The Strategy for Protecting Crowded Places from Terrorism: two years on


In 2017, the Australian Government released its Strategy for Protecting Crowded Places from Terrorism (the “Strategy”) in which it stated that “[o]wners and operators of crowded places have the primary responsibility for protecting their sites, including a duty of care to take steps to protect people that work, use, or visit their site from a range of foreseeable threats, including terrorism”.[1] As we approach the second anniversary of the release of the Strategy, this article examines whether its message has been effectively understood and actioned by private owners/operators, and some of challenges of effectively implementing its message in practice.

Why it’s more difficult than ever to stop attacks

We have seen an evolution of terrorist attacks towards low-resource high-impact attacks where simple but effective methods such as ramming vehicles in crowds are being used by lone perpetrators.[2] There are several important implications of this development. The first is that it is now more difficult for attacks to be intercepted before they cause harm. The speed at which perpetrators can be radicalised, as well as the speed at which attacks can be formed and executed using every day and readily available items and tools substantially decreases the opportunity for law enforcement and other agencies to identify and then intercept such attacks before they occur.[3] The second is that given the focus on causing mass casualties, any crowded place is now a viable target and a greater number and variety of assets now have real exposure to terrorism. This broadening of potential targets also strains centralised resources tasked with advising potential targets to deal with a terrorist attack. Our own experience has shown that teams within law enforcement and national security tasked with performing risk assessments on behalf of property owners and operators are strained, with assets waiting up to 18 months for risk assessments to be provided.

The Strategy’s message of primary responsibility

These developments in terrorism have driven new policy initiatives around the world, with governments making a more concerted effort to highlight and build resilience and preparedness at a broader level by emphasising the need for individual asset owners and operators to take greater responsibility in relation to managing terrorism risk.[4] In 2017, the Australian Government released its Strategy for Protecting Crowded Places from Terrorism in which it stated that “[o]wners and operators of crowded places have the primary responsibility for protecting their sites, including a duty of care to take steps to protect people that work, use, or visit their site from a range of foreseeable threats, including terrorism”.[5] Whether this “responsibility” highlighted by the Strategy implies a legal responsibility that could see organisations prosecuted for failures to adequately prepare for a terrorist attack remains untested. However leading legal experts have argued that there is a need for private owners/operators of at-risk assets such as major hazard facilities, critical infrastructure and crowded places, to proactively identify security and terrorism risks and implement appropriate management of these risks.[6]

How well has the message been understood and implemented?

As we approach second anniversary of the Strategy, the question we ask is has the message delivered by the Strategy been effectively understood and actioned by owners/operators of crowded places? There have certainly been challenges in understanding who is responsible for protecting particular assets and spaces. Public owners/operators of crowded places, most notably local government councils, appear to be the most proactive in embracing the Strategy’s message of primary responsibility. This makes sense given that they are often responsible for public spaces and venues, as well as having advantage of accessing $120 million in grants from the Australian Government via the Safer Communities Fund.[7]

To support the Strategy, the Australian Government has developed additional resources to assist owner/operators to meet this responsibility, including various publicly accessible tools such as the Crowded Places Security Audit and Crowded Places Self-Assessment Tool.[8] There have also been Crowded Places forums and workshops organised for local government and private sector owners/operators. Yet these resources alone are unlikely to equip private sector owners/operators with the level of expertise and knowledge it requires to adequately manage terrorism risks. This should come as no surprise – terrorism is a complex threat and managing terrorism risk requires expertise and knowledge which very few private owners/operators have in place. Managing terrorism risk requires an understanding of the broader threat environment as well as the specific threat environment that applies to the asset itself due to its function, location, profile and so on. It also requires an assessment of the gaps in current security measures that could be exploited or leave the asset vulnerable to an attack. All of this knowledge and expertise costs money, and is typically something that only those private owners/operators with large security budgets can actually afford.

Our (anecdotal) experience working within industry

Our own experience has shown that some private owner/operators understand their exposure to terrorism risk and have been proactive in seeking advice, implementing new plans and procedures and investing in protective hardware such as vehicle barriers. Other organisations operating under more constrained budgets have had to pick whether they receive appropriate advice from security consultants or spend that money instead on actual hardware without the advice. It is difficult to know how many organisations are either completely unaware of this responsibility or have chosen to ignore it in the belief that their exposure to the risk is too small, or that there is nothing they can actually do. We do have anecdotal evidence that perhaps many organisations still look to law enforcement for guidance and advice. Yet we also have anecdotal evidence that law enforcement agencies are stepping back from this role due to limited resources and concerns about potential liability issues. 

The Strategy: still a work in progress

Overall, it is argued that two years on from its release, the message that private owners/operators have primary responsibility for protecting their assets against terrorism remains a work in progress. This is perhaps understandable, given that dealing with terrorism risk and performing tasks such as security and terrorism risk assessments, is not something that most private owners/operators have had to do in the past. The notion that private owners/operators hold a “primary” responsibility also requires nuance: effectively managing terrorism risk requires a combination of public and private efforts and responsibility. However, terrorism is a risk that is not going to disappear in the foreseeable future and the Strategy’s message remains as relevant as ever: an essential part of effectively managing terrorism risk at a whole-of-society level is to have more organisations being proactive in building their resilience and preparedness to terrorist attacks.


[1] Australia-New Zealand Counter-Terrorism Committee. “Australia’s strategy for protecting crowded places from terrorism.” Canberra: Australian Government (2017).

[2] Goertz, Stefan, and Alexander E. Streitparth. “Summary: What Is New About New Terrorism?.” The New Terrorism. Springer, Cham, 2019. 133-139.

[3] This does not detract from the capability Australian law enforcement and national security agencies at foiling some 14 terrorist plots since 2014.

[4] The UK Government has been particularly active in this. See for example:

[5] See 1.

[6] Tooma, Michael and Cohen, Gabi, ‘Australia: building resilience’ (14 May 2019)


[8] See