What happened?

On June 2nd, 2023 at about 5pm, two women (age 22 - 26) were stabbed repeatedly by a man (age 39) at the mall named Plaza Hollywood in Hong Kong.

The incident happened during a bustling Friday afternoon, so many bystanders witnessed the horror. The man, believed to be mentally ill, was arrested by police at the scene.

The man's motive was unclear, and he had purchased a 12-inch long knife from a store within the mall prior to the incident. The two women were declared dead later at the United Christian Hospital.

There are two elements surrounding this incident. Psychological health of the general public and security management of the mall. This post will focus on the latter: Security Management.

What to do?

Following a major security incident, the business shall review its security management arrangement. Shall we increase our security? If yes, by how much? And how much is enough?

If nothing or too little were done and similar incident happens again, the impact to business will be much higher and legal liability could follow. If too much was done, the costs and disruptions to the business would not be justified.

But the question remains: how much is not too little nor too much? In another word, how much is optimal for the business? Security department is part of the business, and like any other department, security must contribute to the business objective and justify its spending.

Threat, Vulnerability & Risk Assessment

All business have assets. Security department's main objective is to protect these assets by mitigating security risks against those assets to a tolerable level.

Two of the largest assets of a mall would be its customers and reputations. In response to this stabbing incident, the business should instruct the security department to initiate a threat, vulnerability, and risk assessment (TVRA).

During the TVRA, each item in the methodology shall be reviewed. Here is an example:

Threats:

1. Past active attack incidents of the mall or its peers (e.g.: another nearby mall)

2. Mental illness incidents around the community (e.g.: attack happened at a local market)

3. Dangerous merchandise (e.g.: 12-inch long knife, corrosive liquid, big frying pan, etc) availability

Vulnerability:

1. Lack of emergency response training on active attack incidents

2. Lack of first aid training

3. Lack of equipment (e.g.: defensive shields)

4. Lack of detection (e.g.: commotion, screaming sound, or sudden silence detection)

5. Inadequate video surveillance coverage and artificial intelligence support

Based on the example above, security risks emerged. Each risk would have an impact and probability rating* assessed. The product of the ratings is the risk score, and based on the score, risk level** can be determined.

TVRA allow the business to view security risk in an objective way, and it would help to answer the question: how much is not too little nor too much? Security department should implement just enough security measures in order to reduce the untreated risk score to a tolerable level.

*impact and probability ratings are usually ranged from 1 - 5. Each rating would have a definition agreed upon amongst senior management, asset owner, and security department.

**risk levels are usually ranged from low, medium, and high. A high level risk would have the highest priority for mitigation implementation.

The Bottom Line

Senior management is responsible for the security of the business. TVRA is the method for the business to address security risks optimally. Talk to your internal or external security consultants for a general or ad-hoc security review.