[COUNTRY / REGION] - Collection Map
OSINT-034 Kidnap & Ransom (K&R) Risk Assessment - collection workspace. Central topic = the assessed country or sub-national area and the client’s people at risk there. Branches = data-point categories for K&R threat-actor, vulnerability-domain, and ransom-environment collection. Drop each collected value as a child node; expand with source URL/date; paste raw tool output into Notes. → feeds deliverable OSINT-034.
00 · Collection Plan - PIRs & EEIs
The questions this collection must answer + the essential elements of information (EEI) for each. Tick as satisfied. → drives §3 Key Judgments, §4 PIRs, §13 Risk Register, §15 Key Findings, §20 Collection Gaps.
PIR-1 - Threat-actor landscape: who poses a K&R threat and how?
- EEI: named groups / networks operating in the assessed area + affiliation (criminal / ideological / political / hybrid)
- EEI: per-actor capability and geographic reach
- EEI: targeting criteria (nationality, sector, profile, perceived wealth/profile)
- EEI: TTPs - surveillance, approach, detention, communication, ransom demand, victim treatment
- EEI: incident frequency and trend by actor type
- EEI: likelihood of targeting the client’s specific exposure profile (1–5)
PIR-2 - Geographic & route risk: where does kidnap risk concentrate?
- EEI: highest-risk sub-national areas, districts, cities, corridors
- EEI: known ambush points, kidnap hot zones, areas of contested control / LE absence
- EEI: temporal patterns (time-of-day, day-of-week, seasonal, event-triggered)
- EEI: risk to client’s known or planned locations and movement corridors
PIR-3 - Residential & workplace vulnerability: how exposed are the client’s fixed locations?
- EEI: physical security posture per location (perimeter, access control, surveillance detection, guard force)
- EEI: neighbourhood crime/threat profile and proximity to threat-actor operating areas
- EEI: predictable personnel routines and high-value-individual / family / dependant exposure
- EEI: existing protective measures and assessed effectiveness
PIR-4 - Travel & movement vulnerability: how exposed are the client’s personnel in transit?
- EEI: route risk per journey type (commute, inter-city, airport transfer, field visit)
- EEI: transport mode and security (armoured vehicles, convoy, driver training)
- EEI: journey predictability and pattern-of-life exposure
- EEI: airport / transit-node vulnerability
- EEI: existing travel-security protocols and their effectiveness
PIR-5 - Ransom, negotiation & payment environment
- EEI: typical ransom-demand range and currency
- EEI: payment methods and mechanisms (cash, cryptocurrency, facilitators)
- EEI: negotiation dynamics and typical duration
- EEI: victim-treatment profile (conditions, violence risk, release probability)
- EEI: host-government stance on ransom payment and sanctions/legal payment risks
PIR-6 - Law enforcement & hostage-response capability
- EEI: existence and capability of dedicated hostage-response or anti-kidnap unit
- EEI: LE integrity / corruption risk and insider-threat / information-leakage risk
- EEI: legal framework for ransom payment in country
- EEI: resolution track record (successful rescue vs. negotiated release vs. deterioration)
- EEI: risk of official involvement in or facilitation of kidnap
PIR-7 - Insurance & crisis-response readiness
- EEI: client’s K&R insurance policy scope and limits
- EEI: crisis-response / hostage-negotiation retainer status
- EEI: internal incident-response plan and crisis-management team
- EEI: travel-security tracking and personnel awareness / training
- EEI: family / dependant support arrangements
PIR-8 - Trajectory & inflection: where is K&R risk heading?
- EEI: structural drivers pushing risk up or down over the horizon
- EEI: proximate / near-term events that could shift the rating
- EEI: pivotal indicators / tripwires (per §16)
- EEI: most likely trajectory, most dangerous trajectory, de-escalation path
Collection gaps / RFIs (running)
- [open item - e.g., incident data gap for sub-region X] → route to [OSINT-031 / OSINT-036 / In-country HUMINT]
- [open item]
01 · Principal / Protectee or Exposure Profile
Who the client has at risk in the assessed area - the lens through which impact (1–5) is scored throughout. → feeds §5 K&R Risk Framing & Methodology, Appendix A Client Exposure Profile.
