
Security Management

Put Training to the Test
<p>The classroom door flies open. An emotionally distraught student rushes into the doorway, produces a semiautomatic pistol, presses the muzzle of the gun to his temple with his finger on the trigger, and proclaims, "I can't take it anymore."</p><p>How will the teacher respond to this stressful, high-stakes situation? Will she intervene with verbal tactics or physical ones? Will she inadvertently put other students in danger by reacting too quickly?</p><p>An analysis by school security firm Safe Havens International found that teachers and administrators who had undergone traditional active shooter training were more likely to react to this situation by opting to attack the student or throw things at him, rather than taking the action steps outlined in the school's policies and procedures, such as calling 911 or instigating a lockdown. In other scenarios, trainees reacted in a similar manner that could intensify and aggravate the situation when time allowed for safer policies and procedures to be applied.</p><p>In the wake of high-profile massacres at schools and college campuses, institutions are preparing themselves for emergency situations with scenario-based training programs.</p><p>The percentage of U.S. public schools that have drilled for an active shooter scenario rose from 47 to 70 percent from 2004 to 2014, according to a study by the National Center for Education Statistics. But the intensive search for solutions to these deadly events can lead to hasty planning and decision making, ultimately resulting in an ineffective response.
</p><p>The number of teachers and administrators who opt to attack or otherwise approach the armed perpetrator indicates that current active shooter programs may be overwhelming for participants, causing them to respond to threatening scenarios in a dangerous way. Schools have also become narrowly focused on active shooter scenarios, when most deaths and accidents on campuses do not involve an active shooter.</p><p>Taking these factors into consideration, an all-hazards approach to scenario-based training allows schools to prepare for a range of incidents, including bullying, sexual harassment, and natural disasters. Fidelity testing then allows administrators and teachers to put those plans to the test and see how participants apply the training under stressful scenarios.</p><p>School leaders can then learn to rely on the solid foundational principles of policies and procedures, as well as communications and emergency plans, to defuse potentially hazardous situations. Using these basic elements of active threat response and evaluating training programs to identify gaps could save lives.</p><h4>Evaluations</h4><p>During the stress of an actual crisis, people often react differently than they have been trained to do. Fidelity testing of a training program can help determine if there are gaps between what the trainer thinks the trainees will do, and what actions trainees will take in real life. This was the aim of evaluations completed by campus security nonprofit Safe Havens International of Macon, Georgia.</p><p><strong>Methodology.</strong> Analysts conducted the evaluations at more than 1,000 K-12 public, faith-based, independent, and charter schools in 38 states. More than 7,000 one-on-one crisis scenario simulations were conducted by Safe Havens International in a series of school safety, security, and emergency preparedness assessments over the last five years.
The participants were observed and scored by analysts who had completed a 16-hour formal training program and one day of field work.</p><p>Prior to running the scenarios, analysts came up with several action steps that should be taken in each scenario. These steps included initiating a lockdown, calling 911, sheltering in place, or pulling the fire alarm, for example. Based on those steps, the analysts developed a standardized scoring system to keep track of participant performance in the scenarios.</p><p>This type of training is known as options-based active shooter training because it gives the participants various responses to choose from. Many popular options-based programs are based on the U.S. Department of Homeland Security's Run. Hide. Fight. approach.</p><p>Drawing from Safe Havens International's repository of more than 200 audio and video crisis scenarios, analysts ran the simulations and let administrators, support staff, and teachers respond accordingly. These simulations covered a range of scenarios, which were presented in several formats.</p><p>For example, some participants were guided through an audio narration of a school bus taken hostage by an armed student. The audio was paused, and the trainees were asked what they would do next in that situation.</p><p>Similarly, video scenarios depicted potentially violent situations that left participants with a number of choices on how to react.</p><p>In one scenario, a woman screams at staff in the school office while brandishing a claw hammer. In another, a student on a school bus jumps up with a gun and yells, "Nobody move, and nobody gets hurt!" The video is stopped and trainees are prompted to say how they would react.</p><p>Based on action steps that were predetermined to be ideal, analysts then scored the trainees' responses on tablet devices. The scoring was tailored to individual clients.
For instance, if analysts were training a school district that has a police officer on every campus, its response would be different from that of a rural district that does not have a law enforcement officer within 20 miles.</p><p><strong>Results. </strong>The results of the evaluations consistently showed that participants who were provided with options-based active shooter programs had lower scores than those who had not completed any type of training. </p><p>This outcome shows that current active shooter training methods may be overwhelming for administrators and teachers because they provide too much information—prompting them to attack when it is not necessary.</p><p>In an assessment in the northeastern United States, test subjects completed an options-based active shooter training program that was three and a half hours long. Evaluators found that the 63 administrators and staff members from 28 schools missed 628 out of 1,243 critical action steps that should have been implemented. That's more than 50 percent.</p><p>For example, participants failed to initiate or order a lockdown when it was appropriate 70 percent of the time. More than 55 percent of participants failed to call 911 or the school resource officer in scenarios depicting a person with a weapon, and 39 percent of participants failed to pull the fire alarm in situations involving fire. </p><p>During an assessment of a school district in the southwestern United States, 32 people from two groups participated in scenario simulations. One group completed a five-hour live training program based on the Run. Hide. Fight. video, developed by the district's school resource officers. The second group did not receive the training or view the video. </p><p>The simulation results revealed that none of the top five scoring participants had received any type of active shooter training. All five of the lowest scoring participants, on the other hand, had completed the training program. 
</p><p>The overall score was also significantly lower for the group that had completed training than it was for the untrained group. The lower scoring participants often opted to attack in situations where it was not the best option.</p><p><strong>Opting to attack. </strong>For the scenario described in the beginning of the article, where a student is potentially suicidal, analysts found that in one out of every four incidents, a school employee who had completed an options-based active shooter training would try to throw an object at or attack the student armed with a weapon.</p><p>Many of the participants in the simulations responded by opting to use force for almost any scenario involving a subject depicted with a gun. If the student in question was suicidal, such a reaction could be deadly, possibly leading the student to shoot himself or others.</p><p>Participants who had not received formal training began talking to the student, encouraging him to put the gun down, and asking if it was okay for the other students in the classroom to leave. These basics of communication are essential in an active suicide threat situation and can help defuse possible violence.</p><p>Another scenario featured a drunk man who was 75 yards away from a school at the same time that a teacher and her students were 25 yards from the school building at recess. The analysis found that 30 percent of participants playing the teacher chose to approach—and even attack—the drunk man, even though he was three-quarters of a football field away from the school.</p><p>The best option in this scenario is for the teacher to instruct the students to go into the school and put themselves in lockdown, then go into the building and ask the office to dial 911.</p><p>In November 2017, a school in Northern California initiated its lockdown procedure when the school secretary heard gunshots nearby. The gunman tried to enter the campus but could not find an open door.
