This was originally published on the Resilience First website. Read more about our partners.

As the government is about to undertake a wide-ranging review of the UK’s defence and security strategy, this assessment looks at the case for reviewing the national threat levels.

The document below is a think-piece on the nature and value of the UK’s threat levels around terrorism.

A letter signed by Lord Harris of Haringey and Sir Ian Andrews, together with a copy of this document, has been sent to the Minister of State for Security for his consideration.

An edited version of the main document will appear in the February edition of Professional Security magazine.

Readers are invited to send their comments to:


The terrorist attack in London on 29 November 2019 occurred 15 days after the lowering of the official threat level in the UK from “˜Severe’ (an attack is highly likely) to “˜Substantial’ (an attack is likely). This is not the first time such a situation has arisen.

It is easy to say with hindsight that the lowering of the threat level was premature with the death of al-Baghdadi (the past leader of IS) and with a General Election preceding Christmas. Previous such events have indeed been marked by terrorist atrocities. Rather than analyse the reasoning from a distance, however, the situation should prompt questions as to whether or not the current threat levels remain fit for purpose for the private sector and the wider public.

Those who decide

The arrangements for the government to declare a national threat level were put in place in 2006 following a report by the Intelligence & Security Committee (ISC) into the circumstances surrounding the 7/7 (2005) bombings. The ISC recommended “˜a greater transparency of the threat level and alert systems as a whole, and in particular that more thought is given to what is put in the public domain about the level of threat and required level of alert’. Until then, the threat level was not made public with individual departments responsible for implementing their own arrangements.

Responsibility for the judgement on the appropriate national threat level rests with the Joint Intelligence Analysis Centre (JTAC), part of MI5. The aim of the five official levels of threat warning is, according to the MI5 website, to provide “˜a tool for security practitioners working across different sectors of the Critical National Infrastructure (CNI) and the police to use in determining what protective security response may be required’.

The MI5 website states that: “˜Threat levels in themselves do not require specific responses from the public’. “˜Sharing national threat levels with the general public keeps everyone informed’ and explains the context for the various security measures e.g. bag checks at airports. “˜Vigilance is vital regardless of the current national threat level.’

In mid-2019, changes were made to the terrorism threat level system to reflect the dangers posed by all forms of terrorism, whether that be from Islamist or Northern Irish terrorists as well as left-wing and right-wing extremists. The level is set according to an informed judgement covering both capability and intent.

The issues

The changes to the national threat levels over the years have introduced a number of significant challenges.

First, there is the issue of definitional value. The threat level has not dropped below “˜Substantial’, nor is it likely to do so, given that over the past half century there has been a terrorist attack, or a credible attempt, against the UK for most of that time. Since 1971, there have been terrorist attacks, or attempted attacks, on the UK Mainland in 37 of the 49 years. As the terrorist threat of the future is generational in duration then it is reasonable to assume that another attack is more likely than not. Hence, the threat level will probably not go below the top three classifications (“˜Critical, “˜Severe’, and “˜Substantial’) for the foreseeable future.

What is more, the fine distinction between “˜highly likely’ and “˜likely’ is also not one that anyone outside closed professional security circles is likely to appreciate. In fact, the bulk of the private sector (non-CNI related) usually reduces the five official levels to no more than three, often combining “˜Substantial’ and “˜Severe’ levels together into a category such as “˜Heightened’ or “˜Elevated’. Beyond these circles, the public is generally unaware of the nomenclature used or what it means for them in their daily lives. It may well create added alarm when announced.

Second, there is the question of duration. When an enhanced threat level like “˜Severe’ lasts for 25 months (from 17 September 2017 to 4 November 2019) then one must ask what it achieves in both the eyes of both the public and most of the private sector. It can certainly be argued that to remain vigilant for months or years ­- regardless of the specific threat level – blunts the message even if the intended purpose remains valid. Attention and vigilance wane over prolonged periods, and old casual behaviours soon return.

Third, there is the question of national coverage. While certain industry sectors e.g. airlines can be given their own threat levels under certain situations, the use of a national level across the whole of GB (NI is handled separately handled) means that, for instance, Padstow is treated the same as Paddington. Yet, there have been no major attacks in Wales and only two in Scotland in recent times i.e. Lockerbie (1988) and Glasgow Airport (2007). While a terrorist cell could have a footprint in distant locations, it is unlikely the threat level is the same across all geographies. To assume otherwise dulls the impact of the national alerting system.

There may well be a need for greater granularity in, say, regional or city locations as there are in industry sectors. But if that granularity resulted in discrete threat levels across a city like London – say, one for rail, one for airports and one “˜above ground’ – then there would be further grounds for confusion by the wider population. It is no comfort that 8 million Londoners don’t understand any of the current threat levels as they continue about their daily lives, and so are unlikely to respond meaningfully. A more bespoke and local approach would, however, have to consider any displacement activity should attacks take place in areas where the threat was assessed to be lower.

Action-oriented messaging

The threat of terrorism from one organisation or other has been with us for a long time and is likely to continue for the foreseeable future. If the public and wider private sector are to retain confidence in official threat assessments and pronouncements, even though they may not be the declared primary audience to date, then it is time to review the role and purpose of the threat levels as currently constructed.

Any review could begin by looking at a simpler, possibly colour-coded, classification based around a reduced number of threat levels. (The three levels of flood warning issued by the Environment Agency are one model while the US Department of Homeland Security uses just two for terrorism i.e. “˜Elevated’ and “˜Imminent’.) The new levels should be aimed at, and understood by, the wider community. Perhaps, other threats such as flooding could be included to produce a national alerting scheme based on the official National Risk Register. Regular risk bulletins should supplement the register.

A review could also examine the benefits of supplementing threat levels with directed actions that indicate what people should do in the face of an attack or disruption. A desired change of behaviour or plan of action would be the objective. The actions would complement regular campaigns such as “˜Run, Hide, Tell’ and “˜Action Counters Terrorism’ but with specific, actionable messages that were tailored for the particular threat level. The message must go beyond vigilance and offer positive advice and meaningful actions. The result could improve responsiveness and minimise complacency across a large part of the population.

Perhaps the ISC could be asked if more thought could be given to advocating a better systematic approach that adds real value to national preparedness. Resilience First has begun the task by asking its business members for their views on the subject and ideas for better alerting and responding.

For further reading, please visit our Knowledge Hub.

Read more: