[COUNTRY / REGION] - Collection Map

OSINT-034 Kidnap & Ransom (K&R) Risk Assessment - collection workspace. Central topic = the assessed country or sub-national area and the client’s people at risk there. Branches = data-point categories for K&R threat-actor, vulnerability-domain, and ransom-environment collection. Drop each collected value as a child node; expand with source URL/date; paste raw tool output into Notes. → feeds deliverable OSINT-034.

00 · Collection Plan - PIRs & EEIs

The questions this collection must answer + the essential elements of information (EEI) for each. Tick as satisfied. → drives §3 Key Judgments, §4 PIRs, §13 Risk Register, §15 Key Findings, §20 Collection Gaps.

PIR-1 - Threat-actor landscape: who poses a K&R threat and how?

  • EEI: named groups / networks operating in the assessed area + affiliation (criminal / ideological / political / hybrid)
  • EEI: per-actor capability and geographic reach
  • EEI: targeting criteria (nationality, sector, profile, perceived wealth/profile)
  • EEI: TTPs - surveillance, approach, detention, communication, ransom demand, victim treatment
  • EEI: incident frequency and trend by actor type
  • EEI: likelihood of targeting the client’s specific exposure profile (1–5)

PIR-2 - Geographic & route risk: where does kidnap risk concentrate?

  • EEI: highest-risk sub-national areas, districts, cities, corridors
  • EEI: known ambush points, kidnap hot zones, areas of contested control / LE absence
  • EEI: temporal patterns (time-of-day, day-of-week, seasonal, event-triggered)
  • EEI: risk to client’s known or planned locations and movement corridors

PIR-3 - Residential & workplace vulnerability: how exposed are the client’s fixed locations?

  • EEI: physical security posture per location (perimeter, access control, surveillance detection, guard force)
  • EEI: neighbourhood crime/threat profile and proximity to threat-actor operating areas
  • EEI: predictable personnel routines and high-value-individual / family / dependant exposure
  • EEI: existing protective measures and assessed effectiveness

PIR-4 - Travel & movement vulnerability: how exposed are the client’s personnel in transit?

  • EEI: route risk per journey type (commute, inter-city, airport transfer, field visit)
  • EEI: transport mode and security (armoured vehicles, convoy, driver training)
  • EEI: journey predictability and pattern-of-life exposure
  • EEI: airport / transit-node vulnerability
  • EEI: existing travel-security protocols and their effectiveness

PIR-5 - Ransom, negotiation & payment environment

  • EEI: typical ransom-demand range and currency
  • EEI: payment methods and mechanisms (cash, cryptocurrency, facilitators)
  • EEI: negotiation dynamics and typical duration
  • EEI: victim-treatment profile (conditions, violence risk, release probability)
  • EEI: host-government stance on ransom payment and sanctions/legal payment risks

PIR-6 - Law enforcement & hostage-response capability

  • EEI: existence and capability of dedicated hostage-response or anti-kidnap unit
  • EEI: LE integrity / corruption risk and insider-threat / information-leakage risk
  • EEI: legal framework for ransom payment in country
  • EEI: resolution track record (successful rescue vs. negotiated release vs. deterioration)
  • EEI: risk of official involvement in or facilitation of kidnap

PIR-7 - Insurance & crisis-response readiness

  • EEI: client’s K&R insurance policy scope and limits
  • EEI: crisis-response / hostage-negotiation retainer status
  • EEI: internal incident-response plan and crisis-management team
  • EEI: travel-security tracking and personnel awareness / training
  • EEI: family / dependant support arrangements

PIR-8 - Trajectory & inflection: where is K&R risk heading?

  • EEI: structural drivers pushing risk up or down over the horizon
  • EEI: proximate / near-term events that could shift the rating
  • EEI: pivotal indicators / tripwires (per §16)
  • EEI: most likely trajectory, most dangerous trajectory, de-escalation path

Collection gaps / RFIs (running)

  • [open item - e.g., incident data gap for sub-region X] → route to [OSINT-031 / OSINT-036 / In-country HUMINT]
  • [open item]

01 · Principal / Protectee or Exposure Profile

Who the client has at risk in the assessed area - the lens through which impact (1–5) is scored throughout. → feeds §5 K&R Risk Framing & Methodology, Appendix A Client Exposure Profile.

Principals / high-value individuals

  • [principal - e.g., C-suite / HNW individual / public figure]
    • Name / role:
    • Nationality:
    • Time in area / travel frequency:
    • Profile visibility / perceived wealth:
    • Existing protective measures:
    • Confidence: [H/M/L]

Resident employees

  • [category - e.g., expatriate staff / local nationals in sensitive roles]
    • Headcount / locations:
    • Sector / employer visibility:
    • Dependants / family in-country:
    • Notes:

Travelling / project personnel

  • [category - e.g., periodic visitors / field teams / contractors]
    • Frequency and duration:
    • Locations visited:
    • Travel-security protocols in place:

Dependants & family

  • [family type / location]:
    • School / routine exposure:
    • Protective measures:

Client risk tolerance (context only)

  • Stated appetite: [Low / Moderate / High - record, do not use to adjust scores]
  • Engagement purpose:
  • Risk horizon: [6 / 12 / 24 months]

02 · Venue & Geography - Area Assessment

Spatial characterisation of the assessed country / region and its K&R risk landscape. → feeds §2 Executive Summary & Scope, §5 Methodology (geographic bounds), §7 Geographic & Route Risk.

Country / region overview

  • Geographic / administrative bounds defined:
  • Sub-national areas in scope:
  • Population density / urbanisation relevant to K&R:
  • Terrain and OCOKA factors:

Kidnap hot zones

Clone block per zone. → feeds §7 Geographic & Route Risk.

  • [zone - e.g., state / province / city / district]
    • Incident density:
    • Primary threat-actor type(s) active:
    • Risk factors (contested control, LE absence, terrain):
    • Likelihood score (1–5):
    • Trend (↑/→/↓):
    • Source grade (A–F / 1–6):
    • Notes / dataset: ← ACLED, INSO, OSAC, Control Risks, Global Incident Map
  • [zone 2]

Areas of low / tolerable risk

  • [zone]:
    • Basis:

Seasonal / temporal patterns

  • Peak kidnap period / event triggers:
  • Time-of-day patterns:
  • Source:

03 · Routes & Movement

Route-by-route vulnerability for the client’s known or anticipated movements. Each route is a clonable block. → feeds §7 Geographic & Route Risk, §9 Travel & Movement Vulnerability.

Route blocks

Clone per journey type. Assess inherent, credit existing mitigations, score residual.

  • [route / journey - e.g., Airport ↔ Residence, City A ↔ City B field visit]
    • Distance / duration:
    • Transport mode & security (armoured, convoy, driver training):
    • Kidnap incident density on route:
    • Ambush points / choke points:
    • Predictability / pattern-of-life exposure:
    • Transit-node risk (airport, border, checkpoint):
    • Inherent vulnerability (L×I):
    • Existing mitigation:
    • Residual vulnerability:
    • Trend: [↑/→/↓]
    • Confidence: [H/M/L]
    • Source grade:
    • Notes / tool output: ← Google Maps satellite / OSM / ACLED spatial filters / local press
  • [route 2]

Airport & transit nodes

  • [airport / crossing / hub]
    • Kidnap / express-kidnap / scam risk at node:
    • LE presence and quality:
    • Safe pick-up / drop-off protocols:

04 · Threat Actors & Persons of Interest

The centre of gravity of the K&R product. Each threat-actor category is a clonable block; expand with named groups where identified. → feeds §6 Threat-Actor Landscape, Appendix G Threat-Actor Profiles.

Threat-actor blocks

Clone per category / named group.

  • [threat-actor category - e.g., Criminally motivated kidnap gang / Jihadist / Rebel / Insider / Opportunist / Express-kidnap network]
    • Named group / network:
    • Affiliation (criminal / ideological / political / hybrid):
    • Capability & geographic reach:
    • Targeting criteria (nationality / sector / profile / wealth):
    • TTPs - surveillance approach:
    • TTPs - method of approach / abduction:
    • TTPs - detention conditions:
    • TTPs - communication and ransom demand:
    • TTPs - victim treatment and release:
    • Incident frequency and trend:
    • Likelihood of targeting client profile (1–5):
    • Trend: [↑/→/↓]
    • Confidence: [H/M/L]
    • Source grade:
    • Notes / tool output: ← ACLED, UNODC, OSAC, academic conflict databases, Control Risks, INSO
  • [threat-actor category 2]

Named persons of interest (if applicable)

Clone per individual. Handle with care - personal data / legal handling required.

  • [individual - e.g., known kidnap facilitator / scout / financier]
    • Role / affiliation:
    • Known activities:
    • Open-source basis:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← public court records / sanctions lists / investigative journalism

Sanctioned / designated entities

  • OFAC SDN check: [Clear / Hit / Near-match]
  • EU / UK / UN sanctions:
  • INTERPOL notices (public):

05 · Threat Landscape - Incidents, History & Chatter

The empirical kidnap incident record and observable threat signals in the assessed area. → feeds §6 Threat-Actor Landscape (incident frequency), §7 Geographic & Route Risk (spatial patterns), §14 Overall K&R Risk Rating & Trajectory, Appendix H Incident Chronology.

Incident dataset

Clone per data source / incident log used.

  • [dataset - e.g., ACLED / OSAC / INSO / Control Risks / media scrape]
    • Coverage period:
    • Geographic scope:
    • Total incidents (kidnap / ransom / extortion):
    • Trend vs. prior period: [↑/→/↓]
    • Primary actor types in dataset:
    • Under-reporting caveat:
    • Source grade (A–F / 1–6):
    • Notes:

Selected significant incidents

Clone per incident. Build Appendix H from these blocks.

  • [incident - e.g., date + location + victim profile + actor + outcome]
    • Date:
    • Location:
    • Victim profile (nationality / sector):
    • Threat actor:
    • Method (TTP):
    • Ransom demanded / paid:
    • Outcome (released / rescued / killed / pending):
    • Source grade:
    • Notes:

Online chatter / surface-web threat signals

→ feeds §6 Threat-Actor Landscape (threat signals, targeting intelligence) and §16 K&R Risk-Escalation & Early-Warning Indicators (chatter as tripwires).

  • [platform / forum / channel - e.g., local criminal forums / social media / Telegram channels]
    • Signal observed:
    • Date:
    • Reliability:
    • Notes / tool output: ← Google Alerts / media monitors / OSINT social search

06 · Vulnerabilities & Attack Surface

Client-side vulnerabilities across residential/workplace and travel domains - the inputs to §8 and §9 scoring. → feeds §8 Residential & Workplace Vulnerability, §9 Travel & Movement Vulnerability, §13 Consolidated Risk Register.

Residential & workplace locations

Clone per location.

  • [location - e.g., Residence / HQ / Project Office / Compound]
    • Type (Residence / Office / Compound / Shared-space):
    • Physical security posture (perimeter, access control, CCTV, guard force):
    • Neighbourhood crime / threat profile:
    • Proximity to known threat-actor operating areas:
    • LE response time / coverage:
    • Personnel visibility / predictable routine at this location:
    • High-value-individual / family / dependant exposure:
    • Inherent vulnerability (L×I):
    • Existing mitigation:
    • Residual vulnerability:
    • Trend: [↑/→/↓]
    • Confidence: [H/M/L]
    • Source grade:
    • Notes / tool output: ← satellite imagery / OSM / local press / client security audit
  • [location 2]

Predictability / pattern-of-life exposure

  • Daily routine disclosure (social media / public schedule):
    • Source:
    • Exposure level: [High / Medium / Low]
  • Personnel-tracking capability in place: [Yes / No / Partial]
  • Route variability protocols: [Yes / No / Partial]

Personnel awareness & training

  • Anti-surveillance / hostile-environment awareness training: [Completed / Partial / None]
  • Date of last training:
  • Crisis-communication protocol: [Exists / Partial / None]

07 · Local Environment - Security, Medical & Infrastructure

Host-country security apparatus, medical-response capability, and infrastructure that affects K&R outcomes. → feeds §11 Law Enforcement & Hostage-Response Capability, §12 Insurance & Crisis-Response Readiness.

