Five Things You Need To Know About Real World Threat Assessment

Security expert Spencer Coursen discusses five things you need to know about real-word threat assessment

Jokes are the Truth in Jest

Louis CK does a funny bit (mature language) about the “different set of values” people seem to have for expressing their grievances while driving a car. While all jokes are the truth in jest, his point is that If someone ever-so-slightly drifts into your lane while driving, “death threats” are an acceptable recourse – a behavior that would never be acceptable inside an elevator if someone ever-so-gently brushed up against you.

Actions Speak Louder Than Words

All jokes aside, a threat is a threat regardless of how it was delivered.

Some threats are planned. Some threats are scripted. Some threats are directed at their targets with intent to cause emotional harm and fear. Other threats are more aligned with the “warning signs” of targeted violence.

I categorize threats into two different categories:

Disruptive Threats” are intended to bring about emotional and psychological turmoil.

Predatory Threats” stem from identifiable actions that pose a threat to a specific target. These are the observable, attack-related activities such as conducting surveillance, stalking, or trespassing on private property.

Threat Assessment is about understanding the context, intent, and likelihood of a threat to be carried out. The first step in this process is to determine if the threat is one which has been expressed or one that has been posed. For example, if you accidentally cut someone off on the road and they yell out, “I’m going to kill you,” they have expressed a threat. If they say nothing, but you seem them scowling in the rear-view mirror as they start to follow you home, their behavior poses a threat. Actions speak louder than words. ~Spencer Coursen

“Response Rage”

Response Rage is the angry, aggressive, harassing, inappropriate and sometimes threat-fueled language used in social media communications when expressed interest in another is unrequited. In today’s culture of social media mingling, there has been a noticeable increase in the inappropriate communications utilized by those who believed they have been shunned, ignored, or otherwise embarrassed when their expressed – typically romantic – interest in another person is not reciprocated.

I have assessed countless Tinder, Twitter, Facebook, email, and text message conversations which escalate from pleasant to downright offensive in almost no time at all.

There are Social Media Safety Tips which may help prevent you from being targeted by online predators who get online “Response Rage” the way some drivers experience “Road Rage”

(Image hyperlinked to sample assessment available for free download)

Social Media Is A New Threat Medium

Social Media provides an accepting, sympathetic, and sometimes supportive forum for the expression of real, perceived, and imagined grievances. While most violent offenders will not directly communicate threats to their intended target, many will make ominous posts about their attack ideation.

Recent news reports of social media threats escalating into real world hazards only makes the fear more real. Even the Supreme Court is involved in determining where free speech ends on social media and where prosecutable threats begin.

Perhaps the most challenging aspect of online threats and harassment is that the different social media services are only aware of the concerns reported on their own site(s). They have no way to monitor the behavior of predators who “jump” between communication platforms. At present, Twitter, Facebook, Tinder, Instagram, and personal communications like email and text messages have no way to share the reported concerns of their users. This void allows for those intending to harass, stalk, or threaten their targets to “jump” between platforms with near certainty of anonymity. (Solving This Challenge Soon)

These Are The Top Five Things You Need To Know About Real World Threat Assessment:

1. Those who wish to do harm do not just “snap.”

Targeted violence is the result of an identifiable and observable process of thinking and behavior that when identified, assessed, and managed has been proven to prevent violent outcome.

2. Violent offenders do not make direct threats toward their intended target,

…but they do express their intent to others they believe will be agreeable, supportive or even sympathetic to the ideas that they can “do something” to resolve their grievance. The expression of these grievances increasingly takes place via social media.

3. On the pathway to violence, those who wish to do harm must first engage in some form of research and planning to determine the likelihood of success for their intended action.

A key component to to bringing a threat assessment case toward peaceful resolve is identifying the subject’s attack-related behavior. These are the self-identifying patterns on the pathway to violence that include research, planning, weapon acquisition, training, and logistical considerations. The research and planning phase provides the best protective intelligence to determine if the subject poses a realistic threat that is likely to escalate into violence. This phase also offers the most observable monitoring of the time, money, and effort, being invested in the subjects willingness to do harm. This phase is crucial in determining if the offender will continue on the path toward violence or if they will transfer their ideation toward a more easily accessible target.

