The Emotional Traps of Soft Target Security
Print Issue: September 2019
As security professionals, we see vulnerabilities every day: homeowners who don’t arm their security systems; businesses with inoperable cameras and propped-open back doors; unaccounted-for keys, missing badges, broken locks, and no visitor control; work computer passwords that are weak, reused, shared, or written on a sticky note; no emergency plan, practice, or provisions. Despite regular reminders about the risks in the world, why do these lapses keep happening? Perhaps the increasing number of security breaches and violent attacks leaves us numbed to their significance. Or the topic is purposely avoided, when confronting the rising threat feels overwhelming or uncomfortable.
Many industry insiders see security from a data-driven perspective—there is risk probability, which is lowered by the effectiveness of an array of countermeasures. However, most risk models are not holistic, because they don’t address the important psychological and sociological factors at play. The human element is perhaps the most difficult to address in the security realm, yet the one that can make or break our efforts.
Consider the vulnerability mitigators—the site managers and security teams who have assumptions, biases, and blind spots, unconsciously impacting their decisions and compounding risk. There are five emotional traps in soft target security: hopelessness (“There is not much we can do to prevent or mitigate the threat.”), infallibility (“It will never happen here.”), inescapability (“It is unavoidable, so why even try?”), invulnerability (“It cannot happen to me.”), and the most dangerous, inevitability (“If it is going to happen, there is nothing I can do about it anyway.”). These beliefs, even if subconscious, can sabotage security efforts. Vulnerability mitigators are just as susceptible to these traps as average people.
Wait, there’s more! Adding to this complex brew is security fatigue, a phenomenon first observed in the cyber realm. A security study conducted by the U.S. National Institute of Standards and Technology (NIST) in 2016 sought to measure respondents’ online activities, computer security perceptions, and the knowledge and use of security icons, tools, and terminology. Unexpectedly, many participants mentioned “security fatigue,” along with a sense of resignation, loss of control, fatalism, risk minimization, and decision avoidance when it came to cyber hygiene.
This very same security fatigue is now reflected in the general populace, weary of inconvenient physical security measures and now facing a loss of personal communication and online privacy in the name of an often abstract concept: the greater good.
Now factor into the equation a palpable sense of denial about the threat, manifested by a lack of urgency to mandate changes in the wake of a massacre. There is a persistent belief an attack was a “one-off” event which won’t occur again, with a unique and lone attacker. Mass shooting events are often hastily put behind us, and society moves on quickly to resume normalcy. Consider that London, with one of the best counterterrorism programs in the world, fell victim to two ISIS terror attacks by vehicle on adjacent bridges within a 10-week period. Lessons learned from the first attack on the bridge near Westminster on 22 March 2017 did not translate to robust security measures on other bridges.
The location of the second attack on 3 June 2017, the London Bridge, was a stated target of both al Qaeda and ISIS for more than a decade. Typical of copycat attacks, terrorists learned from the first attack and improved their methods, using a larger vehicle to mount the London Bridge curb and mow down pedestrians on the sidewalk. They also left the vehicle in a popular restaurant district and went on a stabbing rampage, while wearing fake suicide vests to amplify the terror effect.
Although contradictory to denial, there seems to be a new level of acceptance regarding mass attacks, seeing their near daily occurrence as a “new normal.” During the mass shooting at a STEM school in Colorado in May 2019, none of the major national news networks broke away from political coverage to report on the unfolding crisis. On the first anniversary of the Santa Fe High School shooting in Texas (10 killed, 14 wounded), many social media comments indicated people did not recall the event. Perhaps society has numbed to the point where extremely violent events are no longer shocking. This complacency is dangerous; it means we’ll settle for security that is “good enough” and take the more comfortable path of least resistance. Organizations may choose to roll the dice, and just deal with an event if it arises.
The bottom line is that this cauldron of emotions and behaviors is not only a dangerous and exploitable phenomenon, but also extremely detrimental to our efforts to secure venues and protect people. Acknowledging the existence of these behaviors and mindsets is part of the solution, but there are tangible steps we can take in our work to meet them head on and mitigate.
Seek First to Understand…
Not everyone shares our sense of urgency, scope, or motivations about security. Several years ago, I consulted on a federally funded project in a U.S. city to secure several high-density commercial public buildings from terrorist attack.
One of the site managers resisted our efforts and did not embrace recommendations coming from a thorough vulnerability assessment. Frustrated, I asked: “What will you say to family members if an employee or customer dies during an attack on your property, one you could have prevented with enhanced security measures?” He looked me in the eye and said: “Why would I talk to the family members?”
