGHT UP TO THE FINISH LINE AND PUT AT LEAST 3 BOMBS right near the finish line! THIS IS NOT RIGHT.

There has to be SCREENING and ACCESS CONTROL PROCEDURES IN PLACE! You can’t have security if you have open access to a major event like the Boston Marathon. For years, security experts have cautioned that large crowds make a great target, and so events have paid lip service to this concept, without staying on the task, and making sure that SECURITY CONTROL NUMBER ONE – ACCESS CONTROL is ALWAYS in place.

But people don’t like access control, it’s too much trouble, they say.  They don’t like metal detectors, too expensive, too much trouble, too intrusive.  Well, it’s not as intrusive as having a major injury.   There are ways to secure these high profile sites, but the security community has to lead on this.

Yes, it is very sad and depressing that the world has come to this — but it has.  And it will happen again.  As long as security is perceived as too much trouble, too expensive, too tough to do, and too intrusive, there will be more tragic events like this one.