An Epidemiological Framework for Investigating Organized Crime and Terrorist Networks

Abstract

In the last two decades, organized crime and terrorism has grown more complex, posing evolving challenges to law enforcement nationally, regionally and globally. Within the US ‘…there is a transformation in how criminals are using technology to invent new types of crime, and are creating new methods for committing traditional crimes’ (Wexler C. Critical issues in policing series new national commitment required: The changing nature of crime and criminal investigations police executive research forum, Washington, D.C. 20036 retrieved from https://www.policeforum.org/assets/ChangingNatureofCrime.pdf: 2018). In addition, criminals and terrorists have adopted more agile structural models and internationalized their operations. The UK regards organized crime as a threat to national security which costs the UK at least £32 billion each year, leads to loss of life, and can deprive people of their security and prosperity (https://www.gov.uk/government/publications/official-development-assistance-oda-fco-programme-spend-objectives-2017-to-2018/combatting-serious-and-organised-crime-objectives-2017-to-2018).

Given this threat and risk landscape, it has been argued that the ‘…science of criminal investigations is changing rapidly, and many law enforcement agencies are not prepared for the changes that are taking place’ (Wexler C. Critical issues in policing series new national commitment required: The changing nature of crime and criminal investigations police executive research forum, Washington, D.C. 20036 retrieved from https://www.policeforum.org/assets/ChangingNatureofCrime.pdf: 2018). The inherent complexity associated with serious and organized crime and terrorism calls for intervention and investigative strategies and practices rooted in a science-informed, evidence-based approach. Epidemiology, the science of public health, provides a unique approach that can be leveraged and tailored to support policing operations. The systems lens is key to the application of epidemiological models, and hence the Cynefin framework is introduced to help frame the policing problem space in terms of complexity.

This paper presents a conceptual model that illustrates and operationalizes epidemiological practices to support policing operations.

1 Introduction

In the last two decades, organized crime and terrorism has grown more complex, posing evolving challenges to law enforcement nationally, regionally, and globally. Within the US ‘…there is a transformation in how criminals are using technology to invent new types of crime, and are creating new methods for committing traditional crimes’ (Wexler 2018). In addition, criminals and terrorists have adopted more agile structural models and internationalized their operations. The UK regards organized crime as a threat to national security which costs the UK at least £32 billion each year, leads to loss of life, and can deprive people of their security and prosperity (https://www.gov.uk/government/publications/official-development-assistance-oda-fco-programme-spend-objectives-2017-to-2018/combatting-serious-and-organised-crime-objectives-2017-to-2018).

With this in mind, consider the policing landscape described in Wexler (2018):

• The nation is experiencing an epidemic of drug abuse fatalities, fueled in part by the internet.

• New types of crime, based on technology, are being invented.

• Local gang members and other criminals have noticed that they can make more money, with less risk of getting caught, and smaller penalties if they do get caught, by using technology.

• Even when technologies are invented to prevent crime, criminals adapt.

• The work of criminal investigators is becoming more complex.

• Police are not getting sufficient help from the technology sector, while criminals are using the “dark web” to make themselves anonymous online.

• Technology is changing the environment every day, and most police agencies are far behind the curve. Because policing in the United States is decentralized, there are thousands of small and medium-size agencies that lack the resources to respond to the changes cited above.

• Crime data systems have not kept pace with changes in crime: A major challenge facing the profession is that we do not have an accurate picture of the problems (Wexler 2018).

Given this threat and risk landscape, it has been argued that the ‘…science of criminal investigations is changing rapidly, and many law enforcement agencies are not prepared for the changes that are taking place’ (Wexler 2018). The inherent complexity associated with serious and organized crime and terrorism calls for intervention and investigative strategies and practices rooted in a science-informed, evidence-based approach. Epidemiology, the science of public health, provides a unique approach that can be leveraged and tailored to support policing operations.

2 Epidemiology

Applying epidemiological principles to law enforcement is not a new concept. As described in Masys (2016a:299), references to terrorism being a “virus” or to al Qaeda “mutating” or “metastasizing” are common, and such terminology is useful when catalyzing the use of an epidemiological framework for investigations.

As described in Brownson and Hoehne (2006), epidemiology is the study of the health of human populations. Its functions are:

1. 1.

   To discover the agent, host, and environmental factors which affect health, in order to provide the scientific basis for the prevention of disease and injury and the promotion of health.

