Terrorist & Criminal Attack Planning

“Terrorists often keep several potential targets in mind & choose the one with the relatively fewest risks.”

“The cost–benefit analyses differ across terrorist groups & terrorists because risk preferences differ.”

“Prior successful experiences decrease averseness to risk.”

Terrorist attacks are the culmination of a 6-stage attack cycle: target selection, planning, deployment, the attack, escape & exploitation.

Terrorists most commonly prepared for their attacks with surveillance & intelligence gathering, robberies & thefts to raise funding for the group, weapons violations & bomb manufacturing. Most of these behavior took place relatively near their homes, which were close to the targets. Among single-issue terrorists in particular, 71% of the preparatory acts occurred within 12 miles & 92% within 28 miles of the target. Terrorists may stay close to home because of new immigration status, lack of transportation, lack of knowledge of the urban landscape or a desire to avoid attention.

Research has shown that traditional criminals are spontaneous, but terrorists seem to go to great lengths preparing for their attacks & may commit other crimes while doing so.

In the initial planning stage (target selection) of a terrorist attack, the terrorists will consider many targets based on a variety of factors including personal beliefs, inspiration from terrorist groups or individuals in the way of propaganda, or a reaction to an event in their life. In the process of whittling these choices down, the terrorist will need to identify which target represents the best opportunity to achieve their desired objective, whether that is to inflict a desired amount of damage and bring notoriety to themselves or their cause. The terrorist will conduct initial research to identify basic background information about each potential target prior to ultimately selecting a target. This research will be done through a variety of means but will most likely start off with online searches through various social media platforms or a target’s website. Once that research is done, the terrorist needs to validate his research through physical target surveillance.

This is just the beginning, the foundation for all that is to come. Initial target considerations provide why they want to conduct the attack & for what purpose. After they have conducted some preliminary research, they will need confirm the validity of their initial research. They will need to understand whether this target is viable & what the security setup looks like.

Similarly, all crimes begin with selecting the type of crime that will be committed & where it will be committed. The criminal must decide which house to burglarize, which purse to snatch or who to abduct & rape. During the target selection phase of the criminal planning cycle, the criminal will perform a rough risk-benefit analysis to determine if the risk of obtaining the target is worth the eventual payoff. All things being equal, a criminal will attempt to obtain the object of the crime with the smallest risk. Therefore, they will tend to divert from a target that presents more risk if they can obtain a comparable payout from a target that is easier to acquire. 

Criminal planning must be viewed as a continuum rather than a planned versus unplanned dichotomy. The extent of the variance was largely due to the levels of complexity. First-hand accounts of terrorist attack planning report similar variances. At one end of the spectrum are accounts of attacks being “more or less spontaneous” & involving “no great pre-planning.” Whereas at the other end, attack plans developed for up to 6 months & required an ongoing & sophisticated intelligence gathering process:

The priority should be to develop & plan combat intelligence & in particular target intelligence - information unit commanders would need to mount successful operations against enemy personnel or to sabotage enemy installations. It is estimated that something like 85% of the intelligence collected comes from media & other open sources.

This reminds security teams that threats are always evaluating potential targets. Employing random measures that change security patterns & conducting vulnerability assessments of all phases of an organization, from online presence to physical security on the ground can help create enough doubt in a terrorist’s or criminal’s mind to change their selection of target(s).

Initial surveillance is when the terrorist/criminal goes out to physically observe the potential target(s). This is required to validate the information already collected through open-source research, identify & collect new information not available through research (such as physical security measures deployed), as well as eliminate potential targets prior to settling on a final target. Through direct surveillance, the terrorist/criminal gets a first-hand look at the outward-facing security measures such as guard posts, security patrol & countermeasures such as ID checks, bag checks or other screening measures. If the target is a person or group, the terrorist/criminal may use surveillance to monitor routes to & from various locations - the common travel or movement patterns of the target(s).

Both the terrorist & criminal needs to determine if the target fits their criteria & if the benefit of committing an attack/crime against the target is worth the risk associated with such an attack/crime. Sometimes the target helps by posting his running routes & times on Facebook or a potential burglary victim announces on Twitter that he is halfway across the world & his home is empty.

Such helpful intelligence can be useful in reducing the amount of surveillance required. There is no substitute for having eyes on the target. The criminal will want to surveil the target before conducting the crime. There are things you simply cannot observe & understand from online sources.

Surveillance is conducted through various means. Static surveillance is done from fixed positions (vehicle, or buildings adjacent to the target) in order to observe & detect patterns. If the attack/criminal action location is in a remote area, static positions can include observations posts which are hastily set up using the natural scenery as cover & concealment. Surveillance can also be done via mobile means, which includes observation from cars, on foot or via drones. The attacker can pass by the target location or position during various times to observe behavior during specific points in time. 

