How to Identify Lone Wolf Terrorists in Three Decision Steps

Security Brief       

Terrorist threat has many facets and instances. Some methods and actors diminish over time giving place to others. Previously less-known become prominent. Terrorism forms and methods thought insignificant, least dangerous keep evolving to become among most damaging. This is the nature of terrorists—they are in constant search of system vulnerabilities and move fast and are highly flexible and adaptive to the changing environment, in finding new organisational forms, execution methods, and new recruits as well as inspiring other, independent perpetrators.

This is the case with terrorists known as lone wolfs–individuals or a small number of individuals who commit an attack being inspired by a terrorist group and its ideology without being directed or materially supported by it.



– Attacks carried out by lone wolfs (individuals and small number of them) became a dominant vehicle for terrorism in Western countries.

– Identifying and tracking lone wolfs and eventually stopping them is even more difficult than in the case of terrorist organisations.

– Traditional methods of surveillance, data collection and processing appear ineffective against this category of perpetrators. The same is true for decision making methods.

– A flexible decision making process using small set of formalised methods based on sense-making, professional intuition, and simple but powerful decision rules (known as heuristics) offers an opportunity worth considering and testing.

The threat

Just five years ago the following statement was quite typical from terrorism experts: ‘But should the American public panic over this shadowy enemy? Is the lone wolf really so scary after all? Not if its record of lethality is any indication. The four lone wolf attacks since Sept. 11 managed to kill just one civilian… And the perpetrators used weapons no more powerful than a gun.’

Today, situation is very different, especially in Western countries. Lone wolfs are identified as a ‘growing threat’ and rightfully so. As stated in the Global Terrorism report, ‘the majority of terrorist attacks in the West are not carried out by well-organised international groups. Instead, the terrorist threat in the West largely comes from lone wolf terrorism. … These types of attacks account for 70 per cent of all deaths in the West from 2006 to 2014.’ And as evidenced in the global terrorism databases, the trend keeps expanding geographically, diversifying in terms of weapons and perpetrators, and intensifying in terms of lethality of attacks. The massacre carried out by a lone wolf terrorist in Nice using a truck was defined by specialists as ‘weaponization of everyday life’ by terrorists and as such presenting ‘insurmountable challenges for security officials’. Terrorist organisations, in first hand ISIL, are taking advantage of it and are increasingly ‘quick-radicalising’ vulnerable individuals and using lone wolfs for their purposes: only between October 2015 and August 2016  this category of terrorists carried out 20 attacks in Western countries.

The challenge

To prevent a terrorist attack, security agencies shall have enough information received and processed in advance time to allow them stop it effectively. This is not the case, unfortunately—the information is always incomplete, not always verifiable or reliable, and usually there is no much time at disposal. Even more difficult is to prevent attacks carried out by lone wolfs, because they are often-time unknown, untraceable, and as a result highly unpredictable.

Decision-making in intelligence comprises the same elements as in any other decision-making process governed by a mix of search and decision rules. The challenge is that by broadening the search parameters specialists get an enormous amount of data on millions of people who meet the predefined (numerous) criteria, which makes time of processing prolonged, the exercise laborious, expensive and dependant on sophisticated computation. There is no such luxury in security and counter-terrorism (even if funds and other resources would allow)—things move very fast and may change direction at any moment, with totally new actors and methods employed. Therefore a lot depends on the efficiency of methods used for collecting and processing the information, and especially for the final stage—that is, making decisions and acting upon them.

The proposal

Intelligence officers are closely following certain people they believe are representing a real threat as terrorists (i.e. terrorism suspects). Daily screening of information received from various sources also gives early warning signals of suspicious behaviour of many other individuals. The purpose is to find potential ‘new entrants’ who could be flagged for closer surveillance. But first you have to identify them. The problem is that vast majority of these random signals are ungrounded or irrelevant, but still must be assessed—pretty much seeking a needle in a haystack. Not an easy task, even in the case of organisation-affiliated terrorists, let alone a loner.