2. 2.

   To determine the relative importance of causes of illness, disability, and death, in order to establish priorities for research and action.

3. 3.

   To identify those sections of the population which have the greatest risk from specific causes of ill health, in order that the indicated action may be directed appropriately.

4. 4.

   To evaluate the effectiveness of health programs and services in improving the health of the population (Brownson and Hoehne 2006)

Each of these four functions has a direct application toward improving the overall health of the population and reflects an inherent systems view of disease aetiology and intervention strategy design.

As a scientific discipline, epidemiology is replete with sound methods of scientific inquiry at its foundation and supporting causal reasoning and hypothesis testing. Characterized as a data-driven, systematically-applied approach of data collection, analysis and interpretation, epidemiology leverages both quantitative and qualitative methodologies including probability, statistics, grounded theory, content analysis, network analysis and other sound research methods. From a systems perspective, social determinants of health are a key influence on the occurrence of disease and other health-related events searching for the “Why” and “How” of such events which are explored through epidemiological methodologies.

3 Understanding Complexity: Cynefin

In addition to a science-based epidemiological framework, the inherent complexity associated with the policing landscape requires one to broaden the traditional approach to investigation and decision making and form a new perspective based on systems thinking and complexity science (Masys 2016b). The Cynefin framework (Fig. 1) allows one to see things from different perspectives, challenge resident mindsets, assimilate complex concepts, and design intervention strategies for real-world problems and evolving criminal organizations.

Fig. 1

Cynefin framework. (Snowden and Boone 2007)

As described in Snowden and Boone (2007), the framework sorts the issues into five contexts defined by the nature of the relationship between cause and effect. Four of these—simple, complicated, complex, and chaotic – span the spectrum from ordered to unordered contexts. The fifth—disorder—applies when it is unclear which of the other four contexts is predominant.

Framing the law enforcement issues along one of the dimensions of the Cynefin implies a specific worldview that shapes how one views the problem space and how one designs intervention strategies. Complex contexts suggest that there is no immediately apparent relationship between cause and effect, and these problems are frequently referred to as wicked or messy because it is difficult to assess the true nature of the problem and therefore how to manage it. Wicked problems (Rittel and Weber 1972) are characterized as nonlinear problem spaces whereby the complex problems are emergent. This is described in Masys (2016b). Given the dynamic and complex policing landscape, problem framing afforded by such approaches as Cynefin is critical for facilitating design of not only investigative tools and approaches, but also development of more strategic intervention strategies to deal with law enforcement issues, and when used in conjunction with an epidemiological framework, can produce manageable investigative methods for use in complex investigations.

4 Connecting Epidemiology and Policing Practices

On the surface, scientific research and law enforcement investigations might appear to have very little in common. Underneath, however, the investigative techniques used in both disciplines bear a striking resemblance to each other. For example, in scientific thinking, a hypothesis is formed, and evidence collected either disproves or supports the hypothesis. Supporting evidence does not necessarily prove the theory correct, but it can add additional credence and plausibility to the hypothesis. In jurisprudence, the concept of “innocent until proven guilty” is very similar. If the theory of a particular criminal’s guilt is proposed, evidence that disproves the suspect’s guilt is considered definitive, while supporting evidence adds credence to the case for the suspect’s culpability without incontrovertibly proving it. In this way, law enforcement investigations have much more in common with scientific investigations than it might seem.

A particularly useful framework for approaching criminal investigations in a scientific manor is epidemiology. Though there are different definitions of epidemiology, at its core, it is the study of patterns of disease. Infectious disease epidemiology, specifically, operates on the premise that disease is not random, that there is a specific cause or set of causes, that it comes from an identifiable source, and that it spreads through identifiable means (Nelson and Williams 2014). These assumptions are not so very dissimilar to investigative assumptions in organized crime or terrorist networks, where crimes do not happen randomly, but instead have a designed purpose/cause, that there is a leader or leaders (source or sources), and that the network spreads outward from this source.

Through the various tools and methods associated with ‘applied epidemiology’, as described in (Brownson and Hoehne 2006), five core purposes emerge with regards to understanding disease etiology:

1. 1.

   synthesize the results of etiologic studies to assess cause across a body of literature;

2. 2.

   describe disease and risk factor patterns to set priorities;

3. 3.

   develop and evaluate public health programs, laws, and policies;

4. 4.

   measure the patterns and outcomes of health care; and

5. 5.

   communicate epidemiologic findings effectively to health professionals and the public.