The terrorist/criminal uses surveillance to augment their research & further refine operational planning. The terrorist/criminal may draw maps or diagrams of target locations & continue to refine & refocus further collection. It is also during initial surveillance that the terrorist/criminal is vulnerable to detection from security elements, employees & other personnel who are alert & aware of suspicious incidents, not just recognizing suspicious incidents, but knowledgeable on reporting those incidents to the appropriate people.

While discreet surveillance is a very skilled operation, not everyone is capable of executing it properly. They may remain on location for too long, they may not have answers to questions if questioned by security or building managers; they may ask too many questions in an attempt to gain more information than needed.

Another important factor to consider is who the terrorist/criminal may use to help surveil or collect information. They may use social engineering or elicitation techniques to engage unwitting employees to provide information pertaining to security measures. The terrorist/criminal may co-opt employees to serve as their eyes & ears, inadvertently helping the planning process. Every employee, whether a parking attendant, retail worker, or cleaner has information that can aid an attacker. The intimate knowledge that employees have of an organization's security programs, policies & procedures put them in a position to cause significant damage.

“Third-parties often play key roles in gaining intelligence for an attack.”

The amount of time devoted to surveillance varies, depending on the type of crime & the type of criminal. A criminal who operates like an ambush predator, such as a rapist, may lie in wait for a suitable target to come within striking distance. The criminal may have only a few seconds to size up the potential target, conduct the risk-benefit calculation before formulating his plan, getting ready & striking.

Kidnappers or high-end jewel or art thieves are criminals who stalk their prey. It might require weeks or months to select a suitable target & then even more time to conduct follow-on surveillance, assess the target's vulnerabilities & develop a detailed plan to conduct the crime. Normally, such criminals will prey only on targets they feel are vulnerable & can be successfully hit, although they will occasionally take bigger risks on high-value targets.

There can be fundamental differences in the amount & type of surveillance that is required. A bank robber with plans to rob a bank has very different intelligence needs from a bank robber intent on tunneling into the bank’s vault.

Attack recognition can sometimes help alert victims anticipate the crime & take immediate action to get away from the target zone before the terrorist/criminal can succeed. It is imperative to detect terrorists/criminals as early in the cycle as possible - in the surveillance phase.

People need to realize that terrorist attacks/crimes are the result of a process. This means that terrorists/criminals conducting the process can be identified by their behavior & the process can be thwarted before a terrorist attack/crime is committed.

It was found that preparations generally began less than 6 months before the attack & ended with a flurry of actions a day or so before. This pattern varied by group type. Single-issue & right-wing terrorists engaged in substantially less preparatory crime over a shorter period — once again, most likely reflecting the use of "leaderless resistance" & lone-wolf strategies. The planning cycle of international terrorists tend to be longer

International terrorists, on the other hand, engaged in nearly 3 times as many preparatory acts per incident as their environmental counterparts. This may be due to the larger number of people usually involved in international incidents, the size & scope of the planned incident or simply a longer planning cycle. Comparing 10 international terrorist incidents that occurred on American soil, it was found that the average planning cycle for international terrorists was 92 days, as opposed to 14 days for environmental terrorists. Whereas environmental terrorists committed an overwhelming majority of their preparatory activities in the week before the incident, international terrorists took up to 6 months to prepare.

For law enforcement agencies, the implications of these patterns are not insignificant. Committing an act of terrorism will usually involve local preparations. Although much of this conduct will not necessarily be criminal, early intelligence may give law enforcement the opportunity to stop the terrorists before an incident occurs. Knowledge of the threat - understanding how long environmental or international terrorists prepare for their attacks - will affect the manner in which local officials respond. Identifying preparatory actions by environmental extremists may signal that an attack is imminent, whereas similar behavior by an international group might suggest that an attack is still several months away.

Understanding that most terrorists "act locally" can be important to know as investigative agencies seek to prevent terrorism & arrest perpetrators. These local patterns may be used by agencies to more efficiently patrol known, high-risk target areas & gather intelligence on suspected actions within a specific distance from potential targets.

Cumulative Percentage of Preparatory Attacks Over Time

International Terrorists. By the day of the incident, international terrorists had completed all but 5% of their preparatory acts; by the day before the incident, they had completed all but 9%; by 2-3 days before, they had completed all but 13%; by 4-7 days before, they had completed all but 21%; by 8-14 days before, they had completed all but 32%; by 15-30 days before, they had completed all but 55%; within 1-3 months of the incident, they still had 6% of their preparatory acts to complete; within 4-6 months, they still had 84% to complete; at 7-12 months, they had 89% to complete; between 1-3 years, they had 97% to complete; and at 3+ years, 100% of their preparatory acts were not yet completed.