Principals / high-value individuals
- [principal - e.g., C-suite / HNW individual / public figure]
- Name / role:
- Nationality:
- Time in area / travel frequency:
- Profile visibility / perceived wealth:
- Existing protective measures:
- Confidence: [H/M/L]
Resident employees
- [category - e.g., expatriate staff / local nationals in sensitive roles]
- Headcount / locations:
- Sector / employer visibility:
- Dependants / family in-country:
- Notes:
Travelling / project personnel
- [category - e.g., periodic visitors / field teams / contractors]
- Frequency and duration:
- Locations visited:
- Travel-security protocols in place:
Dependants & family
- [family type / location]:
- School / routine exposure:
- Protective measures:
Client risk tolerance (context only)
- Stated appetite: [Low / Moderate / High - record, do not use to adjust scores]
- Engagement purpose:
- Risk horizon: [6 / 12 / 24 months]
02 · Venue & Geography - Area Assessment
Spatial characterisation of the assessed country / region and its K&R risk landscape. → feeds §2 Executive Summary & Scope, §5 Methodology (geographic bounds), §7 Geographic & Route Risk.
Country / region overview
- Geographic / administrative bounds defined:
- Sub-national areas in scope:
- Population density / urbanisation relevant to K&R:
- Terrain and OCOKA factors:
Kidnap hot zones
Clone block per zone. → feeds §7 Geographic & Route Risk.
- [zone - e.g., state / province / city / district]
- Incident density:
- Primary threat-actor type(s) active:
- Risk factors (contested control, LE absence, terrain):
- Likelihood score (1–5):
- Trend (↑/→/↓):
- Source grade (A–F / 1–6):
- Notes / dataset: ← ACLED, INSO, OSAC, Control Risks, Global Incident Map
- [zone 2]
Areas of low / tolerable risk
- [zone]:
- Basis:
Seasonal / temporal patterns
- Peak kidnap period / event triggers:
- Time-of-day patterns:
- Source:
03 · Routes & Movement
Route-by-route vulnerability for the client’s known or anticipated movements. Each route is a clonable block. → feeds §7 Geographic & Route Risk, §9 Travel & Movement Vulnerability.
Route blocks
Clone per journey type. Assess inherent, credit existing mitigations, score residual.
- [route / journey - e.g., Airport ↔ Residence, City A ↔ City B field visit]
- Distance / duration:
- Transport mode & security (armoured, convoy, driver training):
- Kidnap incident density on route:
- Ambush points / choke points:
- Predictability / pattern-of-life exposure:
- Transit-node risk (airport, border, checkpoint):
- Inherent vulnerability (L×I):
- Existing mitigation:
- Residual vulnerability:
- Trend: [↑/→/↓]
- Confidence: [H/M/L]
- Source grade:
- Notes / tool output: ← Google Maps satellite / OSM / ACLED spatial filters / local press
- [route 2]
Airport & transit nodes
- [airport / crossing / hub]
- Kidnap / express-kidnap / scam risk at node:
- LE presence and quality:
- Safe pick-up / drop-off protocols:
04 · Threat Actors & Persons of Interest
The centre of gravity of the K&R product. Each threat-actor category is a clonable block; expand with named groups where identified. → feeds §6 Threat-Actor Landscape, Appendix G Threat-Actor Profiles.
Threat-actor blocks
Clone per category / named group.
- [threat-actor category - e.g., Criminally motivated kidnap gang / Jihadist / Rebel / Insider / Opportunist / Express-kidnap network]
- Named group / network:
- Affiliation (criminal / ideological / political / hybrid):
- Capability & geographic reach:
- Targeting criteria (nationality / sector / profile / wealth):
- TTPs - surveillance approach:
- TTPs - method of approach / abduction:
- TTPs - detention conditions:
- TTPs - communication and ransom demand:
- TTPs - victim treatment and release:
- Incident frequency and trend:
- Likelihood of targeting client profile (1–5):
- Trend: [↑/→/↓]
- Confidence: [H/M/L]
- Source grade:
- Notes / tool output: ← ACLED, UNODC, OSAC, academic conflict databases, Control Risks, INSO
- [threat-actor category 2]
Named persons of interest (if applicable)
Clone per individual. Handle with care - personal data / legal handling required.
