Skip to content
Menu
menu

Illustration by Security Management; iStock

Active Threat Attacks by Lone Actors: A New Category of Risk to Anticipate for Effective Prevention

Active assailants have typically come in different categories: psychological disorder-driven active shooters, ideologically extremist-driven terrorists, vengeful employees (or ex-employees), and insiders who are known as troubled individuals to at least some of their intended targets. But a recent wave of violent attackers crosses these separate categories, vastly complicating traditional threat assessment practices.

In these active threats where several distinctive categories of threats converge, there is a direct relationship between the attacker and at least some of the intended targeted victims. Such attacks often fall into one of two categories: workplace violence type 3, when the attacker intentionally targets his or her coworkers (or ex-coworkers) at their places of employment, or workplace violence type 2, when a customer or patient targets a retail, entertainment, hotel, or other facility where some of the employees may recognize the attacker as a regular customer or patient.

These violent assailants are lone actors, as opposed to members of an organized terrorist group, although some members of groups might be known to some of their intended victims.

To effectively anticipate and counter the multidimensional nature of this broader category of attackers, it is crucial to expand the professional security community’s analytic lenses. It is helpful to apply a multidisciplinary approach to identify potential perpetrators because they now exhibit the characteristics of several categories of threat actors, rather than solely one category.  


As insiders, these assailants have numerous advantages that other threat actor categories lack, especially in their ability to easily approach targets without arousing suspicion.


Defining Active Threat Lone Actors

To be defined as active threat lone actors (ATLAs), these attackers either are psychologically disordered active shooters or ideologically extremist terrorists who have a direct relation to at least some of their intended targeted victims and their workplaces, whether as fellow (or former) employees or as customers or patients who are known to at least some of the staff, with their attacks considered workplace violence-related. Knowing at least some of their intended targeted victims also makes the violent assailants insiders.

To qualify as ATLAs, at least three of the four categories of the violent characteristics of such perpetrators need to converge:

  • Active shooter. Psychologically disordered assailant.
  • Terrorist. Ideologically motivated assailant.
  • Workplace violence. Targeted a place of employment.
  • Insider. Knows at least some of the victims.

In some of the incidents, the perpetrator might be both a terrorist and an active shooter, as some lone actor terrorists are considered to exhibit a higher degree of mental disorder than those who join terrorist groups. (For more on this, see A false dichotomy? Mental illness and lone-actor terrorism, by Emily Corner and Paul Gill.) The insider dimension of such lone attackers is the most crucial because it characterizes perpetrators who will conduct attacks at a workplace, whether as employees (current or former) or as customers or patients.



Significance of ATLAs

What makes this new threat category especially significant is that it applies both to ideologically driven terrorists and psychologically disordered active assailants. The perpetrators primarily operate as lone actors (and, in a few cases, they might have a co-attacker), and they generally do not belong to an organized group, according to the Handbook of Terrorism Prevention and Preparedness.

The attacker’s insider status makes it easier for such ATLAs to thwart some strict security mechanisms that might be in place to prevent an attack. As a result, such a direct authorized access at the targeted area enables an active threat attacker to potentially inflict a higher level of fatalities and injuries than other types of lone actor attackers. An outsider would have difficulty entering their targeted facility with their firearms and ammunition.

This multidimensional nature of ATLAs, therefore, requires a more complex awareness, preparation, and response cycle by the professional security community.



ASIS POA

ASIS Protection of Assets (POA)

Prepare. Predict. Prevent.

Advance your mission. Accelerate your career. Security professionals worldwide rely on the Protection of Assets (POA) to navigate their toughest challenges and increase capacity to assess and mitigate risk. 

0722-SM-Online-Active-Threat-Lone-Attackers-SharkFin.jpg0722-SM-Online-Active-Threat-Lone-Attackers-SharkFin.jpg

Chronology of Significant Active Threat Actors Worldwide, 2009-2022

To understand how pervasive the threats by active threat lone actors (ATLA) pose to public safety, this chronology provides a list of their significant attacks globally from the mid-1990s to mid-2022. The categories of each incident are listed at the end, noted as: terrorist (T), active shooter (AS), insider (I), and workplace violence (WV), whether as type 2 (customer/patient) or type 3 (worker-on-worker).

