Skip to content

Illustrated by Michael Morgenstern

A Barometer of Behavior

​It’s almost a cliché: a horrific workplace violence incident shocks a community, and those who know the perpetrator eventually come forward and describe red flags they had seen in the weeks or months leading up to the attack. Neighbors, friends, coworkers, or doctors might mention witnessing instances of aggression, mental illness, disturbing comments, or odd activity from the suspect—all textbook high-risk behaviors.

This scenario seems to play out repeatedly on military installations. U.S. Army Major Nidal Hasan opened fire at Fort Hood in 2009, killing 13 people and injuring more than 30 others. Former employers had repeatedly expressed concerns about Hasan’s poor work ethic, and a group of Army officials, psychologists, and teachers even gathered at one point to discuss Hasan’s troubling behavior.

Four years later, former Navy sailor Aaron Alexis shot and killed 12 people and injured three others at the Washington Navy Yard. During the month before the shooting, Alexis had filed police reports about being harassed and hearing voices, and he had visited multiple doctors about the issue. On the day of the shooting, Alexis used his pass as a government subcontractor to gain access to the base.

And in 2015, Muhammad Abdulazeez went on a shooting spree in Chattanooga, Tennessee, targeting a military recruiting center and a Navy Reserve center. Abdulazeez killed five and injured three before police shot and killed him. After the rampage, it was revealed that Abdulazeez abused prescription drugs, was planning on filing for bankruptcy, suffered from depression, and appeared to be self-radicalized.

At least 41 people have been killed during attacks at military installations since the 2009 Fort Hood shooting, according to media estimates. Seemingly countless programs, guidance documents, and policies have been developed to address detecting an insider threat on military installations and preventing further tragedies. Ultimately, though, experts agree that the best—and the most challenging—way to do this involves sharing actionable information on individuals displaying high-risk behaviors.

“There are all of these information points out there in various locations that would help the right people at the right time understand where the potential for some of these incidents might be,” explains Joseph Kirschbaum, director of Defense Capabilities and Management at the U.S. Government Accountability Office (GAO). “It could be very mundane data points in a criminal database, or indications of mental health instability, or troublesome behavior on base, but how do you connect the dots?”​


Kirschbaum is the author of a July 2015 GAO report, DoD Should Improve Information Sharing and Oversight to Protect U.S. Installations. For years, GAO has been tracking Department of Defense (DoD) efforts to implement insider threat detection recommendations following both federal and independent investigations into the 2009 Fort Hood shooting and the 2013 Navy Yard shooting. 

That’s a tall order—there were 79 recommendations stemming directly from Fort Hood alone, and GAO researchers noted that “we were unable to identify the number of Fort Hood recommendations fully implemented because DoD and the military services had inconsistently reported this information.”

Kirschbaum acknowledged that it was easy to get caught up in tracking the number of recommendations implemented and how, but ultimately it was more important to make sure that changes to insider threat policies were being made at the installation level.

“You can have the best policies and projects and plans in the world at the military service headquarters level, but if they’re not being implemented in installations, you’ve done the next best thing to nothing,” Kirschbaum says. 

The GAO’s goal with this latest report was to review programs the DoD already has in place and how the department can optimize the programs to deter an insider threat, Kirschbaum explains.

“We’re not actually finding gaps that the department doesn’t know about,” he says. “We tend to end up reminding the DoD of their own policies and doctrine and training, and that’s what happened here. There’s a whole series of really robust, tried and true DoD policies on force protection. Insider threat programs could take advantage of a lot of those policies, but obviously it’s a much more hairy problem because now you’re talking about threats from people to whom you’ve given access.”

GAO visited eight installations throughout the United States to understand how they have moved to protect against insider threats, and Kirschbaum says researchers encountered a lot of “top-down guidance”—military services at the highest levels have worked to implement actions associated with recommendations, but the degree to which those actions were carried out at the installation level varied.

For example, it was common to find that departments did not have a complete definition of what constitutes an insider threat within their guidelines, Kirschbaum notes. On the other hand, researchers found that some individual installations had taken the initiative to develop their own robust insider threat detection policies.“There are outstanding practices being implemented that weren’t being shared with other installations, or even up to military leaders,” Kirschbaum says. “That’s a hindrance to progress overall.”

There are a number of information-sharing mechanisms, such as working groups and antiterrorism Web portals, intended to help with top-down communication, that are not being used to their potential, the report found. For example, officials at one base never received an after-action report regarding a shooting on the installation—officials were unaware of the report and its recommendations, GAO found. And officials at multiple installations were not aware of a Joint Staff antiterrorism Web portal that has been around since 2003.

