Dynamic Patterns of Terrorist Networks: Efficiency and Security in the Evolution of Eleven Islamic Extremist Attack Networks



The current research examines how the efficiency/security tradeoff shapes the evolution of dynamic terrorist networks by focusing on the structural properties of these collectives. Some scholars argue that terrorist groups develop as chain-like, decentralized structures, while others maintain that terrorist networks form patterns of redundant ties and organize around a few highly connected individuals, or central hubs. We investigate these structural properties and consider whether patterns vary at different phases of a terrorist network’s formation.


Using a variety of descriptive network measures and Separable Temporal Exponential Random Graph Models, we consider patterns of tie formation across eleven multi-wave terrorism networks from the John Jay & ARTIS Transnational Terrorism database. This dataset includes networks from prominent attacks and bombings that occurred in the last 3 decades (e.g., the 2002 Bali Bombings), where nodes represent individual terrorists and ties represent social relationships.


We find that terrorist groups navigate the efficiency/security tradeoff by developing increasingly well-connected networks as they prepare for a violent incident. Our results also show that highly central nodes acquire even more ties in the years directly preceding an attack, signifying that the evolution of terrorist networks tends to be structured around a few key actors.


Our findings have the potential to inform counterterrorism efforts by suggesting which actors in the network make the most influential targets for law enforcement. We discuss how these strategies should vary as extremist networks evolve over time.


Groups engaged in covert and illegal activities threaten harm and create widespread fear across the world. Given their potential for damage, it remains crucial for scholars to apply in-depth techniques to better understand the evolution of these collectives. Social network analysis represents one tool increasingly used in this manner to examine criminal networks (e.g., Bright et al. 2018; Lantz and Hutchison 2015; Papachristos 2009), and other dark networks (e.g., Everton 2012; Krebs 2002; Sageman 2004; Yarlagadda et al. 2018). Modeling instances of violence and crime as networks highlights the theoretical importance of studying these phenomena beyond the individual level (McMillan et al. 2018; Weerman 2011).With some exceptions (e.g., Carley 2006; Everton 2016; Gill et al. 2014), however, research in this area tends to be hampered by the challenges associated with collecting and analyzing data on the evolution of covert networks. Yet a better awareness of the dynamics of illicit networks can help inform theoretical debates regarding the manner in which these collectives change over time. The goal of our current research is to employ novel dynamic network modeling techniques in an examination of the structural evolution of extremists’ social relationships, with the use of a uniquely large, longitudinal sample of attack-focused terrorist networks.

Social scientists are increasingly interested in studying the relational ties within terrorist enclaves, and multiple theories have emerged to explain these network structures. For instance, similar to other covert organizations, terrorist networks face a continuous tradeoff between efficiency and security when organizing their members (Morselli et al. 2007). Illicit groups desire to keep their operations secret and avoid being targeted by authorities, but simultaneously require a certain degree of coordination to accomplish their goals successfully (Baker and Faulkner 1993). There is an ongoing debate as to how the efficiency/security tradeoff influences the relational patterns in terrorist networks. Some argue that terrorist attack groups organize as chain-like, decentralized structures, while others believe these dark networks tend to be dense, clustered, and interconnected (Perliger 2018; Zech and Gabbay 2016).

Although theories of terrorist network structure are inherently concerned with the evolution of these collectives, most empirical work applies these theories to study networks from a single time point (e.g., Krebs 2002; Horowitz and Potter 2014; Helfstein and Wright 2011; Pedahzur and Perliger 2006; Ünal 2019). Fewer investigations consider the progression of dynamic, insurgent networks (e.g., Carley 2006; Crossley et al. 2012; Cunningham et al. 2016; Everton 2016; Gill et al. 2014). Despite this lack of research, it is important to study how terrorist networks evolve over time to better understand the consequences of these structural patterns (Cunningham et al. 2016; Zech and Gabbay 2016), including the successful execution of deadly extremism and violence. By rigorously considering how the structures of terrorist networks develop, researchers can better inform efforts to combat these extremist groups. In a particularly famous illustration, social network analysis is said to have aided in the breakthrough discovery of Osama bin Laden’s secret location in Pakistan in 2011 (Knoke 2013). Moreover, if counterterrorism strategies are better tailored to target networks according to their structural development, these strategies can reduce the risk of future terrorist attacks and increase resilience in civilian communities (White et al. 2013).

In the current study, we undertake an in-depth investigation of the structural phenomena that characterize the development of eleven longitudinal, Islamic extremist terrorist networks as they approach the execution of a violent attack. We apply multivariate, dynamic statistical network models to analyze how the efficiency/security tradeoff influences the evolution of various structural processes across five time points of network data. By adopting this modeling approach, we are able to predict where ties are likely to develop over time, while simultaneously accounting for the inherent endogeneity that defines the relational structures of terrorist networks. Finally, we discuss the implications of our findings for future anti-terrorism efforts.


