In the early hours of July 20, a gunman entered a packed movie theater in Aurora, Colo., and opened fire on the audience that had gathered to watch the premiere of the new Batman movie, The Dark Knight Rises. The gunman killed 12 people and injured 58 others. Though police are looking for potential accomplices, the attack appears to have been conducted by James Holmes, a lone gunman who, according to some police reports, may have had a delusional fixation on the Joker, a violent villain from an earlier Batman movie.

On July 18, just two days before the Colorado attack, a man reportedly disguised in a wig and posing as an American tourist in the Black Sea resort town of Burgas, Bulgaria, detonated an improvised explosive device hidden in his backpack as a group of Israeli tourists boarded a bus bound for their hotel. The blast killed five Israelis and the Bulgarian bus driver and wounded dozens more. It is unclear if the incident was an intentional suicide attack; the device could have detonated prematurely as the man placed it on the bus. In any case, the tourists clearly were the intended targets.

The Burgas attacker has not yet been identified. Based on his profile, there is some speculation that he could have been a grassroots jihadist. However, it is also possible that he was acting on behalf of Iran and that this attack was merely the latest installment in the ongoing covert war between Iran and Israel.

While these two attacks occurred on different continents and were committed by people with different motivations and objectives, they nonetheless have one thing in common: They were directed against what are referred to in security parlance as "soft" targets, or targets that do not have much security. Soft targets are much easier to attack than hard targets, which deter attacks by maintaining a comparatively strong security presence.

Evolution of Targets and Tactics

In the 1960s, the beginning of the modern terrorism era, there were few hard targets. In the 1970s, the American radical leftist Weather Underground Organization was able to conduct successful bombing attacks against the U.S. Capitol, the Pentagon and the State Department buildings — the very heart of the U.S. government. At the same time commercial airliners were easy targets for political dissidents, terrorists and criminal hijackers.

Nongovernmental organizations were also seen as soft targets. The Black September Organization conducted an operation targeting Israeli athletes at the 1972 Olympic Games, and Ilich Ramirez Sanchez, known as Carlos the Jackal, and his compatriots seized the OPEC headquarters in Vienna in December 1975.

Embassies did not fare much better. During the 1970s, militant groups seized control of embassies in several cities, including Stockholm, The Hague, Khartoum and Kuala Lumpur. The 1970s concluded with the seizure of the U.S. Embassy in Tehran and the storming and destruction of the U.S. Embassy in Islamabad. The 1980s saw major attacks against U.S. diplomatic posts in Beirut (twice) and Kuwait.

Just as the Weather Underground Organization attacks prompted security improvements at the U.S. government buildings they had targeted, the attacks against U.S. and other embassies prompted increased security at their diplomatic missions. However, this turned into a long process. The cost of providing security for diplomatic posts strained already meager foreign affairs budgets. For most countries, including the United States, security was not increased at all diplomatic missions. Rather, security was improved in accordance with a threat matrix that assessed the risk levels at various missions. Those deemed more at risk received funding before those deemed less at risk.

In some cases, this approach has worked well for the United States. For example, despite the persistent jihadist threat in Yemen, the new embassy compound in Sanaa, which was completed in the early 1990s and constructed to the strict security specifications laid out by the Inman Commission in 1985, has proved to be a very difficult target to attack. However, as embassies became more difficult to attack, militants turned to easier targets. Often this has involved targeting diplomats outside the secure embassy compound, as was the case in the 2002 assassination of U.S. diplomat Laurence Foley in Amman, Jordan, and the April 2010 failed suicide bombing attack against the motorcade carrying the British ambassador to Yemen.

Transnational groups also changed regions to find softer embassy targets. This shift was evident in August 1998, when al Qaeda attacked U.S. embassies in Nairobi, Kenya, and Dar es Salaam, Tanzania. Similarly, during the 1991 Gulf War, Iraqi agents attempted to conduct terrorist attacks against U.S. diplomatic facilities in Manila, Jakarta, Bangkok and Beijing — far from the Middle East. The February 2012 attack against an Israeli Embassy employee in New Delhi is an example of both changing the region and targeting an employee away from the security of the embassy.

There was a similar trend with airliners, which initially were very vulnerable to attack. After many high-profile hijackings, such as that of TWA Flight 847, airliner security, particularly in the West, was increased. But as security was increased in one place, hijackers began to shift operations to places where security was less robust, such as Bangkok or Karachi. And as security was improved globally and hijackings became more difficult in the 1980s, attackers shifted their tactics and began using improvised explosive devices against airliners.

