Taking a Rational Look at the Risk of Threats

NY Times - 11/20/15

The terrorist attacks in Paris last week that killed 130 people and injured hundreds more instilled fear in millions of people who weren’t anywhere near the attacks. That, of course, is the point of terrorism.

The sheer randomness of the attacks will persuade some people who may be at higher risk to dismiss any chance that they could find themselves in a similar situation, while others with no need for concern will worry excessively.
“We as human beings don’t perceive risk rationally,” said Martin Hartley, chief operating officer of PURE Insurance, an insurance company aimed at wealthy clients. The Paris terrorism, he said, “makes the risk seem far worse by its magnitude not by its probability. That’s the challenge of risk.”

Which risks are worth guarding against and which ones aren’t? For a fee, various consultants are offering to answer that question.

The very wealthy are among those at some risk. In September, the terrorist group Al Qaeda in the Arabian Peninsula called for the assassination of various billionaires in the United States, including Bill Gates, Larry Ellison, Warren E. Buffett and the Koch brothers.

It’s not an insignificant threat, said Christopher Falkenberg, president of the security and risk management firm Insite Security and a former Secret Service agent. “They’re looking for the easiest target with the highest yield,” he said. “If you subscribe to the theory in the magazine, Al Qaeda in the Arabian Peninsula will succeed in the U.S. by disrupting its economic system, and one way to do that is to kill successful businesspeople. It puts a large target on them.”

Mr. Falkenberg, whose clients include a list of hedge fund managers, said personal security could reduce the likelihood of an attack. It can also make one prominent person less desirable than one without security. “One billionaire is equal to another in the minds of the Al Qaeda guys,” he said.

If you’re not a billionaire, chances are you won’t be singled out by terrorists and probably don’t need a security detail that Mr. Falkenberg said would start at $180,000 a year.

But that doesn’t mean people won’t try to prey on your fear to make a sale. “For the average wealthy person, there is a complete huckster industry to sell them protection against Islamic terrorism that they don’t need,” said Roderick Jones, a former British intelligence agent and now chief executive of Concentric Advisors, which provides digital and personal security services.

“Terrorists are very selective on how they train and deploy against a rich person,” he said. “If you’ve gone to the trouble of infiltrating America and training, you want bang for your buck.”

Still, some affluent people may want to consider spending on one-off protection programs for travel abroad.

“It’s been obvious for a long time that someone needs security if they’re going to Mexico City,” Mr. Jones said. “It wasn’t obvious before these attacks that you needed security if you were going to Europe. You need a more critical mind-set about Europe. Americans are used to going to Europe and not worrying.”

The cost for this varies widely. Mr. Jones said it could be as little as $2,000 to find a safe car to pick a couple up at the airport and check that they made it to their hotel, to nearly $1 million to organize coverage for a large party traveling to an event for a long time. He said his firm was working on one such case for the Summer Olympics in Rio de Janeiro.

But Tim Horner, managing director and practice leader of security risk management at Kroll, urged people who might run out and try to hire a security detail for their next vacation to think it through. People need to do due diligence on the quality of the adviser providing the assessment, he said, to put the fee in context.

He said his firm generally started with an overall assessment of the threats someone could face and the level of vulnerability in their daily lives. This generally costs $25,000 to $75,000. But he said assessments had run as high as $150,000 when a client has multiple homes, boats and aircraft.

After that process, when a client calls for travel advice, the fee could range from nothing to give a simple assessment of risk to $100,000 or more to investigate a trip and provide security for, say, a group of affluent people traveling together in a dangerous area.

For most people, even very wealthy people, the bigger risk is being a victim of online crime.

“The real threat to rich people is digital crime,” said Mr. Jones, whose company has formed an alliance with Pure Insurance called CyberSafe to help with such crimes. “If you build a bunker to protect against an AK-47 but don’t protect your Internet browser, you’re missing the point.”

He said he had met with a group of private banking clients in Portland, Ore., and the majority of them had been victims of some digital crime. “A lot of the news is about this sophisticated cyberwar and what the Chinese and Russians are doing,” he said. “But in reality, people are getting robbed blind out there, and it’s an economic crime.”

He said the common thread in that group was they were over 55 and had poor technology skills.

Through the CyberSafe partnership, his firm offers a home online security audit, which starts at $1,500 a day, and a monitoring program that costs $500 to $3,000 a month. One of its focuses is on regularly updating security systems, given how quickly hackers can get around existing systems and firewalls.

Mr. Hartley said the impetus for the alliance was an insurance customer who lost $100,000 from his bank account, wired out by a hacker who had so much information that he was able to pass as the man, including getting the person’s assistant to confirm the transfer. The bank refused to refund the money since it said the proper protocols were followed.

“With credit card fraud, you’re not going to be out of pocket,” Mr. Hartley said. “This sort of regulation has not reached cybertheft with money and banks. There is no such protection today. It’s on the good will of the bank.”

For the average person, phishing scams remain a persistent and often successful threat. They generally come as emails that look as if they are from a financial institution or social networking site and include a request for passwords or other personal data.

Tim Bloechl, who spent 20 years in Army intelligence and now leads CyberDx, a division of Quantum Research International, that does vulnerability assessments of networks, said he adapted a program he worked on in the military to test employees’ willingness to click on phishing scams.

Despite repeated warnings not to click on links in unknown emails, people continue to do so. In CyberDx’s exercise, the employees are taken to a screen that admonishes them for clicking. In real life, he said, those clicks are how hackers get into personal or professional computers and networks.

In most cases, people could make themselves the online equivalent of the billionaire with the bodyguard — with solid enough defenses so that hackers move on to easier targets.

Neal O’Farrell, chief executive of Privide, a security consultant, and founder of the nonprofit group Identity Theft Council, said apathy was the biggest problem to digital protection.

“The financial services community has been very good at persuading consumers that zero liability means zero responsibility about identity theft,” he said. “One of the biggest challenges is to get consumers to believe that it will happen, and it will be painful. But you can minimize the down time.”

Mr. O’Farrell said simple steps included monitoring or freezing your credit with the three reporting agencies. Another is to guard your password.

Still, in the world of risk assessment, attacks from hackers and terrorists compete with more traditional risks. For Mr. Hartley, the insurance executive, car accidents are his biggest concern. And Mr. Horner at Kroll worries about theft by domestic help and threats from terminated employees.

And if those risks are not scary enough, the Centers for Disease Control and Prevention reported that the leading cause of death continued to be heart attacks.