The UHNW Security Reading List
12 research papers every principal should know before choosing a protection firm
The difference between a serious security provider and an ad-hoc operator is institutional depth. The firms that protect you best are the ones that build their programs on research — not instinct, not tradition, not what worked twenty years ago. These twelve papers span four domains that define modern executive protection. They are the works we study, the standards we hold ourselves to, and the evidence base behind the programs we build. If your current provider cannot speak to the ideas in these pages, that tells you something.
01
Executive & Physical Protection
Executive protection is not bodyguarding. It is a discipline rooted in intelligence methodology, behavioral threat assessment, and operational design. A firm that treats protection as “putting a body next to a body” has not engaged with the research that defines the field. These three works establish the intellectual foundation for every serious protection program operating today.
Paper 01
Protective Intelligence and Threat Assessment Investigations
Robert A. Fein & Bryan Vossekuil — U.S. Secret Service / National Institute of Justice
This is the study that changed executive protection from a reactive discipline to an intelligence-driven one. Fein and Vossekuil analyzed every known assassination and near-lethal attack on a prominent American figure and found that the people who attack public figures almost never make direct threats first. The warning signs are behavioral, not verbal. Any firm protecting you should be running a protective intelligence program — systematically monitoring behavioral indicators, not just screening threatening mail. If your provider cannot explain how they operationalize the “pathway to violence” model from this research, they are still working from an outdated threat paradigm.
83 subjects
studied across 73 incidents targeting prominent figures
Fewer than 10%
of attackers made a direct threat to the target before attacking
Paper 02
Mass Attacks in Public Spaces: 2016–2020
National Threat Assessment Center — U.S. Secret Service
The Secret Service’s NTAC analyzed 173 mass attacks over five years and found consistent pre-attack patterns: grievances that escalated visibly, communications that signaled intent, and behavioral changes that were observable to people around the attacker. For UHNW families, this report redefines what “venue security” means. Attending a charity gala, a graduation, or a public event without a team that understands pre-attack behavioral indicators is not security — it is presence. The report also underscores that attack planning timelines are shortening, which means your protection team’s intelligence cycle must be faster than the threat’s planning cycle.
173 incidents
analyzed across a five-year period (2016–2020)
Nearly 75%
of attackers exhibited concerning behaviors observable to others beforehand
Paper 03
Executive Protection: An ASIS Standard (EP-2025)
ASIS International
ASIS EP-2025 is the global consensus standard for executive protection programs. It defines what a protection operation must include: threat assessment methodology, advance work protocols, protective intelligence integration, transportation security, and crisis response. When a firm claims to offer “executive protection,” this is the document that defines what that phrase actually means. If a provider’s program does not align with EP-2025, they are offering a proprietary interpretation of protection that may leave significant gaps. Ask your current provider whether their program is structured against this standard — and whether they can show you how.
Industry-wide standard
defining executive protection program requirements globally
7 core domains
from threat assessment to crisis response and program management
02
Outsourced Security Leadership
Most family offices and UHNW households need a Chief Security Officer but cannot justify — or do not want — a full-time executive hire. The outsourced CSO model solves this, but only if the person filling the role operates at an institutional standard. These three works define what that standard looks like: how a security function should be structured, what competencies the leader must have, and how the role must evolve as digital threats become inseparable from physical ones.
Paper 04
Chief Security Officer Organizational Standard & Security Supervision and Management Effectiveness Standard
ASIS International
These paired ASIS standards define how a security function should be organized and led. The CSO standard establishes the role’s scope, reporting structure, and authority requirements. The SSE standard defines how security programs should measure their own effectiveness — not through incident counts alone, but through systematic performance evaluation. For a family office evaluating an outsourced CSO provider, these documents are the benchmark. A provider who places a “security director” without building the organizational infrastructure described here is giving you a person, not a program. The distinction matters when something goes wrong.
Enterprise-grade framework
for structuring security leadership reporting and authority
Measurable effectiveness
defined through systematic performance metrics, not incident counts
Paper 05
The State of Security Management
Mark Peterson & Dale Roberts — ASIS Foundation
This ASIS Foundation study surveyed security leaders globally to map the profession’s current competencies, organizational models, and gaps. The findings are sobering: the field is bifurcating between leaders who are integrating cyber, intelligence, and enterprise risk into unified programs and those still operating in siloed physical-security models. For a principal hiring a CSO — outsourced or otherwise — this report provides the interview questions. Does the candidate understand convergence? Can they build a program that treats physical and digital risk as one surface? If they cannot speak to the findings in this study, they are a generation behind the profession.
Global survey
of security leaders mapping competencies and organizational models
Convergence gap
identified between integrated programs and legacy siloed models
Paper 06
Global Future of Cyber Survey, 4th Edition
Deloitte
Deloitte’s fourth global cyber survey maps how organizations are restructuring their security leadership to address threats that no longer respect the boundary between “physical” and “digital.” The report shows that the most mature organizations are converging their cyber and physical security functions under unified leadership — and that organizations that have not done this are measurably less prepared for the threat landscape they actually face. For a UHNW family office, the implication is direct: your outsourced CSO must be fluent in both domains. A protection leader who delegates “cyber” to an IT vendor is operating from a model that enterprise security abandoned years ago.
1,200+ executives
surveyed across industries on cyber-physical convergence
Unified leadership
correlates with measurably higher preparedness across all threat types
03
Cyber & Digital Threats to UHNW Individuals
The most dangerous threats to UHNW principals no longer arrive physically. They arrive through a phone that has been silently compromised, a family office email account that has been monitored for months, or a digital footprint that makes physical targeting trivially easy. These three works document the specific digital threats facing high-net-worth individuals — not generic enterprise cybersecurity, but the targeted, personal, and often state-grade attacks that your protection program must account for.