These epidemiological core purposes map well to the intelligence cycle described in Strang and Masys (2016) illustrated in Fig. 2 (Bruenisholz et al. 2016).

Fig. 2

Intelligence cycle. (Bruenisholz et al. 2016:24)

Epidemiologists work across the spectrum from tactical, operational, and strategic policy-related interventions. They can:

• identify potential interventions based on causal criteria.

• design interventions and evaluation protocols.

• assist policy makers in evaluating the effects of the intervention and in formulating broader policies related to the intervention.

In essence, epidemiology is about: surveillance; investigation; analytic studies; evaluation; intervention strategy design and development; and strategic policy development. Supporting these functions are key operational principles that resonate with law enforcement operations:

1. 1.

   data driven

2. 2.

   systematic and unbiased approach to collection, analysis, and interpretation of data

3. 3.

   pattern recognition, cluster analysis

4. 4.

   spatial and temporal analysis

5. 5.

   examining determinants

6. 6.

   behavior analysis

7. 7.

   surveillance

5 Applications of Epidemiological Concepts in Policing Operations

In applying epidemiological concepts to policing operations, let’s start at the periphery, where most investigations, both epidemiological and criminal, begin. In the criminal world, a crime is reported. In the epidemiological world, a disease is reported. In many instances, this crime and this illness are isolated. The criminal is apprehended or the illness is treated, and in both cases it stops right there. In other instances, the crime that is committed, or the disease that is reported, are routine and very common in that area. Petty theft or the common cold, for instance. These crimes and illnesses are generally taken care of on a routine basis, and they do not raise any undue red flags among investigators.

But sometimes, there can be a sudden rash of burglaries that share a similar modus operandi or a string of drug-related deaths, for instance. Similarly, there can be a sudden rise in illness with similar clinical descriptions or unexpectedly high morbidity. This upswing marks a change from the status quo. It is the first indicator that something new or out-of-ordinary is taking place. In crime, this can indicate a new criminal element moving into an area or new leadership of an old criminal element. In epidemiology, this can indicate the outbreak of a new disease or a genetic shift in an old disease that increases virulence. Either way, the first step is in noticing the shift. Noticing this shift is about having the capability for ‘weak signal detection’.

Public health departments have passive surveillance in place that monitors the occurrence of disease within a region. Surveillance in the public health context is not at all like surveillance in the law enforcement context, which involves active observation of subjects, locations, and activities. Public health surveillance instead involves receiving routine reports from doctors, hospitals, laboratories, and public health departments on the occurrence of reportable diseases (Ashbaugh et al. 2017). These reportable diseases have been designated as such because they are illnesses which can potentially become a larger threat to public health, and occurrences of such diseases are entered into a database and evaluated in periodic reports for any observable changes.

Developing a similar database for criminal activity can be more difficult in that, while raw numbers of various crimes are easily analyzed and reported, characteristics of a particular criminal or criminal group can be difficult to distinguish. Disease reports follow a standard case definition and format, and while they can be more or less reliable based on the reliability of the reporting source, criminal reports contain much less standardization of content and much more variability in source reliability. However, a criminal investigator with an index of suspicion can certainly organize and analyze multiple criminal cases with an eye to finding ones with key shared characteristics that would define a particular criminal or criminal group.

Once this change has been noticed, the objective in both types of investigations is to find the source and stop its spread. The source in an outbreak investigation can be an index case or point source. This point source or index case is the one source of introduction of disease into the population, whether it is an individual exposed to a zoonotic virus through contact with the natural animal host, or someone who just landed in a new country after being exposed in another country. In criminal terms, this source can either be a single criminal (i.e. a serial murderer), or someone new arriving in an area. Looked at in terms of a terrorist organization, if a trained operator moves into a new region to begin setting up operations, this operator can be viewed as the point source from which disease will spread. If such a source remains in the environment unchecked, it becomes a continuing common source, spreading disease to multiple people over a prolonged period of time, as would be the case in an established crime syndicate.

Outbreak investigations can also uncover multiple introductions of the same disease or similar strains of a disease into a population congruently or within a relatively short timeframe. Investigating the similarities between these multiple sources can often point back to a common natural reservoir of disease, just as finding the connections between multiple translocated terrorist cells can lead back to a common origin. Additionally, whether it is from one source or multiple sources, once disease begins spreading from person to person without contact with the original source, it is dubbed a propagated source (Nelson and Williams 2014).

