What is “Protective Intelligence?”


To the security intelligence analyst plugging away in a 24-hour operations center, protective intelligence is one thing.

To the security consultant with an MA or MS in psychology, protective intelligence means something else.
And to the United States Department of Justice or the U.S. Secret Service, it takes on another meaning.

While the term protective intelligence is not used every day in an average security professional’s vocabulary, it is the most defining element of a program’s success in being proactive rather than reactive. It can be defined as:

Protective intelligence is an investigative and analytical process used by protectors to proactively identify, assess, and mitigate threats to protectees.

In Security Weekly’s article, “The Proactive Tool of Protective Intelligence,” authors Fred Burton and Scott Stewart share their definitions:

“In simple terms, [protective intelligence] is the process used to identify and assess threats. A well-designed [protective intelligence] program will have a number of distinct and crucial components or functions, but the most important of these are countersurveillance, investigations, and analysis.”

However, in order to implement an effective security program it’s essential to first understand the potential threat. Structuring a protective intelligence program because others in the industry are doing it is not enough. Knowing the threats you’re facing should be the “center of gravity” for your security program. (Read Fred Burton’s article 3 Questions to Understand and Analyze Any Threat for more information.)

Breaking “Protective Intelligence” into Digestible Components

Now that we understand the protective intelligence definition, let’s walk through the full process, phase by phase:

Identify: How Do Protective Intelligence Teams Identify Threats?

The most fundamental step in identifying threats to key assets/personnel is conducting a thorough risk, threat, and vulnerability assessment (RTVA). This allows the organization’s entire security apparatus to implement proactive measures at various levels and quickly share information before a threat materializes. Security teams can then see through the noise to know what to act on and when. As Fred Burton shares in his October 2020 Security Magazine article, “The ability to see around corners has never been more important.” In addition, it makes it easier to know where threats are and where they’re being directed so resources can be allocated efficiently.

Once a protective intelligence threat assessment has been conducted and appropriate security measures are implemented, then the protective intelligence team may rely on observations from both security and non-security staff. These may include any combination of the following, as an example: static security staff, counter-surveillance personnel, executives, executive assistants, household staff, corporate security staff (other than executive protection), and more.

This leads us to one of the biggest obstacles in the protective intelligence process: data. What types of data do protective intelligence analysts need to collect and how can they store it for current and future analysis?

When it comes to proactive threat management, there is no shortage of data to assess. All of the information that the security team comes in contact with is valuable data — from security officer reports, to person of interest (POI) descriptions, to field observations (including vehicle descriptions), to written communications directed at protectees, and more.

However, protective intelligence is only as valuable as it is available and accurate. Security teams need the ability to retrieve data quickly on past incidents or POIs to avoid the all-too-common reactionary approach. The best protective intelligence platforms leverage a database of information, allowing teams to: 

  • Accurately assess the behavior of POIs over long periods of time
  • Reliably capture information for potential litigation (or law enforcement action) against POIs
  • Collect hard performance data to support security program effectiveness
  • Identify trends and patterns over time

Assess: Are They a Threat, or Not?

Security practitioners begin the assessment and management process by outlining their research, which can be summarized in a short series of questions:

  • The problem: What does the executive protection manager need to know? (ex: Threat level of POI and recommended action)
  • Data collection: What additional data is needed, where can it be collected from, and how can it be collected efficiently / systematically?
  • Data analysis: What hypotheses can be supported or discounted given the data?
  • Report preparation: What report structure does the consumer (executive protection manager) prefer?

After the case is outlined and inputs from the Threat Identification Phase are factored in, the investigation can begin. To bring color to the threat(s) in need of attention, protective intelligence investigations may include (but are not limited to) any of the following: 

  • Security officer reports/chronologies
  • Human resources reports
  • Open-source intelligence (OSINT) research
  • Proprietary database research
  • Consultation with psychology professionals

Mitigation: What Strategy Will Create the Safest Outcome for the Protectee?

At the conclusion of the assessment phase, the security team should have sufficient support for whether the POI is a threat, and to what degree. Now, the decision-makers can use that information to decide on the preferred course of action — one that will produce the safest outcome for the protectee.

Here’s the catch: A security program may have 5, 10, 20, or more active threat cases to monitor at any given time. How does one allocate resources to track active threat cases, and by what systematic process are active cases reassessed? Finding a protective intelligence platform that surfaces alerts according to the level of priority is one way to help. (Check out the questions around case management within 10 Challenges Undermining Your Protective Intelligence Program.) It is an example of how technology has freed up space for security teams to be the eyes and ears of the company, providing intelligent security protection versus being buried in data. 

For protective intelligence teams, monitoring and reassessment are an ongoing process. Monitoring, also referred to as threat tracking, can take many forms — from social media, to physical surveillance, to third-party monitoring programs. Many times there is no clear-cut indicator for when a particular threat case can be put to rest. It will depend on the judgment of those who know best — protective intelligence analysts and leaders.