It is important to keep in mind that to the violent offender, likelihood of success is the most significant factor in the decision to move forward with their intended action.

This is one of the predominant factors as to why schools are so frequently targeted by their own students and why workplace violence offenders attack their own offices. The offenders know these locations well. They know the terrain. They know the active-shooter response plan. They know the layout of the structures. They know what the security response is likely to involve. They know how effectively access control is regulated, and they are able carry out a “dry run” rehearsal without raising much suspicion.

4.There is a difference between a threat which has been made and those who pose a threat.

Of the two, posed threats are of greater concern. Whereas those who make threats have made a conscious decision to choose alarming words over harmful actions, those who pose a threat are of a much greater concern as their self-identifying behavior is consistent with actions that are commonly associated with hazardous outcome.

This is especially common with “bomb threats.” The purpose of a bomb threat is to instill fear, panic, and disruption – not to physically harm their target. If the intent was to physically harm their target, they would not call in the threat. A predator with a grievance against a target, who then moves along the pathway of violence and partakes in the requisite research and planning (acquires the materials, builds the bomb, secretly gets the bomb inside their target area, and successfully escapes without incident) would not go through all of that hard work only to undo it all with a phone call.

In this example, the unsubstantiated bomb threat is of lesser concern than the motivation behind the posed threat. It’s important to not confuse a seemingly disruptive threat with a predatory act. The intended target may not be the building itself, but someone who works there. Calling in a bomb threat may be part of their research and planning to see if the evacuation point provides a higher likelihood of success for targeted violence.

5. Effective Threat Assessment is about a “Totality of Circumstance.”

This is the pattern of behaviors over space and time – more than it is about the assessment of a specific incident in the context of a singular occurrence.

These practices of identifying, monitoring, and assessing patters of behavior are not new methodologies. They have been utilized by financial institutions to track market trends trends for central banks and private investors for years. Similar methodologies are used by governments to identify destabilizing geopolitical realities which often precede terror concerns.

Until now, these methodologies have not been available to reduce risk and prevent violence in our homes, schools, and places of work. Today is different.

Today we can begin “Preparing Today For A Safer Tomorrow”


Spencer Coursen is a nationally recognized threat management expert who has an exceptional record of success in the assessment, management, and resolution of threats, domestic and global security operations, investigations, policy authorship, and protective strategy.

Spencer Coursen | Threat Management Expert


“Response Rage”

Response Rage | Threat Assessment | Spencer Coursen | Social Media Threat Prevention

Response Rage | Threat Assessment | Spencer Coursen | Social Media Threat Prevention

Response Rage is the angry, aggressive, harassing, inappropriate and sometimes threat-fueled language used in social media communications when expressed interest in another is unrequited. In the social media culture of online dating, there has been a noticeable increase in the inappropriate communications utilized by those who believed they have been shunned, ignored, or otherwise embarrassed when their expressed – typically romantic – interest in another person is not reciprocated. 


Spencer Coursen helps manage unfavorable circumstance toward favorable resolve. He is a security advisor, analyst, consultant, and strategist who is dedicated to reducing risk and preventing violence. His systems and strategies help corporations, non-profit organizations, private individuals, schools, and at-risk public figures ensure the certainty of safety for all involved.

 @SpencerCoursen / @CoursenSecurity

Social Media Tips: Privacy & Safety

Social Media Safety

The Weakest Link

When hackers broke into the Home Depot database and stole massive amounts of credit card information, they did it by targeting a vendor who had a valid username and password. In other words, they didn’t pick the lock so much as they stole a key.

This is a similar concern for social media. You may think you know who can see what you post and share online, but the truth of the matter is that somewhere in your social network is a vulnerable weak link.

weak link

A good rule of thumb is to not post anything that you wouldn’t want made public knowledge. You may have the best privacy settings possible, but if your friend’s account gets compromised, those settings go right out the window.

Example: You may think you’re only sharing something with your friend Samantha, but if Samantha – who has used the same password for everything since High School – get’s hacked by her ex boyfriend…drama ensues.