20 June 1994: Dean Mellberg, a 20-year-old U.S. airman who had recently been dishonorably discharged, attacked the Fairchild Air Force Base hospital complex in Spokane, Washington, killing four—including the psychologist and psychiatrist whose diagnosis led to his discharge—and wounding 23. [AS, I, WV-3]

5 November 2009:  U.S. Army psychiatrist Major Nidal Malik Hassan, 39, killed 13 people and wounded 39 others in a shooting at Fort Hood military base in Killeen, Texas. Throughout his career, colleagues and superiors expressed concern about his low job performance and extremist views. [T, AS, I, WV-3]

27 September 2012: Andrew Engeldinger, 36, attacked the Accent Signage Systems company outside of Minneapolis, Minnesota, after he was told he was about to be fired. Throughout his employment at the company, he had been repeatedly disciplined for “offensive behavior, tardiness, and poor job performance.” Engeldinger killed six people and wounded two others. [AS, I, WV-3]

16 September 2013:  Aaron Alexis, 34, had worked for a company that provided IT contract services to the U.S. Navy, which provided him access to the guarded Naval Sea Systems Command headquarters at the Washington Navy Yard in Washington, D.C. Alexis had learned he was about to be fired, which led him to target his coworkers. By the end of the attack, 13 people were killed, including the perpetrator. [AS, I, WV-3] 

2 December 2015:  Husband and wife Syed Rizwan Farook, 28, and Tashfeen Malik, 29, attacked his workplace holiday party at the Inland Regional Center in San Bernardino, California, killing 14 people and wounding 22 others. The couple considered themselves jihadists. [T, AS, I, WV-3]

12 June 2016:  Omar Mateen, age 29, carried out a mass shooting at the Pulse Nightclub, in Orlando, FL, killing 49 people and wounding 53 others. Mateen killed himself following a three-hour standoff with the responding Orlando Police officers. He was reportedly a customer at the club and was known to some of the employees, and in the course of his attack he announced his ideologically extremist views. [T, AS, I, WV-2]

14 June 2017: James Hodgkinson, 66, wounded six people during a mass shooting at a practice session for the annual Congressional Baseball Game for Charity in Alexandria, Virginia. He was reportedly a left-wing political activist from Belleville, Illinois, who had spent several days at the park’s recreation center before the attack. [T, AS, I, WV-2]

26 September 2017:  Nimer Mahmoud Ahmad Jamal, 37, a Palestinian laborer, carried out a shooting attack against security guards at the entrance gate of Har Adar, an Israeli settlement outside Jerusalem. Jamal killed three Israeli security guards and wounded a fourth before he was killed in a shootout with the security guards. Jamal held a license to work in Israeli settlements, and he was known to the guards at the town’s entrance gate, so his attack took them by surprise. The Times of Israel reported that Jamal, who had been radicalized into violent extremism, also suffered from severe personal and family issues, including engaging in domestic violence against his wife. [T, AS, I, WV-3]

1 October 2017: Stephen Paddock, 64, used his vantage point on the 32nd floor of the Mandalay Bay Hotel and Casino in Las Vegas, Nevada, to fire more than 1,000 bullets down on the Route 91 Harvest Music Festival, killing 60 people and wounding 411. The ensuing panic injured several hundred more. [AA, I, WV-2]

7 October 2018:  Ashraf Waleed Suliman Na’alwa, 23, a Palestinian, worked at the Barkan Industrial Park in the West Bank as an electrician. He entered the factory with a Carlo sub-machine gun and killed two Israeli coworkers, wounding a third. It was reported that he had trained for his attack for two weeks, with his mother indicted by Israeli authorities for knowing about his intended attack but not reporting it. [T, I, WV-3]

3 October 2019:  Mickael Harpon, 45, an IT worker at the police headquarters in Paris, France, used a kitchen knife to fatally stab four coworkers, while wounding an additional worker. Harpon had worked at the police headquarters for several years. He had converted to Islam some 18 months earlier and was reportedly radicalized into religious extremism, with some of his colleagues alerting managers to his suspicious opinions and behaviors, but no formal investigation was launched. [T, AA, I, WV-3]

6 December 2019:  Mohammed Saeed Alshamrani, 21, a second lieutenant in the Saudi Arabian Air Force and an aviation student, carried out a mass shooting attack at Naval Air Station Pensacola, in Pensacola, Florida. Three U.S. Navy sailors were killed, and eight others were injured. It was reported that he had become radicalized into jihadist extremism in Saudi Arabia as early as 2015.  [T, AA, I, WV-3]

30 October 2021:  Ethan Crumbley, 15, carried out a mass shooting attack at the Oxford High School in Oxford, Michigan, where he was a sophomore student. Four students were killed and seven others injured, including a teacher. Crumbley was previously known to his school authorities as psychologically problematic. In addition to criminal charges, he was also indicted with a terrorism charge, under Michigan law, for “an act that is intended to intimidate or coerce a civilian population.”  [T, AA, I, WV-2]

1 June 2022:  Michael Louis, 45, used an AR-15 style semiautomatic rifle to kill four people at St. Francis Hospital, in Tulsa, Oklahoma. He shot himself to death immediately after targeting his victims. He had been a patient at the hospital and allegedly intentionally targeted his former physician and nursing staff because he was unhappy about his earlier treatment for back problems. [AA, I, WV-2]



Anticipating ATLA Attacks      

To effectively preempt ATLA perpetrators at the earliest pre-incident phases, it is crucial to collate at least three out of four of their characteristic types and the pre-incident early warning signs associated with each of them and how they might converge into active threat assailants, to be aware of the category of violent attacks they might carry out as troubled insiders.