The approach I propose aims at helping counter-terrorism specialists handle this initial screening/assessment process of enormous datasets relatively quickly, using a formalised but adjustable, open to experimentation process, while arriving at accurate inferences. The approach is based on a notion of ecological rationality—that is, to arrive at more adaptively useful outcomes, decision-making mechanisms shall exploit the structure of the environment and the information it offers.

Process requirements

Requirements I set for effective and efficient decision making to identify lone wolfs are grouped in terms of input, information processing, and output characteristics:


  • Limited information: Ability to perform using limited and relatively accurate data;
  • Time constraint: Fast and computationally easy, to screen and evaluate large number of candidates;
  • Resource constraint: The scope notwithstanding, can be undertaken by an individual or a small team of professionals.


  • Flexibility: Rules allowing use of different clues (factors, features, aspects, criteria) and interchangeably, assign different values, and order them in alternative ways;
  • Focus: Applicable to evaluating both single candidates and a group of candidates;
  • Compatibility: Ability to make judgement of an individual candidate (or candidate group) without comparison to other candidates or reference to baseline (historical) data.


  • Operational usefulness of decision: Deterministic decision at the output (i.e. telling what to do, take-the-best);
  • Certainty of decision: Discharged from the ambiguity of input information; minimal interpretation of decision (i.e. pointing to one selected action);
  • Overall quality of decision: Good enough although not optimal (i.e. accuracy rate is acceptable, enough to act upon it).

Decision making in three steps

Step One: Defining the search cues

The objective of initial step is to define search cues as key characteristics of an object assessed for decision purpose. This is done by identifying distinct features which the candidate for detailed screening must possess in order to be further considered. There are two sequential tasks under this step.

First task: Set key search cues

Key features serve as criteria to help assessing the candidates in decision-making process and shall be grounded in some (generally or locally) accepted definition of the target population. In this case this would the definition of lone wolf terrorists. I will use the general definition offered by National Security Program of the National Security Critical Issue Task Force (NSCITF; 2015): ‘The deliberate creation and exploitation of fear through violence or threat of violence committed by a single actor who pursues political change linked to a formulated ideology, whether his own or that of a larger organization, and who does not receive orders, direction, or material support from outside sources.’

It also offers a clarification very useful for the purpose of defining criteria and categorising the lone wolfs:Absent violence or the threat of violence, the individual may hold extremist or radicalized views, but he or she is not a terrorist. Absent political motivation, an attack would more closely resemble traditional forms of crime, organized violence, or hate crimes. Absent the individual acting alone, the attack would fall under the traditional definition of terrorism that encompasses violence conducted by organized terrorist groups.’

I draw from this definition five key cues/characteristics. Note that the candidate must meet ALL of them in order to be considered/qualify for flagging (follow-up close monitoring). The search cues are:

  1. Single, lone actor
  2. Political aim driven
  3. Intends at/is predisposed to use violent means
  4. Ideology-inspired
  5. Not affiliated with (by chain of command or supply) with terrorist organisation

Second task: Establish indicators

To support the decision making, we have to introduce a set of indicators—the signs which help us make best use of the information available. They may be categorical (yes/no), descriptive or numerical. In any case the decision makers will have to use judgement based on arbitrarily assigned weighs and values. Indicators may be formulated in the form of questions and not necessarily grouped under each of five core features. Below is a set of indicator groups I suggest as an initial shot; it is illustrative, by no means prescriptive.


  • Age group;
  • Permanent residence area;
  • Sex;
  • Social/ethnic/religious/sectarian background;
  • Employment status.