Between Coursen Security Group, Date Site Data and pro bono work with a survivor advocacy group, I spend a good part of my day helping people who are being harassed, threatened and stalked both online and in person. In order to minimize risk, one of the first things I do is to conduct a vulnerability assessment. Many clients are surprised to learn how much “open source” information can be obtained through a “Deep Web” search and how easily their computers, wifi routers, and mobile applications are vulnerable to attack.

One of the first steps to ensuring safety is to embrace a positive protective posture; one that embraces a preventative methodology rather than a reactive response.

Here are a few tips and tricks to help get you started:

Security Settings Exist For A Reason

The recent cyber attack on Sony have brought much attention to online security protocol. The FBI was quoted saying that “90% of US Companies are vulnerable to attack.” Other security firms have estimated this likelihood as high as 97%.

Hacking is going to happen. It’s just the nature of today’s marketplace. However, it is important to understand that while it is nearly impossible to protect everything all of the time, the bad guys can’t attack everything at the same time either.

So what do we do?

  1. We don’t make it easy for them to get in. Strong passwords and protective measures matter.
  2. We don’t give away the store if they get inside the door. We compartmentalize and segregate the most critical information.

(Like a Bank: Security at the front door. More security behind the teller desk. Yet, even more security to get into the vault.)

Passwords and Updates

You don’t need a bullet proof door to keep your home safe, and you don’t need CIA-level encryption programs to keep your computer safe. But you DO want your front door to be shut and locked and you DO want your computer to have a strong password. Not being bothered enough to take even the most basic of precautions will most certainly come back to haunt you. (Remember Jennifer Lawrence talking on the red carpet about not bothering with her iPhone updates?)

Strong passwords combine capital and lowercase letters with numbers and symbols to create a more secure password. Separate passwords for every account to help thwart cybercriminals. It’s best if passwords are changed frequently (every 90 days) and immediately after ending any personal or professional relationships.

Avoid using words found in the dictionary. Instead, modify words you can easily remember and spell them using symbols and numbers whenever possible. Example: B@seB*11

Most of the updates that come across your screen are related to security updates that reduce vulnerability and patch security flaws. Always choose Yes!

Privacy Settings

The privacy settings on mobile applications and social networks allow you to control who can view the different aspects of your profile. Take a few minutes right now to update your settings and take control of your online experience in a positive way.

All Friends Are Not Created Equal

Connecting a large group of friends and coworkers who would otherwise never meet helps foster new friendships. This DOES NOT mean they should all have the same level of access to everything you say and do online.

Consider making groups that compartmentalize your social network into smaller groups like work, family, friends, and perhaps a more specific “trusted” group that may include those who overlap certain boundaries.

Think Before You Link

Research shows that 75% of corporate recruiters have rejected candidates based on information they found online. Recruiters respond positively to a strong personal brand so think before you link and don’t post anything online you wouldn’t want to be made globally available. (SONY)

When In Doubt, Throw It Out

Most malware is delivered in the form of downloads, links, fake profiles, and false friends. If it looks suspicious, throw it out. Always check the address bar for a known and trusted address like, “” and not something like “” or “http://www.2facebook1.php.” Fraudulent domains names like these are a giveaway of nefarious activity intending to compromise your private information.

Stop Updating Your Relationship Status

The people in your life who matter already know if you are single, married, dating, on-a-break, or involved in something “complicated.” Regardless of your personal situation it is usually unfavorable to make your relationship status public knowledge.

Those who have harassed or stalked you in the past would love to know that you just became newly single. In the mind of a pursuer, changing your status to “Single” is a green-light for them to use your update as an excuse to contact you. It also let’s them know that you are likely now spending your nights home alone. A positive protective posture is your best course of action, so it”s best to leave the relationship section blank.

Keep Private Information Private

Embrace the “less is more” philosophy when it comes to your personal information. Be mindful to not post pictures of your home, your car, your office, your parking spot, and other distinguishable facets of information that make it easier for you to be singled out of the crowd and identified. The more information you provide to your online audience, the easier it may be for someone to use that information to target you for identity theft, data breaches, harassment, or stalking.

Keep Sensitive Content on a Password Protected External Drive

In addition to being a preferred practice for regularly backing up your computer, it is best to keep photos, emails, documents, and other files which may be private or sensitive in nature on an password protected external hard drive that is not connected to the internet.

These devices are lightweight, mobile, and small enough to travel with you yet keep your private files compartmentalized and separated from being compromised by a security breach to your network.

Real Friends Look Out For Each Other

Everyone has a different tolerance for how much they want the world know about them. Similarly, everyone has a million things going on in their own life that may not be for public knowledge. Be honest about those pictures, posts, and tags that make you feel uncomfortable and let your friends know how you feel. Likewise, be sure to keep an open mind and respect the opinions of others when it comes to postings you have made with regard to them.

Don’t Check-In Until You Check-Out

Lot’s of people love to use the geo-location and “check-in” features of Instagram, Facebook, and Twitter. The problem is that now you’ve just told everyone where you are and where you are not. If a stalker is trying to find you, you’ve just told them where you are. Same goes for the robber determining which homes offer the highest likelihood of success. Live-tweeting your vacation from the beach makes you that much more of a candidate.

When in doubt, turn off the geotagging and if you want to share the moment with friends and family who aren’t there with you, use text or email. Wait until you get home to share with those who don’t matter the most.

Update Basic Infrastructure Settings

Regularly running virus scans on your computer and updating the security features of your wireless router are extremely important. This is especially the case if you have had your wireless router for a few years and you are still using WEPencryption.

Standard WEP is easily cracked within minutes and only provides a false sense of security. An amateur hacker can defeat WEP security in a matter of minutes. If you are still using the default router password posted on the bottom of the router, it’s even easier. Unfortunately, many people set their wireless routers up years ago and have never bothered to change their wireless encryption from WEP to the newer and stronger WPA2 security. Updating your router to WPA2 is easy as browsing the manufacturer’s website for details.


Spencer Coursen is the President of Coursen Security Group. He is an expert security consultant, threat assessment advisor, and protective strategist who is dedicated to reducing risk and preventing violence. His systems and strategies help corporations, non-profit organizations, schools, and at-risk public figures ensure the certainty of safety for all involved.

@SpencerCoursen / @CoursenSecurity


Diving Into The Deep Web

Deep Web | Coursen Security Group | Spencer Coursen | Internet Anonymity

Whenever you “Google” something, the search results are based on  key-word association and content that has been referenced by other popular sites. For many, this is more than enough. For others, it may be helpful to understand what lies below the skimmed surface of a standard search.

Just be sure to look before you leap.


Surface Web refers to content that is available through search engines like Google, Yahoo, Bing, etc.. This is information that is “linked” throughout the internet.

Standard search engines have created technologies that “crawl” through websites and index them as a way for users to identify pages of interest.

Search engines return the most popular links, not necessarily the most valuable content.

Surface Web results are geared toward generic search queries like:

“Movie Times 10019”

“Top Restaurants NYC”

“Best Bar in Vegas”


The internet is built around web ages that reference other web pages. If you have a destination web page which has no inbound links it becomes “concealed” and it cannot be found by users or search engines. One example of this would be a blog posting that has not yet been published. The blog post may exist on the public internet, but unless you know the exact URL, it can be difficult to find.

There are several “Deep Web” search engines which exist to help locate information related to specific queries like: “How many grants were issued for AIDS research in NYC in 2014.”

Beyond Google

56 Authoritative, Invisible, and Comprehensive Resources


A website that archives older websites that are no longer available on the Internet. For example, Alexa has about 87 million websites from the 2000 election that are for the most part no longer available on the Internet.

Direct Search

A list of hundreds of specialty databases and search engines. No longer maintained, but still perhaps the most complete list of the deep web.


Breaks your results down into categories – general web, blogs, news, academic, cloud, metrics, research, etc. This allows you to quickly focus on the best results to your query.


Refers to a subsection of the deep web which requires special TOR software to view content that has otherwise been concealed from the “public” internet.

Understanding TOR

Understanding TOR | Deep Web | Coursen Security Group | Spencer Coursen | Internet Anonymity

TOR – The Onion Router – known by its acronym TOR- refers to the process of removing encryption layers from internet communications, similar to peeling back the layers of an onion. TOR offers an anonymous connection to the Deep Web. It is, in effect, the Deep Web search engine.