The Efficiency/Security Tradeoff

Contrary to pro-social, positive networks, dark networks face a unique efficiency/security tradeoff when organizing their members (Morselli et al. 2007). Networks involved in illicit activity hold a vested interest in concealing their goals and membership to maximize the security of their operations and avoid detection from law enforcement. Prior to carrying out the group’s commission, such secrecy is necessary for achieving the collective’s destructive goals, and after these goals have been met, the clandestine nature of the group’s operations can protect the anonymity of individual actors (Crossley et al. 2012). However, privileging the security of a dark network does not come without costs. The efficiency/security tradeoff assumes that when illicit collectives organize in a manner that enhances security, this undermines the group’s efficiency, or its ability to mobilize in an effective, coordinated manner (Morselli et al. 2007).

A host of research argues that terrorist attack groups hold a strong interest in preserving the security of their operations (e.g., McAllister 2004; Stohl and Stohl 2007), perhaps even more so than other genres of illicit networks (Morselli et al. 2007). However, it remains unclear how this desire for security shapes the network structures of terrorist collectives. On the one hand, many scholars argue that terrorist networks navigate the efficiency/security tradeoff by maintaining sparse, decentralized networks with minimal redundant connections and limited direct contact between members (Baker and Faulkner 1993; Enders and Su 2007; Helfstein and Wright 2011). Both Krebs’s (2002) formative study of the network of those involved in the 9/11 attacks and the investigation of the 2004 Madrid bombing by Rodríguez (2005) suggest that only weak and disconnected ties linked the terrorists involved in these violent incidents. While these organizational patterns may inhibit the flow of efficient communication, they are also expected to bolster the resiliency of illicit networks. If one member is captured by authorities, for instance, that person will be able to provide only limited information about the other members involved with the group (Milward and Raab 2006).

On the other hand, there is evidence that dark networks are highly centralized and defined by clusters of redundant connections. Due to the risks that accompany illicit activity, actors involved with covert groups tend to recruit new members from their pre-existing social networks and these trusted connections are paramount for upholding the operation’s security (Erickson 1981). Thus, covert networks may reflect the same structural patterns observed in friendship and family networks by exhibiting high levels of density, transitivity, and clustering (Granovetter 1973). Examples of recent empirical work argue that terrorist networks navigate the efficiency/security tradeoff by adopting these interconnected structures (Cunningham et al. 2016; Perliger 2018). For instance, certain terrorist networks are defined by close-knit clusters (Ünal 2019) and redundant ties that reduce the social distance between members (Everton 2016; Helfstein and Wright 2011). While highly cohesive networks could lead to increased security risks if an actor is compromised by authorities, these structures can promote security and efficiency simultaneously, since they encourage the diffusion of information and build trust among members (Crossley et al. 2012).

Largely due to the challenges associated with collecting dynamic data on covert groups, most of the prior empirical research on terrorist insurgencies analyzes single, cross-sectional snapshots of their relational networks. However, to understand how the efficiency/security tradeoff shapes the evolution of networks, it is necessary to examine how these structures grow and adapt over time. For example, Crossley et al. (2012) find that as the UK women’s suffrage movement became increasingly targeted by authorities at the start of the 20th century, the suffragette networks strategically evolved in a manner that increased security to protect the privacy of their members. In a study of a drug-trafficking network’s evolution, Bright et al. (2018) argue that members maintained security by avoiding direct ties with highly central actors, but also promoted efficiency by forming connections with those who performed different operational roles than their own. By analyzing longitudinal data, we can develop more insight about the social processes that guide tie formation in terrorist networks, and better understand how individual network structures relate to the timing and execution of attacks. For instance, it remains unclear whether the network structures of terrorist groups are fixed attributes that reflect an insurgency’s characteristics and ideologies (Morselli et al. 2007), or if these collectives adapt their structures over time to maximize their strategic capacity (Crossley et al. 2012).

Structural Properties of Terrorist Networks

While previous work applies a variety of empirical measures to operationalize the tradeoff between efficiency and security (see Zech and Gabbay 2016 for summary), here, we focus on two structural properties of terrorist attack networks: transitivity and central hubs. These properties are useful because they are associated with theoretical concepts that can be applied intuitively to analyze the efficiency/security tradeoff. Additionally, both transitivity and the development of central hubs can be measured quantitatively through a variety of descriptive statistics, as well as through parameters in statistical network models.

