Considerations for Designing Active Shooter Protection Measures (Pt. 4)

Forced Entry Standards

Considerations for Designing Active Shooter Protection Measures (Pt. 4)

Parts 1 and 3 of this series surveyed important principles of physical security and facility preparation for mitigating the consequences of active shooter attacks. Although the concepts described in the preceding articles are universal, there are often unique circumstances that influence how these principles are best applied in different situations.

The following are some preliminary questions to consider with bearing on the practicality and prioritization of security measures.

Is it feasible to employ restrictive entry control and screening measures?

In an ideal situation, entrance into the facility is channeled to a limited number of secured entry points and all entrants are subject to verification and weapons screening before admittance. However, there are many situations where restrictive entry controls are impractical (or impossible) due to reasons of high volume of public traffic, cultural expectations, budget, or low-risk justification. Common examples of this situation include malls, hotels, train stations, entertainment districts, houses of worship, hospitals, multi-tenant office buildings, and similar facilities. This is also a common situation in schools and universities with complex campuses, or where concerns about negative impact on school climate, cost, and operational burden outweigh the risk.

In these situations, an adversary could access populated areas of the facility undetected before commencing an attack. To compensate for this, high priority should be given to measures that simplify rapid escape from public areas and expedite the actions of armed responders.  In large buildings (such as multi-level office buildings, schools, hospitals, and hotels), alert communication is critical and safe refuge options should be abundantly available for people unable to escape or who are unaware of the threat’s location.

Although restrictive entry control may not be practical in these cases, it may be worth configuring an access control macro to facilitate the rapid lockdown of exterior doors and high-risk indoor locations if an attack is detected outdoors.

Are there groups of occupants present whose capability to respond is likely impaired or who are unable to easily evacuate during an attack?

This is generally the case in schools, daycare facilities, nursing homes, and hospitals. In these situations, alert communications and ensuring the availability of safe refuge areas are top priorities. In schools and daycare centers, all classrooms should meet criteria as basic-level safe rooms. In hospitals and nursing facilities where it is not feasible to secure patient rooms, measures should be implemented to rapidly secure wards and hallways wings occupied by vulnerable groups. Additionally, all employees caring for vulnerable populations should be trained in lockdown procedures and drill regularly to ensure reliable performance under stress.

In nightclubs and entertainment venues, we often have a different type of concern—alcohol. When considering other conditions typical in nightclubs and party venues (e.g., dense crowds, low lighting, loud music, light shows, etc.), alcohol is the final ingredient in a recipe for disaster. In previous nightclub attacks (e.g., Pulse, Reina, Bataclan Theater, etc.), the reaction of patrons was initially delayed by confusion and followed immediately by panic as occupants fled the direction of danger. To address this concern, priority should be given to designing intuitive and high capacity egress routes in directions away from the main entrance. Ideal preparation also includes options for direct escape from all locations inside the building (incl. restrooms, service hallways, etc.). To further address the problem of confusion, measures should be explored for quickly shutting off the A/V system and illuminating exit doors.

Are there large numbers of people present who are expectedly unfamiliar with the facility?

If yes, careful consideration should be given in the design and marking of egress routes, public notification systems, and training employees in procedures for directing guests’ response.

Does the interior layout of existing buildings provide ample options for occupants to take safe refuge?

In schools, hotels, and many office buildings, the existing indoor layout usually provides adequate options for designating rooms which can be easily upgraded to meet basic requirements as safe rooms. Where I often encounter problems with this matter are industrial facilities, telephone call centers, and office buildings with extensive use of indoor glass walls.

If budget permits, the preferred remedy is to construct (or upgrade) several intrusion-resistant rooms throughout the facility to provide accessible refuge options for employees regardless of location. As a minimum, we recommend at least one safe room per floor wing with adequate capacity for all employees in proximity. In call centers and office buildings with open floor plans, the newly constructed safe rooms can often serve a practical role as conference rooms during day-to-day activities.

If constructing safe rooms where needed is not possible, egress routes should be easily accessible and discharge directly outdoors. Additionally, employees should be trained to know that hiding in an unsecured work area is unsafe and escape is the preferred response when possible. Training should also include a discussion about optional egress paths (e.g., alternative exits, roof access, etc.) and high-risk areas to avoid during evacuation (such as first floor lobbies and central hallways).

If circumstances dictate that escape is the preferred response, situational awareness is critical and measures should be explored for monitoring the movement of attackers by CCTV and relaying real-time updates to employees.

Do cultural expectations or public image concerns restrict the employment of high profile security measures?

This issue frequently arises in corporate and hospitality facilities conscientious about branding. Many schools are also sensitive to this matter considering research by psychologists warning of the potential for negative impact on school climate. In many cases, this concern can be easily addressed by employing locks, barriers, and other hardware with a low profile appearance. Egress design, communications systems, and other infrastructure preparations are generally unnoticed by employees and the public.

Where concerns about high profile measures most often influence protective strategy are decisions about posting armed officers inside the facility and implementing entry screening measures (as described earlier in this article).

As discussed throughout this series, few measures offer as much benefit during an attack as having an on-site armed response force. If an organization is attracted to the idea of armed protection, but hesitant due to public image concerns, some measures can be employed to address this situation.

One option is to stage armed response officers in a location out of public view. Several years ago we aided an organization in evaluating potential security strategies for a parliament building. At the time, the facility was protected by several police officers armed with handguns posted outdoors. Considering the facility’s risk profile and Design Basis Threat (terrorists armed with assault rifles), we strongly recommended they augment their current security force with an on-site tactical response team equipped with military small arms. This proposal was initially rejected due to public image concerns. Our recommendation, in turn, was to stage the team inside a room hidden from public view and within 120 seconds travel time to all critical locations inside the facility. This same approach can be adopted in office buildings, hotels, schools, and any other location where public image is a concern.

Other methods for addressing this concern include substituting plainclothes officers for uniformed personnel and carefully selecting officers for their unique combination of tactical capabilities and interpersonal relations skills.

Is it expectedly safe for people to evacuate the facility during an attack, or is the facility located in a geographic area where escape outdoors is impractical or possibly dangerous?

