Business Continuity and Terrorism Part 1: Assessing the Threat

This was written before the Paris attacks of 2015. I was hoping for a quiet period to publish it. Sadly, it looks increasingly unlikely that there will be one.

The past year has seen several terrorist attacks in major cities throughout Europe and North America. Primarily these have been organized and executed by small relatively unsophisticated groups — sometimes as simple as one man with a gun — rather than large groups co-ordinated and controlled by a central organization.

One interpretation of events is that these represent a success on the part of intelligence agencies in disrupting the command and control of organizations such as al Quaeda.

An alternative view is that these groups are evolving and changing tactics. No longer are terrorist organizations attempting to organize spectacular and sophisticated attacks such as those in New York (2001) and Mumbai (2008). Instead they are concentrating on inspiring the disaffected in target countries to organize and execute attacks without central direction. There may be some assistance with the provision of weapons (Charlie Hebdo attack, Paris, 2014), but in the main part the actors involved choose their own targets and make their own plans without any central direction (London, 2005; Ottawa, 2014; Saint-Jean-sur-Richelieu 2014). There is no prior direct communication required, and the only direct role of the terrorist organization in a particular attack is to either claim responsibility or to disavow the operation after it has occurred.

The limitation for a terrorist organization in this scenario lies in its ability to attract and inspire actors with the motivation and skill-set necessary to carry out the attacks. (Fortunately any idea set which requires martyrdom in a suicide attack both severely reduces the pool of potential candidates as well as limiting their ability to learn from their mistakes).

The implication of this is that while the terrorist organization's ideas remain attractive to a small segment of the population, it will be impossible for any government to prevent all terrorist attacks. There is no practical way a government can (or should) control its population to the extent that a person cannot learn of an idea, pick up a weapon (gun, improvised explosive, knife, or speeding car) and kill someone.

So can we determine if our company or organization is at risk from a terrorist attack?

Assessing the Risk

Assessing the risk involves identifying what groups might be currently motivated to attack us, determining whether they are likely to specifically target us (as opposed to choosing us from a list of potential targets), or are just interested in attacking a target like ours, and determining what the commitment, sophistication, resources and tactics are likely to be.

The first step is to try and identify potential attackers

Potential attackers can be divided into three groups:

  • Attackers who are specifically motivated to attack "us". For example, our company or organization may be highly symbolic, or have been involved in some controversial work which invites unwanted attention.
  • Attackers who are interested in attacking targets like ours. E.g. they may be targeting all foreign owned businesses, or places where people of a particular ethnic or religious group gather. The attackers here may choose us because we are a convenient target, but would be equally happy targeting a similar business or organization.
  • Attackers interested in attacking a target which is near our location, and for which any damage or injury to us may be viewed as collateral damage.

Let's look at these in turn.

Identifying Attackers who may specifically target us

Attackers who are likely to specifically target us are clearly the greatest problem. Security measures to prevent an attack from this group need to do more than simply persuade a potential attacker to "try elsewhere". Can we identify such groups?

If we can assume that the potential attackers represent the more violent fringe of some larger diffuse group (as is often, but not always, the case) then there is a good chance that we can. In this case the larger group is likely to contain many members who are less motivated than the potential attackers. Rather than taking up arms and attacking us with guns or explosives, this group will try threats and minor vandalism. Monitoring for mail, email, telephone or verbal threats received by staff can give an indication that we are now viewed as a potential target of a particular group.

While this seems easy to do, it is important to realize that if we are part of some larger organization we may not be aware of such threats. Members of a group may threaten a head office, but attack a branch location. Alternatively our less motivated attacker may threaten the most visible parts of an organization: the more motivated attackers may take the time to identify the most susceptible location. It is therefore important that any threats received are collated and communicated to locations which may otherwise be unaware of the threats.

We should also note that smaller groups and lone individuals are less likely to give any prior warning of their intention to attack in this way.

A special case here is if we host or hold events or meetings for third parties. The organization holding or promoting the event may receive the threats, rather than us. Fortunately it is far simpler to provide extra security for a single event than it is to maintain long term vigilance.

