This blog article is about different types of kidnappings, and how we can determine if we are at risk from them i.e. how to make a risk assessment around kidnappings etc. This article is prompted by a seminar I conducted yesterday, around armed abductions.

The first thing we must do if we are to ascertain whether we are at risk or not, or what the level of risk is, is to make a risk assessment. There are three things we need to look at in order to do this: assets, threats and vulnerabilities. An asset is something, which we value, and want to protect from potential threats; it maybe an object such as a car, building or laptop, it may be information (possibly contained on a laptop), or a person, such as ourselves. In kidnapping scenarios, we may neglect to consider certain assets, and so not put in place any measures to protect and secure them e.g. If you are on business in a foreign country, and are the victim of an express kidnapping, where you are taken to ATM’s and forced to withdraw money etc. you may not consider that the company data you have on your laptop, is an asset that could be at risk – one of your kidnappers forces you to login to your computer, so that they can access personal information about you, such as reading your emails, and in the process find company data that if leaked would give your company’s competitors an advantage etc. Making a comprehensive inventory of your assets is part of your risk assessment.

One of the other things you need to consider when making such a risk assessment are those things which are threats to your assets. In this case it is the different types of kidnapping there are, and how they relate to you i.e. what type of threat are they to you (this is where you conduct a threat assessment). There are various types of kidnapping, and how they relate to you may change according to geography e.g. in one country you may be a desirable target for a particular type of kidnapping, and in another not. In the US, you may be seen as someone with not enough financial resources to pay a significant ransom, however as soon as you set foot in South America, parts of Africa, that perception may change. The level of threat, may change based on your geography. If you are a successful business person, with a high net worth, who may have your own security detail, you may be targeted whether you are in the US or abroad; it may be that your kidnappers take advantage of a business trip you take to South America, however in this instance your geography has not changed/altered the threat, but instead has exploited a potential vulnerability e.g. your security detail is not familiar with the environment in which they are working etc.

Understanding vulnerabilities that a threat can exploit either deliberately or inadvertently is the third part of your risk assessment. If you recognize that a kidnapper could gain access to the company information on your laptop, you can look at ways to correct this vulnerability. You may at first think of encrypting such data, so the person trying to gain access to it needs a specific password to unlock it etc. This would work, if your laptop was stolen, however it wouldn’t work if a kidnapper put a gun to your head and told you to unlock a particular file/directory or they would shoot you. In this situation the data is still vulnerable. If you hid this data on an encrypted partition of your hard drive, which was not easily identifiable to anyone who didn’t know the partition existed you have dealt with this vulnerability. If you leave your house at the same time every day, taking the same route to work etc. your predictable routine, makes you vulnerable to anyone who may want to kidnap you. It is worth pointing out that in a “Tiger Kidnapping”, you are not the person of value, but are a bargaining chip to leverage somebody else to commit a criminal activity e.g. your partner may have the access codes to a safe, and you are kidnapped, in order to force them to give up those codes to your kidnappers etc. If your kidnappers know your routine you will be an easy target for them.

If you are targeted for this or a similar kidnapping, your chance to identify that you have been selected is by picking up on your kidnapper’s surveillance of you – sometimes this is crude, sometimes it can be relatively sophisticated and difficult to identify. If you leave your house at the same time each morning, it is easy for a car to follow you, and determine the route you take – it is also relatively easy for you to identify this. However, if a car follows you for a few turns, and then another takes over for a few more, and another after that etc. you will probably not pick up on these change-overs, and fail to realize that you have been followed. It is unlikely that a kidnapper would put direct these resources to the target of a basic kidnapping, however if the potential rewards and gains were big enough they may well do so. If you kept changing your route to work, it would be extremely difficult for each car to know where to wait and take over from the one that was following you. It can be difficult, and sometimes impossible to reduce threats, however it is always possible to manage vulnerabilities.

Risk, is basically the intersection of assets, threats and vulnerabilities. If there are no threats, there is no risk, if there are no vulnerabilities there is no risk etc. if we can manage our vulnerabilities we can reduce risk. If we our realistic in our threat assessments, we can identify what we are at risk from e.g. if we are not a prominent political figure, it is unlikely that we will be at risk of a “political” kidnapping, where we are taken to either produce political change, or force political/terrorist prisoners to be released etc. By understanding threats and vulnerabilities, we can start to reduce risk.