© 2019 RDL Security Solutions, LLC

  • Ramel Lee

Managing Security Risk Using Public Private Partnerships

On January 7, 2015 French satirical news magazine Charlie Hebdo was the target of a terrorist attack. Writers and editors of the magazine were attacked by Muslim radicals for insulting their religion, specifically the Prophet Mohammed. The method of attack was the use of automatic assault rifles, by two gunmen, on the targets at the Charlie Hebdo Paris office. The attack left 12 people dead, including two police officers. If the risk of terror attacks are properly calculated and adequately researched, effective security countermeasures can be implemented to prevent an attack from occurring.

Charlie Hebdo was a prime terrorist target (Woo, 2015). The reason for not having heightened security may lie in not fully understanding the risk associated with the magazine’s actions. The attacks at Charlie Hebdo should not have come as surprise. There are several risk assessment models that would have predicted an impending attack. There’s Gordon Woo’s Macroterror Attack Risk Modeling (Woo, 2015) and Thomas L. Norman’s Khalid Sheik Mohammed Risk Model (Norman, 2010); that if used would’ve predicted such an attack. The attack on January 7, 2015 wasn’t the first time Charlie Hebdo was attacked. The Paris offices of Charlie Hebdo were firebombed in November of 2011, however, there were no casualties and minimum property damage (Woo, 2015). The insult of the Prophet Mohammed was considered blasphemous by the Islamic Extremist. According to Woo (2015):

“In countries that have not censored the publication of blasphemy, the sources of these publications have become the prime terrorist targets. For [extremist claiming affiliation with Islam], there is zero tolerance for blasphemy.”

Understanding risk can help mitigate risk.

Risk in laymen’s terms would be defined as the likelihood of something happening, how efficient are you at preventing it, and how much it will cost. An easily relatable personal example would be gambling. The likelihood of something happening (odds of losing), how efficient are you at preventing it (skill level), and how much it cost will cost you (your bet). Using the attacks on Charlie Hebdo to explain risk would follow the sequence of: High Probability of a terrorist attack (likelihood of something happening); Non-Heightened Security (how efficient are you at preventing it); 12 lives lost and heightened fear throughout the western world (how much it will cost). Comprehension of the basics of risk is not enough, a thorough explanation of risk by the experts is necessary to adequately conduct an analysis.

The experts, for the most part, define risk mathematically in order to use analytics to arrive at solutions that will reduce risk. Risk = (Probability * Vulnerability * Consequence) is a common risk formula (Norman, 2010). Equations are use so that the amount of risk can be quantified. The quantification of risk allow decision makers to rank risk and determine at what cost they will mitigate against the risk. In the aforementioned equation, you would obtain the probability, vulnerability, and consequence values through the exercises of threat assessments, vulnerability assessments, and consequence assessments (Norman, 2010). Once calculated, the risk can be evaluated. Risk = (High Probability of a terrorist attack * Non-Heightened Security * heightened fear throughout the western world). Using the expert’s formula, it is calculable that by lowering one or more of the factors involved you can reduce the risk.

In deciding which factor of risk to reduce, it must be taken into consideration the manners in which risk can be controlled. According to Ross (2009):

“The risk control strategies are: (1) avoidance; (2) prevention of losses; (3) reduction of losses; (4) segregation of resources; and (5) transference of risk. Depending on the foreseeability of an incident and its frequency and severity, the approach may be to use one or a combination of strategies.”

Charlie Hebdo could’ve simply not published such provocative material; they could’ve maintained heightened security; there could’ve been fewer people at the Paris Office; writers and editors could’ve been located in so many different places it would have required more than a two gun man team to carryout attack; or take no ownership in the circumstances, and fully rely on government protection. The actual causality of the risk must be thoroughly analyzed prior to countermeasure decisions being made.

Grasping the definition of risk and how it can be calculated allows risk to be assessed. It is necessary to assess risk to know how to control or eliminate risk. A risk assessment should be performed before any countermeasures are implemented (Norman, 2010). The risk assessment as a whole is a compilation of the assessments and analysis of the components of risk. A risk assessment includes: asset characterization, threat identification, criticality analysis, consequence analysis, vulnerability analysis, probability assessment, risk assessment, risk prioritization, and risk management (Norman, 2010).

Once understanding the concept of risk, how to assess risk, and ways to mitigate risk, risk can then be managed. Identifying undesirable events and carrying out decisions that control or eliminate their effects is risk management (Ross, 2009). These decisions must be carefully weighed, as there is a risk associated with countermeasures as well. Countermeasures can cause even greater fear, be costly, and worse; not prevent the undesirable event.