Because school faculty followed policies and procedures, countless lives were saved.</p><h4>Active Threat Approach</h4><p>The narrow focus on active shooter incidents has left many schools ill-prepared for other active attacker methods, including edge weapons, acid attacks, and fire. Relying on active shooter training also neglects response to incidents that often go undetected, such as bullying and sexual harassment.</p><p>The Safe Havens International assessments revealed that many K-12 schools lack written protocols for hazardous materials incidents or do not conduct any training or drills for these easy-to-orchestrate, devastating types of attacks. Evaluations also revealed an unwillingness among some school staff to report incidents of sexual harassment.</p><p><strong>Policies and procedures. </strong>Educational institutions have written policies and procedures on a range of issues, including bullying, sexual misconduct, signing in visitors, and traffic safety. Scenario-based training will help demonstrate whether staff are prepared to apply those policies appropriately. All staff should be included in this training, including bus drivers, cafeteria employees, and custodial workers.</p><p>Scenario-based training can reveal the gaps between what procedure dictates and what staff would actually do when confronted with a threat.</p><p>For example, in one simulation conducted by Safe Havens International, a student sat in a classroom with a teacher after hours. The teacher stroked the pupil's hair inappropriately and used sexually explicit language. Some custodial staff faced with this scenario responded that they did not feel comfortable reporting what they saw to school administrators. Janitors, who may be more likely to witness such incidents, said they felt an imbalance of power among the staff, leaving them unwilling to speak up.
</p><p>Administrators should address such issues by using multiple scenarios related to sexual misconduct to demonstrate to employees that they are not only empowered but required to report these situations. Reviewing these policies and procedures as part of scenario-based training, and incorporating possible threats other than active shooter, will bolster preparation among staff.</p><p><strong>Attack methods. </strong>While mass shootings garner the most media attention, most recent homicides at schools were caused by attacks that did not involve active shooter events, according to <em>Relative Risk of Death on K12 Campuses</em> by school security expert Steven Satterly.</p><p>The 2014 study revealed that of 489 victims murdered on U.S. K-12 campuses from 1998 to 2013, only 62 were killed by active shooters. The Columbine, Sandy Hook, and Red Lake Reservation School shootings made up 74 percent of those 62 deaths.</p><p>Several weapon possibilities exist and should be acknowledged in training programs, including edged weapons, explosive devices, and fire.</p><p>There have been dozens of mass casualty edged weapons attacks in schools, and serious damage can occur in a matter of minutes. A mass stabbing and slashing incident in Franklin, Pennsylvania, in April 2014 left 21 victims injured when a sophomore began attacking other students in a crowded hallway. Similar attacks in China, Japan, and Sweden have killed and seriously injured students and school employees.</p><p>Acid attacks are occurring more frequently in the United Kingdom, as well as in India, East Africa, Vietnam, and other regions.</p><p>For example, in September 2016, a student rigged a peer's violin case with acid at a high school in Haddington, Scotland. The victim's legs were disfigured as a result.</p><p>These types of attacks are relatively easy to carry out because acid is inexpensive and can be concealed in bottles that appear harmless.
The injuries sustained in these attacks are gruesome and irreversible, and there are concerns that this attack method may become more common in the United States.</p><p>Many active shooter training approaches also fail to address combination attacks, in which the perpetrator uses two or more attack weapons, such as firearms and explosives, firearms and fire, and so forth.</p><p>In the 2013 attack at Arapahoe High School in Colorado, a student shot his classmates and a staff member several times before throwing three Molotov cocktails that set part of the library ablaze. The student then shot himself.</p><p>Combination attack methods can present complications for first responders who may have to decipher where each threat is located and which one to deal with first. These campus attacks demonstrate the danger of training concepts that focus intently on active shooter incidents, while not offering viable options for other extreme attack methodologies.</p><p>There are ways to better prepare school staff to react to violence and reduce the chance of unintended consequences. Scenarios that present a range of threats and situations help trainees learn to react in the most effective manner, and remind them to rely on existing policies.</p><p>Fidelity testing that includes a scoring system for action steps will help determine whether active shooter and active threat training concepts have been received by the faculty. Including all staff members who have contact with students creates an inclusive environment where everyone feels empowered to report misconduct.</p><p>Putting a mirror to current school emergency preparedness will reflect where changes need to be made. If there are significant gaps between the training concept and application of those concepts when reacting unscripted to scenarios, improvements are in order. By applying these principles, schools can prepare themselves for the common emergencies, the worst-case scenarios, and everything in between.
</p><h4>Sidebar: Keeping Simulations Safe</h4><p>Even the most well-intentioned scenario-based training can result in injuries. Training programs that teach throwing of objects, taking people to the floor, punching and kicking, or similar uses of force can wind up hurting trainees and trainers alike.</p><p>At least one popular active shooter training program has resulted in high rates of serious injuries among trainees, according to Jerry D. Loghry, CPP, loss prevention information manager for EMC Insurance.</p><p>Loghry verified that EMC Insurance has paid out more than $1 million in medical bills to school employees for injuries sustained in trainings from one active shooter program over a 22-month time period. In addition, one police department is being sued due to those injuries.</p><p>Instructors can be trained on how to engage participants in use of force in a safe way. Reasonable safety measures should be put into place, such as floor mats, and participants should wear protective padding, goggles, and even helmets if necessary.</p><p>Safety rules should be written in advance and observed during training simulations.</p><p>Local law enforcement can be a valuable resource for simulating active threat situations in a safe manner, because police officers complete similar close-quarters combat training on a regular basis. Observing these best practices can help prevent litigation and liability issues, as well as enhance the overall experience of participants and instructors.</p><h4>Sidebar: Fidelity Testing</h4><p>For stereo systems, fidelity means that the sound generated by the speakers is nearly identical to the sound of the music that is recorded. In marriage, fidelity means that a person will be faithful to their promises to another.</p><p>In the world of school safety, fidelity indicates a close alignment between what is intended by safety policies, plans, drills, and training, and what people do in reality.