This is not generally a concern for most facilities. Where this issue most often arises is when a facility is remotely located away from civilization or in hostile threat environments.  An example of the first situation would be the Tigantourine gas facility in Algeria targeted by Al-Mourabitoun in 2013. An example of the second situation might be a compound located in a war zone where friendly authorities have little control and hostile actors abound (e.g., 2012 Benghazi attacks).

In these situations, on-site armed response capability is paramount. Additionally, perimeter defensive measures should be designed to provide the armed response force with a tactical advantage and create time for occupants to seek refuge. Additionally, safe havens should be provided capable of advanced delay times and sustained life support under attack by fire, smoke, and other methods of asphyxiation.

Is it feasible to have an on-site armed response capability?

As detailed in Part 1 of this series, barriers need to be designed to delay an adversary’s ingress into populated areas with sufficient time for a response force to intervene. If it is not possible to have an on-site armed response capability, the emphasis often needs to be placed on measures that facilitate delay (e.g., barrier construction, egress design, etc.) and expedite the response of local police.

Are we located in a region where previous incidents often result in a siege or delayed intervention by security forces?

If yes, there may be justification for upgrading safe rooms to an intermediate or high level of protection. As discussed in Part 2 of this series, most previous attacks where adversaries committed time and effort to forcibly enter rooms were in situations where authorities delayed entry. As an added measure, safe rooms in these cases should be equipped with supplies to sustain occupants for the duration of a siege.

Is our Design Basis Threat adversary an insider, outsider, or both?

As explored in Part 2 of this series, the relevancy of many protective measures is directly related to the attacker’s expected access to the facility. The following table is provided as a general guide to the applicability of physical security and facility design measures to different categories of adversary.

Active Shooter Facility Security Measures

These are some of the many questions to consider as part of the physical security and facility design process. In upcoming articles, we’ll explore these issues in greater depth and present examples of how custom protection strategies can be designed for different types of facilities.

The Sympathetic Nervous System (SNS), Situational Awareness, and Active Shooter Attacks

Another important issue to consider in active shooter planning is the potential effects of the Sympathetic Nervous System (SNS) and lack of situational awareness on employee response.

During life-threatening emergencies, the Sympathetic Nervous System (SNS) is often activated. The SNS governs human flight-or-fight response to imminent threat situations. Although the SNS served an important survival function in human evolution, its effects can impair response actions by building occupants during high-stress events. When the SNS awakens, a person’s heart rate may exceed 200 bpm resulting in cognitive impairment, loss of fine motor skills, irrational behavior, or freezing.[1]

In addition to the SNS, rarely during armed attacks do employees have real-time situational awareness of the attacker’s location and activity. The combined effects of the SNS and lack of situational awareness may result in dangerous and sometimes irrational behavior. For example, employees may be hesitant to abandon a presently unsecured location and relocate to a nearby safe room if getting there requires moving through space they cannot see (e.g., around a corner and into another hallway). If a door is equipped with a single-cylinder lock and no thumbturn, employees may be hesitant to open the door to lock it if they fear the gunman may enter the hallway.

Effective active shooter planning should anticipate the effects of the SNS and lack of situational awareness. Every effort should be made to compensate for these challenges by simplifying the expected actions of employees. Some practical examples include establishing emergency phone numbers that are easy to remember and dial under stress, ensuring that mechanical locks on doors feature a thumbturn and do not require a key for locking, providing abundant availability of safe rooms, and ensuring that escape routes do not require complex navigation to access discharge doors.

As an additional point, employees and on-site responders are not the only ones affected during high stress events. Security control room personnel suddenly launched into action with life-and-death consequences (even when remotely located) may experience some of the same impairing effects as people in the ‘hot zone.’ For this reason, critical communications systems should be designed for simplicity and control room personnel should drill regularly to minimize delays or omission of key tasks.

As we continue in upcoming articles, specific recommendations will be offered in hope of avoiding some of the many problems witnessed in previous attacks resulting from SNS impairment and lack of situational awareness .

In the next part of this series, we’ll explore recommendations for protecting people from outdoor ambush and early attack recognition.

[1] Grossman, Dave, and Loren W. Christensen. On Combat: the Psychology and Physiology of Deadly Conflict in War and in Peace. Warrior Science Pub., 2008.

Share on facebook
Share on twitter
Share on linkedin
Share on email

Facility Preparation for Active Shooter Attacks: Key Objectives (Pt. 3)

Design Basis Threat and The Active Shooter

Facility Preparation for Active Shooter Attacks: Key Objectives (Pt. 3)

In Part 1 of this series, we discussed how the integration of detection, delay, and response functions influences the overall performance of physical security. In security designs aimed at the protection of inanimate assets  (such as theft prevention and anti-sabotage situations), hardware components and physical construction (e.g.,  anti-personnel barriers, alarm systems, CCTV, etc.) are often the primary elements facilitating detection and delay. However, in the case of active shooter attacks, anticipating the actions of facility occupants is critical in designing a successful system.

Most organizations concerned about active shooter attacks have adopted the US Department of Homeland Security’s classic ‘Run-Hide-Fight’ doctrine as the basis for designing facility emergency action plans and training employees. This simplified response guidance is presented as a prioritized list of preferred protective responses when an active shooter attack is recognized. “Run,” for instance, should always be the first option when the opportunity is present. If “Run” is not possible, then “Hide” is the next prioritized option.

Although “Run” is generally the most preferred response, there are situations where attempting escape may be more dangerous than simply remaining in place. A good example is a multi-story building when an attack is launched at ground level. Rarely during attacks do people in the “hot zone” have accurate and real-time knowledge of the attacker’s location and safe routes of escape. In this situation, trying to evacuate through lower levels of the building where possible massacre is in progress may be far more dangerous than barricading in a nearby safe location.

To ensure best performance during armed attacks, facilities should be designed or upgraded to support these response actions and proactively address common challenges faced by people during life-threatening events.

Physical Security and Active Shooters: Key Objectives

The following points summarize key measures for protecting facility occupants during active shooter events.