Often, the goal of organized crime or a terrorist network, when described in epidemiological terms, would be to become a continuing common source and propagated source and to establish an area of control or dominance. While viruses and bacteria do not display the human motivations of seeking power, dominance, or an end objective, their biological characteristics tend toward maximum replication of themselves at the expense of the host organisms. It is also not suggested that pathogens possess the will to attempt to evade detection or to change their tactics in response to investigators’ probes. They do, however, to varying degrees, possess the abilities of antigenic drift (the gradual tendency over time to change outside surface structures so that established immune responses are less likely to recognize them), genetic shift (a sudden, large shift to an entirely new strain), and active efforts to shut down host immune systems so they cannot oppose the infecting pathogen (Nelson and Williams 2014). And so, though it is not consciously driven as it would be in the case of criminals, pathogens display similar behaviors to criminals in order to carry on their activities.

Influenza, for instance, is a virus with a remarkable ability to change two key structures on its surface so that it is not recognized by host immune systems (Heymann 2015). This constant shifting is what necessitates development of a new flu vaccine each year, and when one of these shifts leads to a sudden increase in virulence or mortality, events such as the Influenza Pandemic of 1918 occurs, killing millions worldwide. Similarly, criminals are constantly shifting their tactics and maneuvers to evade detection or established defenses (Phillips 2018). Additionally, criminals can often hide their presence or appear as non-criminals, just as diseases such as typhoid and dengue can often appear without symptoms yet be just as susceptible to spread as symptomatic cases (Heymann 2015). Diseases such as Ebola, however, have not been found to be asymptomatic in humans, and so, just as it is important for outbreak investigators to be extremely familiar with the characteristics of the pathogen they are investigating, it is vital that criminal investigators are familiar with the characteristics of the network they are investigating.

When the source of disease or the leader of a cell are not readily apparent, contact tracing is often required from an identified case back to an index (original) case. Just as tracing the known associates of a lower level criminal who has been detected can lead up the chain to leadership personnel, so contact tracing can backtrack to the original source of infection. This is a labor-intensive process in both criminal and epidemiological investigations, but it is one of the key links in stopping the pathogen/organization. Identifying all of those who have been exposed is vital to determining where the disease has spread and to stopping its further spread (Nelson and Williams 2014).

Rarely is the case of a criminal investigation straightforward from its point of detection to its source and to all of those who have been infected. Often, only some of the pieces of the puzzle can be assembled, but just as in epidemiology, this can potentially be enough to stop the disease. In epidemiology, though it is helpful, it is not always necessary to find the original source in order to stop an outbreak. Cutting the chain of transmission in any part of its cycle can halt the spread of the disease. Similarly, cutting the chain of events in a criminal or terrorist endeavor can also prevent impending crime or attack (Masys 2016c).

Disease transmission requires a viable pathogen, a mode of transmission, and a susceptible host. Disruption of any of these factors halts further infection. Similarly, disruption of any of these factors in a criminal or terrorist network disrupts the intended crime or attack. Terrorist networks and organized crime require money, resources, personnel, and communications in order to function. All of these needs represent vulnerabilities for disruption of the chain of transmission because, without these, the intended crime or attack cannot occur. Such disruption mapping is detailed in Masys (2016c). Figure 3 illustrates the operational views associated with LeT terrorist organization thereby showing leverage points in the terrorist organizational ‘business model’ for disruption of operations.

Fig. 3

Operational View (OV-6c) functional operational processes of LeT. (Masys 2016c)

Thus, these requirements can be likened to modes of transmission or “vectors”. Pathogens require modes of transmission such as mosquitos, direct contact, water, or even air. Without this intermediary, the pathogen cannot get to the host, and infection cannot occur, just as without money, resources, personnel, and/or communication, a crime cannot make it from inception to fruition.

Just as the pathogen in an outbreak requires a mode of transmission to make it to the host, it also requires a susceptible host in order for infection to take place. In epidemiology, hosts can be susceptible for any number of reasons including stress, malnutrition, immunocompromise, and just plain genetics (i.e. genetics cause differences in cellular receptors, and some genetic codes can manifest as immunity to disease because the target cells lack the receptors required to bring a particular virus through their membranes) (Nelson and Williams 2014). Translated into criminality, susceptible hosts become targets, and these targets can include victims of the crime/attack or additional recruits to the network.