*Note: This group of indicators is optional for identifying lone wolfs—we don’t know much about them. Most are killed at the attack, and other candidates may serve different ideologies, which makes profiling difficult. For example, most attacks carried out in the UK in recent years were North Ireland related, not al-Qaeda/ISIL inspired. There might be other ultra-right motivated candidates which haven’t surfaced yet. Lone wolfs may have different political aims, and each may have more than one supply group, etc. Social background check is applicable only for countries where there is only one category of attackers, like in Israel, where IDF track potential attackers preferentially among one group—young Palestinians living in certain villages. However, this is rather an exception and most countries face terrorism threats coming from much broader background.


  • Previous security record (been spotted before, evaluated as terror suspect but dropped);
  • Medical record (have undergone psychiatrist treatment);
  • Behavioural record (visits to psychologist, e.g. school counsel);
  • Criminal record (recent conviction, release in last 1 year);
  • Family/personal problems (divorce, unhappy marriage, debt).

Warning signs

  • Internet interests (search topics; frequently visiting terrorist sites as of recent);
  • Social media (friends/contacts; posts glorify terror, express suicidal thoughts, or express intense hatred, intent to attack);
  • Social behaviour (e.g. noticed making hate-incited statements in public, in last three months; as of recent was spotted attending gatherings where terrorists, violent attacks are praised and implicitly or even explicitly encouraged);
  • Change of pattern (car rent: hasn’t driven a car in a year, but suddenly rents an unregistered vehicle; and/or apartment/house rent: suddenly moved to live in the area where he/she hasn’t been noticed to have any business or personal interest).

Access to weapons

  • Has connection to gun smugglers (relative, friend, neighbour);
  • Have intensified (or established if hadn’t have before) contacts, have been seen with them in last three months.

The output of this step is a set of cues that will be used in the next two steps, to aid the decision making. The quality of this output is instrumental for obtaining best possible results in the end.

Step Two: Categorisation

Create categories tailored to the search goal

Categorisation intends at a target group of ‘new entrants’ (considering that a person is spotted on a radar screen in the recent period, say, a three-month slot). The candidates might be total novices (unknown/not in the system) or ‘re-entrants’ (those who have been assessed before as suspects but dropped/not flagged for follow-up). The latter group is included because their characteristics may have changed since the last assessment, or simply they have been incorrectly evaluated at previous try or tries by the intelligence analysts (they may or may not be in the system records).

Creating categories is important for two reasons:

First, it structures the decision process and saves time. In our case the task is to create one category that has distinct features (based on five core criteria)—this will help assigning to it those candidates who meet the predefined accession value set by decision makers to this category.  All others are dismissed right away. This greatly decreases the workload for further analysis. I will illustrate this on an example from social choice practice.

Think of elections in two-party system. Candidates belong to either Right or Left. The goal is to choose one candidate as a winner, but there are a number of them running from both camps. Standpoints of Right and Left are distinct from each other. Because the candidates in the same party should share the fundamental views about political issues, when a political standpoint is the most important feature of each candidate plausible preferences would be one of the two: (a) each candidate in Right is preferred to each candidate in Left; or (b) vice versa. Therefore, opting for one party from the outset narrows the search focus and enables a decision maker to concentrate on individual candidates within the subset selected.

Second, it contributes to the accuracy of judgement. Correctly created categories help making right choices among otherwise randomly presented individual candidates/options. This is achieved by decomposing the choice problem into small problems. The example below illustrates my thought.

Suppose that an interview panel screens the applications to recommend a shortlist for further consideration (tests, interviews, etc.). The candidates’ résumé have been distributed among the panel members, but there is no agreement on the selection cues, except for job description which vaguely sets the requirements (with no precise metrics attached) and thus serves for general guidance only.

The panel members send their shortlists of six candidates to an HR representative (also panel member), who has to calculate the outcome and offer the final list. It appears that there are ten top scorers, but given the limit the HR member selects only highest ranking candidates, leaving others aside. If we look at the list of all ten candidates, we will see that they were supported by panel members as follows: A – six; B, O – five each; J, L, G – four each; F, W – three each; and Z, X – two each. Therefore candidates A, B, O, J, L, G were selected.