Delay the attacker’s ingress into populated areas to permit time for critical alerts, escape and refuge actions, and deployment of the response force. (DELAY)

Protective layers should be designed to delay adversary movement into populated areas. If the attacker is an ‘outsider,’ this includes exterior barrier layers (e.g., facade glazing, doors, locks, etc.) and delay measures at entry points and public reception areas (e.g., lobbies, etc.). Additional protective layers securing work suites and high-valued assets (e.g., executive offices, etc.) should be used to frustrate adversary ingress further and provide critical delay against movement by ‘insider’ adversaries already located inside the building.

Expedite detection and assessment of the threat. (DETECTION)

As discussed in Part 1 of this series, time is critical during active shooter events and every measure that expedites detection of the attack and deployment of an armed response force is critical in mitigating  consequences. Measures that expedite event notification to security or authorities, such as panic alarms or gunshot detection systems, can greatly reduce the typical reporting times normally encountered by relying on witnesses to call an emergency number by telephone.

Rapidly and reliably alert all facility occupants. (DETECTION)

A critical part of effective response during active shooter events is fast and reliable alert to expedite protective actions by employees. Critical alerts should ideally be issued by audible means (public address) for the benefit of all facility occupants, and where feasible, followed by a redundant mass notification system (MNS) message for those who may not have heard the initial announcement. When important developments occur, updates can be issued to employees as follow up messages.

Facilitate easy and rapid evacuation/escape by employees and facility guests. (DELAY)

For employees located outdoors, ground level, or in building locations without safe refuge options, escape (DHS’ term ‘Run’) is the primary response. Escape routes should be abundantly available, easy to locate, and permit fast and unobstructed egress to safe locations away from the facility.

Provide safe refuge options for employees and facility guests unable to safely evacuate or who are unaware of the threat’s location. (DELAY)

One of the most basic facility preparations is ensuring adequate availability of safe rooms for people to take refuge if escape is not feasible. For this purpose, rooms should be abundantly available throughout the facility capable of providing adequate delay against forced entry considering the methods and tools likely to be employed by attackers.

Expedite the intervention of a response force capable of neutralizing an armed adversary. (RESPONSE)

Although many active shooter attacks terminate in suicide before the intervention of police or security forces, the speed at which security or police arrive and locate the adversary has a major impact on consequences of the event.

In an ideal scenario, police or armed security officers would be assigned to reliably ensure fast response times. If an organization cannot implement an on-site armed response capability, additional measures should be used to expedite the effective response of local police. Some examples include marking buildings on multi-building campuses with distinctive signage to ease location, establishing procedures for orienting and directing law enforcement officers as they arrive on scene, and preparations for providing building keys, access control badges, and floor plans to facilitate unimpeded movement by police.

Ensure employees are prepared to respond safely and without direction.

Even the best designed plans and facility preparations will fail if employees are unprepared to take independent action for their self-preservation during active shooter events. As detailed further in Part 4 of this series, the effects of the sympathetic nervous system during high stress events and lack of situational awareness can have a debilitating effect on employee response and even lead to dangerous actions. The first step in combating this problem is training employees in emergency response procedures.

The Department of Homeland Security and various municipalities throughout the US have produced short videos useful for this purpose. It is also recommended that training include instructor-led discussion about facility-specific measures for contacting security or police, location of suitable safe rooms inside the facility, special egress considerations (e.g., feasibility of roof access, etc.), communications systems, and location of medical kits.

In the next part of this series, we’ll explore common challenges and unique circumstances that often influence how these principles are best applied in different facility situations.

Share on facebook
Share on twitter
Share on linkedin
Share on email

Design Basis Threat and The Active Shooter (Pt. 2)

Design Basis Threat and The Active Shooter

Who exactly are we trying to protect ourselves against when we use the term “active shooter?”

For many, the answer to this question seems obvious—a “bad guy” killing people at random with a gun. However, this type of vague definition provides little guidance for developing an effective security design. A more useful definition considers:

    • How many adversaries would possibly be involved in an attack?
    • What is their level of skill?
    • What types of weapons would they bear?
    • What tools and methods of entry would they employ?
    • Would the attacker(s) likely be an insider, outsider, or potentially either?
    • Has the adversary employed any unique modus operandi in previous attacks?

Although many aspects of active shooter preparation are universal, these types of details have a major influence on the performance of our protective design and the benefit of system components (e.g., anti-personnel barriers, ballistic protection, etc.). Additionally, if our budget is limited, the answers to these questions can often guide us in prioritizing vulnerabilities of greatest concern.

As a security consultant, I’m frequently called on to assess facilities that have already invested in protective upgrades. In these situations, I frequently find examples of overlooked vulnerabilities, overconfidence in protective measures, or wasted expenditure. And these problems often stem from failing to define the attacker’s likely capabilities and methods as a driving factor in the original security design.

In professional approaches to security planning, this is the role of the Design Basis Threat (DBT) or Threat Definition. A DBT (or Threat Definition) provides a description of an adversary’s likely capabilities and tactics essential for determining the expected performance of security measures and identifying attack scenarios that should be addressed in security design.

Considerations for Developing a Design Basis Threat

Number of Attackers

The number of adversaries has a direct relationship to the potential effectiveness of our response force (i.e., Probability of Neutralization) and may influence the behavior of adversaries during attacks. One practical example is the likelihood of adversaries forcibly entering secured rooms to locate targets. Many documented incidents where adversaries forcibly entered locked rooms to seek targets involved more than one perpetrator.[1]

In the United States, the spectrum of active shooter adversaries has historically been quite diverse with most attacks committed by non-ideologically motivated perpetrators in alignment with Dr. Park Dietz’s definition of a pseudocommando.[2] The majority of these attacks are executed by a single attacker withstanding a handful of notable exceptions (e.g., 1998 Westside Middle School, 1999 Columbine High School, 2011 South Jamaica House Party, and 2012 Tulsa[3]). Historically, most terrorist-related active shooter attacks in the United States also involved only one perpetrator with exceptions including the 2015 San Bernardino and 2015 Curtis Culwell Center attacks.