Transitivity Versus Chain-Like Structures

When a network is defined by transitivity, or triadic closure, individual actors tend to share links with the same peers (Wasserman and Faust 1994). In other words, if individual a is tied to individual b and individual b is tied to individual c, then a relationship is likely to connect individuals a and c. Patterns of transitivity shape the structure of many pro-social groups, including networks of friends and family (McMillan 2019; Newcomb 1961; Widmer 1999), and these structural tendencies tend to encourage the spread of ideas and information. Networks characterized by high levels of transitivity are defined by inherently redundant connections that result in clusters of actors. These structural characteristics are associated with a greater ease of communication and an increased ability to mobilize resources (Enders and Su 2007; Helfstein and Wright 2011; Ünal 2019). Transitive relationships also can facilitate the development of intimate, trustworthy ties (Granovetter 1973), and as a result, some previous research on illicit networks associates this phenomenon with maximizing security (e.g., Bright et al. 2018).

However, it is not clear whether the networks of terrorists are defined by transitive patterns. If terrorist networks are characterized instead by intransitivity, or open triads, then these networks will consist of loose, chain-like structures of non-redundant ties. In an intransitive triad, individual a is connected to individual b, individual b is connected to individual c, but individuals a and c are not linked by a social tie. Networks characterized by intransitivity rely instead on brokers, or intermediaries (e.g., individual b), to facilitate indirect connections that link the broader network (Bright et al. 2018). Loose structures of non-redundant ties may enable terrorist groups to preserve their clandestine nature (Helfstein and Wright 2011) because members are likely to have little awareness or knowledge of the other actors involved in the network (Baker and Faulkner 1993; Morselli et al. 2007).

Previous work that analyzes single time points of terrorist network data finds that these relational structures tend to exhibit greater proportions of transitive triads than would otherwise be expected (e.g., Helfstein and Wright 2011; Ünal 2019). Yet the question remains unanswered as to whether the social processes that influence tie formation vary over time, and depend on how close a terrorist group is to orchestrating an attack. The limited amount of research that analyzes transitivity in longitudinal terrorist network data tends to focus only on the evolution of a single terrorist attack network (e.g., Everton 2016; Gill et al. 2014) and these studies report mixed findings. As a result, it is unclear whether tendencies towards transitivity increase as terrorist networks evolve, or if, instead, these redundant ties are avoided. The current study reconsiders previous theoretical and empirical work by analyzing a uniquely large dataset of eleven attack-focused terrorist networks carried out by Islamic extremists. Using data on five time points, we use multivariate statistical models to rigorously test whether social ties develop in a chain-like manner, or if there is a tendency towards triadic closure over time (Research Question 1).

Central Hubs Versus All-Channel Networks

Another structural pattern that is theorized to shape the evolution of terrorist networks is the development of central hubs, a phenomenon that could reflect processes known as “preferential attachment,” “cumulative advantage,” or the “rich getting richer.” When networks are structured around a handful of central hubs, the majority of actors have very few ties, while a small minority have an abundance of social connections (Barabási and Albert 1999). As these networks evolve over time, those individuals who operate as prominent cores tend to become increasingly popular and develop disproportionately large numbers of new connections. Previous work highlights the key role central hubs play in connecting social groups, such as networks of friendship, coauthorship, and electronic communication (Armal et al. 2000; Barabási and Albert 1999; Newman 2001).

However, it is unclear whether central hubs exist in networks of terrorism and if their prevalence varies according to the network’s stage of development. Dating back to the early works of Simmel (1906), scholars have argued that the hierarchical structures that surround central cores represent an ideal strategy for covert networks. Structuring relational ties around a small number of key actors can represent an effective offensive strategy, especially when there exists a clear chain of command (McAllister 2004). It is important to note, however, that the existence of central hubs does not imply that the group’s leaders are those who are most connected. Instead, actors who occupy important leadership positions may be situated on the peripheries of the network to reduce their risk of being targeted by authorities and bolster the security of the operation (Baker and Faulkner 1993). Yet regardless of which actors are located in the core versus the periphery of an illicit network, the presence of central hubs often is associated with efficiency because this structural pattern can help facilitate the spread of information and promote a systematic division of labor (Bright et al. 2018; Wood 2017).

At the same time, there is evidence that illicit groups navigate the efficiency/security tradeoff by maintaining network structures where popularity is distributed equally and there are no dominant, central actors (Morselli et al. 2007). These networks, which are occasionally referred to as “all-channel networks,” may be better equipped for carrying out defensive strategies since there are no highly connected nodes that make tactical targets for counterterrorism efforts (McAllister 2004). For instance, if an extremist network is structured around a handful of central hubs, it can be combatted effectively through targeted attacks on these highly connected individuals (Albert et al. 2000), especially if they fill important leadership roles (Matthew and Shambaugh 2005). Less centralized, all-channel networks, on the other hand, are more resilient to the dismantling efforts of authorities (Duxbury and Haynie 2019).