Fidelity testing is the best way to verify the level of alignment between intentions and reality.</p><p>In the case of active shooter preparedness, fidelity testing involves efforts to measure whether there is a close match between theory and what people will actually do under the stress of a violent incident.</p><p>With properly designed active shooter preparedness approaches, practical application under extreme stress should mirror, to a reasonable extent, the theoretical expectations of the approach. If people cannot correctly apply the active shooter survival options they have been provided under simulated conditions, their performance will likely not improve when they are placed under extreme stress.</p><p>A high degree of fidelity helps reduce the distance between what people ideally do under stress and what they are likely to do. A reasonable level of fidelity testing of active shooter survival concepts should document that people are able to:</p><p>• Demonstrate the ability to identify when they are in an active shooter situation.</p><p>• Apply each option they are taught in an appropriate fashion when tested with scenarios they do not know in advance.</p><p>• Apply each option under limited time frames with incomplete information.</p><p>• Demonstrate knowledge of when applying each option would increase rather than decrease danger.</p><p>• Demonstrate the ability to identify when they are in a situation involving firearms that is not an active shooter event.</p><p>• Demonstrate the ability to properly address a wide array of scenarios involving weapons other than firearms.</p><p><em><strong>Michael Dorn </strong>is the CEO of Safe Havens International. He has authored 27 books on school safety and emergency preparedness, and his work has taken him to 11 countries.
He has provided post-incident assistance for 12 active shooter incidents at K-12 schools, and helped coauthor a U.S. government IS360 Web training program on active shooter events. He can be reached at </em></p>
Event Security
<p>The ASIS 2017 Book of the Year is <em>Managing Critical Incidents and Large-Scale Event Security</em> by Eloy Nuñez and Ernest G. Vendrell. The authors spoke to <em>Security Management </em>about security trends and challenges in the event industry.</p><p><em><strong>Q. </strong>What are some of the biggest challenges facing the event security industry today?</em></p><p><strong>A. </strong>An overreliance on technology is a major challenge. We tend to think that a wall or a fence will keep the bad guys out, and it does help a lot, but in and of itself it's not going to solve our problems. We know that every fence and wall can be breached, and every technology that one can think of can be counteracted. It takes an active observation of the technology and how it's working. Another challenge is a sense of complacency–the idea that someone else is watching. That tends to make us less alert. Communication also becomes so important, especially when you're dealing with a variety of participants. It's essentially impossible to achieve requisite levels of coordination and collaboration without that effective communication.</p><p><em><strong>Q. </strong>How has the event security space evolved over the last few decades?</em></p><p><strong>A. </strong>Three factors have made us more effective and efficient than in the past: computer processing speed, the miniaturization of technology, and the interconnectedness of people via devices. The improvements to technology have been outstanding. We're now able to process information more quickly.
The interconnectedness allows us to communicate, collaborate, and crowdsource for information. There are so many different people from disparate backgrounds and agencies. We all get together and plan things out, and the byproduct is that we learn from each other.</p><p><em><strong>Q. </strong>Your book draws on lessons learned from past events. What are some of the overarching themes in those lessons?</em></p><p><strong>A.</strong> Given the complexities of critical incident management and large-scale event planning, we try to simplify things as best we can so that everyone is able to execute those plans. It takes a well-trained, diversified, and committed team that has clear goals and objectives. Have the team that you put in place practice as much as possible, and institute training that's relevant, realistic, and replicates the environment that you're working in.</p><p><em><strong>Q. </strong>Given the range of threats to the live event industry, how can security professionals share information to help mitigate those challenges?</em></p><p><strong>A. </strong>Networking is so critical. One thing we wrote about was that, in the public safety arena, we were great at identifying lessons learned, but the problem was that we weren't applying those lessons. Conferences like the ASIS annual seminar and exhibits, where you have professionals sharing lessons learned and how they applied them, are so important in terms of professionalization and collectively doing a better job moving forward. Identifying contacts ahead of time and getting to know them before there's a problem is critical. That way when an unforeseen incident occurs, you have the right parties on speed-dial.</p>
to Hack a Human
<p>It all started innocuously with a Facebook friend request from an attractive woman named Mia Ash.
Once her request was accepted, she struck up a conversation about various topics and showed interest in her new friend's work as a cybersecurity expert at one of the world's largest accounting firms.</p><p>Then, one day Mia shared her dream—to start her own company. She had one problem, though; she did not have a website and did not know how to create one. Surely her new friend could use his expertise to help her achieve her dreams by helping her make one?</p><p>Mia said she could send him some text to include on the new site. He agreed, and when he received a file from Mia he opened it—on his work computer. That simple act launched a malware attack against his company resulting in a significant compromise of sensitive data.</p><p>Mia was not a real person, but a carefully crafted online persona created by a prolific group of Iranian hackers—known as Oilrig—to help this elaborate spear phishing operation succeed.</p><p>Due to his role in cybersecurity, the target was unlikely to have fallen for a standard phishing attack, or even a normal spear phishing operation. He was too well trained for that. But nobody had prepared him for a virtual honey trap, and he fell for the scheme without hesitation.</p><p>This case is a vivid reminder that when cybersecurity measures become difficult to penetrate by technical means, people become the weakest link in a cybersecurity system. It also illustrates how other intelligence tools can be employed to help facilitate cyber espionage.</p><p>While many hackers are merely looking to exploit whatever they can for monetary gain, those engaging in cyber espionage are different.
They are often either working directly for a state or large nonstate actor, or as a mercenary contracted by such an actor tasked with obtaining specific information.</p><p>This targeted information typically pertains to traditional espionage objectives, such as weapons systems specifications or the personal information of government employees—like that uncovered in the U.S. Office of Personnel Management hack. </p><p>The information can also be used to further nondefense-related economic objectives, such as China's research and design 863 program, which was created to boost innovation in high-tech sectors in China. </p><p>Given this distinction and context, it is important to understand that hacking operations are just one of the intelligence tools sophisticated cyber espionage actors possess. Hacking can frequently work in conjunction with other intelligence tools to make them more efficient.</p><p>Hacking into the social media accounts or cell phone of a person targeted for a human intelligence recruitment operation can provide a goldmine of information that can greatly assist those determining the best way to approach the target. </p><p>For instance, hacking into a defense contractor's email account could provide important information about the date, time, and place for the testing of a revolutionary new technology. This information could help an intelligence agency focus its satellite imagery, electronic surveillance, and other collection systems on the test site.</p><p>Conversely, intelligence tools can also be used to enable hacking operations. Simply put, if a sophisticated cyber espionage actor wants access to the information contained on a computer system badly enough, and cannot get in using traditional hacking methods, he or she will use other tools to get access to the targeted system. A recent case in Massachusetts illustrates this principle.</p><p>Medrobotics CEO Samuel Straface was leaving his office at about 7:30 p.m. 