Regional trends in adversary characteristics vary greatly in different parts of the world. In locations where terrorist attacks are the predominant concern, the number of perpetrators in attacks is often higher. In a study of 20 Marauding Terrorist Firearms Attacks (MTFA) conducted by the Critical Intervention Services in 2015, 1-2 perpetrators was most common in active shooter assaults in Europe with notable exceptions being events such as the 13 November Paris attacks.[4] In Africa, by contrast, terrorist groups such as Al-Shabaab frequently use teams of 4-9 attackers in assaults on civilian locations such as the Westgate Shopping Mall (2013), Garissa University (2015), and numerous hotels in Mogadishu.[5]

Relationship to the Facility/Organization

Is the adversary possibly an “insider” (e.g., current student, employee, etc.)? Or do the characteristics of our organization and environmental circumstances likely limit our concern to “outsider” adversaries? The answers to these questions often determine the relevance and priority of protective measures.

For instance, if the adversary is most likely an outsider, protective measures associated with perimeters, building facades, and entry controls are a high priority. By contrast, if the probable adversary is an insider, it is often wise to focus on indoor protective measures if the budget is a limiting concern. 

In school settings, the probable type of adversary is largely influenced by the age of students. Withstanding a handful of plots, shooting events in primary schools have been executed by adult-aged outsiders (e.g., 2017 North Park Elementary School, 2012 Sandy Hook, 2006 West Nickel Mines, etc.) and a handful of expelled students (e.g., 2016 Townville Elementary School). In secondary schools, the spectrum of perpetrators is more diverse including both current and former students, and to a lesser degree, adult-aged outsiders.

In closed workplace settings, the majority of mass shootings are committed by current or former employees (e.g., 2020 Molson Coors, 2019 Henry Pratt Co., 2019 Virginia Beach Municipal Center, etc.). Although less common than employee-related shootings, there have also been cases of nonemployees (outsiders) targeting businesses for reasons of personal or ideological grievance such as the 2018 shooting at YouTube headquarters and the 2015 Charlie Hebdo attack.

In attacks against houses of worship and ethnic cultural centers, outsider adversaries motivated by ideology or reasons of personal grievance have been most common. Some recent examples include attacks at the Poway Synagogue (2018), Tree of Life Synagogue (2018), First Baptist Church (2017), Burnette Chapel Church of Christ (2017), Emanuel AME Church (2015), and Overland Park Jewish Center (2014).

Outsiders have also been the dominant category of adversary in attacks against public entertainment venues such as nightclubs, theaters, entertainment districts, and festivals. In many of these situations, the venue is targeted due to mass casualty potential or the characteristics of its patrons. Examples in recent years include attacks at the Nels Peppers Bar (2019), Gilroy Garlic Festival (2019), Borderline Bar and Grill (2018), Jacksonville Landing (2018), Route 91 Harvest Festival (2017), Reina nightclub (2017), and Pulse nightclub (2016). Although most attacks in entertainment facilities are premeditated, there have also been cases of disputes among patrons escalating into mass violence such as the 2017 shootings at the Power Ultra Lounge and Cameo nightclub.

In situations where terrorism is the primary concern, outsider adversaries should be the first priority. Although there have been attacks executed by radicalized employees (e.g., 2019 Naval Air Station Pensacola, 2015 Inland Regional Center, 2009 Fort Hood, etc.), the overwhelming majority of terrorist armed assaults are executed by outsiders.

Entry Tools and Methods

 The delay time value of barriers (e.g., doors, locks, glazing, etc.) is directly related to the tools and methods adversaries may use to breach our barriers. Attacker tools and entry methods was one of the issues the CIS MTFA study team examined with the aim of creating a research-supported justification for defining threat capabilities.[6] Of the attacks assessed as part the study, in none of the events did attackers arrive equipped with tools (other than firearms) for the specific purpose of penetrating barriers. In case research conducted by CIS about other armed attacks against facilities over the past 20 years, the number of incidents where adversaries brought tools specifically for forced entry purposes was few. In the majority of attacks, forced entry was facilitated exclusively by blunt object impact (e.g., kicking, beating with rifle butt stock, etc.) and sometimes aided by bullet penetration or cutting with a bladed weapon.

For the purpose of designating or planning potential safe rooms, another issue worth considering is adversary effort and commitment to attack people located inside locked rooms. Joseph Smith and Daniel Renfroe describe their observations on this matter in an article on the World Building Design Guide web site: Analysis of footage from actual active shooter events have shown that the shooter will likely not spend significant time trying to get through a particular door if it is locked or blocked. Rather they move to their next target. They know law enforcement is on its way and that time is limited. [7] Separate case study research conducted by Critical Intervention Services also supports this perspective.

In a large percentage of attacks, adversaries focus solely on targets of easiest opportunity by using visually-obvious pathways and unlocked/unobstructed portals (e.g., doors, windows, etc) to facilitate indoor movement. This behavior may be due to perceived time pressure (“kill as many as possible before the police arrive”) or possibly diminished problem-solving ability resulting from activation of the Sympathetic Nervous System (SNS). In most documented attacks where adversaries committed effort to forcibly enter locked rooms, intervention by police or security forces was delayed and adversaries had exhausted all targets in accessible areas. 

When developing a DBT for use in a region where the main threat concern is a particular terrorist group, research should focus on identifying any unique tactics or preferences for entry methods demonstrated in previous attacks. Al-Shabaab, for instance, has employed disguise and deceptive entry tactics for gaining access through the outer perimeter of several protected facilities in Somalia. If we were developing a DBT for Al-Shabaab, it would be wise to consider attack scenarios employing deception and disguise in addition to overt entry methods.


Weaponry influences the potential effectiveness of our response force, and caliber and type of ammunition determines the effectiveness of ballistic barriers in resisting bullet penetration.

According to FBI statistics, handguns were the most powerful firearm used in most attacks (59%) with rifles constituting 26% of incidents.[8] Although the FBI has not published statistics on weapon calibers used in active shooter attacks, most mass casualty attacks where rifles were employed in the United States involved 5.56mm weapons with examples including assaults at the Pulse Nightclub (2016), Inland Regional Center (2015), Sandy Hook Elementary School (2013), and Aurora Century 16 Theater (2012).