In response to security measures implemented after bombing attacks in the 1980s, attackers underwent yet another paradigm shift. In December 1994, Philippine Airlines Flight 434 was attacked with an improvised explosive device that had been carried onto the aircraft in separate components, assembled in the plane's restroom and left on board when the attacker left at an intermediate stop on a multiple city flight. This attack was a dry run for a plan against multiple airlines called Operation Bojinka. The operational mastermind of Bojinka, Khalid Sheikh Mohammed, would later plan the 9/11 attacks on the United States.

When security measures were put in place to protect against Bojinka-style attacks in the 1990s, jihadists adapted again and conducted the 9/11 attacks using a different method of attack. When security measures were put in place to counter 9/11-style attacks, jihadists quickly responded by shifting to onboard suicide attacks with concealed improvised explosive devices inside shoes. When that tactic was discovered and shoes began to be screened, jihadists changed to camouflaged containers filled with liquid explosives. Security measures were adjusted to restrict the quantity of liquids that people could take aboard aircraft, and jihadists altered the paradigm once more and attempted underwear bombing using a device with no metal components. When security measures were taken to increase passenger screening in response to the underwear bombing, al Qaeda in the Arabian Peninsula decided to attack cargo aircraft with improvised explosive devices hidden in printer cartridges. Currently, there is a concern that the next evolutionary step will be to hide non-metallic improvised explosive devices in body cavities or to surgically implant them in suicide bombers.

While some jihadists have remained fixated on hardened airline targets, other attackers — especially grassroot and lone wolf attackers who do not possess the ability to attack hardened targets — have sought other, softer airline targets to attack. After Israeli airline El Al beefed up security on its airliners in the 1980s, the Abu Nidal Organization compensated by attacking crowds of El Al customers at ticket counters outside of airport security in Rome and Vienna in 1985. Then in November 2002, jihadists attempted to attack an Israeli airliner in Mombasa, Kenya, with SA-7 surface-to-air missiles. More recently, a dual suicide bombing in the arrival lounge of Moscow's Domodedovo Airport in January 2011 killed 35 and injured more than 160, proving that areas outside an airport's security measures are vulnerable to attack. Further illustrating this vulnerability was an attack at an airport in Frankfurt, Germany, in March 2011. In that attack, a jihadist killed two U.S. airmen and wounded two others at the airport's bus departure area.

Other Targets

As embassies and other government installations have become more difficult to attack, we have noted a discernable trend toward the targeting of hotels, which are similarly symbolic of Western influence and are often described in jihadist literature as spy dens and brothels. In many cities of the developing world, major hotels are frequented by foreign tourists, journalists, visiting officials and military officers, and local government and business leaders. In addition, high-profile restaurants have been attacked in places such as Bali, Indonesia, Mumbai, India, and Marrakech, Morocco. There have also been attacks on theaters in Moscow and Mogadishu, on schools in Beslan, Russia, and Toulouse, France, and on marketplaces all over the world.

As long as there are groups or individuals bent on conducting attacks — whatever their motivation — they will be able to find vulnerable soft targets to attack. It is impossible to protect every potential target. In fact, it is often said that when you try to protect everything, you end up protecting nothing. Not even the vast manpower of the Chinese government or the advanced security technology employed by the U.S. government can cover every potential target.

While attacks against soft targets are an unfortunate prospect in the contemporary world — if not throughout all human history — people are not helpless in defending against them. Terrorism is a continuing concern, but it is one that can be understood. Once understood, measures can be taken to thwart terrorist plots and mitigate the effects of attacks.

Perhaps the most important and fundamental point to understand about terrorism is that attacks do not appear out of nowhere. Individuals planning a terrorist attack follow a discernible cycle, and that cycle and the behaviors associated with it can be detected. The places where terrorism-related behavior can be most readily observed are referred to as vulnerabilities in the terrorist attack cycle.

As the attacks in Aurora and Burgas are investigated, authorities very likely will uncover behaviors in the perpetrators that could have prevented the attacks if they were properly investigated. Every attacker — even a lone wolf assailant — leaves evidence of a pending attack. This fact was brought up by the recent release of a report by the William H. Webster Commission into the investigation of 2009 Ft. Hood shooter Nidal Hasan. The report highlighted the mistakes made in the investigation of Hasan, who was brought to the FBI's attention prior to the attack.

But since it is impossible for any government to prevent all attacks, people have to assume responsibility for their own security. This means citizens need to report possible planning activity when it is spotted. Such reporting helped avert an attack in July 2011 against a restaurant outside of Ft. Hood, Texas.