Risk Assessments and Future Challenges

By W. DEAN LEE, Ph.D.

FBI Law Enforcement Bulletin, July 2005

Dr. Lee, the architect of the FBI’s Security Risk Management Program and Continuity Assurance Planning Strategy, leads the Bureau’s Security Risk Analysis Staff.

By recognizing existing and emerging threats, law enforcement agencies can improve their risk assessment and management programs. Too often, for example, security risk assessments focus mostly on identifying flaws in physical security (e.g., perimeter barriers and screening visitors) without fully recognizing the impact of other security challenges (e.g., internal people problems and cyberthreats). Applying a systematic approach of fact finding and balancing costs and benefits should lead to better security and operational decision making.

The analytical risk management (ARM) process is a systematic and interactive approach for identifying and evaluating assets, potential threats, and existing vulnerabilities, along with calculating risks and determining requisite countermeasures.1 Departments can view the ARM process as three interacting spheres of assets, threats, and vulnerabilities. Where these three areas merge, or overlap, are the calculated risks. Once a department’s risk managers determine the risks, then they can select appropriate countermeasure options to mitigate them. Most important, ARM can service both security and operational assessments.

The ARM process expresses risk, defined as the potential destruction, disruption, or denial of essential assets, in the formula Risk = Impact of Loss of Asset x Threat x Vulnerability or R = I x T x V. In other words, a risk assessment (R) determines the possibility of an adversary’s (T) successful exploitation of an identified vulnerability (V) and the resulting degree of damage or impact (I) on the asset. Basically, risk management constitutes the continuing process of selecting and applying explicit countermeasures to achieve optimum results while balancing acceptable risks and costs.

By developing a full-spectrum risk assessment and management program, a department can discover its security and operational strengths and weaknesses. In addition, it can determine how best to maximize asset usage.

ASSETS

For the ARM process, assets comprise resources of essential value that a department must protect to effectively fulfill its essential public safety and law enforcement responsibilities, a definition that differs from that traditionally used in law enforcement and intelligence circles. Assets include people, information, operations, equipment, facilities, and social-psychological resources (PIOEFS).

Assessing assets involves three sequential actions. First, a department’s risk managers identify all important local organizational and operational PIOEFS resources requiring protection. Second, they write a brief statement for each describing the worst undesirable event should some adverse situation affect that asset. For example, within the people category, a department should include law enforcement officers as a critical asset, and an applicable undesirable event would be criminals or terrorists attacking with improvised explosive devices that could result in the loss or injury of the officers. Third, the risk managers assign a linguistic rating (value/criticality) to each asset based on the impact of loss or damage. This means that risk managers first assess an asset according to one of the four defined criticality ratings of critical, high, medium, and low and then further refine the resource into three values of low, medium, or high.

• Critical: grave effects leading to loss of life, serious injury, or mission failure.
• High: serious effects resulting in loss of highly sensitive resources that would impair operations affecting public safety and community interests for an extended period of time.
• Medium: moderate effects resulting in loss of sensitive resources that could impair operations affecting public safety and community interests for a limited period of time.
• Low: little or no effects impacting human life or the continuation of operations affecting public safety and community interests.

In the example of officers as a critical asset, the department might assign an impact rating of low/critical, meaning that it deemed the resource as overall critical but at the lower end of that category. Finally, the risk managers convert the linguistic ratings into numeric impact values. The numeric value will be impact (I) in the equation I x T x V = R. Chart 1 and Table A illustrate this process.

THREATS

Threats are general situations with the potential to cause loss or harm to essential assets, whereas adversaries constitute specific hostile individuals or groups with the intentions, capabilities, and histories to conduct detrimental activities against law enforcement agencies and public safety.

Conventional external threats involve individuals, domestic groups, and sometimes foreign entities. Individual dangers include street criminals of varying sophistication; computer hackers intent on penetrating, stealing, altering, controlling, or deleting law enforcement data; insiders, such as corrupt officers, supervisors, and administrators; and people with personal, emotional, or psychiatric crises. Group threats can involve regional and international organized crime figures; left-wing, right-wing, and special interest extremists; and foreign, domestic, and transnational terrorists.
Foreign perils can comprise foreign intelligence services masquerading as business persons, visiting delegations, false-front companies, travelers, journalists, scientists, students, and diplomats; state-sponsored entities attempting to influence the American public through the media and select organizations and to acquire U.S. research and development technology; and foreign economic menaces endeavoring to control U.S. industrial, banking, and commercial interests.

Assessing threats involves identifying and assessing all of the threats associated with each asset. For example, law enforcement officers might face two main street hazards: criminals and irate citizens. First, a department identifies the specific potential adversaries for each threat. Criminal adversaries could include local street gangs and organized crime figures, whereas irate citizens could comprise spouses engaged in chronic and escalating domestic violence. Next, the risk managers write a brief statement highlighting each adversary’s intent, capability, and history of violence. Then, they assign a linguistic rating (value/criticality) to each danger based on the adversary’s overall intent, capability, and history. The risk managers assess a threat according to one of the following four defined criticality ratings and then further refine it into three values of low, medium, or high. The definitions for threats differ greatly from those for assets and vulnerabilities.
• Critical: a definite danger as the adversary has both the intent and capability to launch an assault and a history of conducting similar incidents.
• High: a credible danger as the adversary has either the intent or capability to launch an assault and a history of conducting similar incidents.
• Medium: a potential danger as the adversary has the intent and the potential to receive the capability through a third party to launch an assault and has a history of similar incidents.
• Low: little or no credible evidence of the adversary’s intent or capability to launch an assault and no history of conducting similar incidents.

In the example of street gangs as a threat, the department might assign a threat rating of medium/critical, meaning that a department considers the threat as overall critical and at the center of the category. Finally, the risk managers convert the linguistic ratings into numeric threat values and record the results for each identified adversary. The numeric value will be threat (T) in the equation I x T x V = R. Table B and Chart 2 illustrate this process.

Common Threats Facing Law Enforcement Agencies
• Criminal: menacing, assaults, vandalism, thefts, arson, and computer hacking
• Natural: fires, floods, power failures, and storms
• Domestic: civil disturbances and special event problems
• Terrorist: bombings, sabotage, hostage taking, kidnappings, and homicides
• Internal: corrupt officers, misuse of authority or resources, and malicious acts by disgruntled workers

Chart 1 - Asset Assessment Example
For converting linguistic ratings into numeric impact values for assets and for converting numeric values into linguistic ratings for risks.

VULNERABILITIES

Vulnerabilities represent weaknesses that an adversary can exploit to gain access to an asset.
In essence, vulnerabilities are pathways leading to PIOEFS assets that include people, information and information systems, operational procedures and personnel practices, equipment characteristics, facility locations and building features, and social-psychological weaknesses.

Assessing vulnerabilities involves first identifying the specific potential weaknesses for each asset. For example, law enforcement officers might experience human temptations to misbehave or become hampered by obsolete departmental policies and procedures. Next, the risk managers determine the existing countermeasures for each asset and their level of effectiveness in reducing vulnerabilities. Then, the risk managers assign a linguistic rating (value/criticality) for each according to one of the following four defined criticality ratings and further refine the vulnerability into three values of low, medium, or high, which differ significantly from those for assessing assets and threats.

• Critical: no effective countermeasures currently are in place, and known adversaries would be capable of exploiting weaknesses to reach the asset.
• High: some effective countermeasures exist, but the asset has multiple weaknesses that adversaries could exploit to their advantage.
• Medium: some effective countermeasures exist, but the asset has at least one weakness that adversaries could exploit to their advantage.
• Low: multiple layers of effective countermeasures exist, and few or no known adversaries could exploit to their advantage.

Finally, the risk managers convert the linguistic ratings into numeric vulnerability values and record the results for each identified weakness. The numeric value will be vulnerability (V) in the equation I x T x V = R. Table B and Chart 3 present examples of this step.

RISK CALCULATION

Risk is the likelihood that an undesirable event will occur.
By calculating the risk, the department may obtain an estimate of the potential severity or outcome of an undesirable event. Calculating the risk for each identified asset involves recording the degree of impact relative to each asset (value of I), the probability of attack by a potential adversary (value of T), and the possibility of a vulnerability being exploited (value of V) and then multiplying I x T x V. After this, the risk managers would convert the numeric values into ratings and prioritize the risks based on findings, remembering that higher values indicate higher risks. Table A and Chart 4 illustrate this process.

Chart 2 - Threat Assessment Example
For converting linguistic ratings into numeric threat values and for converting linguistic ratings into numeric vulnerability values.

COUNTERMEASURES

Countermeasures are actions taken to prevent, mitigate, or eliminate vulnerabilities and to enhance security or operations. Universal methods include improving training and awareness, modifying policies and procedures, practicing and enforcing discipline, controlling and monitoring accesses, installing new security or operational measures, improving overall conditions, and realigning efforts.
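The R = I x T x V calculation from RISK CALCULATION, and the way a countermeasure that lowers a vulnerability rating changes the priority order, as an added worked example that is not part of the bulletin. Tables A and B are not reproduced on this page, so the numeric bands, the centre-of-thirds refinement, the sample register (apart from the officers' low/critical and street gangs' medium/critical ratings) and all function names are assumptions.

```python
from dataclasses import dataclass, replace

# ASSUMED scales: the bulletin's Tables A and B are not available on this page.
# Each band is (criticality, lower bound, upper bound).
IMPACT_BANDS = [("low", 0, 3), ("medium", 3, 13), ("high", 13, 50), ("critical", 50, 100)]
TV_BANDS = [("low", 0, 0.25), ("medium", 0.25, 0.5), ("high", 0.5, 0.75), ("critical", 0.75, 1.0)]
REFINEMENTS = ("low", "medium", "high")  # position inside a criticality band


def to_numeric(rating, bands):
    """Convert 'value/criticality' (e.g. 'low/critical') to a number.
    ASSUMPTION: the number is the centre of the matching third of the band."""
    parts = [p.strip().lower() for p in rating.split("/")]
    if len(parts) != 2 or parts[0] not in REFINEMENTS:
        raise ValueError(f"expected 'value/criticality', got {rating!r}")
    for name, lo, hi in bands:
        if name == parts[1]:
            third = REFINEMENTS.index(parts[0])
            return lo + (hi - lo) * (2 * third + 1) / 6
    raise ValueError(f"unknown criticality in {rating!r}")


def to_linguistic(value, bands):
    """Convert a number back to 'value/criticality' using the same bands."""
    if value < 0 or value > bands[-1][2]:
        raise ValueError(f"{value} is outside the scale")
    for name, lo, hi in bands:
        if value <= hi:
            third = min(2, int(3 * (value - lo) / (hi - lo)))
            return f"{REFINEMENTS[third]}/{name}"


@dataclass(frozen=True)
class Finding:
    asset: str
    adversary: str
    weakness: str
    impact: str          # linguistic rating for I
    threat: str          # linguistic rating for T
    vulnerability: str   # linguistic rating for V

    def risk(self):
        """R = I x T x V, expressed on the (assumed) impact scale."""
        return (to_numeric(self.impact, IMPACT_BANDS)
                * to_numeric(self.threat, TV_BANDS)
                * to_numeric(self.vulnerability, TV_BANDS))


def prioritize(findings):
    """Return (risk value, risk rating, finding) rows, highest risk first."""
    scored = [(f.risk(), to_linguistic(f.risk(), IMPACT_BANDS), f) for f in findings]
    return sorted(scored, key=lambda row: row[0], reverse=True)


def with_countermeasure(findings, asset, new_vulnerability):
    """Re-rate V for one asset after a proposed countermeasure, then re-rank."""
    return prioritize([replace(f, vulnerability=new_vulnerability)
                       if f.asset == asset else f for f in findings])


# Constructed register; only the first row's I and T ratings come from the text.
REGISTER = [
    Finding("Law enforcement officers", "Street gangs",
            "Obsolete policies and procedures", "low/critical", "medium/critical", "high/medium"),
    Finding("Case records system", "Computer hackers",
            "Interceptable communication links", "medium/high", "high/high", "low/critical"),
    Finding("Visitor entrance", "Irate citizens",
            "Shared visitor and package screening", "high/medium", "low/medium", "medium/medium"),
]

if __name__ == "__main__":
    after = with_countermeasure(REGISTER, "Law enforcement officers", "medium/low")
    for title, rows in (("Current", prioritize(REGISTER)), ("Officers' V re-rated", after)):
        print(title)
        for value, rating, f in rows:
            print(f"  {value:6.2f}  {rating:<15} {f.asset} / {f.adversary} / {f.weakness}")
```

Because the three factors are multiplied, re-rating a single vulnerability from high/medium to medium/low is enough to move the officers' finding from first to second place in this constructed register.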
Departments can identify and assess many potential countermeasures that they may use to reduce vulnerabilities by exploring as many solutions as possible; by developing a comprehensive strategy toward risk reduction; by discovering countermeasure costs, including tangible training, additional personnel, materials, installation, operations, maintenance, and replacement requirements; by conducting cost-to-benefit analysis for each option and comparing appropriate alternatives; and by prioritizing options based on one or a combination of factors, such as cost, time, effort, organizational impact, resources available, and other specified criteria. Chart 5 presents an example and the following are universal countermeasure options to enhance the security of PIOEFS assets.

Chart 3 - Vulnerability Assessment Example
Chart 4 - Risk Assessment Example

People

Members of the law enforcement community (e.g., officers, joint task force members, technicians, support personnel, administrators, and their families) comprise the primary asset. But, history has shown that some people also may pose prominent threats and vulnerabilities. The more people an organization employs, the higher the probability of more security and operational challenges. However, law enforcement agencies can mitigate people-generated problems by providing comprehensive indoctrination and recurring refresher training vital to proactively preventing violations, detecting abnormalities, and minimizing damages; by gaining positive leadership involvement and group support for all programs; and by scrutinizing all individuals who have direct and indirect access to essential PIOEFS assets.

Information

The increasing proliferation and circulation of large volumes of sensitive law enforcement data from multiple channels has grown progressively more susceptible to exploitation by adversaries using human, electronic, and cyber-based means.
To reduce these threats, departments should promote security awareness to decrease carelessness; identify and eliminate all known susceptible points of intercept in the communication network; and provide and enforce secure storage and proper disposal of accumulating information material, media devices, and sensitive trash.

Operations

Law enforcement operations, such as active investigations, security at high-profile events, and surveillance assignments, have become more geographically dispersed and increasingly reliant on computers and cellular communication connections, which then creates greater vulnerabilities for adversarial espionage and sabotage. Departments can lessen such dangers by inculcating operational security (OPSEC) early into all facets of individual daily affairs and special activities; enforcing strict need-to-know requirements; practicing OPSEC, especially at off-site and undercover locations; and integrating security compliance into all plans, policies, procedures, and performance reviews.

Equipment

Screening, accessing, and monitoring systems rapidly become obsolete in countering new and evolving multidimensional threats. To reduce security and operational failures, departments can integrate multiple resources to enhance security (e.g., physical barriers, electronic sensors, monitors, alarms, and human systems); program into future budgets the cumulative expenses for backup equipment, supplies, maintenance, repair, upgrades, and replacement systems; and exploit available off-the-shelf equipment to reduce internal research and development expenses.

Facilities

Centralized facilities and decentralized law enforcement activities present unique cooperative security and operational challenges.
Departments can mitigate these by improving three-dimensional security perimeters with multiple rings and layers of mutually supporting protection; by assessing adjacent establishments as pathways for attacks and correcting gaps where possible; by protecting off-site locations with complementing security measures; and by providing separate visitor- and package-screening accommodations.

Social-Psychological Factors

Adversarial manipulations of public and organizational perceptions affect community support and internal morale. Departments may lessen social-psychological threats by recognizing the importance of community and individual concerns; by earning and preserving the public’s trust and confidence; by understanding the impact of social, cultural, political, religious, and psychological influences in daily operational security practices; and by deterring, detecting, and defeating internal security and operational problems promptly and decisively.

Chart 5 - Countermeasure Assessment Example

RISK ASSESSMENT REPORTING

Producing a comprehensive security risk assessment (SRA) report highlighting all findings and recommendations can enable senior officials to make well-informed mitigation decisions. Accurate judgments are based on methodical assessments of known factors and on harnessing the collective input from subject-matter experts to derive acceptable levels of risk and courses of action. Based on available and projected resources, decision makers may implement countermeasures in varying intensities or at select locations, or they may accept risk conditions based on existing priorities, resources, and threat status.

An SRA report should contain several components.
• Executive summary highlighting the major findings, requests, and suggestions
• Background information defining the purpose of the assessment
• Overview describing ARM to familiarize readers with the process
• Status of any related assessment reports received from other agencies and substations
• Detailed findings of assessed assets, threats, and vulnerabilities
• Review of calculated security or operational risks
• Countermeasure options, including the types and quantities desired
• Critical concerns and prioritized specific problems
• Detailed recommendations and external support requests
• A security program plan describing the department’s plan of action (e.g., goals, objectives, and actions) to mitigate risks
• Discussion of planning, programming, and budgeting requirements
• Overall lessons learned and information for sharing
• Predictive risk analysis discussing future risks and preventive measures
• Summary and conclusion recapping major findings and recommendations

FUTURE CHALLENGES

The character of emerging threats is changing rapidly. Today, law enforcement agencies are challenged by multiple asymmetric perils: domestic violence, criminal enterprises, white-collar crimes, cyber-based offenses, transient agitators, public corruption, and assorted threats of terrorism.
Emerging threats include old, reemerging dangers, such as increasing street gang violence and the influence of incarcerated criminals continuing to conduct unlawful enterprises from prisons; the use of assorted improvised explosive devices (IEDs); the increasing menace of weapons of mass destruction potentially involving chemical, biological, radiological, nuclear, and high-explosive devices; new alliances and symbiotic relationships between criminals, terrorists, and foreign governments, in which criminals and foreign intelligence services exchange resources (e.g., weapons, information, money, and hostages) with terrorists; and still-undetected hidden dangers.

Detecting, identifying, and neutralizing threats and adversaries require a holistic approach by assembling separate pieces of the puzzle to see the big picture of the hostile forces (e.g., criminals, extremists, and terrorists). Common profiles of antagonists include a thorough understanding of the following:

• Goals: What specific objectives are the adversaries trying to achieve (e.g., to influence, disrupt, or destroy)?
• Motivation: What stimulates them to do what they do (e.g., for domination, fear, greed, or prestige)?
• History: What are their social, cultural, political, religious, and psychological influences (e.g., based on animosity, vengeance, or ideology)?
• Funding: What are their sources of monetary resources (e.g., foreign sponsors, criminal enterprises, or false fronts)?
• Support structure: What basic framework supports their operations and daily living activities (e.g., lodging, training, transporting, and sustaining)?
• Skills: What are their technical and tactical skills (e.g., weapons, explosives, specialized training, and language)?
• Collection: What are their intelligence collection sources and methods (e.g., insiders, visitors, or open sources)?
• Knowledge: What do they know about their targets (e.g., their assets, vulnerabilities, and countermeasures)?
• Tools: What specific tools do they possess (e.g., identity papers, vehicles, and computers)?
• Weapons: What specific weapons do they have (e.g., small arms, IEDs, or weapons of mass destruction)?
• Opportunities: What opportunities may be or become available to strike (e.g., mass public gatherings, visiting dignitaries, building repairs, or open gaps)?
• Action: What are their action capabilities (e.g., Are they motivated, organized, equipped, trained, supported, knowledgeable, and readied attackers?)?

In assessing emerging threats, law enforcement agencies can target and exploit some of an adversary’s common operating methods and techniques. These include increased use of physical, imagery, and technical surveillance to identify the target’s vulnerabilities; applied use of long-term meticulous planning and preparation; attempts to control circumstances and timing of when operations will commence; use of multiple independent cells with the same target; simultaneous attacks of soft-target and high-payoff objectives to create mass fear, havoc, and casualties; and increased support networks for funds, recruitment, contacts, safe houses, false identities and cover stories, training, weapons, explosives, intelligence, communications, transportation, and escape plans or death benefits for surviving family members.

First and foremost, mitigation of emerging threats requires the ability to think and act beyond conventional wisdom. That is, risk managers and key decision makers must assess the last attack, but not plan exclusively for the same attack. Law enforcement officials should enhance their abilities to be—

• receptive to both new innovations and old solutions;
• thorough in assessment, planning, and execution;
• resourceful in synergizing use of all assets;
• unpredictable in overt behavior;
• uncompromising in maintaining the highest security and operational standards;
• practical in applying preventive measures; and
• flexible and bold in countering new challenges.

A New Generation of Adversaries
The acronym CAS-DRI-VARS may characterize some fundamental operating methods that free-ranging adversaries exploit throughout the world.
• Creative: applying innovative use of the ancient arts of unconventional warfare
• Asymmetrical: launching multifaceted physical, political, informational, and cyberattacks
• Secretive: cloaking in multiple layers and compartmented cells
• Deceptive: misleading and manipulative in their intent and behavior
• Resourceful: maximizing the use of available resources to achieve their objectives
• Intelligent: capitalizing on detailed planning and orchestration
• Visionary: foreseeing the third and fourth order of effects of their actions
• Adaptable: evolving and adjusting with each new countermeasure
• Ruthless: striking with brute violence against the innocents
• Sophisticated: employing intricate ploys and strategies

CONCLUSION

Identifying and thoroughly understanding local and regional threats give law enforcement agencies a distinct advantage in better preparing for a wide range of risks and challenges. Today’s criminals, extremists, and terrorists continue to practice the ancient principles of lawlessness: striking when and where they are most ready and when they perceive that the law is absent or its enforcers are least prepared. Departments must be able to recognize potential threats and have plans of action to counter a myriad of internal and external risks.
Assessments can provide risk managers and decision makers with a baseline of vital information and collective trends that ultimately impacts strategic planning efforts. Reports give focus for future security and operational initiatives via the opportunity to realign priorities, update monetary funding, and share lessons learned with the public safety community. Law enforcement agencies should perform risk assessments annually and whenever a major adverse incident occurs, key leadership changes, operations relocate, and physical or procedural security modifications transpire.

Analytical risk management (ARM) assessments and accompanying security risk assessment (SRA) reports support planners and managers in developing comprehensive security programs to mitigate risks, justify budget and resource requests, and identify ways to improve security departmentwide. ARM assessments and SRA reports are a snapshot of current assets, threats, vulnerabilities, and risks. ARM offers a flexible method for examining security and operational readiness and for developing cost-effective countermeasure options, whereas SRA reports provide a formal audit trail leading to well-informed decision making. Together, these tools can help the law enforcement community enhance its ability to face the rigors of tomorrow’s world of uncertainty.

Endnotes

1 The FBI recently completed an assessment to evaluate its own security posture using ARM, which the U.S. Security Policy Board’s Risk Management Training Group developed. The FBI’s version of ARM involves a six-step process that identifies an organization’s assets, threats, vulnerabilities, risks, and needed countermeasures and then develops a security risk assessment (SRA) report.

Please forward questions, comments, and suggestions to deanlee@leo.gov or phone Dr. Lee at 202-324-3173.
The FBI’s Security Division fully supports the dedicated law enforcement professionals serving communities throughout the United States and the free world.