In all of the 14 incidents included here, the perpetrators were known to at least some of their intended victims, and in many cases they were considered highly problematic individuals. This is a crucial early warning indicator because such insiders are aware of how to exploit an organization’s security vulnerabilities in order to smuggle their firearms and ammunition for their intended attack. Lone attackers without a similar direct link would have a harder time accessing facilities and reaching targets.

Anticipating how pre-incident activities might lead to perpetrators’ engagement in violence requires a multifaceted forecasting approach.

If the attacker’s activities were viewed as largely singular in nature—preparing for a terrorist attack in general, but not an attack against one’s coworkers as well—their activities would be more difficult to monitor unless those associated with the potential perpetrator would be aware of the early warning signs to collate into an actionable threat assessment. Otherwise, such perpetrators would benefit from the shorter timeframe available to their targeted adversaries to prevent, preempt, or halt their pre-incident attack preparations. As three or four of these types of threats converge, the magnitude of the overall threat becomes exponentially greater (e.g., combining workplace violence’s insider access with a terrorist or active assailant’s vengeful motivation, attack capability and arsenal of weaponry and ammunition).


Anticipating how pre-incident activities might lead to perpetrators’ engagement in violence requires a multifaceted forecasting approach.


To anticipate and prevent potential attacks by such active threat perpetrators, security professionals must aggregate their previously separate threat assessment methodologies to forecast how an individual in their midst might become an active threat lone actor (ATLA):  an active shooter (psychological disorder and disposition to violence), a terrorist (radicalization into violent extremism and acquisition of arms as a lone actor or joining a terrorist group), perpetrator of workplace violence (vengefulness towards coworkers accompanied by acquisition of weapon and ammunition), and an insider (someone who is known to associates, including coworkers, with a possible disposition to become an active threat-type perpetrator).

But gathering threat information is not enough. To preemptively prevent potential active threat incidents, public safety responders in government, law enforcement, and the private sector need to be knowledgeable about how to respond to each of these threats and to prepare tailored and customized responses to comprehensively respond to several threats in combination.

For example, it is legitimate in a democratic society for an employee to espouse an extremist ideology. But when it is accompanied by angry and vengeful expressions towards coworkers and increasing isolation from them, it should at the very least be reported to an organization’s human resources department for an appropriate counseling measure. If it is discovered that the employee is also accumulating firearms and ammunition under suspicious circumstances, then the local police department should be contacted for a follow-up measure. The organization’s security department should be made aware of each development, while ensuring the employee’s privacy rights are protected to the extent possible.

Promoting such an enterprise-wide situational awareness of active threat risks will also resolve any definitional confusion that may arise when multi-type perpetrator incidents occur. For example, if a workplace violence incident is caused by an employee’s ideological extremism, as opposed to dissatisfaction with one’s job, then the early warning signs associated with ideological extremism need to be monitored. This will help avoid the confusion of having to come up with a single threat term to define the underlying causes for such violent attacks, since several threat types will converge for them in a combustible mix.

Such early warning risk-based mind-sets and behaviors were not reported to appropriate authorities, signaling a reluctance to get involved, a fear of being wrong and liable for a counter-suit, or lack of awareness of proper reporting mechanisms that would still maintain privacy and civil liberties provisions for all concerned.

While it is still important to be aware that a violent assailant, such as a terrorist, might attack a target with no direct tie to it, an assailant might be someone who is known to its intended target as well. Security professionals should adopt an expanded 360-degree threat awareness aperture that takes multiple and multilayered threat pathways into account. For upgraded threat awareness, therefore, the construct of an enterprise-wide security focus on an imminent active threat situation must become pervasive for all those tasked to preempt such attacks at the earliest pre-incident attack phases.

Dr. Joshua Sinai is a professor of practice, intelligence and security studies, at Capitol Technology University, in Laurel, Maryland. He also serves as Senior Analyst at TorchStone Global, a firm that provides security consultation to government, corporate, and individual clients.

arrow_upward