Now, if we define priority selection criteria more precisely (for example, having two primary criteria – recent experience in the region minimum 5 years and recent work in similar seniority position dealing with same problem for minimum 10 years), then we have two subsets—{a} those who meet these two and score well on others; and {b} those who don’t meet one or both of primary but score well on other criteria. The team’s preference is subset {a} and they have here all candidates but L, O, G and Z. If they choose from this preference category then the initial choice A, B, J will be joined by F, W and X as more suitable candidates in the shortlist, not by L, O, and G.


The decision method we use at this step is elimination. Each candidate is quickly assessed against cues ordered in a certain sequence (usually by descending importance). The candidate who doesn’t pass the cue’s cut-off value is dropped. Heuristics method of Fast-and-Frugal decision tree is most appropriate tool for this exercise. It can be designed in various shapes, to meet the decision maker’s preferences; two flowcharts applicable to our case are represented in Figure 1.


As it is evident from the Figure 1, the Fast-and-Frugal tree allows enough flexibility and room for adjustment and entertaining trial-and-error in order to find an optimal pattern and to arrive at the best available choice, given all limitations imposed by the environment. The decades-long research of this and other heuristics decision methods based on the observation of people working in extreme conditions (military, fire-fighters, nuclear power plant operators, battle planners, etc.) has proven that the method produces robust and accurate results. Moreover, there are examples of applying heuristics and fast-and-frugal methods in security analysis (such as conflict early warning).

The output of this stage is a limited number of candidates included into an initial high risk category for further assessment in Step Three.

Step Three: Assessment and final decision

Now, when we have narrowed our search we can take a closer, final look at the candidates left in the potentially high risk category. This is done by evaluating each candidate against the full set of cues (criteria), but this time assigning values to each cue and weighing them to distinguish by significance. Cut-off value of the end-output would allow the agents to conclude the search with effective decision taken with regards to each candidate considered.

There are various methods which can be used for this exercise. My favourite is multi-criteria model, for it allows enough flexibility (assigning and changing cues, indicators, experimenting with various values and weighs, etc.) which is a necessary condition for decision making in complex situations with limited and imprecise information input.


It can be used to compare and choose among multiple candidates, but is applicable to assessing an individual candidate as well. Figure 2 depicts the flowchart of the process suggested for Step Three. It is an iterative process, where decision makers would go back and forth reconsidering and adjusting the model’s search parameters.

For suspected lone wolfs decision is taken on a case-by-case basis. Once a candidate is assessed his/her total weighed score will be checked against a predetermined threshold. There are only two decisions at this point: either Flag (meaning follow-up with closer surveillance) or Drop (cancel further assessment and make note in the system records). Figure 3 shows how the final matrix may look like.


Final output

Those candidates who are ‘flagged’ may represent, as judged by decision makers, a potential threat as lone wolf terrorists. No probabilities are assigned, but this categorisation of the candidates means that they will be closely monitored for some (predetermined) period of time. Further decisions would be made upon the expiry of the trial period, depending on the candidate’s behaviour and additional information. Added value of the approach proposed is that decision making process is simplified and accelerated while maintaining high accuracy of inferences; it does not require big resources or extensive data; instead it relies on well established, formalised and flexible process and heuristic decision methods and above all, on professional intuition and judgement of intelligence/counter-terrorism experts.


About the author: Dr. Elbay Alibayov is an international development professional specialising in state-building and political processes in conflict affected situations. Most recently, he has worked in Baghdad assisting the Iraqi Government on a range of administrative initiatives and policy reforms. Before that, he helped building local governance structures and capacity through community-based initiatives in rural Afghanistan. In the course of eight years he has worked in Bosnia and Herzegovina, where he held various positions in the field (starting as head of field office in Srebrenica) and headquarters; have designed, implemented and overseen a broad range of strategies and local and nation-wide initiatives; and have chaired and participated in the work of civil-military groups, political coordination boards at all levels.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s