However, if risk is properly assessed, the proper countermeasures can be implemented to greatly reduce risk. Countermeasures to reduce risk in the Charlie Hebdo attack scenario would involve either, reducing the probability of a terrorist attack, increasing the level of security, or stemming the fears of the western world. Reducing the probability of a terrorist attack would most likely be accomplished by not publishing the offensive material. The possibility of an attack cannot be assessed with any degree of accuracy (Fay, 2011). Stemming the fears of the western world would probably involve the media not broadcasting the attacks. There is no doubt that media coverage encourages further violent acts by terrorist (Fay, 2011). There’s a phrase

“If it bleeds, it leads” (Pastor, 2010). Increasing the security level would probably be the healthiest for society and most realistic to accomplish.

Deciding which security countermeasures will work to prevent a similar type of attack as the one that occurred at Charlie Hebdo’s Paris office requires an understanding of the purpose and goal of a security plan. Security involves the protection of life, property, and general welfare of the community (Craighead, 2009). A security plan is designed to protect identified assets from anticipated threats. Security systems refers to systems used to prevent or detect an attack by a malevolent human adversary (Garcia, 2008). The systems properly managed work in an integrated fashion to provide multiple layers of protection. The components of the system are people, policies, and technology. Fay (2011) states:

A security program is a bundle of three major parts: people, process, and physical security……. The parts are sometimes called the ‘pillars of security,’ and rightly so. When the parts work together they are said to be in harmony with one another.”

That harmony will come from having a security system that deters, detects, delays, and/or responds. According to Garcia (2008):

“….the system goal is to protect assets from a malevolent adversary. For a system to be effective at this objective there must be awareness that there is an attack (detection) and slowing of adversary progress to the targets (delay), thus allowing the response force enough time to interrupt or stop the adversary (response).”

Detection involves picking up the movements of an adversary. Detection can be accomplished with human or technological resources. Detecting terrorism doesn’t begin with observing terrorist operatives on closed circuit television (CCTV) just prior to an attack; by then it will be too late. Terrorism in itself must be researched, intelligence gathered and analyzed based on the results of that research, and then appropriate delay and response mechanisms are put into place.

Researching terrorism, for the purposes of identifying terrorist organizations that will possibly attack, will require first an appropriate definition of terrorism. Terrorism is the calculated use of violence to inculcate fear, intended to coerce governments or societies towards goals that are political, religious, or ideological (Pastor, 2010). Research should be conducted to ascertain which groups fit that description. Research should be an unbiased and objective way to find the answers to your professional questions (Kumar, 2014). Biased research can lead to overlooking the actual terrorist groups that would most likely attack a particular target.

Once identified, intelligence should be gathered on the potential adversaries. Intelligence is the life-blood of any operation or policy (Nemeth, 2013). Particular attention should be paid to their modus operandi (M.O.). Their M.O. should tell you their motivations, preferred targets, and means of attack. Knowledge of who may attack and their method of attack will help in designing a way to prevent the attack. Gathering intelligence is proactive (Pastor, 2010). In the Charlie Hebdo scenario, the M.O. appears to be small groups, using firearms, to attack soft targets. There are literally millions of soft targets (Pastor, 2010).

Soft targets are targets that require minimal resources in order to attack. Soft targets include, but aren’t limited to shopping malls, hotels, nightclubs, sports arenas, and business districts (Pastor, 2010). Soft targets will need to be hardened with delay mechanisms. Delay mechanisms include checkpoints into business district and sporting arenas, barriers for pedestrian thoroughfares, bullet resistant glass for restaurants. Bollards, structurally strengthened exterior walls, roofs and lobby doors, and blast curtains are all ways to harden soft targets (Craighead, 2009). The goal is to make terrorist have to work harder to cause damage and if they still attempt, give responders enough time to get to the scene to neutralize their attempt.

The initial response will be by local emergency responders and private security personnel. However, the response to any terrorist attack is too overwhelming for any local municipality or private security force to handle. Remember, one of the consequences of the Charlie Hebdo attack was the spread of fear throughout the entire western world. Joint endeavors fare better than isolation (Nemeth, 2013). The most effective approach to this brand of terrorism is public-private-partnerships (PPP) to prevent similar style attacks. PPP is endorsed by most professional organizations, groups, think tanks, and institutes (Nemeth, 2012). PPP brings together the skills and assets of the public and private sectors to deliver a service to the general public (Cellucci, 2011).

