Illustration by L.J. Davis

Science and Experience Produce Measured Security Strategies

As the interconnectedness of the world increases, increasingly complex yet similar challenges stretch across sectors and geography. Like their public safety colleagues in the military, law enforcement, and fire services, private security professionals are increasingly recognizing the need for evidence-based practices. Such methods can improve the efficiency and effectiveness of their operations, avoid wasting limited assets and resources, and satisfy executive demands for data-driven programs and projects while preventing the implementation of well-intentioned but ill-informed executive directives that are destined to fail.

Violent global incidents—amplified by the 24-hour media news cycle, social media, and citizen journalism—create a false sense of urgency to implement new, irrelevant, ineffective, or unnecessary initiatives in the organizations we protect.

Highly publicized events—such as stabbings in North London, kidnapped tourists, or the discovery of unexploded improvised explosive devices (IEDs)—are frequently overgeneralized to misrepresent broader security threats. Media coverage of violent incidents is often highly disproportionate to the probability that individuals or organizations will experience such violence firsthand.

Despite this, decision makers often attempt to address the emotional and psychological distress that ripples from tragic events through knee-jerk security responses—regardless of whether the solution in question may be ineffective or, worse, counterproductive. Lone incidents, while shocking, do not necessarily indicate trends that require changes in programs and priorities. While convincing employees, stakeholders, and ourselves not to react hastily is challenging, being armed with appropriate and objective knowledge can help.

Research serves as a valuable tool in helping security leaders fulfill their roles in creating, maintaining, and evolving security programs. Scientific insights can aid in creating effective, appropriate, and sustainable security responses—ones that are not usurped by emotionally galvanized reactions to a single event or generic, traditional security plans that do not fit the current risk landscape.

Finding or developing evidence-based practices is particularly important in relation to prevention and preparedness efforts, where security and law enforcement personnel’s investigative and after-action experience does not translate as readily. Using research to confirm, supplement, or replace traditional responses to security incidents is critical in budget-based decision-making processes.

Combining science with professional experience to prevent and assess violence risk has proven more effective than reliance on either one alone. While a singular focus on research overlooks the dynamic and contextual factors that influence risk levels, depending solely on one’s professional judgment or experience narrows options to personal knowledge, experience, biases, and skill sets, which may not be the most advantageous in a situation. Nor is personal opinion a very compelling argument for securing vital assets in most resource-competitive environments.

Fortunately, there are numerous immediate, low-cost—if not free—resources available to security professionals.

Theory into Action

Say that you are the vice president for security of a rural hospital system. The chief information officer calls you into her office to report that Human Resources has been “flooded” with calls from staff following an active shooter incident at a nearby hospital that dominated the news. A 32-year-old gunman confronted, shot, and killed his ex-fiancé, a doctor, in the parking lot. When law enforcement responded, the gunman fled into the hospital, where he killed a pharmacy intern and a law enforcement officer before killing himself.

The event echoed another highly publicized hospital-based shooting that occurred several months prior, heightening hospital staff’s anxiety—despite the fact that this incident was later determined to be a murder–suicide; the shooter was a 71-year-old male who, distraught over the illness that plagued his 70-year-old patient wife, murdered his spouse before killing himself in the hospital.

Although the CIO appreciates your efforts to standardize and elevate the hospital’s emergency operations plan over the past year, the feedback she received indicates that workers feel more prepared to deal with a pandemic outbreak than violence, “particularly if it is someone’s ex or a guy who comes in with a gun.” The CIO asks whether it would be worth reallocating your hard-won funding—originally intended to hire three new security personnel—to purchase metal detectors. Furthermore, the CIO suggests that she plans to take the issue to the CEO to ensure swift action is taken.

If staff are not feeling safe, some steps will need to be taken. However, while the concerns of the CIO and staff are important, your experience tells you the suggestions are unlikely to address the root issue. Instead, they will probably needlessly disrupt the current risk mitigation implementation plan. You believe there are better approaches to take, and you seek to make a case for them.

The key is finding the right course of action—one that maximizes current resources, does not unduly demand new resources, and for which an effective case can be made. This is where readily available research comes into play.

Credible Sources

You do not have to become an academician—or even be particularly tech-savvy—to access research relevant to informing strategic security decisions. In fact, the skills needed to conduct effective research parallel those utilized by effective security professionals.

During the initial stages of an investigation, the security professional narrows the list of individuals to either interview or consult, making the most of limited time and resources.

Likewise, when engaging in research, it is important to have a reliable and relevant pool of sources, particularly in a world where a simple Internet search can yield hundreds of thousands of hits.

Begin by narrowing down your search with some basic parameters. The research you use should be recent—at minimum published within the last 10 years, ideally within the last five.