Since the effectiveness of counterterrorism efforts varies according to the distribution of individual centrality in the network (Albert et al. 2000; Bakker et al. 2011), it is crucial to consider how prominent hubs develop as terrorist networks evolve over time. The limited empirical work on terrorist networks that statistically tests for the development of central hubs finds that these nodes are more prevalent at certain points of a network’s evolution. For instance, research on the network of extremists involved in the Provisional Irish Republican Army shows that predominant hubs developed as the group became increasingly active (Stevenson and Crossley 2014), but no such patterns existed during the group’s early formation and eventual dissolution (Gill et al. 2014).

Through considering a variety of descriptive network measures and multivariate statistical models, the current paper further explores how the prevalence of prominent hubs varies as terrorist networks evolve over time (Research Question 2). By analyzing eleven attack-based networks of Islamic extremists, we consider whether patterns of tie formation support or impede the development of central hubs.

A Multivariate Approach

Previous work that considers the structural properties of terrorist networks—either at single instances in time or with multiple panels of data—frequently relies on descriptive statistics, such as density, average degree, and the clustering coefficient (for exceptions, see Everton 2016; Gill et al. 2014; Helfstein and Wright 2011). While these measures are informative tools for understanding the patterns of relational structures, they are prone to certain limitations. First, previous work critiques this approach for its lack of benchmarks or cutoffs (Crossley et al. 2012). It is unclear, for instance, how many social ties are needed to separate a dense network from a sparse network.

Second, structural network processes are defined by high levels of endogeneity (Steglich et al. 2010), meaning that the coevolution of structural processes, such as triadic closure and the formation of central hubs, is inherently interdependent. Since tendencies towards transitivity and centralization operate simultaneously, the way terrorist networks navigate the efficiency/security tradeoff is apt to have consequences for how these structural processes coevolve. For instance, some terrorist networks may be structured around central hubs, but exhibit an aversion to transitivity. This will result in star-shaped networks where a small number of key players are connected to many peripheral actors who are not tied to each other (see Fig. 1, top left panel). Alternatively, if there exists a tendency towards transitivity, but no central hubs, this will result in densely connected networks where social ties are equally distributed among all members (Fig. 1, bottom right panel). Finally, when terrorist groups develop prominent hubs and high levels of transitivity (Fig. 1, top right panel), the resulting networks may excel at easing communication difficulties, while chain-like networks with few closed triads or central hubs (Fig. 1, bottom left panel) will impede the flow of information. Because processes of transitivity and the development of central hubs work together to pattern the structure of illicit networks, it is important to analyze these tendencies simultaneously. In addition to considering a variety of well-known descriptive measures, the current project applies multivariate statistical network models that can account for this inherent endogeneity and predict where relational ties are likely to develop over time.

Fig. 1

Illustrations of network structures that support transitivity versus the development of centralized hubs

To summarize, we have two specific research questions that we seek to answer by analyzing our dataset of eleven attack-focused Islamic extremist networks at five time points:

  1. 1.

    As terrorist networks approach the execution of an attack, do social ties form in a chain-like manner, or is there a tendency towards transitivity and redundant connections?

  2. 2.

    What role do central hubs play in structuring the formation of social ties in terrorist networks? As a terrorist group approaches an attack, do patterns of tie formation result in centralized or decentralized structures?



We test our hypotheses by using data from the John Jay & ARTIS Transnational Terrorism (JJATT) database. This database includes publicly available social network data on individual terrorists who participated in an assortment of radical Islamic terrorist attacks from 1993 to 2005. Data on hundreds of extremists and their social connections were compiled from field-based first-hand testimony, interviews, court records, media accounts, letters, photos, and telephone conversations (Magouirk et al. 2008; JJATT Database 2009). A network is constructed for each specific terrorist attack where nodes represent individual extremists who were known to play a direct or indirect role in orchestrating the attack of interest. Undirected edges signify that a pair were either acquaintances, friends, operational collaborators, or family members during the year of interest (Magouirk et al. 2008). Coders defined a relationship to exist between two actors if data sources suggested that the pair met with each other in person or spoke on the telephone. While we assume that these ties represent social relationships, the dataset does not indicate the frequency of interactions that define each connection. Thus, a tie between two extremists could indicate that a pair interacted once or many times. Due to the scarcity of relational data, the JJATT dataset assumes that relationships are stable unless sources suggest that a dispute arose between the pair, or one node experienced a personal circumstance that severely limited their ability to communicate (e.g., imprisonment or death) (JJATT Database 2009).

Although the JJATT database codes ties according to the type of relationship, our methods of analysis can only consider binary relational data.Footnote 1 As a result, we recode the edges of our network such that a score of one indicates that any type of relationship was present during the year of interest and a score of zero suggests that no relation was known to exist between the pair. Discerning structural differences between the types of relational ties is beyond the scope of the current investigation.

