Protecting Students and Staff from
Active Shooters
A Case Study at the European
Simulation and Validation Center (ESVC)
THE TASK AT
HAND – PROTECTING STUDENTS AND STAFF
Protecting the students at the European Simulation and
Validation Center (ESVC) was our objective and specifically, reducing the mass
casualty count during active shooter scenarios.
With the increase in terrorist attack, it was only logistical that the Executive
Director would seek out protection for her staff and cadre of instructors, but
primarily, for the students attending simulation modeling at the ESVC.
“We pride
ourselves in being a professional organization with extensive safety and
security knowledge. Protection of our staff and students in any way is a main
priority”, says, Karen Zwart, Executive Director from her offices in Ede,
The Netherlands.
Because CPK United BV is known for their expertise in training
senior government leaders and industry executives, as well as, their key staff
elements, especially in the transportation and aviation fields, the ESVC is the
“go to” place when it comes to conducting serious gaming models for evaluating
emergency plans and the actions required by them. The ESVC provides a comfortable environment
that is conducive to leadership training at the highest levels in lieu of
costly field exercises. The ESVC can
create an organization specific built (physical) environment virtually; use
existing company or agency plans, while allowing “players” to travel down a
variety of decision paths in a virtual environment. This allows them to test plans through their
interaction, individually and collectively to evaluate efficiencies – without
the additional expense of a full-scale exercise and without anyone getting
hurt. Using ESVC simulation allows plans and
procedures to be tweaked before a real incident occurs and damage or injury
occur.
KNOWN
COMPONENTS OF THE RISK FORMULA
All good risk formulas have some commonalities. The formula usually goes something like this;
C (asset criticality) X Threat (What can harm us) X Vulnerability (How
susceptible we are to the harm) = Risk (How bad is it?). In this particular instance, two of the
essential elements in calculating risks were already known to the assessment
team. Those elements included the criticality of the asset, (high value
targets/students). To understand the
criticality, imagine for a second, if a multi-national corporation’s entire
senior leadership along with key staff were on-site being trained and ESVC were
involved in a catastrophic incident. It would
not only mean damage and death but could also influence the future of the
organization and could very well be the end of that company.
And, the second known element – threat – was an active shooter scenario.
ASSESSING
VULNERABILITIES – A SNAPSHOT IN TIME
The next element of the formula was to determine the
vulnerabilities of the site as they related to the threat. Haines Security Solutions was called in to do
the assessment due to its extensive experience in conducting risk analysis and
developing mitigation strategies as they relate to building design. Experts in forced entry, building design,
antiterrorism and structural engineering repaired to the site to conduct the
evaluation.
It should be noted that during conversations with the staff
it was noted there was a low-moderate probability of occurrence of this type of
attack; however, due to the catastrophic impact on the corporate structure of
an organization attending training if impacted (low/moderate risk – critically high
impact), it was determined to be of extremely high importance to conduct a full
range of assessments.
Each area of the facility (reception area, training
facility, staff offices, storage areas, coffee/snack center, bathrooms and print
shop) was examined from both the owner’s and the aggressor’s points of view.
USING THE
ASSET BASED RISK ANALYSIS METHODLOGY
This dedicated team of subject matter experts collected
physical security, as well as, operational data on-site in order to allow them
to fill-in the vulnerability element and complete the risk formula
They then started collecting physical data from the curb
inward. Data was collect on three
layers where vulnerabilities could occur; i.e., property perimeter, building
façade and internally controlled spaces.
Data about the IT system or software used at the ESVC was not collected
because the ABRA, in this case, did not call for the protection of data on the
IT system. Instead, it called for the
protection of lives.
Once back at their
offices, the Haines Security Solutions team members used an assessment
methodology called Asset Based Risk Analysis[1]
or ABRA to analyze the data and make effective recommendations.
The primary purpose of ABRA is to quantitatively
measure threats, assets, vulnerabilities, and risks associated with large
and/or small government or private facilities.
It establishes a security baseline, explores upgrades, recalculates
vulnerabilities and risks, and recommends optimized features or improvements
for facilities. In essence, ABRA
identifies current levels of vulnerability and risk and then identifies
improved levels with the implementation of specified countermeasures. Basically, a snapshot of where the organization
is today and where it could be after countermeasures are implemented. In addition, ABRA identifies the associated cost
and impact of the improvements. ABRA
includes the performance of six sub-analyses: threat, target, vulnerability,
optimization, risk, and cost–benefit.
Threat Analysis
The treat analysis is
based on information collected during the site visit. The information produces a threat rating,
which measures the threat likelihood (the probability an attack will occur),
and an effectiveness rating (the probability that an attack will be successful).
ABRA takes into account the current local threat environment
for five conditions; i.e., stand-off, explosive; covert, overt and
chem/bio. Although the project only
called for the assessment of an active shooter threat, since we were already on
site, it only made sense to conduct all five analyses.