Outside the United States, 7.62x39mm weapons (AK-47) have been most common.

Likelihood of a Hostage/Siege Event

Although not directly related to adversary capabilities, another possible factor to consider is the likely duration of an event. If the adversary is a terrorist group with a specific preference for hostage-taking or if we are located in a region where there has often been delayed intervention by police/security forces, circumstances may justify a more advanced level of preparation.

In the 2015 CIS MTFA study, 35% of all attacks escalated into a siege by police/security forces upon arrival. In a number of these incidents, intervention was delayed due to early confusion about the event (“hostage situation” versus “armed massacre”). Some events resulted in a siege when arriving police or security forces were overwhelmed by the adversary’s firepower and withdrew pending the arrival of more assistance. In other events, police and security forces made committed entry but the size of facility and movement of the attackers inside the building delayed location and neutralization of the adversaries (e.g., 2019 Virginia Beach Municipal Center, 2013 Washington Navy Yard, 2015 Corinthia Hotel Tripoli, etc.).

Incidents documented in the CIS study that escalated into a siege had a duration ranging between 2h 24m and est. 96 hours, with a mean duration of 21h 44m. Although most events resulting in siege durations over 2 hours were in Africa or West Asia, recent incidents have occurred in Western countries with effective response times over 2 hours such as the 2016 Pulse Nightclub shooting (194 minutes from first call to 911) and Bataclan Theater (~156 minutes from first call to 112).  

Developing a Design Basis Threat for Active Shooter Attacks

In the government community, many organizations promulgate official DBT statements to serve as a standardized reference throughout the organization. For instance, the Interagency Security Committee (ISC) in the United States produces a Design Basis Threat (DBT) document for use during risk assessments and security planning in Federal facilities. The ISC DBT includes several threat scenarios related to armed attack with narrative descriptions of the event, and adversary characteristics such as numbers of adversaries, weaponry, tactics, etc.

The US Department of Defense also provides similar guidance for DoD facilities in UFC 4-020-01 “DoD Security Engineering Facilities Planning Manual.”[9] In Table 3-27, DoD presents a generic DBT (Threat Parameters) including several categories of Aggressor Tactics and a system for defining progressive levels of threat. Each threat level is attributed a corresponding description of weaponry, toolset, and/or delivery method.

As a consultant, I am not an advocate of adopting generic DBTs unless required by official mandate. Instead, I prefer using a research-based approach which considers the specific characteristics of relevant adversaries, historical attack data, regional trends, and similar issues. This type of approach is often more laborious, but results in a custom DBT that is rational, justifiable, and specific to the threat situation.

When developing a custom DBT, I typically begin by collecting data about attacks against similar facilities in the region or attacks perpetrated by adversaries of relevance with focus on weaponry, number of attackers, and tactics. The following table illustrates how this type of data collection might be applied for a facility in Kenya where Al-Shabaab is the primary adversary of concern.

Al-Shabaab Attacks

After data has been collected, a threat definition is then developed representing likely adversary capabilities and modus operandi. In a basic approach, the DBT is written to match any capabilities well established by trend or average. In a cautious or very cautious approach, the DBT matches or exceeds the highest level of capability as demonstrated in previous attacks.

Al-Shabaab Design Basis Threat

Even in situations where there are no unique adversary groups to serve as a model, this same type of research-supported approach can be applied for creating a non-specific, but justifiable DBT. Following are some examples of reasonable threat definitions based on historical attack data and well-established trends in different regions of the world.

Active Shooter Characteristics by Region

[1] Examples including the 2015 Corinthia Hotel Tripoli attack and 2008 Taj Majal attack.

[2] Dietz, Park D. “Mass, Serial, and Sensational Homicides.” Bulletin of the New York Academy of Medicine.  62:49-91. 1986.

[3] Blair, J. Pete, and Schweit, Katherine W. A Study of Active Shooter Incidents, 2000 – 2013. Texas State University and Federal Bureau of Investigation, U.S. Department of Justice, Washington D.C. 2014. pp. 7. PDF. (The 2011 South Jamaica and 2012 Tulsa shootings are specifically noted as the only events involving more than one attacker in the FBI’s study of U.S. domestic active shooter attacks between 2000 and 2013.)

[4] Gundry, Craig S. “Analysis of 20 Marauding Terrorist Firearm Attacks.” Preparing for Active Shooter Events. ASIS Europe 2017, 30 Mar. 2017, Milan, Italy.

[5] Gundry, Craig S. “Threat Assessment Methodology and Development of Design Basis Threats.” Assessing Terrorism Related Risk Workshop. S2 Safety & Intelligence Institute, 25 Apr. 2017, Brussels, Belgium.

[6] Gundry, Craig S. “Analysis of 20 Marauding Terrorist Firearm Attacks.” Preparing for Active Shooter Events. ASIS Europe 2017, 30 Mar. 2017, Milan, Italy. (Presentation included results of an unpublished 2015 study by Critical Intervention Services.

[7] Smith, Joseph, and Daniel Renfroe. “Active Shooter: Is There a Role for Protective Design?” World Building Design Guide, National Institute of Building Sciences, 2 Aug. 2016, Accessed 22 Sept. 2017.

[8] Blair, J. Pete, Martaindale, M. Hunter, and Nichols, Terry. “Active Shooter Events from 2002 to 2012.” FBI Law Enforcement Bulletin. Federal Bureau of Investigation, 1 July 2014, Accessed 22 Sept. 2017.

[9] UFC 4-020-01, DoD Security Engineering Facilities Planning Manual. US Department of Defense, N.p.: 2008.

Share on facebook
Share on twitter
Share on linkedin
Share on email

Physical Security Design and The Active Shooter (Pt. 1)

Physical Security and Active Shooter Attacks
Physical Security and Active Shooter Attacks

Physical Security Design & The Active Shooter

By Craig S. Gundry, PSP, cATO |

When many people think of physical security, the first ideas that come to mind are things like locks, alarm systems, screening with metal detectors, CCTV, etc.—hardware components or procedures. Although these elements play a role in physical security, they have no value outside the context of the overarching system design.

