Skip to content

Photo by iStock

Four Elements of Security Planning for Crowd Emergencies

As much of the world has emerged from COVID-19 pandemic quarantine, large cultural gatherings are back. While that’s happy news for many, it also means a return to elevated security risks.

A Halloween 2022 crowd surge in Seoul, South Korea, left more than 150 dead and many more injured. Violence at an October Indonesian soccer match resulted in more than 100 people being killed in a stampede. With the American NFL Super Bowl coming up on 12 February, authorities need to be on high alert for any number of scenarios.

Crowd safety is a complex issue. Physical incidents have been the most problematic to date, but the digital environment is also a critical, if less visible, concern. Event sponsors and safety officials, as well as the attending public, need to understand their surroundings, their exposure to risk, and the digital and physical steps required to reduce and mitigate that risk.

There are four key elements to consider:


For events like the Super Bowl, the large crowd of ticketholders in the stands is the obvious top-of-mind security concern. But there are also high-visibility executives from corporate sponsors, celebrity entertainers and their staffs, the team owners, and other guests of honor who could be at elevated risk.

At large events, organizers have personnel standing by and monitoring the venue section-by-section. Significant efforts have been made to establish multiple security checkpoints, limit personal belongings carried in, impose bag size and transparency limits, and other best practices. But with tens of thousands of people pouring into a stadium, there are just a few seconds per person to assess whether an individual could pose a security concern.

As a result, risk mitigation techniques are mostly personal. Event goers must understand that there will be risk factors authorities simply cannot control, and that they must think carefully about how to protect themselves in the event of an emergency.

The best course of action is to maintain a reasonable amount of situational awareness, which makes an individual a “hard target” vs. someone who loses focus on their surroundings. Personal electronic vigilance will also help ensure attendees don’t fall victim to social engineering or phishing schemes. For example, using hover techniques will expose unfamiliar links before an individual clicks on something potentially malicious.


One of the uncontrollable crowd risk factors is connected devices. Nearly everyone entering a stadium, heading to a rally, or attending a large cultural event is carrying at least one mobile device. Those devices connect to cellular networks or venue-provided Wi-Fi. There are also various connected corporate devices and broadcast communications devices in use. The very presence of these devices is a risk, as they can enable coordinated lines of effort, such as bad actors using them use to communicate about threats. The 6 January 2021 attack on the U.S. Capitol offers a clear example of attackers digitally coordinating over social media and private chat groups.

Then there is the cyber dimension. With such a large number of connected devices, the attack surface is vast. This poses risks not just to device owners (particularly those using open stadium Wi-Fi), but also to venue infrastructure. For instance, a malicious actor who gained unauthorized access through a network hack could impact specific infrastructure components (think Jumbotron, cameras, radios, or digital signage) or digitally shut down the entire stadium.

A pre-event vulnerability assessment can show where venue infrastructure vulnerabilities exist and what preventive steps can be taken to harden infrastructure against an attack launched onsite or even remotely.

There is also the gargantuan task of locating digital bad actors onsite. Through pre-event intelligence activities, authorities might know if there is a threat actor in the stadium. But determining where or who they are is extremely difficult. The effort to collect and assess device data is challenging, although capabilities to do so are advancing. Emergency 911 capabilities are providing better high-resolution location data to aid in emergencies. That same data is available to law enforcement officials through warranted requests. Not only can cellular location data be obtained but assisted GPS data (where available) can provide high-confidence location information.


It is certainly necessary to take preventive steps, but the scope of large events means safety guarantees aren’t possible. The best line of defense is to prepare a response plan that considers multiple scenarios and to have a trained response team ready should it be needed.

First and foremost is the physical safety and security of everyone present. When an emergency occurs, there may be a knee-jerk reaction to immediately cancel the event, which may not be the appropriate course of action. For instance, planning needs to account for preventing the choking up of egress points so that first responders have free access as needed.

The response plan must also consider what technologies will be required to support responders’ needs in the moment. That includes how to best leverage existing digital infrastructure, and what new tools will be needed to ensure that help and support are available during an emergency incident. Those range from digital forensic tools to extract data from devices to network location tools that are available through lawful warranted requests for information.


There are many steps for investigation teams to take after an incident. Triage starts with quickly examining what happened and where. That involves analyzing collected data for a snapshot-in-time and examining video surveillance footage.

To streamline the investigative effort, it is optimal to feed collected data into additional technology that can analyze and visualize it. Overlaying multiple pieces of intelligence enables funneling a large macro area to a micro area; then, the incident can be stepped backwards through conducting personal interviews, device examination, and the like. The ultimate goal is identifying those responsible and gaining insights to minimize residual risk in the future.

Our modern digital environment poses unprecedented complexities but also offers powerful defensive capabilities for security personnel and first responders to employ. Thoughtful vulnerability assessment, mitigation strategies, cyber analysis, technical surveillance, and digital forensics can fortunately help create a safer, more enjoyable environment for any public event.

Jeremy Jones is executive vice president of mission services and support at Knowmadics. He is a cyber and electronic warfare expert with more than 25 years of highly skilled experience in private and public sector global operations, including 15 years in operational cyber, electronic warfare, leadership, and research and development experience in U.S. Special Operations Forces.

© Jeremy Jones, Knowmadics Inc.