Why security should monitor social media to prevent violence

Behavior on social media can offer clues to potential threats of violence against an organization and its employees.

The lone actor

As everyone knows, lone actors such as active shooters and bombers target public places like schools, malls and movie theaters and public events like speaking engagements. In many cases, threats of violence posted to social media precede these attacks.

With this in mind, CSOs and CISOs should consider complementing security measures with social media monitoring and response efforts designed to address the potential that lone actors will carry out threats of violence against the enterprise or any of its employees.

Posted threats and enterprise responsibility

Authorities have uncovered strange and threatening behaviors that lone actors have exhibited on social media prior to acts of violence such as mass murders. Jared Lee Loughner, the man who killed six and injured thirteen including U.S. Representative Gabrielle Giffords in Tucson, Arizona on January 8, 2011 is a clear example.

After the shooting, news media reported that police found more than a hundred disturbing gaming forum posts from 2010 at the Earth Empires Massive Multiplayer Online game site (beware graphic language) and half a dozen bizarre YouTube videos that Loughner authored prior the attack (these are still posted on YouTube).

According to numerous media reports, Loughner's shocking posts included statements such as, "I know how to cut a body open and eat you for more then [sic] a week." He also posted about feeling aggression "24/7." Mental health issues and previous threats give credence to concerns over future violent acts, according to W. Scott Lewis, J.D., President, NaBITA (The National Behavioral Intervention Team Association).

Certainly, not everyone whose Internet communications are continually bizarre and violent is going to target people with bombings and shootings. But given the current environment and the frequency of loan shooter and bomber incidents, no enterprise wants to miss a case of social media threats against its people, or catch one and fail to act on it.

In all this, the CISO's role is to assess the risk from threats of violence that people post to social media, to communicate that to executive management and to help decide what the risk tolerance is for the company, says Dennis Devlin, CISO, SAVANTURE. Then, the enterprise must create and institute policies and programs to make sure that it carries out the executive management's intent.

Enterprise social response

The enterprise has several tools at its disposal in case of threats of violence on social media. The enterprise should monitor social media to uncover threats. Monitoring social media for threats of violence includes sentiment and keyword monitoring using social media monitoring tools such as Hootsuite, according to Max Goldberg, Social Media Expert, Shmedia Media. Hootsuite enables users to create streams of keywords and phrases to monitor and follow.

Similar to how typical social media management governs outbound content, the enterprise can monitor inbound content, according to Goldberg. Applications such as Bottlenose and SocialMention also use search-based filtering techniques to monitor social media and are useful for spotting threats of violence. Google and Google Alerts www.google.com/alerts are also useful for social media monitoring.

In addition to watching the company's brand name, the name of the corporation and trademarks and slogans, the enterprise can automate alerts that include executive and employee names and words and phrases commonly used in threats.

Enterprises should prepare individual executives and employees to catch instances of social media-based threats by training them so they can recognize potentially serious threats and respond accordingly. It's important to have a clear triage of actions based on company policy that every employee can follow in relation to social platforms, according to Goldberg. The policies should provide examples of threats that people could make and carry out along with examples of what to do about it.

Threat assessment

"Public Safety should always be the first contact for threats of violence," says Devlin. Upon the appearance of threats of violence on social media, public safety, public relations, legal, executive management and law enforcement need to work together to assess the threat. The enterprise needs a well-established plan to facilitate this. Threat assessment needs to be a collaborative effort that starts with the public safety organization and closely coordinates with information security, HR and the office of general counsel.

"The threat assessment team has to determine whether this is someone acting up or there is some legitimacy to the threat," says Devlin. Get the IT department to look at where it came from since the source of the threat will clue the enterprise into other factors for threat assessment. To determine how genuine it is, get public safety involved. They would potentially get law enforcement involved.

Ensuring physical safety is the highest priority, stopping further threats is next, and thereafter is the determination of whether or not someone is breaking a law or policy, and with that the potential for prosecution or HR action. "An after action review should follow that to see whether the whole thing could have been prevented," says Devlin.

Enlist legal expertise

Any threats of physical violence are easier to deal with from a legal standpoint than other types of threats, according to Tomas M. Flores, Esq., Attorney. "You have a civil injunction for the individual if you can identify them, and if the threat is sufficient enough, that is now a criminal matter and you should bring it to the attention of your local police or prosecutor," says Flores.

Information security and perhaps external law enforcement will have to collaborate to discover the identity of a person posting an anonymous threat on social media. The information security group is accustomed to dealing with the social media aspect and can look into technical evidence pointing to the perpetrator. The police now have tools for tying social comments to real world crime including LexisNexis' new Social Media Monitor.

The prosecutor can ask the judge for a criminal protective order prohibiting the offender from contacting or coming within 300-feet of the intended victim. And violation of these court orders is a crime. "Prosecutors love violations of court order crimes," says Flores. All the person or the enterprise needs is a court order and evidence that the offender is making contact or coming within 300 feet. If the victim can produce a photo of the person 20 feet away, then the prosecutor picks up the phone. "The police go to the defendants house, cuff him and throw him in jail until the hearing," says Flores.

Steps for in-house counsel

Unprepared victims often limit police and prosecutors. In-house counsel should keep meticulous records on the particular defendant and their conduct, according to Flores. "If the intended victim needs psychiatric help or they need Xanax because they're so panicked about this person, those damages might be recoverable from that defendant," says Flores. So in-house counsel should keep close records.

In-house counsel should maintain a very good relationship with the watch commander of local law enforcement. "When you call, be very nice, work with your detective, when the detective calls, pick up the phone right then," says Flores. The police are often very busy and when compared with corporate threats that are not yet realized, armed robberies will take precedence.

"I would keep a good relationship with a local investigator as well. Private investigators are often retired detectives and are phenomenal at what they do," says Flores.

Join the CSO newsletter!

Error: Please check your email address.

Tags securityphysical securityThe National Behavioral Intervention Team Association

More about 24/7GoogleScott Corporation

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Geer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place