In the context of active assailant attacks, performance-based physical security design integrates Detection, Delay, and Response elements in a manner that mathematically reconciles the time required for an adversary to commence mass killing and the time required for detection and response by security or police.

Fundamentally, physical security design is a mathematics problem defined by several key times and probabilities. The main performance metric of a Physical Protection System (PPS) design is its Probability of Interruption, defined as the probability that an adversary will be detected and intercepted by a response force before he/she can complete their objective.[1] The most important elements determining the Probability of Interruption are the Adversary Task Time (total time required for an adversary to enter a facility and access their target) and response force time. If the total time for detection, assessment, communications, and response force intervention is longer than the adversary task time, the system will fail. Specific elements alone (such as having an access control system or CCTV cameras) mean nothing outside the context of the overall system design. Individual PPS elements must work together integrally to reconcile these key times or the adversary will succeed.

In the context of active shooter events, detection usually is the result of visual or audible observation when the attack commences. Detection may also result from an alarm signal generated by forced entry into secured spaces or gunshot detection systems. The Time of Detection during an attack is represented in figure 1 as TD.

The time the report is received by authorities and/or assessed by a security control room for deployment of on-site armed officers is represented in the diagram as TA (Time of Assessment).

After the 911/112 center or security control room is alerted, the response force is subsequently dispatched to intercept and neutralize the adversary. This is represented in the following diagram as the Time of Interruption (TI).

Physical Protection System Times and Functions

While the alert and response force deployment is in progress, the adversary advances through barriers and distance to access targets and initiate mass killing. The time mass killing is in progress is represented in the previous diagram as Time of Completion (TC). The Adversary Task Time is the cumulative time between the Time of Detection and the Time of Completion. If the Time of Interruption is before the Time of Completion, the Physical Protection System (PPS) is successful in its function of preventing mass killing.

In most previous active shooter attacks, deficiencies in one or more key functional elements (Detection, Delay, or Response) result in a situation where mass killing (TC) initiates before the response force intervenes (TI).

Based on data yielded during several studies of active shooter attacks, the consequences of the difference in time between commencement of mass killing and response force intervention (TC versus TI) can be estimated as one casualty per 15 seconds.[2] 

Physical Security and Active Shooter Planning

Although the ideal objective of PPS design is to interrupt mass killing before it commences, real world conditions often limit the possibility of achieving a high Probability of Interruption. This type of situation is often common in ‘soft target’ facilities due to the need for unobstructed public access and facilities reliant on the unpredictable response times of off-site police. Other real world challenges such as cultural expectations, branding, and budget boundaries often limit the feasibility of implementing ideal physical security measures. And if an attack is launched by an insider adversary (e.g., employee, student, etc.) already inside the facility, physical protection elements at outer protective layers (e.g., perimeter, building envelope, entrances, etc.) will have little or no benefit.

Nevertheless, all measures that increase Adversary Task Time and expedite response time have a direct benefit in reducing potential casualties by narrowing the gap between TC and TI.

Sandy Hook Elementary School, 14 December 2012: Case Study of Performance-Based Physical Security Principles in Practical Application

 At approximately 09:34, Adam Lanza used an AR-15 rifle to shoot through a tempered glass window adjacent to the school’s locked entrance doors and passed into the lobby.[3]

 After killing the school principal and a school psychologist and injuring two other staff members who entered the hallway to investigate, Lanza entered the school office. Meanwhile, staff members concealed inside the school office and nearby rooms initiated the first calls to 911. Staff located throughout the building were alerted when the ‘all-call’ button on a telephone was accidentally activated during a 911 call.

After finding no targets in the office, Lanza returned to the hallway and proceeded into the unlocked door of first grade classroom 8 where mass murder commenced (approx. 09:36).[4] In less than two minutes, Lanza killed two teachers and fifteen students.

Sandy Hook Elementary Attack Diagram

As the attack in classroom 8 was in progress, teacher Victoria Soto and a teaching assistant in classroom 10 attempted to conceal children in cabinets and a closet.

After exhausting targets in classroom 8, Lanza proceeded into classroom 10 and killed Ms. Soto, assistant Anne Murphy, and five children. Although the exact reason Ms. Soto did not lock the door to classroom 10 is unknown, all classrooms at Sandy Hook Elementary School featured ANSI/BHMA “classroom-function” (mortise F05 and bored F84) locks which can only be locked with a key from the hallway-side of the door.

The tragedy ended in classroom 10 when Lanza committed suicide at 09:40 while police were preparing for entry into the building.

As common in U.S. primary schools, Sandy Hook Elementary School relied on off-site police as their response force during emergency events. Response was first initiated at 09:35 when a staff member called 911 to report the crisis. At 09:36, an alert was broadcast by radio and police units were dispatched to the school. The first police unit arrived at 09:39, followed immediately by two other units. After assessing the scene and planning a point of entry, the officers organized into a contact team and made entry into the school at 09:44.

In the context of physical protection system performance, the adversary task time (time between when Lanza’s entry commenced and mass killing was in progress) at Sandy Hook Elementary School was approximately 23 seconds. The time between detection of the attack and on-site arrival of police was slightly less than three minutes. However, there was an additional 5-6 minutes of time as officers assessed the situation and organized before making entry and effectively moving indoors to neutralize the killer. When assessing incidents involving response by off-site police, arrival time at the scene is irrelevant. What matters is the time ending when police arrive at the immediate location of the adversary ready to neutralize the threat. This describes the contrast between On-Site Response Time and Effective Response Time. At Sandy Hook Elementary School, the Effective Response Time was approximately nine minutes.

As illustrated in the following table, the variation between Adversary Task Time and Effective Response Time witnessed at Sandy Hook Elementary School has been historically common during active assailant attacks. In each of the six events documented below, mass killing was in full progress within 1-3 minutes of the time the attacker entered the building or shot the first victim. By comparison, the Effective Response Times ranged between 7 and 38 minutes, with most events ending prior to intervention by police when the attacker(s) escaped or committed suicide.