one evening when he noticed a man sitting in a conference room in the medical technology company's secure area, working on what appeared to be three laptop computers.</p><p>Straface did not recognize the man as an employee or contractor, so he asked him what he was doing. The man replied that he had come to the conference room for a meeting with the company's European sales director. Straface informed him that the sales director had been out of the country for three weeks.</p><p>The man then said he was supposed to be meeting with Medrobotics' head of intellectual property. But Straface told him the department head did not have a meeting scheduled for that time. </p><p>Finally, the man claimed that he was there to meet the CEO. Straface then identified himself and more strongly confronted the intruder, who said he was Dong Liu—a lawyer doing patent work for a Chinese law firm. Liu showed Straface a LinkedIn profile that listed him as a senior partner and patent attorney with the law firm of Boss & Young. </p><p>Straface then called the police, who arrested Liu for trespassing and referred the case to the FBI. The Bureau then filed a criminal complaint in the U.S. District Court for the District of Massachusetts, charging Liu with one count of attempted theft of trade secrets and one count of attempted access to a computer without authorization. After his initial court appearance, Liu was ordered held pending trial.</p><p>Straface caught Liu while he was presumably attempting to hack into the company's Wi-Fi network. The password to the firm's guest network was posted on the wall in the conference room, and it is unclear how well it was isolated from the company's secure network. 
It was also unknown whether malware planted on the guest network could have affected the rest of the company's information technology infrastructure.</p><p>The fact that the Chinese dispatched Liu from Canada to Massachusetts to conduct a black bag job—an age-old intelligence tactic to covertly gain access to a facility—indicates that they had not been able to obtain the information they desired remotely.</p><p>China had a clear interest in Medrobotics' proprietary information. Straface told FBI agents that companies from China had been attempting to develop a relationship with the company for about 10 years, according to the FBI affidavit. Straface said he had met with Chinese individuals on about six occasions, but ultimately had no interest in pursuing business with the Chinese.</p><p>Straface also noted that he had always met these individuals in Boston, and had never invited them to his company's headquarters in Raynham, Massachusetts. This decision shows that Straface was aware of Chinese interest in his company's intellectual property and the intent to purloin it. It also shows that he consciously attempted to limit the risk by keeping the individuals away from his facilities. Yet, despite this, they still managed to come to the headquarters.</p><p>Black bag attacks are not the only traditional espionage tool that can be employed to help facilitate a cyberattack. Human intelligence approaches can also be used.</p><p>In traditional espionage operations, hostile intelligence agencies have always targeted code clerks and others with access to communications systems.</p><p>Computer hackers have also targeted humans. Since the dawn of their craft, social engineering—a form of human intelligence—has been widely employed by hackers, such as the Mia Ash virtual honey trap that was part of an elaborate and extended social engineering operation.</p><p>But not all honey traps are virtual.
If a sophisticated actor wants access to a system badly enough, he can easily employ a physical honey trap—a very effective way to target members of an IT department to get information from a company's computer system. This is because many of the lowest paid employees at companies—the entry level IT staff—are given access to the company's most valuable information with few internal controls in place to ensure they don't misuse their privileges.</p><p>Using the human intelligence approaches of MICE (money, ideology, compromise, or ego), it would be easy to recruit a member of most IT departments to serve as a spy inside the corporation. Such an agent could be a one-time mass downloader, like Chelsea Manning or Edward Snowden. </p><p>Or the agent could stay in place to serve as an advanced, persistent, internal threat. Most case officers prefer to have an agent who stays in place and provides information during a prolonged period of time, rather than a one-time event.</p><p>IT department personnel are not the only ones susceptible to such recruitment. There are a variety of ways a witting insider could help inject malware into a corporate system, while maintaining plausible deniability. Virtually any employee could be paid to provide his or her user ID and password, or to intentionally click on a phishing link or open a document that will launch malware into the corporate system. </p><p>An insider could also serve as a spotter agent within the company, pointing out potential targets for recruitment by directing his or her handler to employees with marital or financial issues, or an employee who is angry about being passed over for a promotion or choice assignment.</p><p>An inside source could also be valuable in helping design tailored phishing attacks. 
For instance, knowing that Bob sends Janet a spreadsheet with production data every day, and using past examples of those emails to know how Bob addresses her, would help a hacker fabricate a convincing phishing email.</p><p>Insider threats are not limited only to the recruitment of current employees. There have been many examples of the Chinese and Russians recruiting young college students and directing them to apply for jobs at companies or research institutions in which they have an interest.</p><p>In 2014, for instance, the FBI released a 28-minute video about Glenn Duffie Shriver—an American student in Shanghai who was paid by Chinese intelligence officers and convicted of trying to acquire U.S. defense secrets. The video was designed to warn U.S. students studying abroad about efforts to recruit them for espionage efforts.</p><p>Because of the common emphasis on the cyber aspect of cyber espionage—and the almost total disregard for the role of other espionage tools in facilitating cyberattacks—cyber espionage is often considered to be an information security problem that only technical personnel can address. </p><p>But in the true sense of the term, cyber espionage is a much broader threat that can emanate from many different sources. Therefore, the problem must be addressed in a holistic manner. </p><p>Chief information security officers need to work hand-in-glove with chief security officers, human resources, legal counsel, and others if they hope to protect the companies and departments in their charge. </p><p>When confronted by the threat of sophisticated cyber espionage actors who have a wide variety of tools at their disposal, employees must become a crucial part of their employers' defenses as well. </p><p>Many companies provide cybersecurity training that includes warnings about hacking methods, like phishing and social engineering, but very few provide training on how to spot traditional espionage threats and tactics. 
This frequently leaves most workers ill prepared to guard themselves against such methods. </p><p>Ultimately, thwarting a sophisticated enemy equipped with a wide array of espionage tools will be possible only with a better informed and more coordinated effort on the part of the entire company.  </p><h4>Sidebar: The Mice and Men Connection</h4><p> </p><p>The main espionage approaches that could be used to target an employee to provide information, network credentials, or to introduce malware can be explained using the KGB acronym of MICE.</p><p>M = Money. In many cases, this does equal cold, hard cash. But it can also include other gifts of financial value—travel, jewelry, vehicles, education, or jobs for family members. Historic examples of spies recruited using this hook include CIA officer Aldrich Ames and the Walker spy ring.</p><p>A recent example of a person recruited using this motivation was U.S. State Department employee Candace Claiborne, who the U.S. Department of Justice charged in March 2017 with receiving cash, electronics, and travel for herself from her Chinese Ministry of State Security handler, as well as free university education and housing for her son.</p><p>I = Ideology. This can include a person who has embraced an ideology such as communism, someone who rejects this ideology, or who otherwise opposes the actions and policies of his or her government.</p><p>Historical examples of this recruitment approach include the Cambridge five spy ring in the United Kingdom and the Rosenbergs, who stole nuclear weapons secrets for the Soviet Union while living in the United States.</p><p>One recent example of an ideologically motivated spy is Ana Montes, who was a senior U.S. Defense Intelligence Agency analyst recruited by the Cuban DGI, who appealed to her Puerto Rican heritage and U.S. policies toward Puerto Rico. Another ideologically motivated spy was Chelsea Manning, a U.S. 