When looking at recruiting new members, it is useful to look at the characteristics that make these new “hosts” susceptible. Naturally, in areas of endemicity (areas where the pathogen is common or prevalent), there will be more cases of infection, as there are naturally more exposures; just as in areas of high crime or terrorist strongholds, more civilians will become part of the syndicate due to increased exposure to the criminal or terrorist networks within the fabric of the community. But looking at the characteristics of these susceptible recruits often shows commonality in factors such as socioeconomic status, disenfranchisement, and discontent that may lead to vulnerability to radicalization/recruitment (Badurdeen and Goldsmith 2018). Not all recruits come from economically disadvantaged populations, as there are often several highly educated members within terrorist and drug organizations (Bennett, Coleman, and Co. 2012). Identifying the commonalities in these highly-educated or economically advantaged recruits can be just as valuable as identifying the characteristics of the more disadvantaged group. Such indicators regarding counter violent extremism are discussed in detail in (Pressman 2016; Masys 2018).

And just as some pathogens are more virulent than others, some ideologies are more virulent than others, leading to higher and faster rates of transmission. ISIS, for instance, would have very high virulence, with its ideology spreading in pandemic proportions across the globe. And just like the flu, Islamist radicalization is not a new virus, but it has taken on a particularly virulent new form in ISIS with high rates of mortality and global spread.

Now, among some pathogens, there is the phenomenon of “superspreaders.” This is when, due to a number of factors, an infected individual is able to spread the disease far more effectively than normal to others (Wong et al. 2015). This phenomenon was seen clearly in the SARS outbreak in Asia, where the majority of cases were infected by a small number of superspreading individuals, and other individuals did not pass on the disease at all (Wong et al. 2015). These superspreaders can be viewed in the criminal world as recruiters or highly charismatic individuals capable of larger-than-normal influence (Badurdeen and Goldsmith 2018). They can alternatively be analyzed as perpetrators of large-scale attacks or spectaculars when viewing the susceptible host within this epidemiological framework as the target of a crime or attack.

Hardening the target to make it more difficult to attack/infect is a way of stopping transmission. In the outbreak situation, hardening the target can include measures such as vaccination, handwashing, disinfecting equipment, prophylaxis, personal protective gear and N-95 mask respirators. In the criminal situation, hardening the target can include measures like varying routine, physical security measures, access control, armored vehicles, safe rooms, countersurveillance, and armed response.

When we have placed organized crime or a terrorist network into the epidemiological context, we have the following linkages:

Outbreak Context	Criminal/Terrorist Context
Outbreak	Organized crime or terrorist network
Detection of disease case	Detection of a crime
Endemicity	High crime area or extremist community
Attack rate/Virulence	Persuasive ideology
Source	Leader
Contact tracing	Known associates
Superspreaders	Recruiters or large-scale attackers
Susceptible host	New recruit or victim/target
Vectors	Money, resources, communications

With these analogies in mind, we can look at analyzing the structures in order to find weaknesses where the cycle can be broken.

Let’s take Explosively-Formed Projectiles (EFP’s), which became widespread for use against armored vehicle convoys in Iraq beginning in 2005, as an example (Knights 2016). This new form of attack indicated a change from the previously common use of roadside IED’s (improvised explosive devices) (Bonsignore and Eshel 2006). Because of their shaped charges, they were much more effective at penetrating the armor on Allied vehicles, and morbidity and mortality from these attacks was much higher. Recognition of the growing use of these devices constitutes an “outbreak,” with each of these devices as a case of “disease.”

Examination of these devices as they were recovered indicated a uniformity of design, and just as genetic markers on a pathogen would point to a single strain and common source of infection, the conformity of materials and design would point to a single manufacturer. In searching for EFP’s that conform to these particular standards, there are, of course, others that can be found which do not meet these exact specifications. These devices would be outside the “case definition” and likely be a product of other bombmakers.

With indications of a single source, investigative efforts would turn toward finding the source in order to halt transmission. This is often a difficult and involved process in epidemiology, and it is even more so in criminal and terrorism investigations. And so, while efforts are ongoing to try to find and remove the source, interim measures can be put in place to stop transmission. As the “host” is most readily available to defending forces, reducing susceptibility of the host can be the easiest cycle interruption to achieve. Measures such as varying travel routes, employing devices to trip passive infrared sensors prematurely, broadcasting signals designed to suppress or prematurely trigger activation frequencies, and changing armor composition are all strategies for disrupting the transmission cycle at the “host” level.

