Historically, security management in hotels could be characterized as fragmented, uncoordinated and reactive. It was certainly not seen as central to the success of the business. Given the largely static security environment of hotels in the past, this approach was, however, probably effective enough in mitigating the security risks that confronted international hotel brands. As hotels themselves shifted from being largely individually owned to the international brands that currently populate business travellers’ lodging options, sets of brand standards emerged that attempted to guarantee a consistently good hotel experience for frequent travellers across the brand. In most cases, however, the move to brand consistency had little impact on security management, which had tended to become somewhat detached from developments elsewhere in the hotel sector and had become something of an organizational anachronism (even if still reasonably effective in responding to routine security issues). At the same time, the risk environment in which hotels operated was changing. Developments in the political, economic, social, technological and legal spheres were presenting new challenges as well as opportunities for hotel security risk management. The most salient element of this shift was the emergence of international terrorism, and this was made abundantly clear when al Qaeda in Iraq carried out simultaneous suicide attacks against three international hotels in Amman in November 2005. This was not, however, the only element in the security spectrum that had changed. The end of the Cold War had shifted the global security paradigm in other areas that now affected hotel risk management, such as identity theft and money laundering. National catastrophes such as the Asian tsunami and Hurricane Katrina in recent years also challenged the security departments of international hotel brands to prepare and respond to significantly higher-impact events. Similarly, security (and risk) departments became the first port of call for senior hotel management when faced with events such as the conflict in Lebanon in 2006 and 2007 and newly emerging threats such as cyber-crime. It became clear to IHG during this period that the traditional, fragmented and reactive approach to hotel security was not able to provide the desired level of sophisticated protection against a rapidly more complex and ambiguous threat environment; nor was it well placed to meet the increasing expectations placed on hotels to prevent, prepare for, respond to and recover from major risk incidents. IHG therefore carried out a far-reaching analysis of its existing security capacity set primarily against the benchmark of the international terrorist threat and developed a strategy of threat-based security risk management. The consequences of this study were to have a profound effect on the company’s perception of both the security risks and the consequent mitigation strategy.