The Intelligence Impact on How Organizations Manage Business Disruptions

The ASIS International Threat Intelligence: Understanding How Threat Management Supports Resilient Organizations study, sponsored by Esri, provides a ton of findings on how organizations find and use threat intelligence. One of the research aims was to understand the impact intelligence management has on disruptive incidents and organizational resilience.

This article pulls from the research as presented in the report, provides some additional findings from the study, and adds context to illustrate the relationship between threat intelligence and specific types of disruptive incidents, as well as how organizations can use intelligence to get better strategic outcomes.

About the Study

A small group of ASIS members volunteered to serve in an ad hoc capacity on the project to help build a survey instrument. The survey launched in June 2025 and was promoted to ASIS members and customers for several weeks.

Overall, 813 people—mostly security professionals—answered at least some of the questions. Security consultants and business partners had the option to answer an alternate set of questions. Overall, 427 people completed the main survey, and 104 consultants completed the alternate survey. This yields a margin of error of ±5 percent at the 95 percent confidence interval for most of the questions in the main survey. The consultants survey should be taken as an estimation only. For more information, including the survey demographics, see the full research report.

What Did Organizations Face?

The survey asked security professionals if they had experienced incidents in any of 12 categories that caused a significant business disruption. Approximately one in five (21 percent) were the lucky ones who did not experience a significant disruption in any category. Most security professionals reported significant disruptions in two or three of the categories (with a maximum of three being allowed in the survey).

The table below presents the results with civil or political unrest incidents (30 percent) and natural disaster-related incidents (28 percent) leading the way and climate change-related incidents (7 percent) and major robberies or burglaries (9 percent) at the bottom.

A note on climate change: The term is politically charged in the United States to a greater extent than much of the rest of the world. However, comparing answers to climate change-related-questions from North America to answers from Europe showed no significant difference. A likely stronger reason for the low number for climate change in the table is that most if not all climate change incidents would fall under the natural disaster category.

How Well Did Organizations Respond?

The survey then asked the security professionals who had experienced disruptions if specific factors contributed to making the incident harder to manage or more disruptive. For example, they were asked if not identifying the threat or potential threat quickly enough contributed to the disruption. In this case, the responses can be broken into two groups with 50 percent being the demarcation line.

At the top of the list of categories that were relatively harder to identify quickly are workplace violence incidents (58 percent), major robberies or burglaries (58 percent), and physical perimeter breaches (57 percent). Supply chain disruptions fell below the 50 percent threshold, but at 48 percent it was statistically closer to the difficult-to-identify categories than most of the easier-to-identify categories. The incident categories that were relatively easier to identify were civil or political unrest (35 percent), political instability incidents (34 percent), and regulation or standards changes (33 percent).

Another potential breakdown the survey asked about was whether failing to effectively communicate the threat to affected business units made the business disruption worse.

Relative to being able to quickly identify the threat, security professionals were more confident in the effectiveness of their communication. There is still a nice demarcation in which some incidents were relatively harder to communicate effectively and incidents that were relatively easier, but the demarcation line is at 40 percent rather than 50 percent.

Incidents related to regulation or standards changes (54 percent) and economic instability (46 percent) were more likely to have communication issues than climate change, major robberies or burglaries, or workplace violence incidents (all at 19 percent).

The report also measured whether breakdowns in emergency management or business continuity processes made the incident worse.

Once again, the demarcation line lowers, signifying that security professionals think emergency management or business continuity breakdowns were even less of a cause for concern than communication issues or the ability to quickly identify a threat. Five of the categories are at or above 30 percent, with climate change at the top at 42 percent. Seven of the categories fell below 30 percent; only 19 percent said breakdowns in emergency management or business continuity processes made economic instability incidents more disruptive.

Finally, the survey asked security professionals to rate how effective their organizations were at the whole process of managing business disruptions, from identifying the threat to responding to the incident to ultimately recovering from the incident.

