The Lafayette, Louisiana movie theater shooting was methodically planned. The shooter, John Russell Houser, is reported to have visited other theaters before the attack and had been to the Grand 16 movie theater in Lafayette at least once before. So why did he choose this Lafayette theater over the others that he visited? Did the others have better security, or at least give the impression that they were more secure and better prepared?

When analyzing cases like Lafayette, we often hear about what a person with malicious intentions did in the build-up to the attack. The attack can be a physical event or a digital (cyber) one. The hostile might want to kill, might be looking for trade secrets and intellectual property, or, as in most cyber-attacks, might want to cause embarrassment. Whatever the reason, they all have one thing in common – they conduct a period of digital surveillance as part of their initial planning process.

What can movie theaters and other businesses do to help protect themselves against such tragedies and threats against their employees, customers, and other assets? Evaluating your organization’s digital profile is the first place to start protecting yourself against hostiles.

  • How do we know if our digital profile is weak or strong?
  • Do we really understand the types of hostiles that are probably already planning to attack?
  • Does our social media consider security-related communications?
  • Are our employees divulging information about our business that could be used against us?

The Hostile Attack Planning Process

  1. Target Identification – From a list of potential targets (buildings, individuals, processes, organizations, events), one or more targets are chosen through reconnaissance – both online and at the physical location.
  2. Detailed Planning – Online reconnaissance and physical surveillance at the location(s) are used to confirm if an attack is viable. Necessary resources are identified and obtained at this time.
  3. Confirmation – The moment of attack is preceded by some form of final confirmation (online and at the location) that everything is as expected. If it is not, a hostile may call off or abandon the attack.

Two more examples:

Anders Breivik v Norwegian Society

Anders Breivik went on a killing rampage in Norway on July 22nd, 2011, killing 77 people and injuring over 240. It is noted in several findings that he conducted extensive online research as well as eight physical reconnaissance visits prior to the attack.

Pakistan Terror Group v Mumbai

NYT Article:

In the fall of 2008, a 30-year-old computer expert named Zarrar Shah roamed from outposts in the northern mountains of Pakistan to safe houses near the Arabian Sea, plotting mayhem in Mumbai, India’s commercial gem.

Mr. Shah, the technology chief of Lashkar-e-Taiba, the Pakistani terror group, and fellow conspirators used Google Earth to show militants the routes to their targets in the city. He set up an Internet phone system to disguise his location by routing his calls through New Jersey. Shortly before an assault that would kill 166 people, including six Americans, Mr. Shah searched online for a Jewish hostel and two luxury hotels, all sites of the eventual carnage.

If you analyzed your organization’s digital profile, what would you find?

This digital analysis should be the first step in understanding if and how your organization is vulnerable to potential hostile attacks. Your second step is to analyze physical vulnerabilities. You accomplish this by conducting penetration testing to assess how easy it would be to gain access and cause harm.

A combination of digital and physical assessments and subsequent corrective measures will strengthen your organization’s ability to prevent hostile attacks or reduce their damage should they occur.