Additional efforts would likely be targeted at modes of transmission and vectors of disease. Discovering how the EFP’s are being transported to their destinations and by whom, how they are being financed, where the materials are coming from, and how the orders are being given or decisions are being made for their emplacement are all examples of “vectors” and areas where the chain of transmission can be broken. Temporary removal of any of these vectors forces a change in how the EFP’s are transmitted from production to detonation, and permanent removal of one of the requirements in the mode of transmission would result in the severance of the transmission cycle.

Just as diseases such as Ebola have a suspected but unproven natural source which originates in remote areas that are difficult for researchers to penetrate, so too might the origin of the EFP’s be in a region that is difficult for investigators to research (i.e. militant Shia strongholds or Iran). And so, while it may be difficult to eradicate the natural reservoir or source of the EFP infection, location of its introduction into the population is plausible. Focusing on the individuals involved in transmission as “infected cases” and carrying out contact tracing can eventually lead investigators to the original “index cases” within the population (i.e. operatives that are bringing them into the country and distributing them to the Jaysh-al-Mahdi).

Unfortunately, unchecked, this EFP disease, just like terrorist networks and other organized crime, can take root in the new area and become “endemic,” where personnel, knowledge, material, and supplies become new sources of EFP production within Iraq (McLeary 2007).

The case of the EFPs exemplifies how applying the epidemiological framework of investigation onto an organized crime element or terrorist network can enable a comprehensive analysis of the criminal elements involved. An epidemiologically-based outbreak investigation would involve the following steps:

• Detect the crime.

• Identify characteristics of the “disease” (case definition).

• Determine if there are similar cases anywhere else.

• Contact tracing – who is involved in or connected to this crime?

• Determine vectors and modes of transmission.

• Identify risk factors (locations or individuals that are likely to become targets of the next crime, or those that are likely to already be involved or become involved in the criminal network).

• Identify the source or sources.

• Plan interventions or treatment.

• Eradicate the source or intervene in transmission.

Many of the steps in this investigative process do no occur in a set order but are rather determined by what information is most readily available. Steps may run concurrently to each other as multiple people work on multiple aspects of the investigation or multiple lines of inquiry are pursued. And as more information becomes available, prior steps are often revisited, with the ultimate long-term goal of finding the source and halting transmission.

An existing analytic structure that is utilized in security and defense circles which lends itself to integration into the epidemiologic framework is the attack cycle (Harding 2014). The attack cycle is illustrative in organizing the phases that an attacker must go through in carrying out an attack (Stratford 2012). These phases include:

1. 1.

   Preliminary target selection

2. 2.

   Initial surveillance

3. 3.

   Final target selection

4. 4.

   Pre-attack surveillance

5. 5.

   Planning

6. 6.

   Rehearsal

7. 7.

   Execution

8. 8.

   Escape, explore, exploit

For the purposes of this analysis, these steps can be simplified into:

1. 1.

   Target selection

2. 2.

   Surveillance

3. 3.

   Approach

4. 4.

   Attack

5. 5.

   Explore/Exploit

This process can occur very rapidly, in a matter of seconds, or it can be far more involved and require weeks, months, or even years to reach culmination. These steps are most often taught in a defensive framework, where security personnel learn how to interrupt this cycle and prevent an attack. Let’s turn this paradigm over, however, and instead use it to outline the phases of a law enforcement attack on an organized crime or terrorist network (i.e. investigation leading to an arrest or disruption of a network).

Target selection would entail the initial detection of a crime or criminal element and the subsequent identification of the unique characteristics of the crime that differentiate it from other endemic crimes. Following this is the surveillance and information-gathering phase in which the bulk of investigatory work is carried out. Tracing known associates, mapping the organization’s financial, communications, and resource pathways, analyzing possible targets and spread, and determining the key figures and organizational structure within the element are all investigative methods carried out during this surveillance and information-gathering phase in the epidemiological model.