Law enforcement & hostage-response capability

  • Dedicated hostage-response / anti-kidnap unit: [Exists / Limited / None]
    • Unit name / capability assessment:
    • Track record (rescue vs. negotiated release vs. deterioration):
    • Source grade:
  • LE integrity / corruption risk:
    • Insider-threat / information-leakage risk:
  • Legal framework for ransom payment (host country):
    • Anti-ransom statute: [Yes / No / Unclear]
    • Sanctions / designation risk for payment:
  • Risk of official involvement in / facilitation of kidnap:
    • Source grade:

Embassy / consular support

  • Embassy / consulate presence (client’s home country): [Yes / No]
    • Warden network / citizen-services capability:
    • Emergency-contact line:

Medical & emergency-response infrastructure

  • Hospital / trauma-care quality in area:
  • Evacuation / medevac capability:
  • Safe areas / safe houses registered:

Telecommunications & tracking infrastructure

  • Mobile network coverage on key routes:
  • Satellite / comms backup available:
  • Personnel tracking / check-in system in place:

08 · Digital & Social Signals

Open-source digital exposure that could enable threat-actor surveillance or targeting of the client’s personnel. → feeds §6 Threat-Actor Landscape (targeting intelligence available to actors), §9 Travel & Movement Vulnerability (pattern-of-life exposure).

Personnel social media exposure

Clone per individual or role category.

  • [person / category - e.g., senior executive / security lead / travelling staff]
    • Platforms active on (public):
    • Location disclosure / geo-tagged posts: [High / Medium / Low]
    • Schedule / travel disclosure: [High / Medium / Low]
    • Profile visibility (photos / employer / role):
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← manual SOCMINT / LinkedIn / X / Instagram / Google dork
  • [person 2]

Client / employer digital footprint

  • Company website personnel listings:
    • Names / roles / photos publicly listed:
  • LinkedIn / professional profiles for key staff:
    • Location signals:
  • Press mentions naming client personnel:

Threat-actor use of digital channels for targeting

  • Evidence of threat actors using SOCMINT to pre-select victims:
    • Source / incident reference:

09 · Indicators & Warnings

Specific, observable early-warning indicators tied to threat-actor or vulnerability domains - the tripwires that would signal a score change or new K&R threat. → feeds §16 K&R Risk-Escalation & Early-Warning Indicators, Appendix D Early-Warning Matrix; downstream feeds OSINT-036 Continuous Country Risk Monitoring and OSINT-040 I&W Program.

Indicator blocks

Clone per indicator. Each indicator maps to a domain section and a score-change signal.

  • [indicator - e.g., emergence of a new kidnap group targeting foreign nationals]
    • Threat-actor / domain (§):
    • Score-change signalled (e.g., domain residual 12→16):
    • Severity: [Critical / High / Medium / Low]
    • Current status: [Not present / Emerging / Present]
    • Monitoring method / source:
    • Disposition: [Watch / Notify client / Re-score / Route to OSINT-031 / OSINT-036]
    • Notes: ← ACLED alerts / OSAC advisories / in-country network / media monitors
  • [indicator 2]
  • [indicator 3]

Watch-source subscriptions

  • [source - e.g., OSAC Country Reports / INSO / Control Risks AlertMap / FCO / State Dept]
    • Cadence:
    • Coverage area:
    • Notes:

99 · Collection Admin

Working register - not a deliverable section, but the audit trail and gap log behind it.

Source register

Every material datum traceable to a graded source. Use Admiralty two-axis code (A–F reliability / 1–6 credibility).

  • [S-1 - source name / type]
    • Type: [Primary / Secondary / Tertiary]
    • Reliability (A–F):
    • Credibility (1–6):
    • Combined grade (e.g., B2):
    • Date accessed:
    • Coverage scope:
    • Limitations / self-interest caveat:
  • [S-2]
  • [S-3]

Evidence archive

  • [capture ref - e.g., OSINT-034-EVD-001 + hash + URL + timestamp]:
  • [capture ref 2]:

Open gaps / verification pending

  • [gap - domain, impact on score, recommended collection] → [escalation route e.g., OSINT-031 / OSINT-036 / in-country HUMINT]
  • [gap 2]

Running RFIs

  • [RFI - question + who owns it + due date]
  • [RFI 2]

Product linkage notes