The report also reviewed key DoD force protection-related policies that “clearly needed to be updated,” Kirschbaum explains. One such policy requires all supervisors to report threats of workplace violence to management, but the policy only applies to DoD civilian employees and not to military and contractor personnel who could also display high-risk behavior, GAO notes. DoD is planning on expanding the policy to apply to all employees.

Another issue highlighted during the Washington Navy Yard shooting is that DoD does not have a policy on what to do if an individual is seen carrying a weapon onto an installation. “One of the concerns during the Navy Yard incident is that people may have identified someone with a weapon on the base, and they weren’t sure who to report that to,” Kirschbaum explains. “This is a case where it’s unclear whether contractors are under an obligation to report if they see something, and who they report to. Those things need to be normalized.”​


Although several federal policies and guidance documents address how to detect an insider threat on a military installation, it’s up to each facility to develop and implement its own program. 

Identifying and acting upon high-risk behavior displayed by someone on a military base can be a subjective process that requires information and reports from multiple sources. Many installations have programs in place that look for a combination of red flags based on personal, organizational, and behavioral factors. If a person of interest reaches a threshold of high-risk behavior indicators, the case is sent to the installation’s leaders, who may ban the person from the base if appropriate.

“It’s all about people’s behaviors,” Kirschbaum says. “No matter what it is, whether it’s a terrorist, someone who’s not mentally stable, or, frankly, someone who’s doing something completely unintentional and leaving their computer subject to a network attack.”

The FBI lists family problems or domestic violence, poor workplace behavior, physical or mental health problems, and anger issues as common indicators of high-risk behavior. The problem is that, in the military, this type of information isn’t always evident and can’t easily be shared among relevant parties, Kirschbaum notes.

When it comes to a member of the military, high-risk behavior is commonly detected by behavioral health counselors, military chaplains, unit commanders, and outside law enforcement. But infor­mation-sharing barriers are in place: chaplains cannot lawfully share information that they have learned in a pastoral counseling context. Medical privacy laws prohibit doctors or behavioral health professionals from passing on troubling information. Some classified information can’t be shared with people who don’t hold clearances. And there is no required information-sharing mechanism between on-base leaders and off-base law enforcement.

“This is very classic for the military: you have an established series of laws that set up what you do with information, how you treat it, and who you can share it with, and those all still have to be adhered to,” Kirschbaum explains. “That’s one of the challenges that the department faces. What is the right level of information, and what’s the right way to share it with appropriately cleared individuals?”

Mike Stehn, a security and marketing consultant who previously worked as a counterintelligence officer for the U.S. Army, explains that there is no central database shared between local law enforcement and installation officials.

“If a soldier is charged with domestic issues outside the base, who’s telling the military that it happened?” Stehn notes. “The police aren’t necessarily notifying base officials about this stuff all the time. It’s that balance of the police and military having to do a better job of communicating.” The criminal history of military members is typically only revealed during a background check, he says.

Stehn was on a force protection working group in the Army and said there was rarely a list of high-risk personnel or people who had been banned from the installation. “We always limit the knowledgeability of an investigation, and I’m sure the police are the same way,” he notes. “If I was investigating you for a crime, I wouldn’t go around telling everyone.”

And if a contractor or member of the military does get banned from an installation for poor behavior, there’s no follow-up. It’s up to an installation commander or general officer to ban someone from the base, and that person’s military ID is revoked and they are sent on their way, Stehn says. 

The murky nature of punishing high- risk behavior means that, even with a background check, nonmilitary personnel may not know why someone has been banned from a base. If the person in question had repeated issues with anger in the workplace, or a domestic violence incident where the victim didn’t press charges—in other words, behaviors that don’t have official records or legal repercussions—there are no concrete avenues for the military to legally communicate these concerns to local law enforcement or future employers.

“Let’s say a guy is barred from his base because of an intelligence incident,” Stehn says. “We couldn’t prosecute him because of the circumstance of what happened, but the general banned him from the installation. The same individual, once we investigated, had a history of domestic violence and a gun charge. Now, all of that was at the sheriff’s office—none of that was in his military record. So you can see where the disconnect is, between the military and local law enforcement. A lot of it is going to rely on the standard operating procedures of that particular base, and the liaison they have with the police, the local sheriff, and state authorities.”​


Some experts say that due to the current information-sharing barriers, bad actors will always be able to slip through the cracks. But Robert Vickers, chief of the plans and programs branch at Joint Base San Antonio-Randolph, says that focusing on risk factors and prevention can stop potential active shooter scenarios on military installations before they happen.