Once enough information or evidence is gathered, plans for action can be begin. In epidemiology, this is where public health programs and interventions are planned, but in law enforcement, this is where warrants and administrative approvals are requested and approved and plans for effecting arrests are made. These arrests may well not be for the head of the organization but instead for members lower in the hierarchy or involved in one of the vectors of transmission. And so, after the arrest or seizure of evidence has been carried out in the “Attack” phase, “Exploration” is carried out to see where information gained from this attack leads, and the attack cycle immediately resumes with investigative efforts in the “Target Selection” and “Surveillance” phases.

Target Selection	Detect the crime
	Identify characteristics of the crime/disease
Surveillance	Determine if there are similar cases anywhere else
	Contact tracing
	Determine vectors and modes of transmission
	Identify risk factors
	Identify the source or sources
Approach	Plan actions and obtain administrative approvals
Attack	Arrest or remove the source or intervene in transmission
Explore/Exploit	Determine if there are similar cases anywhere else
	Contact tracing
	Determine vectors and modes of transmission
	Identify risk factors
	Identify the source or sources

As shown by the EFP example, the first step when using an epidemiological framework to investigate organized crime or a terrorist network is to detect the crime. On its surface, this may seem like a simple matter, but detection of an organized crime or terrorist-involved incident is not always straightforward. Just as many deadly viruses initially present with flu-like symptoms, organized criminal undertakings can initially blend in with normal crime trends in an area. The Iranian Quds teams, suspects in the above EFP, example often use local crime networks that are already in place, which can initially mask their presence and make detection of the new, more dangerous element difficult (Dai 2018).

Public health systems seek to identify the presence of notifiable diseases as soon as possible through passive, active, and sentinel surveillance systems. Law enforcement has a similar mechanism when it puts out APBs on wanted criminals. These APBs, however, focus on individuals (sources or pathogens) that can be recognized most often by their appearance or distinctive features. Public health systems, however, look for characteristic symptoms that indicate the presence of the disease. In following the epidemiological framework, dissemination of information across law enforcement networks for the type of crime that is likely to be committed by the sought-after criminal may help increase efficacy in detection. Such tactics are used with sensitive substances, like the theft or purchase of large amounts of ammonium nitrates used to make fertilizers or large purchases of controlled prescription narcotics.

Such detection methods can also be used if an investigator has good knowledge of the methods or tactics used by the group he or she is investigating. There are currently limited systems in place to put out wide nets seeking a particular modus operandi, and so current law enforcement must go to increased efforts to share critical information with other law enforcement agencies or jurisdictions in what to be looking for.

There is an overall level of awareness across law enforcement networks about indicators of organized crime or terrorist activity. This can be likened to the passive surveillance that is in place with public health systems, where a healthcare provider reports a case of disease if they come across it. Active surveillance, however, involves the public health investigator actively seeking information, speaking to people, and investigating in an area where a disease presence is suspected. This is what most current law enforcement investigators must do to track down their suspects. Sentinel surveillance, on the other hand, involves priming particular locations and receiving more frequent reports regarding the sought-after disease. In areas where an infectious disease is expected to spread, public health agencies educate and train healthcare professionals in that region on how to recognize early symptoms of the disease and how to report it quickly. Such measures rapidly go into effect at the first hints of viral hemorrhagic fevers in several nations in sub-Saharan Africa, for instance.

Disseminating information across law enforcement networks on the nuances of particular methodologies used by criminal groups, in order for these organizations to be more alert for cases of these crimes, can potentially increase effectiveness in searching for a criminal or criminal group over circulating only pictures and descriptions of suspects. Taking the time to provide education or training on the specifics of what to look for in each case and standardizing how to report and who to report information to can lead to better and faster identification of the sought-after group.

This leads naturally into the surveillance/information-gathering steps of determining if there are any other cases anywhere else and contact tracing. Being able to connect geographically disparate cases allows for investigation of the contacts between these locations and how the translocation has occurred. Such investigation narrows down pools of suspects and leads to additional contacts and vectors. These two steps can also lead to the eventual discovery of the original source or leader of the network, keeping in mind that the etiology of crimes might differ in different locations (just as strains of a pathogen differ across regions and sources) due to their proximity to vectors in the chain of transmission. For instance, contact tracing may lead to discovery of money laundering crimes in conjunction with the financing vector, or it could lead to black market acquisition of illegal explosive materials in conjunction with resource vectors.