Bear in mind that professional journals, which are peer reviewed, inherently provide a greater level of quality control compared to other sources, such as blogs, newspapers, or magazines. If you find information in a more informal source, such as a news article about a research report, it is always best to verify the information from the original source.

For example, a Google search of the murder–suicide referenced by the hypothetical CIO unearths research published by the Johns Hopkins Office of Critical Event Preparedness and Response (Hospital-Based Shootings in the United States: 2000 to 2011). The report confirms that most hospital-based active shooter deaths transpire outside of the physical facility, suggesting that metal detectors would be of limited use in preventing this type of violence. This research can be used to justify an objection to reallocating funding earmarked for personnel to metal detectors.

The Hopkins research also confirms that most hospital-based active shooter incidents target a specific victim, with interpersonal or domestic violence between a staff member and the shooter as one of the most common precipitating dynamics. This validates staff’s concerns: Employees are vulnerable to coworkers who may be experiencing interpersonal relationship conflict. Addressing staff perceptions of their own vulnerability is equally critical to the security professional’s success in creating a safe environment.

Beyond Internet searches, traditional academic research is also within your reach. With an increasing number of colleges and universities offering security programs or majors, security and risk management professionals are in demand as adjunct professors or affiliated faculty. These appointments often are associated with access to a significant number of e-journals in a variety of topics and fields, so it is also beneficial to inquire about this access if accepting one of these positions.

If you are not directly affiliated with a college or university, cultivating relationships with those who might be willing to access this research on your behalf—whether colleagues or interns—is beneficial. If you find a particularly relevant research article, you can also generally purchase or rent the article online from the publisher for a relatively nominal fee.

Consider taking on an intern to assist with research for your program. Internships are important avenues of experience for graduate or undergraduate students and often excellent resources in research assistance. Additionally, interns do not need to be enrolled in a security program. There are many opportunities for research in behavioral psychology and sociology that would link well with studying human reactions during adverse events. Hiring a research intern outside of the security profession can broaden your view of the issue and create a stronger business case that resonates with nonpractitioners.

Authors of articles in professional journals are required to be transparent about their research endeavors. Consequently, most research articles include an abstract that briefly summarizes the research and its findings, an overview of the issue and why it is important, details about the research methodology, details about the findings, a discussion section, and a conclusion. Unless you have an interest in becoming a researcher yourself, you can skip the detailed methodology sections and usually find the information you seek in the abstract and discussion sections. The overview often also provides a wealth of supplemental content regarding an issue.

Finding evidence-based practices does not need to be a solitary endeavor. Professional networks, including ASIS International, also provide support. Asking fellow security practitioners for input or trusted research sources is a valuable force-multiplier when developing a reasoned business case for security solutions. Recent discussion posts on an ASIS Open Forum, for example, suggested several evidence-based active shooter training resources geared toward civilian populations (REACT Smarter Civilian Active Shooter Response Instructor Training Program and Civilian Response to Active Shooter Events).


Although security plans often adopt an all-hazards approach to addressing incidents, research can assist in identifying context-specific nuances that can help inform resource allocation, training plans, and intervention strategies.

The active shooter training programs referenced above are civilian-focused and would not necessarily translate as well when training security staff with law enforcement or military backgrounds. Likewise, such training would not be appropriate in addressing middle school students’ safety concerns. Searching for studies specific to middle school security, however, quickly yields advice on practical and effective bystander intervention programs. It also provides relevant facts to use in community education and awareness campaigns, such as the prevalence rates for mass shootings, which are frequently subject to distortion given their shock value and media attention.

Research can also assist the security professional seeking to engage in more-targeted violence prevention. For example, a basic search of “middle schools” and “school shootings” in the U.S. National Center for Biotechnology Information’s online research archive, PubMed, yields research on the contagion effect of these events and the window during which copycat acts are most likely to occur. This, in turn, can assist in informing the security response. For example, security leaders can suggest allocating limited resources toward the retention of additional personnel during the time period at highest probability for similar acts—two weeks, according to the research.

Another way research can be contextualized is by providing information most relevant to your audience. If discussing active assailant preparedness with the chief financial officer for a public school system following a string of shootings, for example, quantifying the additional personnel costs during the contagion risk period is both concrete and justified by the research.


A single research article can lead to useful data. The process of chasing down supplemental information, however, can result in data paralysis. This phenomenon occurs when the data becomes the focus rather than a means to an end, obscuring the original problem and hindering engagement in needed action.

Returning to the hypothetical hospital security example, reviewing bystander intervention literature with research relating to four D methods (direct, distract, delegate, and delay) uncovers a relevant violence intervention strategy that translates well to a hospital environment. Conversely, the same search results brought up a successful gun prevention program targeting urban youth and physical self-defense programs for survivors of sexual assault—clearly not pertinent to the goal of supporting hospital staff.