The data we analyze from the JJATT database consist of multiple dynamic, attack-focused social networks. To improve the convergence of our analytic models, we limit our sample to networks that contain at least ten extremists and with observable changes in relational patterns over the period of interest.Footnote 2 Our final sample includes eleven distinct attack networks: 1993 World Trade Center bombing, 1996 Paris subway bombing, 2000 USS Cole bombing, 2000 Christmas Eve bombings, 2000 Philippines Ambassador residence bombing, 2001 Hamburg 9/11 cell, 2002 murder of Daniel Pearl, 2002 Bali bombings, 2004 Madrid train bombings, 2004 Australian Embassy bombing, and 2005 Bali bombings.Footnote 3 For each network, we analyze five year-long waves of panel data including the three years preceding the attack, the year of the attack, and the year following the attack.Footnote 4,Footnote 5 Although the current project is primarily concerned with understanding how relational ties form as terrorist networks approach an attack, we include a wave of data collected the year after each attack takes place to improve the fit of our statistical models.Footnote 6

While the JJATT dataset includes some of the highest quality, open source data on the evolution of interpersonal relationships of extremist networks (Helfstein and Wright 2011; Magouirk et al. 2008), the data are not without limitations. First, the sample of terrorist attacks was not randomly selected, but instead driven by data availability. Data on the individual actors involved in terrorist collectives are typically compiled by law enforcement officials and other authorities after an attack takes place, but it is less common for these personnel to collect details on the relational ties that connect these extremists. As a result, the JJATT researchers were only able to create network datasets for terrorist attacks where officials collected and publicly released a sufficient amount of relational data. While the data are not representative of all terrorist networks, the JJATT researchers’ collection strategy increases the likelihood that the network data are complete enough to minimize collection bias.Footnote 7 Second, the data are all from terrorist networks that were able to carry out their attacks “successfully.” Therefore, the results reported herein may only apply to those terrorist networks with the necessary structure and characteristics to orchestrate effective attacks.

Finally, as is a limitation of all first- and second-hand data on covert networks, it is possible that the JJATT relational tie data are subject to observational bias (Asal and Rethemeyer 2006; Gerdes 2015). This bias is of particular concern when analyzing longitudinal data, since security organizations, media outlets, and witnesses likely report more information about the extremists and their connections around the point in time when an attack was committed. As a result, there may be more data available on relational ties during waves that occurred closer to when the attack took place than those from several years prior to the attack. While it also seems likely that terrorist networks become increasingly interconnected as they approach an attack, we expect that observational bias will partly explain changes in the number, or density, of ties as each terrorist network evolves. However, we do not believe that this potential bias will necessarily alter the patterns in which these relational ties develop. For instance, as new relational ties develop and density increases, these connections could either close intransitive triads or increase the span of chain-like structures. While observational bias may play a role in inflating network density as our sample of networks evolve, it should minimally affect the patterns in which new relational ties form.

Plan of Analysis

To analyze our data, we use Separable Temporal Exponential Random Graph Models (STERGMs), which represent an ideal method for understanding what factors cause relational ties to both form and dissolve in social networks. Although our focus is on tie formation, the STERGM enables us to control for processes of tie dissolution, which decreases the bias of our estimates. STERGMs can be understood as an extension of traditional exponential random graph models (ERGMs) (see Hunter et al. 2008; Robins et al. 2007 for a thorough review of ERGMs). While ERGMs only can analyze a single snapshot of network data, STERGMs can analyze multiple panels of data to estimate the processes that underlie tie formation and dissolution separately. STERGMs build off the strengths of traditional ERGMs by employing a statistical analysis that compares the dyadic, or pairwise, patterns observed in the actual network to what would be expected by random chance (Hunter et al. 2008; Robins et al. 2007). By making this comparison, STERGMs can determine whether the observed network processes differ significantly from what would be expected to occur randomly, while controlling for other parameters included in the multivariate model. Controlling for other types of network phenomena helps ensure that measures of processes, such as triadic closure, are not upwardly biased (Block 2015) and increases our confidence that we are observing true structural phenomena. Another benefit of ERGMs and their extensions, is that they allow one to analyze data at the level of the dyad, or relationship, without violating dependence assumptions (Krivitsky and Goodreau 2017; Robins et al. 2007).

The STERGM models the transition of the network at time t, Yt, to the network at time t + 1, Yt+1, by assuming that the formation and dissolution of ties occur independently of one another within each time step. In other words, since the STERGM represents a discrete time model, all tie changes that occur between observations only affect the structure of dependence at the next observable time point. This process is modeled by two ERGMs simultaneously: one that generates a formation network, Y+, conditional only on the creation of new ties, and another that generates a dissolution network, Y, conditional only on those ties that disband. Each of the two ERGMs specifies the probability that a set of relational ties will form or dissolve, given a set of individuals and their respective attributes:

$$P({\mathbf{Y}}^{ \pm } = y|{\mathbf{Y}}^{t} ;\uptheta^{ \pm } ) = \frac{{\exp \left[ {\uptheta^{ \pm } \cdot g^{ \pm } \left( y \right)} \right]}}{{k\left( {\uptheta^{ \pm } } \right)}}.$$