The majority of the investigatory activities takes place during the surveillance/information-gathering phase of the cycle, and can potentially lead to predictive analyses in future targets, attacks, recruitment, or activities of the organization (risk factors). These analyses can even have mathematical models, as in the Network- and Agent-Based Models of infectious disease epidemiology. In such models, information about the population, individual, and disease characteristics can be entered into the equation for predictive analysis (Nelson and Williams 2014). This has been applied to the human trafficking problem space in Gardner et al. (2017).

When investigative efforts yield sufficient results, plans for arrests or interventions can begin (the “Approach” phase). In epidemiology, this involves designing education, vaccination, and public health campaigns, but in law enforcement it involves breech plans, obtaining warrants for arrest and collection of evidence, cordon and search plans, or any number of approach tactics. These are then carried out in the “Attack” phase.

While the Attack phase is often the culmination of a tremendous amount of effort, the investigation does not stop there. Instead, the cycle proceeds on to the “Explore” phase where information gained from the attack, whether it is through interview of detainees, analysis of seized documents, or examination of forensic evidence, is explored for leads toward further investigative efforts, beginning the Attack Cycle and the epidemiological framework of investigation anew.

Overall, the discussion regarding applications of systems thinking and epidemiology in support of law enforcement operations certainly can be rooted in the social ecological model (SEM) (Fig. 4). As described in (Hayden 2019),

the basis of the SEM is recognition of the dynamic interplay among the various factors at different levels that affect behavior. Because of this interplay between and among the many levels of influence, changing one can have an impact on them all.

Fig. 4

Social ecological model

The SEM facilitates understanding regarding disease/criminal aetiology in terms of complexity causality and influence in addition to support in designing intervention strategies. For example, as described in Tsang and Masys (2018), the fentanyl crisis can be framed as a complex problem space that crosses the public health, national security, law enforcement and social services domains thereby aligning intervention strategies within the SEM.

6 Conclusion

As the basic science of public health, epidemiology is the study (scientific, systematic, data-driven) of the distribution (frequency, pattern) and determinants (causes, risk factors) of health-related states and events (not just diseases) in specified populations. Epidemiologists use a systematic approach to assess the What, Who, Where, When, Why, and How of these health states or events. The benefits of adapting and using the epidemiological lens and approach for investigations of organized crime and terrorist networks are described in Stares and Yacoubian (2007:6):

• First, epidemiologists observe rigorous standards of inquiry and analysis to understand the derivation, dynamics, and propagation of a specific disease. In particular, they seek clarity on the origins and geographical and social contours of an outbreak: where the disease is concentrated, how it is transmitted, who is most at risk or “susceptible” to infection, and why some portions of society may be less susceptible, or, for all intents and purposes, immune. Applying the same methodological approach to mapping and understanding [organized crime and terrorist networks] can yield immediately useful guidance on where and how to counter it.

• Second, epidemiologists recognize that diseases neither arise nor spread in a vacuum. They emerge and evolve as a result of a complex, dynamic, interactive process between people, pathogens, and the environment in which they live. Indeed, the epidemiologic concept of “cause” is rarely if ever singular or linear but is more akin to a “web” of direct and indirect factors that play a lesser or greater role in differing circumstances. To make sense of this complexity, epidemiologists typically employ a standard analytical device that “deconstructs” the key constituent elements of a disease. This model helps not only to understand the phenomenon in its entirety but also to anticipate how it might evolve in the future. The same systemic conception of disease can be adapted to understand the constituent elements of [complex police investigations].

• Third, just as epidemiologists view disease as a complex, multifaceted phenomenon, so public health officials have come to recognize that success in controlling and rolling back an epidemic typically results from a carefully orchestrated, systematic, prioritized, multipronged effort to address each of its constituent elements. At the same time, however, it is also recognized that significant progress or major advances can sometimes be precipitated by relatively minor interventions—or “tipping points.” Again, there are lessons and insights to be learned here for orchestrating a global counterterrorism campaign (Stares and Yacoubian 2007).

With these reasons in mind, an epidemiological framework can be instrumental in quantifying and conceptualizing the complex situations and relationships involved in organized crime and terrorist network investigations. When implemented successfully, it can ground intangible elements of an investigation, such as “hunches,” “intuition,” and “gut-feelings” in a legally-defensible, science-based investigatory methodology that assists in systematic exploration of these difficult-to-quantify concepts and connections in both investigation of events which have already transpired, and predictive analysis of future behaviors and outcomes.