Zohar Global Security

The UHNW Security Reading List

12 research papers every principal should know before choosing a protection firm

The difference between a serious security provider and an ad-hoc operator is institutional depth. The firms that protect you best are the ones that build their programs on research — not instinct, not tradition, not what worked twenty years ago. These twelve papers span four domains that define modern executive protection. They are the works we study, the standards we hold ourselves to, and the evidence base behind the programs we build. If your current provider cannot speak to the ideas in these pages, that tells you something.

Executive & Physical Protection

Executive protection is not bodyguarding. It is a discipline rooted in intelligence methodology, behavioral threat assessment, and operational design. A firm that treats protection as "putting a body next to a body" has not engaged with the research that defines the field. These three works establish the intellectual foundation for every serious protection program operating today.

Paper 01 1998

Protective Intelligence and Threat Assessment Investigations

Robert A. Fein & Bryan Vossekuil — U.S. Secret Service / National Institute of Justice

This is the study that changed executive protection from a reactive discipline to an intelligence-driven one. Fein and Vossekuil analyzed every known assassination and near-lethal attack on a prominent American figure and found that the people who attack public figures almost never make direct threats first. The warning signs are behavioral, not verbal. Any firm protecting you should be running a protective intelligence program — systematically monitoring behavioral indicators, not just screening threatening mail. If your provider cannot explain how they operationalize the "pathway to violence" model from this research, they are still working from an outdated threat paradigm.

83 subjects studied across 73 incidents targeting prominent figures
Fewer than 10% of attackers made a direct threat to the target before attacking
Read the full paper ↗
Paper 02 2023

Mass Attacks in Public Spaces: 2016–2020

National Threat Assessment Center — U.S. Secret Service

The Secret Service's NTAC analyzed 173 mass attacks over five years and found consistent pre-attack patterns: grievances that escalated visibly, communications that signaled intent, and behavioral changes that were observable to people around the attacker. For UHNW families, this report redefines what "venue security" means. Attending a charity gala, a graduation, or a public event without a team that understands pre-attack behavioral indicators is not security — it is presence. The report also underscores that attack planning timelines are shortening, which means your protection team's intelligence cycle must be faster than the threat's planning cycle.

173 incidents analyzed across a five-year period (2016–2020)
Nearly 75% of attackers exhibited concerning behaviors observable to others beforehand
Read the full paper ↗
Paper 03 2025

Executive Protection: An ASIS Standard (EP-2025)

ASIS International

ASIS EP-2025 is the global consensus standard for executive protection programs. It defines what a protection operation must include: threat assessment methodology, advance work protocols, protective intelligence integration, transportation security, and crisis response. When a firm claims to offer "executive protection," this is the document that defines what that phrase actually means. If a provider's program does not align with EP-2025, they are offering a proprietary interpretation of protection that may leave significant gaps. Ask your current provider whether their program is structured against this standard — and whether they can show you how.

Industry-wide standard defining executive protection program requirements globally
7 core domains from threat assessment to crisis response and program management
Read the full standard ↗

Outsourced Security Leadership

Most family offices and UHNW households need a Chief Security Officer but cannot justify — or do not want — a full-time executive hire. The outsourced CSO model solves this, but only if the person filling the role operates at an institutional standard. These three works define what that standard looks like: how a security function should be structured, what competencies the leader must have, and how the role must evolve as digital threats become inseparable from physical ones.

Paper 04 2008 / 2022

Chief Security Officer Organizational Standard & Security Supervision and Management Effectiveness Standard

ASIS International

These paired ASIS standards define how a security function should be organized and led. The CSO standard establishes the role's scope, reporting structure, and authority requirements. The SSE standard defines how security programs should measure their own effectiveness — not through incident counts alone, but through systematic performance evaluation. For a family office evaluating an outsourced CSO provider, these documents are the benchmark. A provider who places a "security director" without building the organizational infrastructure described here is giving you a person, not a program. The distinction matters when something goes wrong.