In the formation ERGM, the \(\theta^{ + }\) term represents a vector of all network parameters that is hypothesized to relate to the probability of tie formation, while the \(\uptheta^{ - }\) parameter in the dissolution ERGM is a vector of parameters that is expected to relate to the dissolution of ties. The flexibility of the STERGM allows for \(\theta^{ + }\) and \(\uptheta^{ - }\) to include either the same or different set of network parameters. Using the observed matrix of social relationships, \(y\), both the formation and dissolution ERGMs respectively calculate a vector of network statistics, \(g^{ \pm } \left( y \right)\). Finally, each ERGM includes a normalizing factor, k \((\uptheta^{ \pm } )\), to ensure that the equation is predicting a legitimate probability distribution.

After each ERGM converges and produces adequate fit statistics, the cross-section of the network at time t + 1, Yt+1, is calculated using the following equation:

$${\mathbf{Y}}^{t + 1} = \varvec{ }{\mathbf{Y}}^{ + } - \left( {{\mathbf{Y}}^{t} - {\mathbf{Y}}^{ - } } \right).$$

In other words, the STERGM estimates Yt+1 by accounting for both the new ties that form and the old ties that dissolve. If there are more than two waves of data, then additional STERGMs are estimated following the same process outlined above. After all waves have been analyzed and the STERGM produces adequate fit statistics, coefficients can be exponentiated and interpreted as log odds. Exponentiated formation coefficients estimate how a one-unit change for the given indicator relates to the odds that a relational tie forms between two individuals, while those for dissolution coefficients estimate how the indicator relates to the odds of tie dissolution.

As dynamic network data are becoming more readily available, researchers have developed multiple methods for the statistical analysis of this data. STERGMs represent one such example, and a growing body of empirical work has begun to apply STERGMs to study the structural patterns of a variety of social relationships (e.g., Desmarais and Cranmer 2012; Felmlee and Faris 2016; McFarland et al. 2014; Schaefer et al. 2011). In addition to STERGMs, another statistical model that has gained attention is the Stochastic Actor-Oriented Model (SAOM) (Steglich et al. 2010). While each method has specific strengths and weaknesses, we believe that dynamic STERGMs are best suited to address the research questions of our current project. Most importantly, ERGMs and their extensions excel when the primary interests are structural, while SAOMs tend to be better equipped to answer questions about network processes (Block et al. 2018; Desmarais and Cranmer 2012; Schaefer and Marcum 2018). The aim of our current project is to model the evolution of different structural processes in eleven terrorist networks. We leave questions about the behavioral phenomena that guide the formation of these ties open to future research.


We include five structural parameters in each of our STERGMs. Our first four parameters specifically consider how structural processes shape the formation of new ties. To address our first research question, we include the transitivity formation parameter to test whether terrorist networks develop redundant connections or evolve into chain-like structures over time. The transitivity formation parameter measures the tendency for ties to form that result in closed triads (e.g., if a is tied to b and b is tied to c, then a tie will form between a and c). If transitive connections are more likely to form than expected by random chance, the coefficient will be positive. A negative coefficient implies that the network becomes more chain-like as it evolves.

We include a measure of degree popularity to test our second research question regarding the formation of central hubs. The degree popularity (square root) formation parameter tests whether there is a tendency for central hubs to develop, or for the most highly connected actors to receive even more ties over time (Snijders et al. 2010). This term adds a network statistic to the model that equals the sum of each actor’s degree, multiplied by its square root. Previous research suggests that multiplying each actor’s degree by its square root can better account for the relationship between individual degree and one’s odds of forming an additional social tie. This is because, for high degree actors, there are diminishing returns associated with each additional social tie (Snijders et al. 2010). Positive values of the degree popularity formation parameter indicate that popular hubs receive more ties as the network evolves. Values close to zero suggest that the network is characterized by a uniform degree distribution over time.

Additionally, we include two formation parameters to serve as controls in our STERGMs. First, the edge formation parameter measures the probability that a relationship will form between any two actors in the network. This parameter can be understood to serve a similar role as an intercept. Second, the brokerage formation parameter accounts for the tendency for two paths, or intransitive triads, to develop in the network (e.g., a is friends with b and b is friends with c, but a and c are not friends).Footnote 8 We include the brokerage formation control because previous work on illicit networks find that brokerage processes explain the tendency towards the development of central hubs (Bright et al. 2018). Additionally, the brokerage formation parameter helps reduce bias when interpreting the transitivity formation parameter (Hunter 2007). In analyses not shown here, we include actor-level, control variables that are not the focus of our study, but could shape tie formation processes; trends remain constant for our independent variables of interest.Footnote 9

Finally, we include one STERGM parameter that accounts for processes that inform the dissolution of ties: the edge dissolution parameter. This parameter measures the probability that a social tie will dissolve between any two actors in the network. Since our research questions focus on the structural processes that guide tie formation and the tie dissolution observed in our sample predominately occurred between the final two waves (Wave 4 and Wave 5), we do not include any additional dissolution parameters in our models.