As a military officer, I prepared for and performed casualty notifications, and the welfare of my troops and their families was my responsibility. I found the manager’s statement shocking, but instructive. My paradigm and principles about security might not be shared by others, and that’s alright.
Prior to presenting ideas or solutions, we can ask questions to clarify cultural nuances at the worksite that may impact our work. Perhaps the most important yet underrated communication skill is listening. Engaging in a true dialogue will help clarify and build trust before introducing ideas and solutions.
…Then to Be Understood
I teach a graduate level communications course for security professionals, and the curriculum includes aptly packaging and marketing the message. Why? Because of the aforementioned psychological factors like security fatigue, combined with the standard resistance to change. The way you communicate your security recommendations will change how those recommendations are received.
In the last year, I have worked with religious leaders, luxury hotel managers, hospital administrators, high school principals, and security leads for professional sports teams. Security is not a one-size-fits-all proposition, yet the same methodologies apply. For instance, we encourage churches, which are soft targets, to simply lock their doors during services, when the majority of fatal attacks occur. Businesses, on the other hand, have different vulnerabilities; they might install a 24/7 access control system to prevent unauthorized entry and protect proprietary information.
To determine what communication strategies to deploy, assess the client’s biases, assumptions, and concerns. Do they demonstrate any of the five emotional traps when talking about the security environment? Understanding these complex behavioral and emotional responses is important when tailoring the security message. Message delivery is also critical—how can the client best process our information? I have my security students take a learning preference instrument called VARK (Visual, Aural, Read/Write, and Kinesthetic). Understanding learning styles helps us access information in a way where we will not only gain knowledge, but internalize and retain it for a longer period of time. As a professor, I deliver course material based on the student’s VARK preferences for improved learning and retention of information.
Once the students realize that even our small classroom of security professionals consists of a variety of learning styles, they understand the importance of tailoring the security message and delivering it to their supervisors, coworkers, or clients in a way that will be understood and acted upon.
For example, a few years back, I visited a “megachurch” just for a quick walk around with the head of security. They had a good security plan, including gated entry and license plate scanners. However, the two-story glass atrium of the main church building was unprotected on both sides, and vehicles had an unobstructed approach from the main road. The security team approached the pastor with a proposal to harden the area, but the pastor didn’t read past the first sentence, stating he was opposed to “ugly barricades.” Based on his love of photography, we decided the visual approach might work best to tell the story; the pastor agreed to fund the project after seeing photographs of attractive bollards such as fountains, benches, planters, and lighting. By tailoring our communication approach to connect with this particular person’s interests, we could overcome misconceptions about security and produce a safer environment.
We can help clients and stakeholders out of their emotional traps and still accomplish our security goals. One approach is to identify the reason for pushback, and then adjust language to better connect with the audience. For example, I was contacted by a local emergency preparedness agency regarding a “Stop the Bleed” (STB) initiative, generously funded by the state government. Although the group was offering training for free, they were unable to find any school, church, or business willing to host the program. Upon further questioning, we learned the venues associated STB with active shooter training, which they were also resisting out of fatigue and fear.
I provided talking points to the agency with compelling reasons for STB training, avoiding the active shooter perspective. I used plain language and included data regarding the increase of stabbing attacks in our country and how taking immediate action could have saved lives. The paper also covered travel safety and how stabbings are on the rise worldwide, appealing to those who travel internationally for business or leisure. I relayed a story regarding an American man who was trapped in the rubble after the devastating earthquake in Haiti; by properly dressing a heavily bleeding wound on his leg, he was able to stay conscious and facilitate his rescue, as well as save the limb. I actively sought to remove “active shooter” and related trigger words from the STB equation without watering down the need for the STB program. It worked.
Substituting the word “safety” for “security” is another tactic. For instance, a local church is located on a blind curve, next to a very busy, dangerous road. From a counterterrorism perspective, I was concerned about a vehicle purposely driving into the crowded parking lot or the building. Instead of talking about terrorist tactics with the pastor, I presented data regarding the rise of distracted drivers in our area and the number of fatalities in the vicinity of the church. He decided to install an attractive bollard system to protect churchgoers and the structure from an out-of-control vehicle. This is another example of tailoring the message to the audience to bypass an emotional trap, without downplaying the need for preparedness.
