Force Protection and Threat Reporting
Organizational Context
This case examines Force Protection and Threat Reporting across the Department of Defense, spanning installations, deployed locations, transit nodes, exercises, and personnel operating in both garrison and forward environments. Force protection involves commanders, security forces, intelligence elements, law enforcement, counterintelligence, antiterrorism officers, and host-nation partners.
Threat and force protection information enters the system through suspicious activity reports, intelligence reporting, law enforcement tips, social media monitoring, access control anomalies, and partner notifications.
• Thousands of threat indicators and force protection reports are generated annually across DoD.
• Standard threat levels, reporting formats, and escalation paths exist, but interpretation varies by location and posture.
• Visibility, fear of underreaction, and leadership sensitivity often drive escalation.
• Similar threat reports frequently result in very different protective actions.
Leadership sought consistent force protection decisions and reduced false alarms, but the deeper problem was that individual threat reports were being treated as equivalent when they were not.
How the Work Was Intended to Function
From a command and policy viewpoint, force protection reporting was expected to function predictably:
• Threat indicators are reported promptly by personnel and partners.
• Reports are assessed using standardized threat and credibility criteria.
• Threat levels and protective measures are adjusted accordingly.
• Security forces implement physical or procedural controls.
• Commanders are informed and posture decisions are communicated.
Because threat levels, antiterrorism plans, and reporting channels existed, the system appeared controlled at an aggregate level.
What Was Actually Happening
Observed reality diverged materially:
• Two threat reports with similar surface characteristics could trigger very different responses depending on commander risk tolerance.
• Threat credibility and intent were often conflated with worst-case impact.
• Routine suspicious activity was sometimes escalated as an imminent threat, while subtle indicators were dismissed.
• Protective measures were implemented without clear linkage to the assessed threat.
• Installations experienced alert fatigue and operational disruption.
• Trust eroded as personnel viewed force protection changes as arbitrary.
The underlying issue was not reporting volume or vigilance, but the absence of a shared way to interpret a single threat report before deciding how much protection it warranted.
How FLOW Was Introduced
Leadership sought to stabilize force protection decisions without redesigning antiterrorism doctrine. Specifically, they wanted:
• A common language for why threat reports behave differently.
• A method to separate perceived danger from assessed impact.
• A lens focused on the individual threat report rather than overall threat posture.
• Protective measures aligned to consequence breadth rather than fear of blame.
FLOW was introduced as a classification lens applied before posture changes or protective actions were authorized.
Identifying the Unit of Effort
The organization anchored analysis on a single, stable unit of work:
• Unit of Effort: One force protection threat report requiring assessment, decision, and disposition.
• The unit may be triggered by a tip, observation, intelligence report, or anomaly.
• Multiple observations may inform the same unit without creating additional units.
• The unit does not change as impact expands; only protection measures and governance change.
How Complexity Was Determined
Complexity was defined strictly as the amount of judgment required to assess credibility, intent, and implications of one threat report.
• Low complexity: clear false positives or benign explanations.
• Higher complexity: ambiguous intent or incomplete information.
• Higher complexity: tradeoffs between security measures and mission disruption.
• Higher complexity: need to integrate intelligence, law enforcement, and behavioral indicators.
This definition of complexity was applied uniformly across all FLOW levels.
How Scale Was Determined
Scale was defined as the breadth of force protection impact created by one threat report.
• Number of personnel, facilities, or events affected.
• Downstream impact on operations, training, or mobility.
• Coordination required across commands, agencies, or host nations.
• Extent to which protective measures constrain normal operations.
Threats affecting a single gate or individual were treated as low scale; threats affecting installations or multiple locations were treated as higher scale.
Other Measures of Scale Considered
• Threat level labels alone.
• Weapon lethality assumptions.
• Media attention.
• Senior leader interest.
These remain inputs, but were not used as the primary definition of scale in this walkthrough.
Applying FLOW to Real Force Protection Threats
With complexity and scale definitions fixed, each threat report was classified using the same logic. The unit remains constant across all examples; only judgment requirements and impact surface change.
• Classify complexity first.
• Classify scale second.
• Assign the single FLOW classification that best fits the unit.
FLOW A — Local, Contained Threat Reports
This example involves one threat report. The unit does not change.
Example: a reported suspicious vehicle near an installation gate that is quickly identified as a contractor error.
• Complexity: low (benign explanation confirmed).
• Scale: low (localized impact).
• Handling implication: document and close.
Built-out handling: security forces verify credentials, correct the issue, document the report, and restore normal operations without broader action.
FLOW B — Broader Operational Impact from One Threat Report
This example still involves one threat report. The unit remains the same; impact expands.
Example: multiple credible reports indicate coordinated surveillance of installation access points.
• Complexity: low (pattern and intent indicators are clear).
• Scale: moderate (multiple facilities and personnel affected).
• Handling implication: coordinated protective measures.
Built-out handling: commanders adjust access control procedures, increase patrols, coordinate with law enforcement and intelligence, and communicate guidance. The distinction from FLOW A is coordination breadth, not analytic depth.
FLOW C — Complex, Judgment-Driven Threat Reports
This example still involves one threat report. Judgment requirements increase.
Example: ambiguous online threats targeting military personnel with unclear credibility or intent.
• Complexity: high (intent and capability uncertain).
• Scale: low-to-moderate (potentially serious but unclear).
• Handling implication: deliberate assessment and monitoring.
Built-out handling: analysts assess credibility, consult behavioral and intelligence indicators, balance protective measures against overreaction, and update commanders as confidence evolves.
FLOW D — System-Level Impact from One Threat Report
This example still involves one threat report. The unit remains unchanged; dependency becomes enterprise-wide.
Example: credible intelligence indicates a coordinated threat campaign targeting multiple DoD installations.
• Complexity: variable.
• Scale: high (enterprise-wide force protection impact).
• Handling implication: elevated governance and posture adjustment.
Built-out handling: DoD leadership coordinates posture changes, resource allocation, host-nation engagement, and strategic communication. One threat report drives system-wide action.
FLOW S — Exceptional Threat Reports
This example still involves one threat report, but normal governance pathways are inappropriate.
Example: time-sensitive intelligence of an imminent attack requiring immediate action.
• Complexity and scale vary.
• Handling implication: explicit emergency authority.
• Key risk: irreversible operational disruption.
Built-out handling: immediate protective actions, evacuation or lockdown, rapid command decisions, and follow-on assessment once the threat window passes.
What Changed After FLOW Classification
• Force protection decisions became proportional and consistent.
• FLOW A threats closed quickly without alert fatigue.
• FLOW B threats received coordinated responses.
• FLOW C threats received thoughtful assessment.
• FLOW D threats were governed at the appropriate level.
• FLOW S threats followed clear emergency pathways.
Organizational Implications
• Commanders trusted force protection recommendations.
• Security forces avoided unnecessary disruption.
• Resources aligned to credible risk.
• Personnel regained confidence in threat reporting.