The lone actor
As everyone knows, lone actors such as active shooters and bombers target public places like schools, malls and movie theaters and public events like speaking engagements. In many cases, threats of violence posted to social media precede these attacks.
With this in mind, CSOs and CISOs should consider complementing security measures with social media monitoring and response efforts designed to address the potential that lone actors will carry out threats of violence against the enterprise or any of its employees.
Posted threats and enterprise responsibility
Authorities have uncovered strange and threatening behaviors that lone actors have exhibited on social media prior to acts of violence such as mass murders. Jared Lee Loughner, the man who killed six and injured thirteen including U.S. Representative Gabrielle Giffords in Tucson, Arizona on January 8, 2011 is a clear example.
After the shooting, news media reported that police found more than a hundred disturbing gaming forum posts from 2010 at the Earth Empires Massive Multiplayer Online game site (beware graphic language) and half a dozen bizarre YouTube videos that Loughner authored prior the attack (these are still posted on YouTube).
According to numerous media reports, Loughner's shocking posts included statements such as, "I know how to cut a body open and eat you for more then [sic] a week." He also posted about feeling aggression "24/7." Mental health issues and previous threats give credence to concerns over future violent acts, according to W. Scott Lewis, J.D., President, NaBITA (The National Behavioral Intervention Team Association).
Certainly, not everyone whose Internet communications are continually bizarre and violent is going to target people with bombings and shootings. But given the current environment and the frequency of loan shooter and bomber incidents, no enterprise wants to miss a case of social media threats against its people, or catch one and fail to act on it.
In all this, the CISO's role is to assess the risk from threats of violence that people post to social media, to communicate that to executive management and to help decide what the risk tolerance is for the company, says Dennis Devlin, CISO, SAVANTURE. Then, the enterprise must create and institute policies and programs to make sure that it carries out the executive management's intent.
Enterprise social response
The enterprise has several tools at its disposal in case of threats of violence on social media. The enterprise should monitor social media to uncover threats. Monitoring social media for threats of violence includes sentiment and keyword monitoring using social media monitoring tools such as Hootsuite, according to Max Goldberg, Social Media Expert, Shmedia Media. Hootsuite enables users to create streams of keywords and phrases to monitor and follow.
Similar to how typical social media management governs outbound content, the enterprise can monitor inbound content, according to Goldberg. Applications such as Bottlenose and SocialMention also use search-based filtering techniques to monitor social media and are useful for spotting threats of violence. Google and Google Alerts www.google.com/alerts are also useful for social media monitoring.
In addition to watching the company's brand name, the name of the corporation and trademarks and slogans, the enterprise can automate alerts that include executive and employee names and words and phrases commonly used in threats.
Enterprises should prepare individual executives and employees to catch instances of social media-based threats by training them so they can recognize potentially serious threats and respond accordingly. It's important to have a clear triage of actions based on company policy that every employee can follow in relation to social platforms, according to Goldberg. The policies should provide examples of threats that people could make and carry out along with examples of what to do about it.
Threat assessment
"Public Safety should always be the first contact for threats of violence," says Devlin. Upon the appearance of threats of violence on social media, public safety, public relations, legal, executive management and law enforcement need to work together to assess the threat. The enterprise needs a well-established plan to facilitate this. Threat assessment needs to be a collaborative effort that starts with the public safety organization and closely coordinates with information security, HR and the office of general counsel.
"The threat assessment team has to determine whether this is someone acting up or there is some legitimacy to the threat," says Devlin. Get the IT department to look at where it came from since the source of the threat will clue the enterprise into other factors for threat assessment. To determine how genuine it is, get public safety involved. They would potentially get law enforcement involved.
Ensuring physical safety is the highest priority, stopping further threats is next, and thereafter is the determination of whether or not someone is breaking a law or policy, and with that the potential for prosecution or HR action. "An after action review should follow that to see whether the whole thing could have been prevented," says Devlin.
Enlist legal expertise
Any threats of physical violence are easier to deal with from a legal standpoint than other types of threats, according to Tomas M. Flores, Esq., Attorney. "You have a civil injunction for the individual if you can identify them, and if the threat is sufficient enough, that is now a criminal matter and you should bring it to the attention of your local police or prosecutor," says Flores.
Information security and perhaps external law enforcement will have to collaborate to discover the identity of a person posting an anonymous threat on social media. The information security group is accustomed to dealing with the social media aspect and can look into technical evidence pointing to the perpetrator. The police now have tools for tying social comments to real world crime including LexisNexis' new Social Media Monitor.
The prosecutor can ask the judge for a criminal protective order prohibiting the offender from contacting or coming within 300-feet of the intended victim. And violation of these court orders is a crime. "Prosecutors love violations of court order crimes," says Flores. All the person or the enterprise needs is a court order and evidence that the offender is making contact or coming within 300 feet. If the victim can produce a photo of the person 20 feet away, then the prosecutor picks up the phone. "The police go to the defendants house, cuff him and throw him in jail until the hearing," says Flores.
Steps for in-house counsel
Unprepared victims often limit police and prosecutors. In-house counsel should keep meticulous records on the particular defendant and their conduct, according to Flores. "If the intended victim needs psychiatric help or they need Xanax because they're so panicked about this person, those damages might be recoverable from that defendant," says Flores. So in-house counsel should keep close records.
In-house counsel should maintain a very good relationship with the watch commander of local law enforcement. "When you call, be very nice, work with your detective, when the detective calls, pick up the phone right then," says Flores. The police are often very busy and when compared with corporate threats that are not yet realized, armed robberies will take precedence.
"I would keep a good relationship with a local investigator as well. Private investigators are often retired detectives and are phenomenal at what they do," says Flores.