- [individual - e.g., known kidnap facilitator / scout / financier]
- Role / affiliation:
- Known activities:
- Open-source basis:
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← public court records / sanctions lists / investigative journalism
Sanctioned / designated entities
- OFAC SDN check: [Clear / Hit / Near-match]
- EU / UK / UN sanctions:
- INTERPOL notices (public):
05 · Threat Landscape - Incidents, History & Chatter
The empirical kidnap incident record and observable threat signals in the assessed area. → feeds §6 Threat-Actor Landscape (incident frequency), §7 Geographic & Route Risk (spatial patterns), §14 Overall K&R Risk Rating & Trajectory, Appendix H Incident Chronology.
Incident dataset
Clone per data source / incident log used.
- [dataset - e.g., ACLED / OSAC / INSO / Control Risks / media scrape]
- Coverage period:
- Geographic scope:
- Total incidents (kidnap / ransom / extortion):
- Trend vs. prior period: [↑/→/↓]
- Primary actor types in dataset:
- Under-reporting caveat:
- Source grade (A–F / 1–6):
- Notes:
Selected significant incidents
Clone per incident. Build Appendix H from these blocks.
- [incident - e.g., date + location + victim profile + actor + outcome]
- Date:
- Location:
- Victim profile (nationality / sector):
- Threat actor:
- Method (TTP):
- Ransom demanded / paid:
- Outcome (released / rescued / killed / pending):
- Source grade:
- Notes:
Online chatter / surface-web threat signals
→ feeds §6 Threat-Actor Landscape (threat signals, targeting intelligence) and §16 K&R Risk-Escalation & Early-Warning Indicators (chatter as tripwires).
- [platform / forum / channel - e.g., local criminal forums / social media / Telegram channels]
- Signal observed:
- Date:
- Reliability:
- Notes / tool output: ← Google Alerts / media monitors / OSINT social search
06 · Vulnerabilities & Attack Surface
Client-side vulnerabilities across residential/workplace and travel domains - the inputs to §8 and §9 scoring. → feeds §8 Residential & Workplace Vulnerability, §9 Travel & Movement Vulnerability, §13 Consolidated Risk Register.
Residential & workplace locations
Clone per location.
- [location - e.g., Residence / HQ / Project Office / Compound]
- Type (Residence / Office / Compound / Shared-space):
- Physical security posture (perimeter, access control, CCTV, guard force):
- Neighbourhood crime / threat profile:
- Proximity to known threat-actor operating areas:
- LE response time / coverage:
- Personnel visibility / predictable routine at this location:
- High-value-individual / family / dependant exposure:
- Inherent vulnerability (L×I):
- Existing mitigation:
- Residual vulnerability:
- Trend: [↑/→/↓]
- Confidence: [H/M/L]
- Source grade:
- Notes / tool output: ← satellite imagery / OSM / local press / client security audit
- [location 2]
Predictability / pattern-of-life exposure
- Daily routine disclosure (social media / public schedule):
- Source:
- Exposure level: [High / Medium / Low]
- Personnel-tracking capability in place: [Yes / No / Partial]
- Route variability protocols: [Yes / No / Partial]
Personnel awareness & training
- Anti-surveillance / hostile-environment awareness training: [Completed / Partial / None]
- Date of last training:
- Crisis-communication protocol: [Exists / Partial / None]
07 · Local Environment - Security, Medical & Infrastructure
Host-country security apparatus, medical-response capability, and infrastructure that affects K&R outcomes. → feeds §11 Law Enforcement & Hostage-Response Capability, §12 Insurance & Crisis-Response Readiness.
