Assessing Risk for Mass Violence From Platform Behaviors

01 / Introduction

Dr. Heather Leffew Obelus Institute May 2026

02 / Abstract

Abstract

The case for why user reports should be prioritized over automated detection. Perpetrators of mass violence are characterologically heterogeneous, the warning signs are contextual, and the on-platform signal is thin. A working note on the threat-assessment literature, the eight pre-attack warning behaviors, the six-stage path to intended violence, and where machine detection actually breaks.

01 / The Heterogeneity Problem

03 / Perpetrators do not fit a profile.

Perpetrators do not fit a profile.

Mass shootings in the United States rose roughly 250% from one decade to the next, with 57% of all recorded mass shootings in the past ten years (Office for Victims of Crime, 2018). The FBI logged 250 active shooter incidents between 2000 and 2017, producing 2,217 casualties not counting the perpetrators themselves (Silver, Simons, & Craun, 2018). The volume justifies the interest. The literature has not produced a profile.

Thompson and Kyle (2005) cast these offenders as low-self-esteem. Palermo (1997) reads them as psychopathic. Hempel and Richards (1999) and Virtanen (2013) read them as narcissistic. Bondu and Scheithauer (2015) and Wike and Fraser (2009) document characterological heterogeneity at a scale that defeats single-construct typologies. Lankford (2013) finds that the age and attack-location differences between rampage shooters, workplace shooters, school shooters, and suicide terrorists are mostly superficial. Ferguson, Coulson, and Barnett (2011) find youthful mass murderers resemble adult perpetrators more than they differ from them. Most perpetrators do not survive the event, so traditional post-event psychological assessment cannot be performed.

Seung-Hui Cho killed 32 people at Virginia Tech in 2007. Anders Breivik killed 77 across two locations in Norway in 2011. Both left manifestos. Cho's reads as raw, affective, personal injury: "Vandalizing my heart wasn't enough for you. Raping my soul wasn't enough for you." Breivik's runs more than 1,500 pages with chapter headings like "Modern Aftermath of the Crusades" and "US and European Nationalist Rhetorical Differences." Same outcome class. Almost no shared signature.

Implication for detection

Any classifier built on a single perpetrator template will miss most of the population it is supposed to flag. The heterogeneity is not a measurement error to be cleaned up. It is the data.

02 / Pre-Attack Window

04 / Attacks are planned, and the planning leaks.

Attacks are planned, and the planning leaks.

Popular framing treats mass violence as a sudden break, an unpredictable snap. Governmental and academic work has converged on the opposite reading. Most perpetrators display identifiable pre-attack behaviors that reflect intent (Fein, Vossekuil, & Holden, 1998; U.S. Secret Service, 2004). Silver, Simons, and Craun (2018) studied 63 active shooters and found that the majority spent a week or longer in planning and preparation. That is the operational window detection has to live in.

88%

Active shooters aged 17 and younger communicated intent

~33%

Perpetrators created communications claiming credit or articulating motive

≥ 7 days

Median planning-and-preparation window

Active shooters analyzed in the FBI pre-attack study

The same study and adjacent work (Silver, Horgan, & Gill, 2018) document leakage to third parties as the modal communication. The communication channel matters less than the fact that it happens. Detection logic that requires a respondent to directly address law enforcement will miss most cases. Detection logic that pays attention to what perpetrators tell their friends, their classmates, or the internet has signal to work with.

03 / Warning Behaviors x Stages

05 / Eight behaviors, six stages.

Eight behaviors, six stages.

Meloy, Hoffmann, Guldimann, and James (2012) propose eight essential warning behaviors. These are acute, dynamic, particularly toxic changes in behavior that signal accelerating risk and require an operational response. Calhoun and Weston (2003, 2015) propose the path to intended violence as a discrete six-stage sequence: grievance, ideation, research and planning, preparation, breach, attack. The eight behaviors do not occur uniformly across the six stages. Mapping them to where they tend to appear is the structure most threat-assessment work runs on.

Warning Behavior Matrix

Pathway
Fixation
Identification
Novel Aggression
Energy Burst
Leakage
Direct Threat
Last Resort

Active: 1. Pathway

Six-Stage Path to Intended Violence

Grievance

Ideation

Planning

Prep

Breach

Attack

Tap a behavior to see where on the pathway it typically surfaces.

Pathway behavior is research, planning, preparation, or implementation of an attack (Calhoun & Weston, 2003). Fixation is increasingly pathological preoccupation with a person or cause (Mullen et al., 2009). Identification is the psychological desire to be a "pseudocommando" (Dietz, 1986), to adopt a warrior mentality, to identify with previous attackers, or to identify as an agent of a cause. Novel aggression is an act of violence unrelated to the attack, committed for the first time, testing the subject's capacity for the act. Energy burst is an increase in the frequency or variety of activities tied to the target. Leakage is communication to a third party of intent to harm. Direct threat is communication of a direct threat to the target or to law enforcement beforehand. Last resort is increasing desperation expressed in word or deed.

04 / Threats vs Ultimatums

06 / Words that alarm, actions that harm.

Words that alarm, actions that harm.

People often prefer words that alarm over actions that harm. Reading a threatening statement requires separating content from context. The first question is whether the statement is direct (delivered to the potential target) or indirect (delivered to a third party). The second question is whether the statement is a threat or an ultimatum. Ultimatums attach conditions. They are warnings or attempts at manipulation. Threats are non-conditional.

Threats are riskier in principle but often less actionable in practice. A person who directly threatens another is frequently expressing desperation and frustration rather than communicating an actual plan. The anxiety the threat provokes in the target functions as an emotional release for the speaker, and that release can substitute for the act itself. The threat that worries threat-assessment professionals is the one that does not seek a fear pay-out.

Late-appearing threats are more concerning than early ones. Early threats tend to be emotional reactions to an immediate upset. Late threats tend to be the residue of a deliberative process where other alternatives have already been considered and rejected. Indirect threats - delivered to someone other than the intended target - carry elevated risk precisely because they bypass the fear-payout loop that normally drains the speaker's emotional charge.

05 / Risk x Threat

07 / Probability against impact.

Probability against impact.

Threat assessment risk management is an equation evaluating the probability an event will occur (the threat) against the potential impacts of the event (the risk). The intervention demand for low-probability events rises with the impact magnitude. The combinations produce a familiar 2x2.

Threat (probability)

Risk (impact)

Low risk · Low threat

Burglary of an unoccupied home. Likelihood is low for most homeowners, impact is bounded, locked doors are usually sufficient.

Low risk · High threat

Frequent low-stakes nuisance behavior with high probability of recurrence. Routine moderation handles this class.

High risk · Low threat

School shootings sit here for most communities. Consequences are catastrophic; probability remains low enough that schools stay open and parents continue to send children.

High risk · High threat

A well-armed individual who has communicated credible intent to commit a mass shooting at a specific, accessible elementary school. Both axes are pegged. The response demand is immediate.

The matrix is useful as a decision aid because it forces the assessor to hold two separate estimates: how likely is this, and how bad if it happens. Conflating them produces the two characteristic failures of threat work - panic about everything that could be catastrophic, or complacency about anything that is statistically rare.

06 / Contagion

08 / The post-event risk window.

The post-event risk window.

After a highly publicized attack the risk of a copycat attack remains elevated for approximately 13 days. Watershed events - the ones that lodge in cultural memory - can elevate risk for ten years or longer. Mother Jones tracked the Columbine effect and counted 72 plots inspired by the event, 21 carried out, 89 deaths. The contagion does not require the original attacker to have used a platform. The contagion is the cultural artifact, not the dataset.

For platform threat-assessment workflows, the operational implication is asymmetric staffing. Detection volume needs to spike with cultural events, not with calendar quarters. The post-watershed window is also where automated false-positive rates spike, because the volume of users discussing the event surges and discussion is not intent. The cost of pattern-matching on surface features in a contagion window is paid in over-flagging the people who are simply reading the news.

07 / The Thesis

09 / User reports outperform automated detection, and the reasons are structural.

User reports outperform automated detection, and the reasons are structural.

Grounded threat assessment is only as good as the data feeding it. Examination of on-platform behavior in isolation cannot reach a defensible determination of actual threat level, because the variables that move the assessment - warning signs, risk factors, stabilizing factors, precipitating events - are almost never all on-platform. Collateral data sources are essential. A platform that builds its threat workflow exclusively around its own telemetry has stipulated to working with an incomplete record.

The characterological heterogeneity that defeats single-profile classifiers also defeats list-based automated detection. Different behaviors represent different positions on the pathway, and a single behavior late in the pathway warrants a more urgent response than several appearances at the early end. Building an automated system around behavior counts rather than behavior positions inverts that logic and dilutes the operational response.

Users of a platform with millions of participants bring something an automated system cannot replicate: contextual interpretation at scale. A user reading a friend's post understands the prior six months of that person's behavior, the relationship history, the in-group jokes, the affective baseline. Algorithms see a comment and a numeric vector; humans see a person whose pattern has changed. The recommendation is not to remove automation. It is to position automation as the support layer for the human judgment that has the higher base rate of correct identification.

Operational stance

Prioritize clear, low-friction reporting channels for users. Use automated systems to support the routing, triage, and analytical surfacing of those reports rather than as the primary detection mechanism. Anticipate elevated reporting volume in the 13-day window after any watershed event, and staff accordingly.

08 / Bibliography

010 / References

References

Bondu, R., & Scheithauer, H. (2015). Narcissistic symptoms in German school shooters. International Journal of Offender Therapy and Comparative Criminology, 59(14), 1520-1535.
Calhoun, F. S., & Weston, S. W. (2003). Contemporary threat management: A practical guide for identifying, assessing, and managing individuals of violent intent. Specialized Training Services.
Calhoun, F. S., & Weston, S. W. (2015). Perspectives on threat management. Journal of Threat Assessment and Management, 2(3-4), 258-267.
Dietz, P. E. (1986). Mass, serial, and sensational homicides. Bulletin of the New York Academy of Medicine, 62(5), 477-491.
Fein, R., Vossekuil, B., & Holden, G. (1998). Protective intelligence and threat assessment investigations: A guide for state and local law enforcement officials. U.S. Department of Justice.
Ferguson, C. J., Coulson, M., & Barnett, J. (2011). Psychological profiles of school shooters: Positive directions and one big wrong turn. Journal of Police Crisis Negotiations, 11(2), 141-158.
Fox, J. A., & Levin, J. (2003). Mass murder: An analysis of extreme violence. Journal of Applied Psychoanalytic Studies, 5(1), 47-64.
Hempel, A. G., Meloy, J. R., & Richards, T. C. (1999). Offender and offense characteristics of a nonrandom sample of mass murderers. Journal of the American Academy of Psychiatry and the Law, 27(2), 213-225.
Lankford, A. (2013). A comparative analysis of suicide terrorists and rampage, workplace, and school shooters in the United States from 1990 to 2010. Homicide Studies, 17(3), 255-274.
Meloy, J. R., Hoffmann, J., Guldimann, A., & James, D. (2012). The role of warning behaviors in threat assessment: An exploration and suggested typology. Behavioral Sciences & the Law, 30(3), 256-279.
Mullen, P. E., James, D. V., Meloy, J. R., Pathe, M. T., Farnham, F. R., Preston, L., & Darnley, B. (2009). The fixated and the pursuit of public figures. Journal of Forensic Psychiatry & Psychology, 20(1), 33-47.
Office for Victims of Crime. (2018). 2018 National Crime Victims' Rights Week resource guide: Crime and victimization fact sheets - Mass casualty shootings. U.S. Department of Justice.
Palermo, G. B. (1997). The berserk syndrome: A review of mass murder. Aggression and Violent Behavior, 2(1), 1-8.
Silver, J., Horgan, J., & Gill, P. (2018). Foreshadowing targeted violence: Assessing leakage of intent by public mass murderers. Aggression and Violent Behavior, 38, 94-100.
Silver, J., Simons, A., & Craun, S. (2018). A study of the pre-attack behaviors of active shooters in the United States between 2000 and 2013. Federal Bureau of Investigation, U.S. Department of Justice.
Thompson, S., & Kyle, K. (2005). Understanding mass school shootings: Links between personhood and power in the competitive school environment. Journal of Primary Prevention, 26(5), 419-438.
U.S. Secret Service & U.S. Department of Education. (2004). The final report and findings of the safe school initiative: Implications for the prevention of school attacks in the United States.
Virtanen, H. (2013). The King of Norway: Negative individuation, the hero myth and psychopathic narcissism in extreme violence and the life of Anders Behring Breivik. Journal of Analytical Psychology, 58(5), 657-676.
Wike, T. L., & Fraser, M. W. (2009). School shootings: Making sense of the senseless. Aggression and Violent Behavior, 14(3), 162-169.

Assessing Risk for Mass Violence From Platform Behaviors

Assessing Risk for Mass Violence From Platform Behaviors

Dr. Heather Leffew Obelus Institute May 2026

Abstract

Perpetrators do not fit a profile.

Attacks are planned, and the planning leaks.

Eight behaviors, six stages.

Words that alarm, actions that harm.

Probability against impact.

The post-event risk window.

User reports outperform automated detection, and the reasons are structural.

References

Related Works