TOR was developed by US Naval Intelligence to allow for anonymous and untraceable communication via the internet. Intelligence agents, law enforcement officers, and political dissidents in foreign countries with oppressive governments are trained in it’s use by the State Department.

The anonymity offered through TOR created a breeding ground for criminal elements who are taking advantage of the opportunity to hide illegal activities. Silk Road (Shut down by the FBI just last year) forged the illicit online structure and business model for how an illegal marketplaces could operate via it’s own anonymous currency (Bitcoin) in the deep web with the certainty of anonymity. Everything from murder-for-hire, to hackers, to child sex crimes, once limited to back alleys could now move freely throughout a global marketplace. Since the shutdown of Silk Road, many other blackmarket bazaars have sprung up in it’s place: TOM, Agora Beta, and Evolution to name a few.

The TOR Project is a non-profit organization that conducts research and development into online privacy and anonymity. It is designed to stop people, including government agencies and corporations, from learning your location or tracking your browsing habits. Based on that research, it offers a technology that bounces internet traffic through “relays” which are hosted by thousands of volunteers around the world. This makes it extremely hard for anyone to identify the source of the information or the location of the user.

Deep Web Links – TOR (.onion site list)

Who uses TOR?

The TOR project team say its users fall into four main groups:

  • Normal people who want to keep their internet activities private from websites and advertisers
  • Those concerned about cyber spying
  • Users evading censorship in certain parts of the world
  • Those engaged in black-market commerce (illegal, drugs, weapons, gambling, hacking, child porn, etc.)

The Dark Side of TOR

The cloak of anonymity provided by TOR makes it an attractive and powerful tool for criminals. NSA documents have described it as, “Very naughty people use TOR.”

TOR can not only mask user identity, but it is also able to host websites via its “hidden services” capabilities. This means sites can only be accessed by people on the TOR network. This is the so-called “dark web” element, and it’s not unusual to see TOR pop-up in stories about a range of criminal sites.

How TOR Works | Spencer Coursen | Deep Web

TOR | TOR Nodes | How TOR Works | Spencer Coursen | Coursen Security Group


TOR | Deep Web | Spencer Coursen | Coursen Security Group

SAMPLE: Agora Beta

TOR | Deep Web | Dark Web | Agora Beta | Spencer Coursen | Coursen Security Group


TOR | Deep Web | Dark Web | TOM Market | Silk Road | Spencer Coursen | Coursen Security Group

SAMPLE: Evolution

TOR | Deep Web | Dark Web | Evolution | Silk Road | Spencer Coursen | Coursen Security Group

Why is this a big deal?

A new report from the U.S. Treasury Department found that a majority of bankaccount takeovers by cyber thieves over the past decade might have beenthwarted had affected institutions known to look for and block transactionscoming through TOR, a global communications network that helps users maintain anonymity by obfuscating their true location online.

In the report, released on Dec. 2, 2014, FinCEN said it examined some 6,048 suspicious activity reports (SARs) filed by banks between August 2001 and July2014, searching the reports for those involving one of more than 6,000 known TOR network nodes. Investigators found 975 hits corresponding to reports totaling nearly $24 million in likely fraudulent activity.


But the Deep Web isn’t all bad either…

Beyond the realm of consumer searches, Deep Web technologies may eventually let businesses use data in new ways. For example, a health site could cross reference data from pharmaceutical companies with the latest findings from medical researchers, or a local news site could extend its coverage by letting users tap into public records stored in government databases.

This level of data integration could eventually point the way toward something like the Semantic Web, the much-promoted — but so far unrealized — vision of a Web of interconnected data. Deep Web technologies hold the promise of achieving similar benefits at a much lower cost, by automating the process of analyzing database structures and cross-referencing the results.

“The huge thing is the ability to connect disparate data sources,” said Mike Bergman, a computer scientist and consultant who is credited with coining the term Deep Web. Mr. Bergman said the long-term impact of Deep Web search had more to do with transforming business than with satisfying the whims of Web surfers.




Security Expert Spencer Coursen specializes in threat assessment protective intelligence and vulnerability reduction. Coursen Security Group Logo.