Before we dive into this topic, we must acknowledge a great article from AIRIP published in October 2016, by Shana Tarbell. She wrote an article that outlined specific responsibilities and initiatives set by her organization’s risk intelligence program. I highly recommend reading her article: “What Does A Risk Intelligence Analyst Do In A Non-Profit Organization?”
In today’s article, we will touch on a similar topic, but from a security-centric perspective rather than that of a non-profit.
Each organization has its own unique structure and processes, but we have identified 4 primary areas in which protective intelligence analysts across large and small organizations support protective security programs:
- Ongoing Assessments of Threat/Vulnerability
- Auditing Protective Intelligence Data
- Travel Risk Research
#1. Ongoing Assessments of Threat/Vulnerability
The most fundamental functions performed by protective intelligence analysts are those that supplement the security program’s evolving assessment of threat/risk to the principal. Below, we make a distinction between that which we have the most influence over (activity of the principal/organization) and that which we have less control over (general population sentiment/activity).
This process begins with analysts taking a deep dive into the principal’s comprehensive online and open source presence, allowing analysts to see exactly what a determined person of interest (POI) would see. Comprehensive research of this kind would generally include all open sources which are available online (surface and deep web), as well as all public records connected to the principal. By having an accurate, up-to-date picture of the principal’s outward presence, as viewed from the perspective of an adversary, protection specialists are able to incorporate this potentially critical information into the security program’s overall risk mitigation strategy.
What does it mean to take a deep dive into the principal’s presence online and in other open sources? Simply stated, it means analyzing the digital privacy practices of the principal and their closest associates (including family members and linked employees). Since we know that the two most important pieces of information that the adversary needs to aggress against the principal are (future) time & place, analysts have a heightened sense of awareness for these elements as they conduct their research. Secondly, expanding the analysis to include close associates is necessary because when an adversary concludes that a principal has a security conscious approach to online activity, they will then tend to target by proxy.
The adversary will target those associates closest to the principal, who we find typically have less regard for security.
Following completion of this research and analysis, protective intelligence analysts are able to propose a range of prescriptive disciplines to minimize and limit open source information that potential adversaries can use to aggress against a principal. Often, these prescriptions take the following forms: strict privacy settings on social networking platforms (to include refraining from using geotagging), eliminating time & location specific information in public posts, refraining from posting sensitive content (and deleting past instances), use of PO Box/LLC for all forms requiring personal information/payment, etc.
Up to this point, we have discussed a comprehensive analysis of the principal’s presence, as presented by open sources—elements that we generally have significant influence over. Now, we will transition into an area that we have less control over, which is public discourse related to the principal. Our experience in this field has confirmed that no matter what magnitude of resources a principal invests in altruistic causes, there will be an audience that opposes them.
Our research activity will then logically expand into all public discourse about the principal and their interests (business ventures, philanthropy, etc.). It is common to find hate sites or online personalities that are specifically opposed to initiatives of the principal’s many organizations and foundations. These sites and the individuals that operate them should be assessed and monitored regularly. At the conclusion of this research, the analyst will have a broad understanding of the current and historical sentiment of the public toward the principal, all of which will supplement the reassessment of threat/risk to the principal.
It is important to note that this step is also part of our education in viewing the principal from the perspective of the adversary. We have found that this aspect of protective intelligence often lacks creativity on the part of security professionals, lest they propose an unpopular perception of their principal. Our viewpoint is that this area of protective intelligence requires an unbiased approach. While this type of desktop exercise may be initially painful and awkward, it will lead to a much healthier organization and enhance your team’s ability to provide security. With this information in mind, other areas of our intelligence collection will be supplemented. For example, if you know that a particular hashtag is associated with those that oppose the principal, why not set up geographic-specific alerts for those Tweets? Or, why not monitor the Facebook group of local activists that oppose the principal?
As you have guessed, this comprehensive analysis of the principal is not something that is conducted once. It requires constant upkeep. Upkeep for many protective intelligence analysts includes continuous review of the principal’s social media activity, monitoring of designated POIs, monitoring of mentions of the principal in news media (local and abroad), monitoring of company press releases (as this may have implications for security), and more as deemed necessary by the threat matrix.
Following closely behind threat/vulnerability-related research, investigation-specific activities typically consume significant time and energy of protective intelligence analysts. But who are they investigating?
- Assessment & reassessment of POIs
- Threatening communications
- Due diligence/background investigations as necessary
Similar to our research about the principal, our investigation here would include open source information (online and public records), proprietary data sources, field observations & surveillance activities, cultivation of third party monitoring assets, and more.
#3. Auditing Protective Intelligence Data
Most protective security programs have a mountain of protective intelligence data sitting dormant in their company intranet platform. This data includes all information attached to POIs, suspicious people/vehicles, vendor & employee information, surveillance detection repositories, suspicious communications/contacts with the principal, and more. Unless an organization has proprietary technology to supplement the work of its analyst, the analyst will have to review this data manually to discover patterns and trends that may indicate increased threat to the principal.
As an aside, this is one of the problem areas that we are addressing with the Ontic platform. We are leveraging the power of machine learning to multiply the efficiency and effectiveness of protective intelligence analysts. In the example above, where no analyst can possibly retain 1,000s of pieces of data in their mind at a single time to make connections between each data point, computer learning can overcome the cognitive weaknesses of human analysts. It must be reiterated that this will never replace the analyst. Instead, this augments their ability to identify patterns and trends in the data that indicate increased threat to the principal.
#4. Travel Risk Research
In this function, colloquially referred to as travel intelligence, protective intelligence analysts are responsible for producing comprehensive security & safety assessments for key personnel traveling domestically and internationally. The components of these research products vary by consumer. However, they generally include the following: basic jurisdiction & country information (entry requirements, required/recommended immunizations, aggregate crime & safety, infrastructure, State Department alerts/warnings, etc.), risk profile of the principal, geopolitical concerns & forecasts, social unrest, terrorism, reliability of security & medical services, evacuation protocols, as well as recommendations from the security staff.
Protective intelligence is our primary means of taking a proactive approach to protecting critical personnel and assets. Individual analysts play a fundamental supporting role in protective security programs, starting with the foundation of the security program (assessments of threat/vulnerability), then expanding into narrow functions such as travel risk research. Not every organization can afford to have a large team of dedicated analysts, but no organization can afford to ignore the essential functions of protective intelligence specialists.
In our upcoming set of writings, we will expand on the key functions played by protective intelligence analysts, their training & education, and how their role is evolving in our organizations.
Author Credit: This article was written by the Protective Intelligence contributor, Travis Lishok.