Army private who stole thousands of classified documents and provided them to WikiLeaks.</p><p>C = Compromise. This can include a wide range of activities that can provide leverage over a person, such as affairs and other sexual indiscretions, black market currency transactions, and other illegal activity. It can also include other leverage that a government can use to place pressure on family members, like imprisoning them or threatening their livelihood.</p><p>Historic examples of this approach include U.S. Marine security guard Clayton Lonetree, who was snared by a Soviet sexual blackmail scheme—a honey trap—in Moscow, and FBI Special Agent James Smith who was compromised by a Chinese honey trap.</p><p>More recently, a Japanese foreign ministry communications officer hung himself in May 2004 after falling into a Chinese honey trap in Shanghai.</p><p>E = Ego. This approach often involves people who are disenchanted after being passed over for a promotion or choice assignment, those who believe they are smarter than everyone else and can get away with the crime, as well as those who do it for excitement.</p><p>Often, ego approaches involve one of the other elements, such as ego and money—"I deserve more money"—or ego and compromise—"I deserve a more attractive lover."</p><p>A recent example is the case of Boeing satellite engineer Gregory Justice, who passed stolen electronic files to an undercover FBI agent he believed was a Russian intelligence officer. 
While Justice took small sums of money for the information, he was primarily motivated by the excitement of being a spy like one of those in the television series The Americans, of which he was a fan.</p><p><em><strong>Scott Stewart</strong> is vice president of tactical analysis at and lead analyst for Stratfor Threat Lens, a product that helps corporate security professionals identify, measure, and mitigate risks that emerging threats pose to their people, assets, and interests around the globe.</em></p>
2018 ASIS News
<h4>Shifting into High Gear</h4><p>Enterprise security risk management (ESRM) activity at ASIS is moving into high gear. The ASIS Board of Directors approved a plan for ESRM principles to be infused into the DNA of the Society. Designating ESRM a priority strategic initiative, the ASIS Board created the ESRM Commission in July 2016. In the year plus since, the commission inventoried ESRM content, identified subject matter experts, developed a primer, and interviewed members on how ESRM should be worked into ASIS's activities.</p><p>For the first time, in 2017, the ASIS Annual Seminar & Exhibits featured a full track of sessions devoted to ESRM. Sessions included a preseminar program on IT security for physical security professionals and an intensive interactive two-hour tabletop exercise in which attendees represented various departments of an organization and used ESRM principles to deal with an evolving crisis scenario. Earlier in the year, ASIS Europe 2017 focused on enterprise-level risks and featured master classes on implementing integrated enterprisewide security teams. </p><p>On November 15, the board approved the commission's request to transform into four workstreams that will develop appropriate ESRM material for their particular areas. 
The workstreams cover standards and guidelines, education and certification, marketing and branding, and creation of a digital maturity model tool. Each workstream includes a board member sponsor, an ASIS staff member, an ESRM subject matter expert, and a team of member volunteers.</p><p>Are you an avid ESRM advocate? Have you put ESRM into practice? There's still room in the workstreams for your expertise. Please contact Chief Global Knowledge and Learning Officer Michael Gips at <a href=""></a>.​</p><h4>Adams to Lead 2018 Professional Certification Board</h4><p>The ASIS Professional Certification Board (PCB) will be led in 2018 by Dana Adams, CPP, director of corporate security for TELUS, a telecommunications company headquartered in Vancouver, Canada. Adams has served on the PCB for six years and was the board's vice president in 2017. William Moisant, CPP, PSP, will assume the role of vice president in 2018.</p><p>The PCB oversees the ASIS board certification program and ensures that the domains of knowledge and the exams reflect the duties and responsibilities of security professionals. Adams succeeds 2017 President Per Lundkvist, CPP, PCI, PSP. </p><p>"I would like to thank Per for his able leadership of the PCB, as well as for his guidance, support, confidence, and friendship," Adams says. "In 2018, priorities include continuing the work to establish an entry-level certification, maintaining the leadership role of ASIS board certifications across our profession, and ensuring global representation and diversity of the PCB."</p><p>New to the PCB in 2018 are Kevin Peterson, CPP, president, Innovative Protection Solutions, LLC; Jeffrey Leonard, CPP, PSP, area vice president, Securitas Critical Infrastructure Services, Inc.; and Vasiles Kiosses, CPP, PSP, physical security services manager, Schlumberger Oilfield Services. 
ASIS extends its thanks to departing PCB members, James Bradley, CPP, PCI, and Ann Trinca, CPP, PCI, PSP.</p><h4>ASIS Europe 2018: From Risk to Resilience</h4><p>Now is the time to register for ASIS Europe 2018, taking place 18-20 April in Rotterdam, The Netherlands. The event focuses on securing organizations in the era of IoT and highlights how enterprise security risk management approaches can protect an organization's full range of physical, digital, and human assets.</p><p>The "From Risk to Resilience" event format, launched in Milan in March 2017, will be repeated, with its mix of conference, training, technology and solutions, exhibition, career center, and exclusive networking.</p><p>At the conference, themed "Blurred Boundaries—Clear Risks," attendees will tackle the impacts of Big Data and artificial intelligence, and examine up-to-date risk outlooks, case studies, and analysis across the full range of key security management issues. </p><p>ASIS Europe will help attendees navigate a broad sweep of risks, from the malicious use of the latest emerging technologies to the threat of low-tech attacks, particularly on soft targets in public spaces. 