Law enforcement & hostage-response capability
- Dedicated hostage-response / anti-kidnap unit: [Exists / Limited / None]
- Unit name / capability assessment:
- Track record (rescue vs. negotiated release vs. deterioration):
- Source grade:
- LE integrity / corruption risk:
- Insider-threat / information-leakage risk:
- Legal framework for ransom payment (host country):
- Anti-ransom statute: [Yes / No / Unclear]
- Sanctions / designation risk for payment:
- Risk of official involvement in / facilitation of kidnap:
- Source grade:
Embassy / consular support
- Embassy / consulate presence (client’s home country): [Yes / No]
- Warden network / citizen-services capability:
- Emergency-contact line:
Medical & emergency-response infrastructure
- Hospital / trauma-care quality in area:
- Evacuation / medevac capability:
- Safe areas / safe houses registered:
Telecommunications & tracking infrastructure
- Mobile network coverage on key routes:
- Satellite / comms backup available:
- Personnel tracking / check-in system in place:
08 · Digital & Social Signals
Open-source digital exposure that could enable threat-actor surveillance or targeting of the client’s personnel. → feeds §6 Threat-Actor Landscape (targeting intelligence available to actors), §9 Travel & Movement Vulnerability (pattern-of-life exposure).
Personnel social media exposure
Clone per individual or role category.
- [person / category - e.g., senior executive / security lead / travelling staff]
- Platforms active on (public):
- Location disclosure / geo-tagged posts: [High / Medium / Low]
- Schedule / travel disclosure: [High / Medium / Low]
- Profile visibility (photos / employer / role):
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← manual SOCMINT / LinkedIn / X / Instagram / Google dork
- [person 2]
Client / employer digital footprint
- Company website personnel listings:
- Names / roles / photos publicly listed:
- LinkedIn / professional profiles for key staff:
- Location signals:
- Press mentions naming client personnel:
Threat-actor use of digital channels for targeting
- Evidence of threat actors using SOCMINT to pre-select victims:
- Source / incident reference:
09 · Indicators & Warnings
Specific, observable early-warning indicators tied to threat-actor or vulnerability domains - the tripwires that would signal a score change or new K&R threat. → feeds §16 K&R Risk-Escalation & Early-Warning Indicators, Appendix D Early-Warning Matrix; downstream feeds OSINT-036 Continuous Country Risk Monitoring and OSINT-040 I&W Program.
Indicator blocks
Clone per indicator. Each indicator maps to a domain section and a score-change signal.
- [indicator - e.g., emergence of a new kidnap group targeting foreign nationals]
- Threat-actor / domain (§):
- Score-change signalled (e.g., domain residual 12→16):
- Severity: [Critical / High / Medium / Low]
- Current status: [Not present / Emerging / Present]
- Monitoring method / source:
- Disposition: [Watch / Notify client / Re-score / Route to OSINT-031 / OSINT-036]
- Notes: ← ACLED alerts / OSAC advisories / in-country network / media monitors
- [indicator 2]
- [indicator 3]
Watch-source subscriptions
- [source - e.g., OSAC Country Reports / INSO / Control Risks AlertMap / FCO / State Dept]
- Cadence:
- Coverage area:
- Notes:
99 · Collection Admin
Working register - not a deliverable section, but the audit trail and gap log behind it.
Source register
Every material datum traceable to a graded source. Use Admiralty two-axis code (A–F reliability / 1–6 credibility).
- [S-1 - source name / type]
- Type: [Primary / Secondary / Tertiary]
- Reliability (A–F):
- Credibility (1–6):
- Combined grade (e.g., B2):
- Date accessed:
- Coverage scope:
- Limitations / self-interest caveat:
- [S-2]
- [S-3]
Evidence archive
- [capture ref - e.g., OSINT-034-EVD-001 + hash + URL + timestamp]:
- [capture ref 2]:
Open gaps / verification pending
- [gap - domain, impact on score, recommended collection] → [escalation route e.g., OSINT-031 / OSINT-036 / in-country HUMINT]
- [gap 2]
Running RFIs
- [RFI - question + who owns it + due date]
- [RFI 2]
Product linkage notes
- Consumes baseline from: OSINT-026-country-regional-study or OSINT-031-country-risk-assessment
- Feeds / referenced by: OSINT-036-continuous-country-risk-monitoring, OSINT-040-indicators-and-warning-iandw-program
- Related siblings: OSINT-032-operational-country-entry-risk-assessment, OSINT-033-investment-market-entry-risk-assessment, OSINT-035-supply-chain-and-logistics-risk-assessment, OSINT-042-pre-travel-threat-assessment, OSINT-043-residential-vulnerability-and-threat-assessment, OSINT-046-event-threat-and-risk-assessment