STERGMs only can analyze the evolution of a single dynamic network at a time. As a result, we estimate STERGMs on each of our eleven longitudinal networks separately. After each of the eleven STERGMs achieved satisfactory goodness of fit statistics,Footnote 10 we aggregate our findings across all models by employing a two-level random effects meta-analysis. We calculate the sample-wide mean for each STERGM coefficient by estimating a random intercept model where the level-one variance is fixed to equal the coefficient’s squared standard error, and the terrorist attack serves as the second level. This averaging process considers the different degrees of precision across all models by giving greater weight to those with estimates that are more precise (Snijders and Baerveldt 2003). A number of previous studies apply this meta-analysis approach to aggregate findings from statistical network analyses across multiple networks (e.g., Lubbers and Snijders 2007; McMillan 2019; Osgood et al. 2013).


Descriptive Results

On average, each terrorist network in our sample contains roughly 26 actors (SD = 14), although some include as few as 12 actors and others have as many as 54 (see Table 1). All attacks occurred between 1993 and 2005, and they resulted in an average of 315 casualties per attack (SD = 892). A little over half of the networks in our sample focused on targets in Asia, while 18% targeted European victims and 27% targeted victims from North America.

Table 1 Descriptive statistics across all networks

In general, there is descriptive evidence that different processes guide the formation of ties during the course of a terrorist network’s evolution. For each wave of data, we calculate the clustering coefficient, or the ratio of transitive triads to the sum of all triads observed in the network (Watts and Strogatz 1998). The clustering coefficient ranges from 0 to 1, with a score of zero indicating that there is a strict aversion to triadic closure and a score of one suggesting that all triads in the network are defined by transitivity. On average, the clustering coefficient is relatively high across all waves and networks in our sample; nearly half of the observed triads are defined by triadic closure (overall mean = 0.494, SD = 0.248, Table 2). The clustering coefficient gradually increases until it reaches its peak during the year of the attack (Wave 4 mean = 0.595, SD = 0.132), and then declines to lower levels of clustering that are similar to those observed before the attack took place (see Fig. 2). Note that the decline in clustering coefficient at Wave 5 is likely the result of tie dissolution rather than tie formation since many of the extremists in our sample are imprisoned or die during the year following the attack. Overall, clustering and transitivity appear to play an important role in developing the structure of our extremist networks, particularly when an attack is imminent.

Table 2 Descriptive statistics by wave
Fig. 2

Network-level averages across all waves (n = 11 terrorist networks)

Our descriptive statistics also suggest a tendency towards the formation of central hubs, particularly as the terrorist networks in our sample prepare for an attack. Specifically, we consider three network-level measures of degree, closeness, and betweenness centralization, which quantify the variability of each respective centrality measure across all actors in a specific network (following Morselli et al. 2007).Footnote 11 Higher values of the three centralization measures suggest that the network is more likely to be defined by the existence of centralized hubs. The average levels of degree, closeness, and betweenness centralization of the networks in our sample increase until each reaches its peak during the attack year (degree centralization mean = 0.595, closeness centralization mean = 0.370, betweenness centralization mean = 0.253). In the year following the attack, all centralization measures decline and return to levels similar to those that existed before the year of the attack (see Fig. 2). Again, we note that the decline in centrality measures observed during the final wave are likely the result of tie dissolution rather than processes of tie formation. Taken together, trends in these centralization measures suggest that network hubs become increasingly centralized as terrorist networks approach a violent attack.

Network Graphs

Next, we depict change over time visually for two of the networks from our sample—the 2004 Australian Embassy bombing in Jakarta, Indonesia and the 2005 Bali bombings in Bali, Indonesia findings (see Figs. 3, 4). Observed patterns tend to correlate with our descriptive results. Here, circular nodes represent individual terrorists and ties indicate that two terrorists are linked to one another. As each network evolves over the first four waves of time, relatively short distances begin to connect most actors, and long, chain-like patterns are uncommon. As each collective approaches the attack, the tendency towards triadic closure is particularly apparent. While the network of terrorists responsible for the Australian Embassy bombing is relatively well-connected in 2003, for example, it also is characterized by several open triads, particularly on the lower left-hand side of the network graph (see Fig. 3, third panel). By the attack year (2004), many of these open triads become transitive, resulting in a more cohesive structure in which most actors could potentially communicate with one another through either direct ties or short, indirect connections (see Fig. 3, fourth panel).