The assessment team started the assessment asking a series
of about 50 questions to the staff to further determine the asset’s criticality
and threat environment. Additional soft
intelligence was collected via the internet and a clear threat picture emerged.
Target Analysis
The target analysis is
designed to evaluate and measure the value of all targets to the user and to
the aggressor. Targets could include any
type of asset or target including facilities, people, equipment, money,
processes and systems. The end result of
the target analysis is a numeric rating based on the target value or criticality
to the user and the target value or usefulness to the aggressor.
Vulnerability Analysis
Our vulnerability analysis
is designed to quantitatively evaluate and measure how vulnerable a specific
asset is to a specific threat. This phase of ABRA identifies the
countermeasures currently in place for a specific target and is assigned a value
based on their effectiveness in mitigating threats (Baseline Vulnerability
Rating [BVR]).
Optimization Analysis
The optimization analysis
is the reapplication of the vulnerability analysis after implementing
hypothetical improvements resulting from countermeasures that could be used for
a specific asset. Hypothetical countermeasures
could include programmatic or procedural options. The end result is an optimized vulnerability rating
(OVR) associated with the specific target being analyzed, in this case, a
training facility. Based on the optimization
analysis, the average vulnerability and risk rating can be identified and
stated as a percentage.
Risk Analysis
The risk analysis is the aggregation
of the threat, target, vulnerability, and optimization analyses to determine
the calculated value of risk associated with a specific asset that is being
targeted by a specific threat.
Cost–Benefit Analysis
The cost–benefit analysis
compares the potential results of specific countermeasures for reducing or mitigating
threats against specific assets. The
cost–benefit analysis is based on cost versus reduction in vulnerability and
risk.
MAKING
RECOMMENDATIONS THAT WORK
Most risk analyst make recommendations that bring the
facility up to code compliance or base solutions on costs. The recommendations made during this
assessment were made based on risk reduction and not costs. Our
analysis showed that all recommendations were either extremely or highly cost
effective. Those recommendations
included four main or specific areas.
Inhabited
Space Hardening
Windows – Replacing the existing exterior windows with 6 mm
laminated or poly-bicarbonate glazing.
Walls – Retrofitting the walls with a ballistic resistant
material and continuing that concept to other features.
Furniture – Retrofit any interior elements, such as,
reception desk, student chairs, tables, white-board (basically, anything or
anywhere a student could hide behind if they were unable to exercise their
first option of running away).
Electronic
Security Systems
Electronic Security Systems – Install integrated access
control and surveillance (CCTV) systems.
Mass notification system – Install internal and external
speakers, alarm signals and visual message boards.
Crime
Prevention through Environmental Design (CPTED)
Natural Surveillance/Natural Access Control – Use
landscaping to reroute pedestrian traffic entering the building, so that as people
approach they are observed from within the building.
Plans,
Policies and Procedures
Use internal resources/corporate expertise to update plans,
policies and procedures
IN SUMMARY
The recommendations would be implemented in all areas of high
occupancy or critical areas (inhabited spaces); i.e., training facility, staff
offices, coffee/snack center and stairway.
It should be pointed out that normally stairways or other transit type
spaces would not receive the same level of protection because they are usually considered
to have low occupancy, but input from the ESVC indicated it to be mission
critical and a single-point-failure location for their operations.
Bathrooms, storage rooms, print shop and garage were not
recommended to be retrofitted with ballistic protection because of their low
occupancy density (uninhabited spaces).
Overall the risk reduction to the active shooter threat was
calculated at 84 percent. In other
words, the Delta if you will, from where the risk is today to where it will be
when all of the recommendations are implemented. If
implementation of all of the recommendation in the report were accomplished the
risk reduction of the other threat scenarios would be between 74 and 98
percent. The total project costs,
including the data collection, evaluation and analysis and implementation of all
of the recommendations was Euro72,130 ($76,200). If only the recommendations pertaining to
ballistic protection from the shooting threat were adopted the costs would be
Euro53,560 ($56,700). Recommendations were
also prioritized to be implemented based on risk reduction and protection to
the largest number of people first, and to allow their implementation as
funding becomes available.
In summary, that’s a very small amount to pay to protect the
lives of students and staff. The added protections
afforded by the recommendations help reduce risk and provide safety from a host
of criminal and terrorist activities.
Zwart added, “The conclusions
made were rock solid and provided clear vision of the budget choices we need to
make in the years to come. By using
their proprietary formula, Haines Security Solutions was able to demonstrate
the tangible risk reduction of their recommendations. Something we’ve not seen in other assessment
methodologies”.
Making it a safe and secure environment for
those attending training – after all isn’t that what it’s all about?
[1] Haines
Security Solutions was awarded a 2017 Platinum level Government Security award
in the Risk Analysis category for its Asset Based Risk Analysis (ABRA)
methodology. The GOVIE awards are
presented by Security Today magazine
to outstanding products that address security challenges within the municipal,
government, Safe Cities and law enforcement markets.