Active Shooter Timeline Infographic

Mitigating the consequences of active shooter attacks through better physical security design and integration


In the Newtown tragedy, PPS failure was largely the result of inadequate delay in relation to the time required for response by off-site police. When the attack is analyzed using Sandia’s Estimate of Adversary Sequence Interruption (EASI) Model, the original PPS at Sandy Hook Elementary School would have had a Probability of Interruption of 0.0006 (Very Low).

Sandy Hook Shooting Timeline
Sandy Hook Shoting - EASI Attack Analysis

In the case of Sandy Hook Elementary School, there are a number of measures that could have improved overall system performance.

Upgrade the facade with intrusion-resistant glazing. Adam Lanza entered the building by bypassing the locked entrance doors and shooting a hole through the adjacent tempered glass window. He then struck the fractured window and climbed through the breach. Tempered safety glass is generally only 4-5 times resistant to impact as annealed glass and provides minimal delay against forced intrusion. According to testing documented by Sandia National Laboratories, 0.25 inch tempered glass provides 3-9 seconds of delay against an intruder using a fire axe and the mean delay time for penetrating 1/8″ tempered glass with a hammer is 0.5 minutes.[5] However, impact testing documented by Sandia did not account for the fragility of a tempered glass specimen after first being penetrated by firearm projectile. In penetration tests Critical Intervention Services conducted of 1/4-inch tempered glass windows using several shots from a 9mm handgun to penetrate glazing prior to impact by hand, delay time was only 10 seconds.[6]

Upgrading facade glazing with the use of mechanically-attached anti-shatter film could have improved delay time at the exterior protective layer by 60-90 seconds.[7]

Construct an interior protective layer to delay access from the lobby into occupied school corridors. Once Adam Lanza breached the exterior facade into the school lobby, there were no additional barrier layers delaying access into areas occupied by students and faculty. A significant percentage of active shooter assaults by outsider adversaries originate through main entrances and progress into occupied spaces.[8] Some examples include attacks at the Riena Nightclub (2017), Pulse Nightclub (2016), Charlie Hebdo Office (2015), Inland Regional Center (2015), Colorado Springs Planned Parenthood (2015), Centre Block Parliament Bldg (2014), and US Holocaust Memorial Museum (2009).
An ideal lobby upgrade would be designed to facilitate reception of visitors while securing the interior of the school through a protective layer constructed of intrusion-resistant materials. Depending on material specifications, an interior barrier layer could have delayed Adam Lanza’s progress into the school by an additional 60-120 seconds.
Sandy Hook Elementary School Lobby Concept

Replace “classroom-function” locks on school doors with locks featuring an interior button or thumbturn. All classroom doors inside Sandy Hook Elementary were equipped with ANSI “classroom-function” locks (mortise F05 and bored F84). These are perhaps the worst choice of locks possible for lockdown purposes during active shooter events. As witnessed in a number of attacks, doors equipped with classroom-function locks often remain unlocked due to difficulty locating or manipulating keys under stress. In addition to Sandy Hook classroom 10, another incident where this situation clearly contributed to unnecessary casualties was the 2007 Virginia Tech Norris Hall attack.[9] In these two events alone, 26 students and faculty were killed and 24 wounded specifically because the doors to classrooms could not be reliably secured.

Ideal specifications for door locks would be ANSI/BHMA A156 Grade 1 with an ANSI lock code of F04 or F82.[10] Mechanical locks rated ANSI/BHMA Grade 1 have been successfully evaluated under a variety of static force and torque tests. Locks coded as F04 and F82 feature buttons or thumbturns to facilitate ease of locking under stress.

Although there are no empirical sources citing tested forced entry times against ANSI/BHMA A156 Grade 1 rated locks, it is estimated that a committed adversary using impact force with no additional tools could penetrate improved locks in approximately 90-110 seconds.

Replace door vision panels with intrusion-resistant glazing. During the attack at Sandy Hook Elementary, Adam Lanza was able to enter classrooms 8 and 10 directly through unlocked doors. If these classrooms were secured, the tempered glass vision panels on all classroom doors could have been easily breached to facilitate entry in less than 10 seconds.

An effective approach to physical security specification would ensure that all barriers composing the classroom protective layer are composed of materials with similar delay time values. This could be accomplished by ensuring that vision panels are no wider than 1.5″ (3.8 cm) or constructed of intrusion-resistant glazing such as laminated glass, polycarbonate, or reinforced with anti-shatter film.

If the aforementioned barrier improvements were employed in the PPS design at Sandy Hook Elementary School, Adam Lanza’s access into occupied classrooms would have been delayed by an additional 162-312 seconds. This would have improved the overall performance of the PPS by potentially increasing the Adversary Task Time to 185-335 seconds before mass killing was in progress. Although this is a significant improvement from the original Adversary Task Time (est. 23 seconds), 335 seconds is still less than the estimated response time of police during the original event (est. 544 seconds).

In many cases, accomplishing the performance-based objective of interrupting an active shooter before mass killing commences requires a combined approach aimed at both increasing delay time and decreasing response force time. In the case of Sandy Hook Elementary School, decreased response time could have been facilitated by the use of gunshot detection technology or duress alarms, improved communications procedures, and similar improvements. Any measure that decreases alert notification and response times has a beneficial impact on system performance. Even if enhancements only reduce response time by 10 or 15 seconds, such improvements have the theoretical benefit of reducing casualties by one victim per fifteen seconds of decreased response time.

In the situation of Sandy Hook Elementary School, the greatest improvement could have resulted from having an on-site response force (e.g., armed school resource officer) capable of reliably responding anywhere on the school campus within 120 seconds of alert.[11] If this measure were implemented, the total estimated alert and response time could have been improved to 147-157 seconds. When compared to the increased Adversary Task Time of 206-316 seconds, the improved PPS design would have likely resulted in interruption before mass homicide commenced. When analyzed using Sandia’s Estimate of Adversary Sequence Interruption (EASI) Model, the improved PPS would have resulted in a Probability of Interruption of 0.87 (Very High).