</p><p>Conference highlights include:</p><p>• Opening keynote on Big Data, automation, and artificial intelligence from a business perspective</p><p>• Digital asset valuation and risk assessments by Carl Erickson, CPP, and Gal Messinger of Philips Lighting</p><p>• The EU General Data Protection Regulation (GDPR) by Axel Petri of Deutsche Telekom and Christoph Rojahn of PricewaterhouseCoopers</p><p>• Jihadi terrorism trends in Europe by Glenn Schoen of Boardroom@Crisis</p><p>• Virtual security operation center transformation by Michael Foynes of Microsoft</p><p>• Public spaces as the front line against extremist violence by Thomas Vonier, CPP, of the American Institute of Architects</p><p>• Understanding business resilience by Laura Poderys of Danske Bank</p><p>The conference is geared towards professionals who need to understand the full spectrum of physical and cyberthreats. Both established and aspiring security leaders can create learning paths through the program.</p><p>Register at Advance rates are available until March 8, and group packages are also available. Contact directly for more information.</p><h4>New ASIS Website, Community</h4><p>Digital transformation is at the forefront of many organizational discussions, and the need for innovation has never been greater. Remaining relevant in today's on-demand, content-driven world means that associations must be hyper-connected and agile. 
</p><p>With a clear directive to transform the organization through the strategic use of technology, ASIS is currently engaged in a broad range of innovative projects—including a major redesign of its primary website,, and the underlying technologies that support online and mobile experiences.</p><p>This month, ASIS launches Phase One of a multiyear project focused on improved and personalized content access, user-centric search and commerce, online community, and integrated systems for learning and certification. </p><p>One of the key strategies driving the new site is to create a powerful search function that will unify content from a variety of ASIS sources, including Security Management offerings and Seminar sessions. By creating a search-centric site that allows users to filter results, ASIS will meet its goal of helping members at their "moment of need." The website facelift includes a more graphical and modern interface for both desktop and mobile devices.</p><p>It is important to understand that this is just Phase One of the process. With a critical emphasis on design, taxonomy, search, and commerce, both functionality and content are priorities. Additionally, some functionality will be moving to other platforms, such as the new community site, launching in February. Two other phases are planned for 2018.</p><p>ASIS is also upgrading the membership database, including new functionality for engagement, certification, profile management, and data analytics. The system will be tightly integrated with the website to ensure a seamless user experience across platforms. As a part of the new launch, ASIS will be engaging members to fully update their online profiles, both to help drive online personalization and to comply with the EU General Data Protection Regulation in 2018. 
</p><p>When the online community is launched, ASIS will provide security professionals with a secure platform to network, share ideas, access resources, and stay connected with peers, chapters, ASIS staff, and industry thought leaders.</p><p>Get ready, the launch of a new digital ASIS will be here soon!</p><p>Note: The ASIS website may be inaccessible for a few days at the end of January to facilitate the launch.​</p><h4>MEMBER BOOK REVIEW</h4><p><em>The Manager's Handbook for Corporate Security</em>, Second Edition. By Edward P. Halibozek and Gerald L. Kovacich. Butterworth-Heinemann;; 498 pages; $120.</p><p>Whether the reader is an aspiring security management student or a seasoned veteran, the second edition of <em>The Manager's Handbook for Corporate Security </em>provides a comprehensive look at the past, present, and future of the security industry—a world that experiences both operational and functional changes at light speeds. Using a mythical organization called International Widget Corporation to illustrate problems and solutions, it creatively brings theory to life as it transforms the difficult concepts of "what should be" into "what is." Throughout the book, risk management is enlisted to transform security from a reactive process to a dynamic proactive endeavor.  </p><p>The authors do a masterful job of taking the reader on a journey through various contingencies, and stress the importance of being proactive through key loss prevention programs, security awareness training, and developing strategic, tactical, and annual plans to combat risk and mitigate losses. Chapter after chapter, the authors emphasize that planning and preparedness strengthen the organization's overall security program and keenly integrate all layers within the organization. This approach helps solidify the security department's role in asset protection and keeps the security department where it should be—leading the effort. 
Adding value to an already solid effort, the authors consider new elements such as background checks, insurance, training, and cybersecurity—functions that are increasingly becoming part of the security department's portfolio. </p><p><em>The Manager's Handbook for Corporate Security</em> is a must for any serious security professional and would be a valued addition to any security leader's professional bookshelf.  </p><p>Reviewer: Terry Lee Wettig, CPP, is an independent security consultant who served 10 years as director of risk management with Brink's Incorporated. A retired U.S. Air Force chief master sergeant, he is currently a doctoral candidate specializing in organizational psychology. He is an ASIS member.</p>
Technology with a Personal Touch
<p>As a financial services organization, Northwestern Mutual helps clients plan now to prepare for the future. And at the end of 2014, the Milwaukee-based company took that goal to task when planning a security strategy for a new building in the heart of the city. The 32-story, 1.1 million-square-foot Northwestern Mutual Tower and Commons houses about 2,400 Northwestern Mutual employees and signals a shift in the organization's approach to business.</p><p>"In essence, it was revolutionizing our organization from an insurance and financial investment company into a financial tech-savvy organization," explains Bret DuChateau, corporate security consultant at Northwestern Mutual. 
"How do we position ourselves over the next few years to build this brand new state-of-the-art building to attract the workforce of the future, and how leading up to that do we design and integrate systems into that building that will set us up for the future?"</p><p>DuChateau has been on Northwestern Mutual's security team since 2004, and the new building presented an opportunity to not only update the technology but position the organization's security approach as one that will be cutting-edge for years to come. </p><p>Key to this concept was considering how technology could augment a physical security presence through digital guest registration systems, data analytics, and streamlined command center protocols. First, however, DuChateau had to get the entire campus on the same security platform.​</p><h4>COME TOGETHER</h4><p>"The tower is a learning center for all of our financial representatives and employees, designed in a very open and collaborative way from an organizational and customer experience standpoint," DuChateau says. "It certainly positions us where we want to be in the future, but is also designed to connect better with the community here in Milwaukee."</p><p>The new facility connects to three existing Northwestern Mutual buildings via skywalk and also boasts a public commons area featuring gardens, restaurants, and coffee shops, and an interactive museum of the organization's history. With the combination of old and new buildings, as well as public and private areas, it was critical for the campus's access control to work as a unified solution.</p><p>"We had multiple campuses all under one corporate security team, but we were talking two different languages," DuChateau explains. "You would have one system and one set of rules at one campus, and one system and set of rules at the other, and there was no data exchange, so you were always trying to manually keep databases in sync. 