Right-Wing Terrorists. By the day of the incident, right-wing terrorists had completed all but 15% of their preparatory acts; by the day before the incident, they had completed all but 26%; by 2-3 days before, they had completed all but 31%; by 4-7 days before, they had completed all but 44%; by 8-14 days before, they had completed all but 49%; at 15 to 30 days before the incident, they still had 67% of their preparatory acts to complete; within 1-3 months, they had 94% to complete; at 4-6 months & 7-12 months, they had 96% to complete; & between 1-3 years, 100% of the preparatory acts were not yet completed.

Left-Wing Terrorists. By the day of the incident, left-wing terrorists had completed all but 50% of their preparatory acts; on the day before the incident, they still had 75 % of the acts to complete; at 2-3 days, 4-7 days, 8-14 days & 15-30 days before, they had 88% to complete; & within 1-3 months, 100% of their preparatory acts were not yet completed.

All Terrorists. By the day of the incident, all terrorists had completed all but 13% of their preparatory acts; by the day before the incident, they had completed all but 27%; by 2-3 days before, they had completed all but 40%; by 4-7 days before, they had completed all but 48%; by 8-14 days before, they had completed all but 57%; at 15-30 days before the incident, they still had 72% of their preparatory acts to complete; within 1-3 months, they still had 85% of their preparatory acts to complete; within 4-6 months, they had 93% to complete; at 7-12 months, they had 95% to complete; between 1-3 years, they had 99% to complete; and at 3+ years, 100% of their preparatory acts were not yet completed.

The closer one gets to the point in time when the terrorist act/crime is to be committed, the more difficult it is to prevent it. Once the terrorist/criminal has selected his target & deployed, it is exceedingly difficult to stop or thwart the attack/crime.

Terrorists make cost–benefit decisions in much the same way as ordinary criminals. The field of crime prevention evaluation is testament to the vast potential for situationally focused crime prevention approaches to reduce crime. This means focusing on the settings in which offenses take place, rather than the underlying motivation or criminal disposition of the individual.

"The weighing of security features necessitates hostile reconnaissance which itself offers risk to the terrorist in terms of detection."

Each type of terrorist attack, be it a vehicular assault or a bombing, depends on a crystallization of multiple opportunities. In turn, each specific attack type offers its own set of particular environmental opportunities that can be manipulated with the intention of impacting the terrorist cost–benefit calculus. Such endeavors increase the effort via target hardening, controlling access to facilities, deflecting offenders & controlling access to the necessary weapons.

They also increase the risks by extending guardianship, assisting with natural surveillance, reducing anonymity, utilizing place management & strengthening forms of formal surveillance. They may also reduce the rewards of an attack by concealing or removing potential targets. The results also highlight the opportunity to manipulate emotions in order to disrupt terrorist decision making.

"What matters are perceptions of how effectively deployed security is."

Fear appears to be ubiquitous in offender decision making. This is true across a wide range of crimes. Fear functions to ensure a state of readiness among those contemplating crime & as a compensatory mechanism to alert individuals to the potential risks. Interventions that aim to increase such fear during situational decision making should therefore be beneficial. The sources of fear are multiple. They include objective features such as fear of detection by police/security, fear of detection by conscientious bystanders, fear of the unknown, fear of co-conspirators being deceptive & fear of interaction with others.

Fear of the “unknown” is also paramount. The source of fear also includes subjective features of the environment that the would-be offender cannot formalize but subjectively “feels.” Such feelings can be multiplied if the would-be offender believes the ability of security to detect suspicious behavior is high. Interventions that therefore highlight, embellish & evidence the ability of security, staff, &/or bystanders to detect suspicious behavior should have a positive net benefit. As hostiles are assessing a scene for security weaknesses & opportunities, they are just as likely to witness such communications if properly displayed. This helps to persuade the would-be offender into objectively, bringing these factors into their risk/reward calculation.

Interventions that also minimize the volume of available information for hostiles should also therefore increase uncertainty & either lead to full disruption or the hostiles taking ever greater risks to minimize their uncertainty & in turn, maximizing the chances of detection.

Finally, the fact that fear is ubiquitous may improve the likelihood of detection. Fear may lead to suspicious behaviors, consciously “acting normally,” which itself may appear suspicious & lead to poor decision making.

---------------------------

Endro Sunarso is an expert in Security Management, Physical Security & Counter Terrorism. He is regularly consulted on matters pertaining to transportation security, off-shore security, critical infrastructure protection, security & threat assessments, & blast mitigation. He is also a Certified Identity & Access Manager (CIAM).

Endro has spent about 2 decades in Corporate Security (executive protection, crisis management, business continuity, due diligence, counter corporate espionage, etc). He also has more than a decade of experience in Security & Blast Consultancy work, initially in the Gulf Region & later in SE Asia.