When watch lists aren’t enough

By Chriss Knisley

We are protected by brave men and women who rely heavily on lists. 

Every time something bad happens, society’s first reaction is to retroactively search through all those lists to see if the latest bad person is on, or ever was on, some list of known bad people. There are public lists, lists available only to law enforcement, lists available only to certain agencies and super-secret lists known to only the most trusted.

The lists exist for good reason: we need a way to keep track of people we suspect of ties to or support of terrorist organizations, or who are known sex offenders, felons or substance abusers, to name a few. Names are added to or removed from each list as the list owners deem appropriate and most of us live our lives hearing about these lists only in the aftermath of a catastrophic event such as the Orlando nightclub shooting. Post event, the lists are frequently used to point fingers and assign fault. Whether this bad person should have been on a list, shouldn’t have come off the list, or the right list wasn’t consulted at the right time, the use of lists makes for easy scapegoating.

In an ideal world, we wouldn’t need lists. We wouldn’t have to scrutinize any citizen, visitor or traveler to understand their risk to national security. We wouldn’t have to have thousands of analysts spending countless hours researching the lists to ensure they are accurate and complete. The truth is, we don’t live in an ideal world and our national security and law enforcement apparatus spends large amounts of money on creating and managing these lists.

Make no mistake, these lists are useful and have helped law enforcement and national security keep our communities and nation safe. However, many lists break down for three reasons:

• They frequently fail to capture the potential risk in any actionable way.

• They often lack dynamic or streaming analytics to adjust potential risk in immediate response to new information.

• Because of the first two, they are often difficult to effectively integrate within decision processes.

As luck would have it, there are several ways to remedy these shortcomings. First, actionable risk intelligence requires more than just posting a name to a list. It must include the context around the potential threat the person represents as well as their ability to do harm. Risk is a function of threat, vulnerability and consequence. Only by combining the three can we truly understand risk.

Today’s watch lists often provide little more than potential threats with no insight into the level of threat, capability to execute or potential targets and consequences. Rather, they are typically binary: either you’re on the list or you’re not. Consider the fact that most states consider theft of something worth more than $500 a felony, so a list of felons could include a murderer, child pornographer and an 18-year-old that shoplifted an iPad. Watch lists of the future must deliver this context in ways that allow users to make better decisions without getting overloaded.

Second, threat and other risk factors are dynamic values that should be regularly updated based on all the available information. If a single report comes in that someone is “off”, it may be enough to investigate, but lack enough information to take any action. If that individual later starts posting to social media pledging support to a known terrorist organization, the list should be dynamically updated to reflect increased threat and other risk factors. Finally, because of the binary nature of the lists, combined with the lack of dynamic updates, most lists are difficult to integrate within real-time decision processes. Hence our frequent retrospective desire to find out if the latest bad-person-in-the-news was on some list somewhere.

With today’s streaming analytics, each of these factors can be captured and measured in near-real-time as new information becomes available. Binary threat possibility is the only thing a watch list provides, while vulnerability and consequence have to do with the potential target or where the list is applied.

The volume of information necessary to calculate risk on a continual basis is too much for an analyst or team of analysts to process in a timely way. We must rely more heavily on dynamic risk calculations based on all the available information in order to make watch lists more effective. The technology exists today to bring in high volumes of real-time data, process it according to expert-designed models that reason over the data in much the same way an analyst would to understand if it changes the risk, and push the information out to the right people or systems in the field where it matters.

By maintaining the lists in systems designed to integrate with other systems and provide mobile interfaces to front-line staff, we will be able to move watch lists from a favored means of retrospective finger pointing to a useful tool for real-time intervention and agile response. This new era of streaming data analytics will enable us to stop just making lists and start understanding real-time risk.

Chriss Knisley is the president of Haystax Technology, an advanced risk management company. He has led business development, software engineering, product marketing and sales engineering teams for industry-leading software companies. Knisley can be reached at cknisley@haystax.com.