Suppose you’re in charge of security for a big community event. Your organization is hosting an appearance by a prominent speaker and you’re made aware that a threat has been made against the speaker. To save time while screening people streaming into the event, you focus on individuals who meet a certain ethnicity and/or gender profile. You and your team are thorough. Yet, by happenstance, only because a bystander noticed a person behaving oddly and reported it, weapons are found on a person who didn’t fit the profile.
That lucky break prevented a tragedy, but counting on lucky breaks is not a sound security strategy. Where did you and your team go wrong?
The mistake was in profiling, a mental shortcut rooted in group stereotypes and bias. The belief that individuals within one group are more prone to particular actions isn’t grounded in sound evidence. The view that one group is more prone to anger or is more likely to attack others may just as likely be based on ignorance or prejudice. The appeal of profiling is that it might save time and resources. That’s a faulty assumption. In fact, profiling may cost you more in time and resources – and result in reduced security for your organization.
A far more reliable and less problematic security strategy is to focus on the behavior of individuals. Let’s unpack these issues and learn why focusing on behavior is the right security strategy. First, let’s understand what happens when profiling is based on stereotyping and bias.
Stereotyping generally refers to a mental image of a particular social group and thinking about what that imagery implies. As you look out over a general group of people, you may form stereotypes of people you see. The words “hippie,” “socialite,” or “yuppie,” for example, create a mental image, because of something you might have witnessed personally or seen in the media. Stereotypes are mental shortcuts – they are cognitive schema to process information about those we see around us.
Bias is discrimination that stems from imagery you might have about certain groups. Bias generally refers to inappropriate and potentially unfair treatment of individuals based solely on membership in a group. Behavior rooted in bias may involve active, negative behavior toward a member of that group or, more subtly, behaving toward them with a less positive attitude than you might display towards an individual from a group you regard more favorably. Bias can be present in two ways. Explicit bias shows up in conscious attitudes and deliberate behavior. Implicit bias can be present without a person being consciously aware of it.
Stereotyping and bias are the raw ingredients that go into profiling people who are perceived to be security risks and those who are not perceived as such. When a threat is communicated to you and your security team, profiling may govern how you respond to the threat. Going back to our example of a threat against a prominent speaker at a community event, you may order your team to base their observations on profiling. You may, for example, direct your team to focus on members of one group and dismiss members of other groups, such as women or people in their 70s or older. Think of all the possibilities. Think of the consequences of your choices. What if the person making the threat is a member of a group you have just told your team to dismiss as a threat?
Consider this scenario. Suppose you are a terrorist and in your pre-attack surveillance, you have determined that security is profiling people based on race and gender. In your surreptitious tests of security, you have found that women of European descent are waved through security checkpoints with minimal scrutiny. You plant weapons on an individual meeting that profile and she enters the crowd undetected. Clearly, you can see in this scenario that profiling is self-defeating. Reliance on profiling does not improve hit rates that lead to an arrest or other formal law enforcement measure.
That’s not all. Profiling can lead to unintended consequences that diminish your organization’s reputation and weaken security. People at an event who are pulled aside for questioning because they fit a certain profile will feel embarrassed, humiliated, or even traumatized. Those who are regularly stopped for that reason will lose trust and confidence in your security team or those in the law enforcement community who engage in such practices. They will tell their family, friends, and others in their personal networks. The result: decreased cooperation that could have risky consequences.
Instead of profiling rooted in stereotyping and bias, focusing on behavior is more reliable for detecting threats and preventing trouble. Most criminal behavior is observable and generally plays out during pre-attack activity. What you are looking for are behaviors associated with target selection, surveillance, rehearsal, and the act itself. This is where the See Something, Say Something campaign comes in. You are watching for behavior that implies criminal intent.
For example, suspicious behavior includes questioning individuals associated with your facility in a level of detail that goes beyond mere curiosity, whether about the purpose of a facility or building, its operations, its security procedures, or how many staff and personnel are in the building at any particular time. You are looking for anything that would arouse suspicion in any reasonable person. Questioning of this kind qualifies as suspicious behavior and should be reported.
Another example would be an interaction with, or challenge to, a facility's installation, its personnel, or its systems that reveals physical, personnel, or cyber security capabilities or vulnerabilities. This would include testing through unscheduled deliveries of materials or equipment, unattended or unauthorized vehicles coming to the entrance and sitting for extended periods, or individuals leaving an unfamiliar vehicle in place near your facility and walking away to see what happens. Other suspicious activities include scans of your computer network: pinging the gateway with a high number of packets, or running discovery port scans as part of cyber intrusion testing. Testing of such security measures is suspicious behavior that you should report.
Other types of behavior you should watch for are information gathering or recruiting, such as a person trying to gather information on personnel, bank data, or travel data. Observable actions can be taking pictures of your facility, taking notes outside it, dumpster diving, attempting to measure distances, documenting security patrols, spending time looking at fences, gates, and security tools such as cameras and access controls, and calling and asking questions about general staff or certain staff members and their availability. Other indicators of suspicious behavior are an attempted breach of security, trying to enter the building by piggy-backing behind a badged visitor, seeking additional access to secured areas, and attempting to use vehicles, uniforms, or cloned or stolen forms of identification or key cards to gain access to secure areas.
In conclusion, behaviors are what we have to watch for. We cannot rely on outdated and ineffective profiling methods, or judge others based on stereotypes or biases.
For keeping our facilities and community secure, we must look at people as individuals, consider circumstances, and weigh the potential consequences of behaviors and actions. We should report behavior that is reasonably indicative of criminal activity or terrorist intent by those who mean to do us harm.