Overall, they rated their organizations as fairly effective. Every category of incident received a rating of highly or mostly effective by nearly 50 percent or more of security professionals. Economic instability incidents, political instability incidents (both at 48 percent highly or mostly effective), and regulation or standards changes (50 percent) were the most difficult types of incidents to handle through the entire process.

Organizations were most effective at handling labor unrest incidents (73 percent highly or mostly effective), civil or political unrest (67 percent), and workplace violence incidents (65 percent), respondents said.

How can security professionals steer their organizations even more toward the highly or mostly effective side of the equation?

“I think it’s really important in business today to have situational awareness,” says Mike Moorman, CPP, PCI, CSMP, the senior manager of corporate security at automobile component manufacturer Yazaki North America and one of the ASIS volunteers who assisted with this research project. “I’m sorry I’m using military terms, but you need that awareness so you can establish a common operations picture. You need to know what’s going on in your own house as well as what’s going on next door and down the street. And not just that, what’s going on two or three blocks over?

“Our footprint is in North and Central America, but things going on in Europe, in Asia, in China, can absolutely cause a disruption for us, too,” he continues. “You need to have wide visibility because you need all of that information if you’re going to make the best decisions you can make for your company.”

Said another way: Never stop learning.

How Did Organizations Learn from Business Disruptions?

Whenever an incident causes a significant business disruption, the organization should consider conducting a formal after-action review. The U.S. Army has a simple approach to after-action reviews, one that stands as the basis for the way many approach the practice. The person conducting the review leads discussions with all who were involved in the events that led to the disruption, working to answer these four questions:

• What was supposed to occur?
• What did occur?
• What went right and what went wrong?
• What should be done differently next time?
  
  

A Harvard Business Review article expanded on this rubric, giving ideas to ensure after-action reviews lead to meaningful change:

Influence a community, not a process. Make your focus the team, the customers, and other members of a community. Identify their motives for wanting change. Uncover the stories of how the event affected them personally.

Spend most of your effort on describing what occurred. The authors found most organizations emphasized the last two questions. As a result, pertinent information never surfaced, and outcomes tended to support the review leader’s preconceived notions of the incident.

Tell the whole story. Most reviews stressed candor by strenuously avoiding assigning blame. The authors said this was a singular source of after-action review failure. Rather than invite actual candor and uncovering the whole story, it tended to shut down investigative avenues when someone accepted responsibility for a shortcoming. Instead, whenever anyone expresses culpability, investigate it thoroughly—review leaders will gain a fuller picture as a result.

The survey asked participants who reported business disruption incidents what changes they made because of the incident and whether or not their organizations would perform better if faced with a similar incident again. Four in five reported making changes in how they manage threat intelligence, especially changing how threats are communicated to other business units. They also prioritized changes to emergency management or business continuity processes. Nearly all security professionals said their organization’s response to a similar incident would likely improve.

According to Tim McCreight, CPP, founder of TaleCraft Security, who also assisted on the project, it’s critical for corporate security to build its proactive capacity. Security professionals “need to think about things outside a traditional security program. What can they be doing to be more proactive in their company? Security can’t be looked at as just physical or just cyber. It needs to be looked at as a risk-facing part of the organization.

“Intelligence can be a powerful force in this area,” McCreight continues. “Intelligence can help us understand the types of risks that are impacting us or could potentially impact us. It gives us the chance to identify those risks, and, more importantly to build resilient organizations. Organizations that can detect, contain, eradicate, recover, and bounce back better—and then rinse, repeat, and do it again.”

The survey asked about some of these proactive organizational disciplines, including business continuity, enterprise risk management, and organizational resilience. Security professionals reported that their organizations had established formal processes in these areas, and that threat intelligence was an important contributor.

Scott Briscoe is the content development director at ASIS International. He served as project lead on the Threat Intelligence: Understanding How Threat Management Supports Resilient Organizations study.