The facts are, the vast majority of the millions soft targets are owned and protected by the private sector. However, the responsibility for public safety lies on the public police. PPP allows both the public and private sector to share in the risk (Cellucci, 2011).Working together would be most beneficial in the effort to stop these low tech terrorist attacks. Shared resources will provide the capabilities to implement the best security program.

Intelligence sharing would be key in preventing another Charlie Hebdo style attack. Both the public and private sectors have their advantages in gathering intelligence. The public police have constitutional protections absent in the private sector. Historically, public police operate under a qualified immunity (Nemeth, 2012). However, private security have less procedural restraints than the public police (Nemeth, 2012). Although, there is little to no access to intelligence data for private security (Pastor, 2010); private security has more eyes and ears on the streets than the police. Private security out numbers public police 3:1 and 4:1 in the U.S. and Canada, respectively (Pastor, 2008). Private security has intimate knowledge of the targets that public police do not, private security will notice actions such as a target being surveilled before the police; that information would need to be kicked up to the police. The intelligence sharing must also occur between local, state, and federal government. For intelligence to have any impact it must be shared (Nemeth, 2013). The federal government would have nation-wide and international intelligence information that could assist with local protection.

The federal government has resources that local government does not have. The Department of Homeland Security (DHS) has partnerships with the private sector that produces defense products to be utilized by local entities. DHS through the Science & Technology Directorate has an established a PPP designed to construct fully deployable solutions for homeland defense to local jurisdictions (Cellucci, 2011). Resources also need to be shared locally between police and the private sector. The private sector has surveillance capabilities that the public police do not. The private sector can give public police access to their CCTV cameras to help coordinate protection efforts.

A PPP is the best approach to prevent low tech attacks against soft targets. Zoning and building laws passed by legislation that allows the private sector to build security hardening countermeasures is another form of PPP. The media working with police to spread security awareness also can be considered PPP. The media has an obligation to inform the public (Pastor, 2010).

Public police and private security working in silos and heavy handed security tactics by the government would be an ineffective strategy to prevent another Charlie Hebdo style attack. Failure of public and private communication can lead to key information not being analyzed that could’ve prevented an attack. The 9/11 Commission found a lack of communication as one of the key security failures (Nemeth, 2013).

The government employing draconian security measures will cause citizens to choose between freedom and security. Many worry about the power of government to take away citizens’ rights (Pastor, 2003). A simple solution for Charlie Hebdo would’ve been to not publish the offensive material. However, that would infringe on the right to free speech. Limiting the freedoms of the western world is one of the goals of the Islamic extremist.

Closing the borders and refusing immigrants from entering the country will not prevent a similar attack from happening. Domestic terrorism is a very real concern. A similar attack would more likely happen by a current resident. Domestic terrorism in the U.S. goes as far back as the Ku Klux Klan (Nemeth, 2013).

Any approach used to prevent a terrorist attack will need to be flexible and last the long haul. The fight against terrorism continuously changes and doesn’t appear to be ending anytime soon. The steps involved in developing an approach to prevent another Charlie Hebdo attack would require assessing the risk, deciding how to reduce the risk, and implementing the countermeasures. The nature of the attack, small groups using low tech, will require a public-private partnership to protect the millions of potential soft targets.


  1. Cellucci, T. (2011). A Guide to Innovative Public-Private Partnerships: Utilizing the Resources of the Private Sector for the Public Good. Plymouth, UK: Government Institutes.

  2. Craighead, G. (2009). High-Rise Security and Fire Life Safety (3rd ed.). Burlington, MA: Butterworth-Heinemann.

  3. Fay, J. (2011). Contemporary security management (3rd ed.). Burlington, MA: Butterworth-Heinemann.

  4. Kumar, R. (2014). Research methodology: A step-by-step guide for beginners (Fourth ed.). London: Sage.

  5. Nemeth, C. (2012). Private security and the law (4th ed.). Boston: Elsevier Butterworth-Heinemann.

  6. Nemeth, C. (2013). Homeland security: An introduction to principles and practice (2nd ed.). Boca Raton, FL: CRC Press.

  7. Norman, T. (2010). Risk analysis and security countermeasure selection. Boca Raton: CRC Press.

  8. Pastor, J. (2003). The Privatization of Police in America. Jefferson, NC: McFarland & Company.

  9. Pastor, J. (2010). Terrorism and public safety policing: Implications for the Obama presidency. Boca Raton: CRC Press.

  10. Ross, D. (2009). Civil liability in criminal justice (5th ed.). New Providence, NJ: LexisNexis Matthew Bender.

  11. Woo, G. (2015). Understanding the Principles of Terrorism Risk Modeling from Charlie Hebdo Attack in Paris. Defense Against Terrorism Review-DATR.