Paper 07
Hide and Seek: Tracking NSO Group's Pegasus Spyware to 45 Countries
Bill Marczak et al. — Citizen Lab, University of Toronto
Citizen Lab’s investigation revealed that Pegasus — a zero-click spyware tool originally marketed for counterterrorism — had been deployed by at least 36 operators across 45 countries, many of them targeting journalists, activists, and political figures. The implications for UHNW principals are concrete: nation-state-grade surveillance tools are commercially available and have been documented targeting private individuals. Your phone can be compromised without clicking anything. Your protection program must include mobile device security, communication protocol hardening, and continuous monitoring for indicators of compromise. A firm that treats “cyber” as antivirus software and a VPN has not engaged with the threat environment this research documents.
45 countries
where Pegasus spyware operations were identified
36 distinct operators
deploying state-grade surveillance against private targets
Paper 08
Digital Executive Protection Report 2025
Ponemon Institute / BlackCloak
This report quantifies what security professionals have long suspected: executives and high-net-worth individuals are being targeted through their personal digital lives, not their corporate infrastructure. Personal email, family members’ social media, home network vulnerabilities, and publicly available records are the primary attack vectors. The data shows that most organizations’ security programs stop at the corporate perimeter and do not extend to the personal environments where executives are most vulnerable. For a UHNW principal, this report makes the case that digital executive protection — covering personal devices, home networks, family members’ exposure, and online reputation — is not optional. It is a core requirement of any serious protection program.
Personal attack surface
is the primary vector for targeting executives and UHNW individuals
Home networks and family
identified as the most under-protected exposure points
Paper 09
Family Office Cybersecurity Report 2024
Deloitte Private
Deloitte Private’s survey of family offices worldwide reveals a stark gap between perceived and actual cybersecurity readiness. Most family offices believe they are adequately protected; most are not. The report documents the specific vulnerabilities: insufficient access controls, lack of incident response planning, over-reliance on the family’s primary bank for security guidance, and minimal testing of existing controls. For a principal evaluating their current security posture, this report is a checklist. If your family office has not conducted a formal cybersecurity assessment, has not tested its incident response plan, and does not have a dedicated point of contact for cyber incidents, you are operating with the same gaps this report identifies in the majority of family offices surveyed.
Majority of family offices
overestimate their cybersecurity readiness
Incident response gaps
found in most surveyed organizations despite perceived preparedness
04
Travel & Aviation Security
UHNW principals travel constantly — across jurisdictions, across threat environments, and often into regions where their wealth, nationality, or profile creates specific risks. Travel is where protection programs are most tested and most likely to fail. These three works define the standards, threat data, and operational frameworks that a serious travel security program must be built on.
Paper 10
ISO 31030:2021 — Travel Risk Management: Guidance for Organizations
International Organization for Standardization
ISO 31030 is the first international standard dedicated to travel risk management. It provides a systematic framework for identifying, assessing, and mitigating travel-related risks — before, during, and after every journey. The standard covers duty-of-care obligations, traveler risk profiling, destination assessments, and crisis response protocols. For UHNW families, ISO 31030 is the benchmark against which your travel security program should be evaluated. If your protection team cannot articulate how their travel protocols map to this standard — including pre-trip intelligence, in-transit monitoring, and post-arrival security — they are improvising rather than operating from a validated framework.
First global standard
dedicated exclusively to travel risk management
End-to-end framework
covering pre-trip assessment through post-arrival protocols
Paper 11
Risk Outlook 2025
International SOS / Ipsos
International SOS’s annual Risk Outlook synthesizes travel risk data from their global operations — covering medical, security, and geopolitical threats across every region. The 2025 edition documents the acceleration of several trends critical to UHNW travel planning: increasing civil unrest in previously stable destinations, the growing intersection of climate disruption and travel risk, and the rising frequency of targeted incidents against high-profile travelers. For principals who travel internationally, this report provides the current threat baseline. A protection firm that is not incorporating this level of real-time threat intelligence into its advance work and route planning is operating on outdated assumptions.
Global operations data
across medical, security, and geopolitical risk domains
Accelerating disruptions
in civil unrest, climate events, and targeted incidents against travelers
Paper 12
Kidnap for Ransom in 2022
Control Risks
Control Risks’ kidnap report provides the most detailed publicly available analysis of kidnap-for-ransom trends, hotspots, and victim profiles. The data reveals that kidnap risk is not confined to the countries most people associate with it — incidents occur across Latin America, parts of Africa, Southeast Asia, and increasingly in regions experiencing political instability. For UHNW families, the report underscores that kidnap risk is directly correlated with visible wealth, predictable travel patterns, and inadequate advance intelligence. A protection firm managing travel for a high-profile principal must integrate kidnap risk assessment into every international itinerary — not as a theoretical exercise, but as a standing operational requirement with pre-staged response protocols.
Expanding geography
of kidnap risk beyond traditional hotspots
Direct correlation
between visible wealth, predictable patterns, and targeting probability
How These Twelve Works Connect
Read individually, each of these papers addresses a specific domain of security. Read together, they describe a single, integrated discipline — one where physical protection is informed by behavioral intelligence, where security leadership requires fluency across both physical and digital domains, where digital threats create physical vulnerabilities, and where travel security demands the same rigor as fixed-site protection.
The firms that protect UHNW principals most effectively are the ones that have internalized these connections. They do not treat executive protection, cybersecurity, and travel security as separate service lines to be purchased independently. They build unified programs where intelligence flows between domains, where a concerning social media post triggers the same assessment process as a suspicious vehicle near a residence, and where a family office’s network security is evaluated with the same standards as its physical access controls.
This reading list exists because we believe that informed principals make better decisions about their own protection. If this research raises questions about your current program, we welcome that conversation.