If someone leaves one site, we have to manually take them out of the other site. Just onboarding and offboarding people, manually entering their first name, last name, and employee number in one system, assigning them access, and then turning to the next computer and entering them in another system. I could go on and on."</p><p>Northwestern Mutual chose AMAG Technology for its Symmetry access control enterprise system and Symmetry GUEST visitor management system to streamline the flow of employees and visitors alike throughout the campus. Now with all buildings on the same platform, and the ability to automate several of the processes that had previously been manual, Northwestern Mutual estimates it saves about 14 hours a month when it comes to managing the access control system.</p><p>"You're not only looking at a security process efficiency, but a support process," DuChateau explains. "Now we have dedicated IT teams that help us from an infrastructure standpoint—they don't have to remember which system they are working on, because we're all working on one system across the enterprise. We're in a virtualized server environment so everyone is seeing and touching the same thing, and just from a staffing standpoint, we have people who can bounce between multiple campuses and they are not having to relearn everything."</p><p>Comparing the response to a standard door alarm before and after the technology upgrade shows the efficiency of the new system, DuChateau points out. When multiple security systems were in place, a door alarm would be automatically logged into a database and a patrol officer would be dispatched to where the alarm went off. Employees in the command center would open up an Excel spreadsheet and document the date, time, and location of the alarm and how it was resolved. 
At the same time, the responding officer would record the same information into his or her own response log.</p><p>"We'd have this incident documented in five or six places," DuChateau notes. "In our traditional mindset a few years ago, we just kept doing it because it was the process. None of the documentation was coalesced into a common system, it was just out there."</p><p>After the AMAG upgrade, the process has become more streamlined. The access control system will register the door alarm and immediately display a notification on video monitors in the command center. The situation can often be resolved just by looking at the video of what is going on, and the system allows employees to document the alarm in the system itself. </p><p>"It's pretty hands-off, we put a heavy lift into the programming," DuChateau says. "We went from logging 1,400 different entries on a shift down to 200 just by taking a step back. When you're saving 800 steps from a shift, that equates to time, so we gained about six hours out of an eight-hour shift by freeing someone up from documenting everything."</p><h4>WATCHFUL AND WELCOMING</h4><p>Northwestern Mutual's corporate security team is blended, with about 40 in-house employees and another 40 contracted officers. The organization switched from another contract security provider to G4S at the end of 2016 due to its familiarity with the AMAG systems—AMAG is a subsidiary of G4S.</p><p>"That was a factor in identifying this relationship," DuChateau says. 
"We could have the benefit of G4S folks coming to us that have familiarity with their own products already, so we don't have to spend as much time as we normally would with someone coming in cold and having to train them on the solutions."</p><p>DuChateau points out that, despite the addition of the tower and commons to the campus, Northwestern Mutual did not need to bring on any additional in-house or contracted security personnel, thanks to the augmented technology.</p><p>"When you talk about opening a 1.1 million-square-foot addition, you would think that it's a given that we'd need extra security people, but we didn't because we became more efficient," DuChateau says.</p><p>G4S officers have become a more integral part of Northwestern Mutual's security approach and are primarily in charge of the visitor management system, which is critical for the new facility—employees from all over the country flock to the Milwaukee campus every week for training. The increase in traffic required DuChateau to rethink the visitor registration process.</p><p>"We had five buildings that were all interconnected, but we had five separate lobbies, five separate ways to process visitors, five separate ways to get employees in and out, so we wanted to make some conscious decisions on where to direct people," DuChateau explains. "We just built this brand new beautiful tower and connecting commons and training space. Do we have to process visitors at every single building or can we direct them to the tower lobby? If we direct them to one main entry point, then we can deploy technology in these other lobbies and move resources where they're needed. We changed a little bit of behavior and moved some of the operations more towards a centralized location than doing everything everywhere."</p><p>AMAG's visitor management system allows guests to preregister, making it easy for officers to look up the guest and print a barcoded badge that permits visitors access to specified areas. 
The system also runs guests' names against a list of restricted visitors. DuChateau says that in the future the system will allow preregistered guests to print off a QR code that would produce a badge upon being scanned at the facility. "There are some cool things on the horizon as far as the efficiency standpoint goes," he says.</p><h4>ALL IN THE NUMBERS</h4><p>While DuChateau is glad to have a 21st century, enterprise-level security system in place, he says he is most looking forward to what the system can do for Northwestern Mutual in years to come. Already, data mining has made the security approach more efficient and intuitive.</p><p>"We have two cafeterias on our Milwaukee campus, so we can start gathering access control data and say at 9:30 a.m. here's a snapshot of the number of people on campus, give that to the restaurant team, and they can use it and plan to feed that many people for lunch that day," DuChateau says. "We want to use this data to say, 'okay, are we using our facilities how we had intended three years ago?' We start looking at singular systems, gathering data, and making that data actionable in a business sense. Data is data, but if you don't use it, what good is it for besides investigations?"</p><p>Preregistration data also helps the security team manage the flow of visitors each day. Employees can look at the guest database and estimate when and where large groups of visitors will arrive, and plan accordingly. "We get a couple more laptops, badge printers, and patrol people to help process visitors, versus having a bad customer experience and having 200 people lined up out the door just to get in to a training event that we're hosting," DuChateau explains. </p><p>That's just the tip of the data-mining iceberg, and the more Northwestern Mutual's security arm works with the rest of the organization, the more the data can be employed to the organization's benefit. 
"Our information resource management and cybersecurity folks look at it from a different perspective, and maybe our privacy people ask how the data is going to be used and what kind of data is gathered," DuChateau says. "Now that we're standardized on an enterprise-class solution, how can that data benefit the business? How can we slice and dice that data down the road? Maybe we can take snapshots of our environment across all of our facilities, not only in Wisconsin but in Arizona and New York—can we feed that information to our workforce planning people?"</p><p>DuChateau says he wants Northwestern Mutual's intelligent security control centers to take the heavy lift off of employees and use built-in analytics to proactively identify strange behavior, and instead use security personnel to respond to exceptions.</p><p>"For the longest time, our control centers had this big screen up with all card access activity in the environment, thousands and thousands of people badging in and out—all of this data is scrolling by and it's just noise," DuChateau says. "Why do we even care what these people are doing in real time? Let's care about the people who are badging into areas that they aren't supposed to be badging into, or someone who has a multifactored device and is putting in the wrong PIN code, and start dealing with the smarter security approach to a secure environment."</p><p>While the new technology and data augment Northwestern Mutual's security posture and reduce the workload on guard services, DuChateau says that does not mean technology will replace people. 
