Since September 11, 2001, the terrorism attacks were integrated into the agenda of law enforcement agencies. The distribution of threat-related information among law enforcement agencies has significantly improved since then. For example, the U.S. Department of Homeland Security has extended its computer-based antiterrorism system (called the Homeland Security Information Network (HSIN)), to all the states in the U.S. Another related system, called Regional Information Sharing Systems (RISS), successfully operates all over the U.S. through its six regional centres serving 7,500 law enforcement agencies. Other initiatives such as National Joint Terrorism Task Force (NJTTF) by the FBI and the State Homeland Security Assessment and Strategy (SHSAS) Process by the DHS Office of Domestic Preparedness (ODP) have been also effective at tackling the terrorist threat. Nonetheless, the need for timely and ongoing terrorist threat assessment is still in high demand.
Researchers provide the foundation for risk assessment and management of terrorism threat through a number of steps: 1) critical infrastructure identification; 2) criticality assessment; 3) threat assessment; 4) vulnerability assessment; 5) risk calculation; and 6) countermeasure identification. In the beginning, the critical infrastructure which requires the utmost attention should be identified. In the US, the following infrastructure is determined to be of strategical importance: 1) agriculture; 2) banking and finance; 3) chemical and hazardous waste; 4) defence industrial base; 5) energy; 6) emergency services; 7) food; 8) government; 9) information and telecommunication; 10) transportation; 11) postal and shipping services; 12) public health; and 13) water. The database on critical infrastructure in each jurisdiction is maintained and updated on a continuous basis.
To estimate the potential loss of life or property, criticality assessment should take place. Extreme criticality means that a terrorist threat risks incurring irreparable damage to property or substantial loss of life. High criticality does not lead to life loss, but to solid damage to facilities. On the other hand, medium criticality implies serious disruptions in facility operations a medium-term. Finally, low criticality risks with minor disruptions in such operations, and negligible criticality risk with highly insignificant damage to facilities
Law enforcement agencies also conduct threat assessment. It is stated that threat assessment should be all-rounded, based on cooperation with local, state and federal organizations and in combination with the knowledge available to these organizations. Threat assessment must incorporate type, category and objectives of adversaries, number of adversaries per category, targets chosen, types of planned activities and potential time of adversary attacks, their chosen methods and capabilities. These activities are related to threat calculation, i.e. determining the seriousness of threat based on the combination of such factors as existence of terrorist groups, their capability, intent, history, targeting and the security environment in given jurisdiction.
Even though it is hard to objectively assess vulnerability, some factors are often used to make it as objective as possible. They are location of a facility, its accessibility, adequacy of its storage and protection, as well as availability of general security systems. Highly vulnerable facilities usually have open access with close proximity to unguarded highways or waterways; patrols and alarm systems are easy to defeat or provide incomplete coverage; hazardous materials including weapons and explosives are easily available within the perimeter of a facility; and response units have inadequate training or physical protections are commensurate with the level of terrorist threat. Moderately vulnerable facilities usually have open access with close proximity to guarded highways or waterways; patrols and alarm systems may pose some difficulties to defeat, e.g. threat elements may not come unspotted; hazardous materials including weapons and explosives are not easily available within the perimeter of a facility; and response units have adequate training to tackle even experienced adversaries but physical protections are commensurate with the level of terrorist threat. Finally, low vulnerability facilities are difficult to access because of their geographic location or substantial distance from major highways; unauthorized entry is precluded thanks to effective control and reporting systems; sensitive materials are hard to impossible to access for corresponding threat levels; and response units have all the infrastructure and equipment to cope with the corresponding threat level. It is worth mentioning that there is an important distinction between three constituents of risk. Criticality assessment and calculation measures the potential impact of the damage or loss. Threat assessment and calculation measures the likelihood that the facility will be attacked. Vulnerability assessment and calculation identifies breaches that the adversaries may use to initiate the attack. Once criticality, threat and vulnerability assessments have been conducted, it is a high time to conduct risk assessment. As matter of fact, risk to an asset can be simply computed by multiplying our measures of criticality, threat and vulnerability.
Finally, appropriate countermeasures should be adopted to tackle any level of risk. “Countermeasures are actions, devices, or systems employed to eliminate, reduce, or mitigate risk and vulnerability”. There are three packages of countermeasures based on the trade-off between their costliness and efficiency: 1) risk averse; 2) risk tolerant; and 3) risk acceptance. Policy makers utilizing risk averse package of countermeasures strive to achieve the effective goal of combatting terrorism at any price possible, and therefore see no financial or political restrictions. Risk tolerance package is implemented as a balance between needs to tackle terrorism on one hand and financial or political restrictions of the underlying jurisdiction on the other hand. Finally, risk acceptance package (the least preferred) implies the highest risk of a terrorist attack but also the lowest cost of implementation. The terrorist threat countermeasures such as staffing and technology should be periodically put to test to ensure their highest efficiency.