Communication lapses are not limited to small-scale campaigns or proposals, either. The U.S. government, with its massive public relations machine, has failed at times to convey security messages in the appropriate manner for the topic at hand. After the attacks on 9/11, the Department of Homeland Security (DHS) tried to educate the public on how to protect themselves. On 10 February 2003, in response to intelligence indicating terrorists were planning a weapons of mass destruction attack against the United States, DHS issued an advisory directing Americans to prepare for a biological, chemical, or radiological terrorist attack by assembling a disaster supply kit. Panicked citizens cleared store shelves of duct tape and plastic to seal homes and offices against nuclear, chemical, and biological contaminants. The DHS eventually faced ridicule over what was seen as an over-reaching response to a veiled threat, and the advisory was jokingly referred to by comedians as “duct and cover.”
A DHS Ready.gov campaign in 2004 with amateurishly drawn cartoon characters was also mocked and rendered ineffective. It was the wrong tone and method to communicate about this topic, and therefore the campaign fell flat.
The language we use is as important as our actions; it can either motivate or repel.
Since these DHS communication challenges, the threat has not been adequately portrayed to the public, perhaps to not cause alarm. Despite terrorist attacks and hundreds of foiled plots in the United States from 2005 to 2011, the color-coded alerts of the Homeland Security Advisory System (HSAS) never budged from yellow (elevated threat). In 2011, DHS replaced HSAS with the National Terrorism Advisory System (NTAS), which was meant to address criticisms of HSAS, providing alerts specific to the threat with a specified end date. However, the NTAS is also rarely used to communicate with the public. Social media platforms are dormant, and NTAS advisories average one every six months.
My work is predicated on the idea that if citizens are aware of the threat and educated to respond, they are less afraid. They become force multipliers for law enforcement and first responders.
Fear, Uncertainty, and Doubt
Using internal security language heavy on acronyms or lingo is not always helpful with stakeholders and clients, nor is fearmongering. The saying “It’s not a matter of if, but when” is often heard among security professionals when discussing the likelihood of another cyberattack, active assailant incident, or terrorist attack. However, depending on the audience, we should avoid these euphemisms in the consultative environment. Illustrating this point, an elementary school teacher recently tweeted her dismay that a security contractor made this statement during active shooter training. She didn’t find it motivational in the least, but overblown and hysterical.
Remember that the fear of a violent incident or attack is not always top-of-mind for people. The Chapman University Survey of American Fears provides an annual look into the fears of average Americans, using a random sample of 1,190 adults from across the United States. In 2017 and 2018, terrorism and crime fears dropped out of the top 10, now replaced by government corruption, environmental, medical, and personal financial concerns. Whether fatigue, denial, acceptance, or feelings of invulnerability have played a role, or Americans would merely rather focus elsewhere, data indicates terrorism and crime are not at the forefront of concerns for the average American.
Certainly, the odds of being part of a terrorist attack or mass shooting are extremely slim. The CATO Institute studied terrorist attacks perpetrated in the U.S. by foreign-born actors, including the 9/11 attack, and found that from 2001 through 2017, the chance of an American being murdered by a foreign-born terrorist was one in 1,602,021. On the other hand, the odds of dying from a car accident are one in 102; assault by firearm, one in 285; lightning, one in 114,195; and aircraft accident, one in 205,552, according to the National Safety Council. However, that does not mean that we should neglect to prepare for violent incidents.
It’s essential to understand people’s practical fears and concerns so we can properly tailor and package the security message. Residents who ignore risks of terrorism, active assailant incidents, and crime are not security’s eyes and ears. They won’t see threats or connect dots; they are not the force multipliers we hoped for. Since fear can paralyze people instead of motivating them to action, language is again the game changer. For instance, the “lone wolf” moniker is sensationalistic and causes fear. The word “wolf” conjures a stalking, stealthy, hungry predator roving about, acting at will. In the security research realm, we are now addressing the lone wolf as a lone actor.
In my work, I use an effects-based system with my clients so they can visualize violent scenarios in an unemotional, data-driven way. Think of ways to lessen fear in your security work to enhance your message and motivate people to take action.
The underlying message to soft target organizations is that security professionals acknowledge their fatigue, fear, and hope that the storm clouds will pass them by. However, doing nothing because it’s easier than confronting the rising threat is not only naïve, it is irresponsible. A permissive environment is exactly what bad actors want, will wait for, and exploit. It is our job to continue fighting societal trends and underlying psychological impulses driving people away from security and into danger. Understanding our role and how to best engage is crucial.
Dr. Jennifer Hesterman is a retired Air Force colonel. Her book, Soft Target Hardening: Protecting People from Attack (2nd edition), is the ASIS Security Industry Book of the Year for 2019 and the Social Sciences Professional Book of the Year for Taylor & Francis Group.