As in other aspects of security decision making, the ability to quickly set aside irrelevant information is as important as competently utilizing applicable data.

Avoiding Tunnel Vision

An additional benefit of incorporating research in decision making is that it helps avoid confirmation bias—the all-too-human tendency to “see what we believe” or, more accurately, to only heed information that aligns with what we already think.

Our minds use “templates” to prevent us from becoming overloaded by the incredible amount of information and stimuli we are subject to on a daily basis. If we experience something new that is similar to something we learned in the past, we quickly file the new experience in the existing template and move on with our day. Our typical “top-down” cognitive processing can be useful, such as when we use context clues or patterns to decipher difficult handwriting or fill in missing letters.

This highly efficient way of processing the world also has a potential downside—when we file new experiences with previous ones, we assume that the new experiences will share the characteristics and behaviors of the prior ones. Research has repeatedly shown that individuals engaged in familiar tasks, particularly when multitasking, fail to perceive hazards in their midst, including oncoming traffic or potential assailants. And in the case of people, we tend to make similar associations: If a stranger reminds us of our kindly grandmother, we will tend to be favorably disposed to like them. If the stranger reminds us of a litigious neighbor, we are more likely to take offense. What we have previously learned or thought—even if it is inaccurate, incomplete, or irrelevant—influences future thinking.

The impact of this process on security is often seen after mass shooting events, when the public demands a response that addresses a perceived association between extreme acts of violence and mental illness. However, research shows that a minority of lone actors (32 percent) and significantly fewer group actors (3 percent) suffer from a mental illness. Left unchallenged, the bias that links mental illness with mass violence could result in threat assessments that overlook nuanced—and more relevant—risk factors, such as situational stressors, social isolation, and an absence of constraints.


Do not generalize research beyond its limits. Risk factors for violence in hospital settings, for example, vary by country. A quick Google search of workplace violence rates against hospital staff in Europe yields a National Institutes of Health article about assault prevalence rates across several nations. Knowing that the annual prevalence rate for assault among hospital workers in Germany is 56 percent, compared to 11.5 percent in Italy, suggests that the probability for assault on German hospital workers warrants prioritization of violence prevention efforts to support these staff. In Italy, however, other risks could outweigh workplace violence. Of course, location is only one context that merits consideration when determining the relevance of research data or findings.

Also consider whether the research concerns relevant or similar facilities. For example, regarding settings that are open to the public such as entertainment venues, transportation hubs, retail stores, or other public spaces, there is growing research on the ways in which social media has created disembodied bystanders—people who will record violent incidents rather than intervene or call for help—and effective strategies for encouraging a more active, security-conscious response. This may not be applicable in an area with restricted access, such as an access-controlled office building or factory.

In general, the more closely the population studied matches the population you are seeking to protect, the more useful the research will be.

Expanding Options

Perhaps the most significant benefit to combining research with professional experience and judgment is that it expands options for effectiveness. Research confirms what works, or it presents better solutions.

The security professional seeking to engage hospital staff in strengthening workplace violence prevention efforts, for example, can demonstrate successful efforts with existing research and internal metrics. A simple and effective research approach is the pre- and post-test design (see the sidebar, “Practice into Research,” for more information).

In the hypothetical hospital, the security leader can survey staff on what factors they believe pose the greatest risk of workplace violence—such as patients, domestic violence, or outside violence—as well as their knowledge of effective interventions. This provides a baseline for gauging staff members’ understanding of the two elements of violence risk assessment: forecasting probable acts of violence at the hospital and identifying appropriate practical interventions for that setting. Then, provide factual data regarding violence risk (such as prevalence rates for violence subtypes and historic reports of violence in various departments) and evidence-based training in violence prevention and risk mitigation (such as early identification and notification of peer substance use, domestic violence reporting, and resiliency building). The original survey is re-administered after training to identify the improvements made in the staff’s levels of knowledge, preparedness, and anxiety about their safety.

By applying research—particularly in areas that are extensively and continuously studied, such as risk assessment—security’s efforts remain informed, contemporary, and dynamic.

Dr. Diana M. Concannon is a forensic psychologist, associate provost at Alliant International University, and dean of the California School of Forensic Studies. She is a member of ASIS International’s Professional Development and School Safety and Security Councils.

Michael Center is a regional security advisor for the United Nations Department of Safety and Security based in Brussels, Belgium. He is vice chair of the ASIS Professional Development Council and vice chair for subject matter expertise of the Global Terrorism, Political Instability, and International Crime Council.

The views expressed in this article are the authors’ own and are not reflective of their organizations.