Identifying Attackers interested in attacking targets like ours

Our best hope with groups interested in attacking targets like ours is that we are unlikely to be the first target attacked. Monitoring recent terrorist activity can suggest what groups are active, and what types of targets are being chosen.

Prior assessment of what target categories we may represent (e.g. place where foreign nationals gather, place where religious group gathers, arms manufacturer, live animal researcher, etc.) and monitoring for attacks against locations or people in the same target category can give some indication of elevated risks.

Despite the complex scenarios beloved of television and movies, most attacks are not original. Terrorist groups learn from their mistakes, and repeat and adapt methods which work. If a particular tactic works well, we can expect to see it repeated. Thus looking at previous attacks will often given a good indication of the types of weapons and tactics which may be involved.

Identifying Attackers for whom we may be collateral damage

The only way to to identify such attackers is to consider (and talk to) your neighbors. Is your neighbor likely to be the subject of a bombing attack? Then you are too. Indeed, if your security is substantially worse than that of your neighbor, the easiest way to attack their location may be to place a bomb in yours.

Quantifying The Risks

The Global Terrorism Database (see below), maintained by the National Consortium for the Study of Terrorism and Responses to Terrorism (START) , is your friend here.

This database tracks terrorist incidents worldwide, and can be used to identify trends in your country. A quick division of the number of relevant incidents in a recent year by an estimate of the number of potential targets similar to yours will give a gross estimate of the likelihood of an attack. Remember that while governments and the media worry about all potential incidents, you only need to be concerned an incident that will affect you.

Future Trends

The number of people attracted by terrorist ideals is small in most western countries, and the number of attacks is therefore low compared with elsewhere.

However, the trends for many countries are worrying: the total number of incidents per year has more than doubled since the United States declared its War on Terror in 2001. There were 619 suicide attacks in 2013: in 2010, there were less than 200, and ten years before that there were just 37. It's easy to underestimate how quickly new threats can emerge. The sudden influence of ISIL was not predicted, and indeed, the group itself was only formed in 2006.


Terrorism is always changing.

At the national level it may be unpredictable, but organizations can go some way towards estimating the risks that they face based upon past events.

Unless an idea attracts very few followers, threats and acts of vandalism by non-terrorists will probably give prior warning that a threat exists, and examination of previous attacks by similar groups may give a reasonable idea of the type of tactics and weapons that may be employed.

Attacks can be completely novel, but (unless there are very few potential targets) we are still unlikely to be the first victim of such novelty.

However, the future trends are worrying. In 2003, there were 1,262 terrorist incidents worldwide. In 2013 — the last year for which figures are available — there were 11,952. With this increase in terrorism comes an increase in suicide attacks, and of attacks inspired by rather than organized by terrorist organizations, leading to a greater difficulty in defending potential targets and identifying possible terrorists.

In Part Two we will look at some of the ways your organization can mitigate the terrorist threat and handle its aftermath.


One of the problems with terrorism is disagreements about its definition. Are they freedom fighters, insurgents, or terrorists? Is an attack against soldiers who aren't on duty terrorism or merely tactics? Are all attacks against civilian targets terrorism, or do oil refineries or government offices not count?

While the effect on the victims may be the same, be aware that this definitional problem does influence statistical studies and government reports.

  • Country Reports on Terrorism 2013 (Executive Summary) or (Full Report).
    Published by the US State Department, this is an overview of global terrorism. Note that the definition of terrorism in this report includes attacks against non-deployed military personnel, rather than purely attacks against civilians.
  • Global Terrorism Database
    This database tracks terrorist incidents worldwide since the 1970s. It is useful for establishing trends.
  • Canadian Incident Database (CIDB)
    A database of world terrorist incidents with a Canadian perspective curated by the Canadian Network for Research on Terrorism, Security and Society (TSAS).
10 December 2015

To get notified when new articles appear, subscribe to the Risky Thinking Newsletter. It's low volume: we don't send out an issue unless there is something interesting to say. You can also subscribe to our RSS Feed

Recently published articles can also be found here.

Agree or disagree? I'd like to hear your thoughts. Please initially use the contact form to get in touch.