Enterprise-grade framework for structuring security leadership reporting and authority
Measurable effectiveness defined through systematic performance metrics, not incident counts
View ASIS standards ↗
Paper 05 2022

The State of Security Management

Mark Peterson & Dale Roberts — ASIS Foundation

This ASIS Foundation study surveyed security leaders globally to map the profession's current competencies, organizational models, and gaps. The findings are sobering: the field is bifurcating between leaders who are integrating cyber, intelligence, and enterprise risk into unified programs and those still operating in siloed physical-security models. For a principal hiring a CSO — outsourced or otherwise — this report provides the interview questions. Does the candidate understand convergence? Can they build a program that treats physical and digital risk as one surface? If they cannot speak to the findings in this study, they are a generation behind the profession.

Global survey of security leaders mapping competencies and organizational models
Convergence gap identified between integrated programs and legacy siloed models
Read the full report ↗
Paper 06 2024

Global Future of Cyber Survey, 4th Edition

Deloitte

Deloitte's fourth global cyber survey maps how organizations are restructuring their security leadership to address threats that no longer respect the boundary between "physical" and "digital." The report shows that the most mature organizations are converging their cyber and physical security functions under unified leadership — and that organizations that have not done this are measurably less prepared for the threat landscape they actually face. For a UHNW family office, the implication is direct: your outsourced CSO must be fluent in both domains. A protection leader who delegates "cyber" to an IT vendor is operating from a model that enterprise security abandoned years ago.

1,200+ executives surveyed across industries on cyber-physical convergence
Unified leadership correlates with measurably higher preparedness across all threat types
Read the full survey ↗

Cyber & Digital Threats to UHNW Individuals

The most dangerous threats to UHNW principals no longer arrive physically. They arrive through a phone that has been silently compromised, a family office email account that has been monitored for months, or a digital footprint that makes physical targeting trivially easy. These three works document the specific digital threats facing high-net-worth individuals — not generic enterprise cybersecurity, but the targeted, personal, and often state-grade attacks that your protection program must account for.

Paper 07 2018

Hide and Seek: Tracking NSO Group's Pegasus Spyware to 45 Countries

Bill Marczak et al. — Citizen Lab, University of Toronto

Citizen Lab's investigation revealed that Pegasus — a zero-click spyware tool originally marketed for counterterrorism — had been deployed by at least 36 operators across 45 countries, many of them targeting journalists, activists, and political figures. The implications for UHNW principals are concrete: nation-state-grade surveillance tools are commercially available and have been documented targeting private individuals. Your phone can be compromised without clicking anything. Your protection program must include mobile device security, communication protocol hardening, and continuous monitoring for indicators of compromise. A firm that treats "cyber" as antivirus software and a VPN has not engaged with the threat environment this research documents.

45 countries where Pegasus spyware operations were identified
36 distinct operators deploying state-grade surveillance against private targets
Read the full paper ↗
Paper 08 2025

Digital Executive Protection Report 2025

Ponemon Institute / BlackCloak

This report quantifies what security professionals have long suspected: executives and high-net-worth individuals are being targeted through their personal digital lives, not their corporate infrastructure. Personal email, family members' social media, home network vulnerabilities, and publicly available records are the primary attack vectors. The data shows that most organizations' security programs stop at the corporate perimeter and do not extend to the personal environments where executives are most vulnerable. For a UHNW principal, this report makes the case that digital executive protection — covering personal devices, home networks, family members' exposure, and online reputation — is not optional. It is a core requirement of any serious protection program.

Personal attack surface is the primary vector for targeting executives and UHNW individuals
Home networks and family identified as the most under-protected exposure points
Read the full report ↗
Paper 09 2024

Family Office Cybersecurity Report 2024

Deloitte Private

Deloitte Private's survey of family offices worldwide reveals a stark gap between perceived and actual cybersecurity readiness. Most family offices believe they are adequately protected; most are not. The report documents the specific vulnerabilities: insufficient access controls, lack of incident response planning, over-reliance on the family's primary bank for security guidance, and minimal testing of existing controls. For a principal evaluating their current security posture, this report is a checklist. If your family office has not conducted a formal cybersecurity assessment, has not tested its incident response plan, and does not have a dedicated point of contact for cyber incidents, you are operating with the same gaps this report identifies in the majority of family offices surveyed.