Vickers has been working for six years—since the Fort Hood shooting—to create an insider threat program that assesses the potential risk for workplace violence within military units. The program, which is still in pilot testing, is based on successful government programs, models, and research. Right now it’s being tested at Randolph Air Force Base, which is one of three installations at Joint Base San Antonio, the largest single DoD enterprise. Vickers says he hopes the entire Air Force will adopt the program in the future. 

Because it is difficult to predict an individual’s intentions, especially without a well-organized staff or working group solely dedicated to that task, the program quantifies a particular unit or facility’s risk of a workplace violence incident. 

The program was built using industry and government guidelines, including a Bureau of Justice Statistics report on workplace violence, Office of Personnel Management studies on violence in the federal work space, and an ASIS International risk assessment template. 

“We assess the risk of a certain type of violent event, calculate the value of what we’re trying to protect, and determine vulnerabilities based on what that threat actor can do,” Vickers explains. “I came to that conclusion because the insider threat-turned-active shooter situation is basically the same as a terrorist attack—they’re both intended violent acts.”

The program has three aspects: a workforce violence risk assessment of every facility or unit on the installation, threat management based on the results of the assessments, and active shooter tactics training for the public.

Vickers says an assessment is conducted on a specific unit to identify its vulnerabilities and is compared to known attack tactics. Using an algorithm, a numerical value is assigned depending on how high-risk the unit is.

Instead of focusing on an individual’s red-flag behavior, Vickers says the assessment portion is based off of known attack tactics. “I believe that an active shooter should not be thought of as a threat, but as a tactic used by the threat,” he notes. “Someone can open fire on a crowd, or use a car to drive into a crowd. The result is the same, that person is looking for death.”

The risk assessment takes into account the potential impact of an attack on each asset’s function. Vickers also includes incident behaviors, such as harassment or intimidation, in the assessment. But instead of trying to determine why an individual behaved in a certain way, the assessment analyzes the workplace environment of the unit or facility where the behavioral issue took place. 

“We take into account the actual policies and procedures that that particular unit commander has in place,” Vickers explains. “Do they have a workplace violence prevention policy letter that the entire unit knows about, and if so, do they follow it? Do they have a workplace violence response plan and recovery plan?” 

Members of each unit are interviewed, as well. “It’s almost a climate assessment—how are folks enjoying their work environment, do they get good guidance, things of that nature,” Vickers explains. By taking all physical, behavioral, and environmental risk factors into account, each facility will be assigned a numeric value, which allows leaders to address the level of risk in their unit or facility. 

Beyond reducing overall risks through the assessment, Vickers has also developed a more traditional threat management approach that addresses individuals of concern based on reports or behaviors. This part of the insider threat program hasn’t entered the pilot phase yet, but Vickers says that after commanders and threat management staff have been trained, he hopes the program can be implemented fully. 

The third aspect of the base’s insider threat program is engaging the public— “they are the actual ‘first responders’ that are capable of taking action” during an active shooter or similar situation, Vickers notes. The voluntary three-hour session is interactive and addresses all aspects of an active shooter scenario: the psychological response and how the attacker might react; the process of avoiding, denying, and defending against a threat; and more. 

“We start the class off with simulated gunfire to get folks’ attention, and it’s quite effective—usually they’ll flinch and wait for someone else to do something,” Vickers says. “Then we go through the class and address how they reacted.” 

Later in the class, attendees must react to the scenarios presented to them, including escaping the training facility, barricading themselves, or even using defense tactics on an instructor wearing a padded suit. More than 200 people in the community have gone through the program, and Vickers says he’s had nothing but positive feedback. 

Vickers is putting together and training a team that will gather information for automated risk assessments on individual units, as well as developing a threat assessment guide for commanders so they can properly address the assessment results. Vickers also wants to educate everyone, from commanders to chaplains to doctors, on how to identify intended violence. 

“Any individual who is going to commit violence has to enter a certain path, and that starts with a grievance and ends with the violence itself,” Vickers notes. 

GAO’s Kirschbaum says that to track a person’s path to violence, installations must find a way to do it appropriately and legally. “If you can get to the point where you’re sharing this type of information objectively, and not focus on sources or where it came from, that’s one of the best ways to properly do this,” he says.

Cooperation between military officials and local law enforcement is also paramount, Kirschbaum stresses. If someone on base is displaying high-risk behavior, it can have serious consequences both on and off the installation. 

“It’s got to be a two-way street, you’ve got to share information about what potential actions have happened, what issues might be flagged for both civil and military authorities,” Kirschbaum explains. “For both military and civil law enforcement, there should be notifications about any personnel actions taken, and that should be consistently shared with appropriate authorities.”