The following table and spreadsheet models the PPS improvements described in this article to demonstrate how performance-based physical security design can influence the outcome of armed attacks.

Sandy Hook Elementary - Improved Security Design
Sandy Hook Elementary Physical Security

Threat Characteristics and Physical Security Performance

The delay time expectations of physical barriers cited in this article were based on the weaponry and methods of entry employed by Adam Lanza at Sandy Hook Elementary School. If Lanza had employed different tools or methods, the delay time of barriers would have correspondingly been different. The same principle is true for bullet-resistant barriers. The ballistic resistance of materials is directly relative to the caliber and type of ammunition used by an adversary.

To ensure a security design performs as expected, it is first necessary to establish a definition of the adversary’s likely capabilities and tactics. In Part 2 of this series, we’ll continue this discussion by exploring trends in the behavior of attackers, threat capabilities and methods, and approaches to developing a Design Basis Threat (DBT) suitable for security planning.

[1] Garcia, Mary Lynn. Design and Evaluation of Physical Protection Systems. Burlington, MA: Elsevier Butterworth-Heinemann, 2007.

[2] Anklam, Charles, Adam Kirby, Filipo Sharevski, and J. Eric Dietz. “Mitigating Active Shooter Impact: Analysis for Policy Options Based on Agent/computer-based Modeling.” Journal of Emergency Management 13.3 (2014): 201-16.

[3] Sedensky, Stephen J. Report of the State’s Attorney for the Judicial District of Danbury on the shootings at Sandy Hook Elementary School and 36 Yogananda Street, Newtown, Connecticut on December 14, 2012. Danbury, Ct.: Office of the State’s Attorney. Judicial District of Danbury, 2013. Print.

[4] Time estimated based on witness event descriptions and assessment of time required to walk through the school office and down the corridor to classroom 8.

[5] Barrier Technology Handbook, SAND77-0777. Sandia Laboratories, 1978.

[6] Critical Intervention Services assisted a window film manufacturer in 2015 in conducting a series of timed penetration tests of 1/4-inch tempered glass windows with mechanically-attached 11 mil window film. The tests involved penetration by firearm followed by impact (kicking and rifle buttstock). The delay times ranged from 62 to 94 seconds and deviated according to the aggression of our penetration tester.

[7] Ibid.

[8] Gundry, Craig S. “Analysis of 20 Marauding Terrorist Firearm Attacks.” Preparing for Active Shooter Events. ASIS Europe 2017, 30 Mar. 2017, Milan, Italy.

[9] Mass Shootings at Virginia Tech. April 16, 2007. Report of the Review Panel. Virginia Tech Review Panel. August 2007. pp.13.

[10] ANSI/BHMA A156.13, Mortise Locks and Latches. Builders Hardware Manufacturers Association (BHMA), New York, NY, 2011.

[11] CIS Guardian SafeSchool Program® standards define a performance benchmark of 120 seconds as the maximum time for acceptable response by on-site officers. However, achieving this type of response time in many facilities requires careful consideration of facility geography, communications systems, access obstructions, and officer capabilities (e.g., training, physical conditioning, etc.).

Share on facebook
Share on twitter
Share on linkedin
Share on email

Facility Preparation and The Active Shooter Threat (Main Article)

Facility Preparation and The Active Shooter Threat (Main Article)

By Craig S. Gundry, PSP, cATO |

Comprehensive risk management programs employ a multi-layered approach to reducing the risk of active shooter violence. Issues such as threat recognition and assessment, reinforcement of positive workplace/school climate and culture, suspicious activity recognition and reporting, emergency planning, and employee training all contribute to reducing the risk of active shooter attacks. However, if measures employed to prevent attacks are unsuccessful or an outsider targets the facility in a manner that evades our proactive influence, physical security and infrastructure readiness are crucial factors influencing the consequences of the event.

In recent years, much has been published focused on managing risks of active shooter violence through preventive approaches and response training. Organizations such as the US Department of Homeland Security, ASIS International, and the Association of Threat Assessment Professionals offer a wealth of information to assist in developing threat assessment and management programs and training employees in active assailant response.

Unfortunately, far less attention has been devoted to equally important matters of building design and physical security. Withstanding a handful of essays and school-related publications, there is little guidance in print about designing and preparing facilities for active shooter violence. Further, most guides that have explored this subject to date have been basic and tend to overlook important vulnerability issues and technical details.

The following collection of articles aims to address this situation and serve as a comprehensive design guide and technical reference for architects, building managers, and security professionals. The essays in this series were originally prepared for a book I have been writing for the past few years. Although I will probably submit the final body of work for print when everything is complete, we have decided to publicly release what has been written thus far in hope of filling the gap in current literature.  

Protective Design Concepts

Parts 1-4 of this series provide an overview of protective strategy for reducing active shooter risk, principles of performance-based physical security, and practical issues that should be considered during the design process.

      1. Physical Security Design & The Active Shooter
      2. Design Basis Threat & The Active Shooter
      3. Facility Preparation for Active Shooter Attacks: Key Objectives
      4. Unique Planning Considerations

Universal Protective Measures

Parts 5-14 of the series address specific preparation matters applicable to most facilities including topics such as secure entry control, safe rooms, egress design, and emergency communications infrastructure.

      1. Outdoor Protective Measures
      2. Building Envelope & Entrance Design
      3. Entry Control Screening
      4. Access Control Systems
      5. Safe Rooms
      6. Egress Design
      7. Attack Detection Systems
      8. Emergency Communications Infrastructure
      9. Armed Response Officers
      10. CCTV and Control Rooms
  1. Technical References

Throughout this series, references are made to various standards for hardware specification and barrier construction. The following articles are provided as a technical reference to assist architects, engineers, and security professionals in interpreting these standards and/or evaluating the vulnerability of existing security barriers.

A. Forced Entry Standards
B. Ballistic Protection Standards
C. Protective Barrier Materials & Construction

Share on facebook
Share on twitter
Share on linkedin
Share on email