Majority of family offices overestimate their cybersecurity readiness
Incident response gaps found in most surveyed organizations despite perceived preparedness
Read the full report ↗

Travel & Aviation Security

UHNW principals travel constantly — across jurisdictions, across threat environments, and often into regions where their wealth, nationality, or profile creates specific risks. Travel is where protection programs are most tested and most likely to fail. These three works define the standards, threat data, and operational frameworks that a serious travel security program must be built on.

Paper 10 2021

ISO 31030:2021 — Travel Risk Management: Guidance for Organizations

International Organization for Standardization

ISO 31030 is the first international standard dedicated to travel risk management. It provides a systematic framework for identifying, assessing, and mitigating travel-related risks — before, during, and after every journey. The standard covers duty-of-care obligations, traveler risk profiling, destination assessments, and crisis response protocols. For UHNW families, ISO 31030 is the benchmark against which your travel security program should be evaluated. If your protection team cannot articulate how their travel protocols map to this standard — including pre-trip intelligence, in-transit monitoring, and post-arrival security — they are improvising rather than operating from a validated framework.

First global standard dedicated exclusively to travel risk management
End-to-end framework covering pre-trip assessment through post-arrival protocols
View the standard ↗
Paper 11 2025

Risk Outlook 2025

International SOS / Ipsos

International SOS's annual Risk Outlook synthesizes travel risk data from their global operations — covering medical, security, and geopolitical threats across every region. The 2025 edition documents the acceleration of several trends critical to UHNW travel planning: increasing civil unrest in previously stable destinations, the growing intersection of climate disruption and travel risk, and the rising frequency of targeted incidents against high-profile travelers. For principals who travel internationally, this report provides the current threat baseline. A protection firm that is not incorporating this level of real-time threat intelligence into its advance work and route planning is operating on outdated assumptions.

Global operations data across medical, security, and geopolitical risk domains
Accelerating disruptions in civil unrest, climate events, and targeted incidents against travelers
Read the full report ↗
Paper 12 2022

Kidnap for Ransom in 2022

Control Risks

Control Risks' kidnap report provides the most detailed publicly available analysis of kidnap-for-ransom trends, hotspots, and victim profiles. The data reveals that kidnap risk is not confined to the countries most people associate with it — incidents occur across Latin America, parts of Africa, Southeast Asia, and increasingly in regions experiencing political instability. For UHNW families, the report underscores that kidnap risk is directly correlated with visible wealth, predictable travel patterns, and inadequate advance intelligence. A protection firm managing travel for a high-profile principal must integrate kidnap risk assessment into every international itinerary — not as a theoretical exercise, but as a standing operational requirement with pre-staged response protocols.

Expanding geography of kidnap risk beyond traditional hotspots
Direct correlation between visible wealth, predictable patterns, and targeting probability
Read the full report ↗

How These Twelve Works Connect

Read individually, each of these papers addresses a specific domain of security. Read together, they describe a single, integrated discipline — one where physical protection is informed by behavioral intelligence, where security leadership requires fluency across both physical and digital domains, where digital threats create physical vulnerabilities, and where travel security demands the same rigor as fixed-site protection.

The firms that protect UHNW principals most effectively are the ones that have internalized these connections. They do not treat executive protection, cybersecurity, and travel security as separate service lines to be purchased independently. They build unified programs where intelligence flows between domains, where a concerning social media post triggers the same assessment process as a suspicious vehicle near a residence, and where a family office's network security is evaluated with the same standards as its physical access controls.

This reading list exists because we believe that informed principals make better decisions about their own protection. If this research raises questions about your current program, we welcome that conversation.