"Maybe we want to pull some people because we've deployed technology, but we will direct them to a different part of the operation that looks at metrics, or quality assurance, or all of these things that really build up those parts of the program, because we don't have to be so labor intensive on physical access control or checking IDs or things like that—we can look at resource management in a different lens."</p><p>For now, DuChateau says the security team is still getting used to the new facilities and platforms at Northwestern Mutual's Milwaukee campus and is learning to rely on the data the systems collect. But within a few years, he foresees a "phenomenal expansion" of leveraging the platforms to guide the team's efforts.</p><p>"We've really begun to scratch the surface on the potential of all of this technology," DuChateau says. "We're in a good spot because we did it early enough and we have people familiar enough with the technology. Now we can ask, okay, what else can we do and how else can we move the vision of our company forward?"</p>
Dominoes
<p>"I've been doing this close to 40 years, and there has not, in my career, been a hurricane season anything like this," disaster response expert Jerome Hauer explains in a recent interview regarding the unprecedented 2017 Atlantic hurricane season.  </p><p>Given his experience base, that is saying something. Hauer has led the homeland security and emergency services department for the state of New York, the office of emergency management in New York City, and Indiana's department of emergency management. On the federal level, he has served as assistant secretary for the U.S. Office of Public Health Emergency Preparedness (OPHEP). He is also a longtime member of ASIS International, and is now a professor at Georgetown University's Center for Security Studies. 
</p><p>But despite all those years in the field, Hauer cannot recall a storm season like the one that just passed. Starting with Hurricane Franklin and ending with Hurricane Ophelia, the 2017 season featured 10 consecutive hurricanes—the greatest number in the satellite era, all of which were marked by winds of at least 75 miles per hour. It may also have been the costliest season on record, with a preliminary total of more than $186 billion in damages, nearly all of which resulted from the three most devastating hurricanes: Harvey, Irma, and Maria. </p><p>Each of these massive hurricanes had its own profile. Harvey, for example, came with flooding of biblical proportions, and Irma devastated portions of Florida's power grid. Experts like Hauer say that these two hurricanes illustrated some lessons for emergency preparedness and response. (Experts interviewed for this article did not focus on Hurricane Maria, because the response to that storm was complicated by political and geographic factors.) </p><p>For example, while emergency management leaders in localities and states understand the importance of planning, they do not have the time nor resources to plan for every possible scenario, and so they normally do not plan for the unprecedented—such as three Category 4 hurricanes that make landfall within the span of four weeks. </p><p>"This many hurricanes that impact the United States and its territories in a single year is something that you couldn't contemplate," Hauer says. "Particularly since the hurricanes were catastrophic. 
The strength of the hurricanes, the volume of rain in some areas—we haven't seen anything like this that I can remember."</p><p>And even if a sole visionary emergency manager formulated a plan to protect all affected places from an unprecedented hurricane season, in the real world no jurisdiction or state government would have the billions needed to implement it and cover the costs of reinforcing, rebuilding, or replacing the various infrastructure systems that would be affected, says emergency management expert Harry Rhulen. Rhulen is CEO of the crisis management firm Firestorm and a member of the ASIS International Crisis Management and Business Continuity Council.</p><p>Nonetheless, the series of devastating hurricanes did illustrate another emergency management lesson, Rhulen says: proper disaster preparedness and response means planning for multiple disasters, not just one. "It's one of the most important things to account for—when you are doing business continuity and disaster planning, in general, you should assume multiple events," Rhulen says.</p><p>Indeed, Hauer says that's a critical element of disaster response management—planning for the potential second- and third-level disasters. "We did that on a regular basis, both when I was in federal government and on the city level," Hauer says. "You can't just say we have flooding, and say how you deal with the flooding, but also how you will deal with the secondary effects, such as the health effects."</p><p>For example, during Hurricane Sandy, mosquitoes used overflowing reservoirs as a breeding ground, raising the risk that West Nile virus would spread. Similarly, after Hurricane Harvey, flooding in Houston raised the risk of health issues stemming from human contact with floodwater, which can harbor bacteria, viruses, and fungi.</p><p>Potential health risks like this mean that environmental experts from groups like the U.S.
Army Corps of Engineers should be "part of the process" in disaster preparation, Hauer says. It is also important that hospitals take seriously the requirement to hold emergency exercises and drills. "Some take it seriously, but some don't, and they just go through the motions," he explains. And whether it be a locality or a state, drills by emergency personnel should be critiqued by elected officials who should ask some "tough questions" afterward, he adds.  </p><p>Another challenge in dealing with cascading disasters is that "the first crisis lowers your ability to perform all of the functions that you normally perform," Rhulen says. For example, a fire that destroys some computer hardware can hinder a company's efforts to protect itself from cyberattacks. And storm damage can increase vulnerability to thievery or other types of criminal activity. "You automatically have to bump up security," Rhulen says. </p><p>In addition, resources are finite, so in the case of responding to Hurricane Harvey's effects in Texas, "it stretches resources to the point where you are way behind, and near the breaking point," Rhulen explains. This could hamper the response to any disaster that happens in the near future. "It makes their overall exposure for the next year go up dramatically," he says.   </p><p>Given that government resources were stretched thin by the double blow of Harvey and Irma, the active volunteer response during the storms was especially critical and "really impressive," Rhulen says. These volunteers, ranging in scope from formal groups to neighbors helping neighbors, beefed up a responder workforce that would have been inadequate without them. "People need to understand—you're really your own first responder," he says.  </p><p>In the future, the unprecedented hurricane season of 2017 may be looked upon for another historically significant feature. 
It elicited an unusual type of response—and one that may serve as a closely watched model of resiliency planning in the future—by the island nation of Dominica.</p><p>Maria was the worst natural disaster in the country's recorded history. With sustained winds of nearly 160 miles per hour, the storm made landfall on September 19, 2017, as a Category 5 hurricane, forcing the majority of the country's 72,000 residents into homelessness and leaving the island without communication for more than 30 hours. More than 90 percent of the population was left without food, power, or shelter.</p><p>In the wake of this devastation, Prime Minister Roosevelt Skerrit said that he does not want to build on old vulnerabilities, but instead develop a targeted resilience strategy so that Dominica becomes the first "climate resilient" nation. "Our desire [is] to be the captains of our fate, and to choose the shape of our recovery," Skerrit said in a statement after the storm.</p><p>To do so, Dominica would have to rebuild so that its infrastructure could withstand the type of extreme weather events that may become more common due to climate change. Exactly how the country would do that, and how it could fund such an undertaking, is not yet clear. But Dominican officials are appealing to global organizations for future assistance, and they say that they may have some international partners in their venture.</p><p>"The World Bank and European Development Agency have pledged considerable sums to back our vision as the first climate resilient nation of the climate change era," Skerrit said in a recent address to the United Nations General Assembly. "To deny climate change is to procrastinate while the earth sinks."</p>