Fig. 3

2004 Australian Embassy bombing network from 2001 to 2005. Nodes represent individual terrorists and ties represent undirected social connections. All nodes have been locked in place so that they have the same coordinates in each panel. Nodes are scaled according to their centrality so that nodes with more social ties are larger than those with fewer ties. Light gray nodes represent isolates (e.g., actors with no social ties)

Fig. 4

2005 Bali bombing network from 2002 to 2006. Nodes represent individual terrorists and ties represent undirected social connections. All nodes have been locked in place so that they have the same coordinates in each panel. Nodes are scaled according to their centrality so that nodes with more social ties are larger than those with fewer ties. Light gray nodes represent isolates (e.g., actors with no social ties)

Additionally, there are multiple illustrations of nodes that act as central hubs in these two terrorist networks. While there are popular, well-connected actors at each wave of the study, these prominent actors play an increasingly important role in connecting extremist networks as they prepare for an attack. For example, in the 2002 panel of the Bali network, there is a node located to the slight left of the graph’s center with nine social connections (see Fig. 4, first panel). As the network evolves, this actor develops additional social ties each year. By the year of the attack (2005), the actor has accumulated sixteen connections and is one of the most central nodes in the network (see Fig. 4, fourth panel). Examples of these increasingly central hubs also are present in the Australian Embassy network, as well as in those graphs that are not visualized here.


In our sample of dynamic terrorist networks, we find statistically significant evidence that individual extremists tend to form ties that promote triadic closure and increase the prominence of central hubs (see Table 3), complementing our descriptive findings. The transitivity formation parameter is positive and significant, after accounting for all other structural controls (b = 1.178, p < 0.001). This coefficient suggests that social relationships that result in triadic closure are over twice as likely (225% more likely) to form over time than would be expected by chance. In other words, if ties exist between actors a and b and actors b and c at time t, then a tie is more likely to form at time t +1 between actors a and c than would occur randomly. Triads represent redundant connections, and they are antithetical to the development of chain-like structures of social relationships (Research Question 1). As a result, the positive transitivity formation coefficient suggests that the terrorist networks in our sample navigate the efficiency/security tradeoff by becoming increasingly dense and interconnect as they approach an attack.

Table 3 Meta-analysis of STERGM results for 11 terrorist networks

Additionally, the degree popularity formation term is also positive and significant, signifying that highly connected nodes tend to become more centralized as time passes (b = 0.144, p < 0.05). For example, an extremist who has ten connections at time t has a 57.68% greater chance of receiving an additional tie at time t + 1 than an extremist who has no social ties at time t. As terrorist networks develop towards the time of an attack, central hubs tend to become even more well-connected across the networks in our sample (Research Question 2).

Coefficients for our control variables are also in the expected directions. The edge parameter is negative and significant in the formation ERGM (b = − 4.897, p < 0.001), while it is positive and significant in the dissolution ERGM (b = 1.051, p < 0.05). Together, these findings reflect the costliness of social ties. Finally, the brokerage formation parameter, while not statistically significant, is negative (b = − 0.053, p > 0.05), which suggests an aversion to the formation of intransitive, two-paths.

Robustness Checks

We conduct additional robustness checks to address the limitations of our data and statistical analyses. First, as is the case with most longitudinal panel data, our dataset is prone to attrition over time. For 126 of the terrorists in our sample, information on relational ties is not available across all five waves of interest, typically because of the individual’s arrest or death. While controlling for the dissolution of ties in our STERGMs helps to address this attrition, we perform additional analyses to ensure that the arrest and death of individual actors is not the primary factor driving our findings. We apply our same analyses to a subsample from each of our eleven networks where we only include those terrorists who were present in all five waves of the study. The descriptive statistics and STERGM meta-analysis for this subsample yield substantively similar results to the findings reported here (analyses available upon request). As a result, we believe that the patterns defining our parameters of interest are not solely a consequence of individual actors joining and leaving the network, but instead show evidence of fundamental structural processes.

Additionally, while the goal of the current project is to make conclusions about the structural tendencies that define all the dynamic terrorist networks in our sample, we are aware that our sample is also diverse. For instance, the attack network data were collected from different time periods and geographic regions. Although the JJATT dataset creators report using the same methodologies to collect data on the various attack networks (Magouirk et al. 2008), we cannot rule out the possibility that security responses and the quality of primary documents used for data collection may vary across time and place. Additionally, the terrorist networks received varying sources of outside ideological and financial sponsorship (Helfstein and Wright 2011). For instance, some of the attack networks were sponsored by Al Qaeda (e.g., the 2000 USS Cole bombing, the 1993 World Trade Center bombing), others were sponsored by Jemaah Islamiyah (e.g., the 2002 and 2005 Bali bombings), and some were not directly associated with a larger terrorist organization (e.g., the 2004 Madrid train bombings). In supplemental analyses (available upon request), we estimate two-level meta-analyses to test whether our dependent variables of interest vary according to the year the attack took place, the attack’s geographic target (American, European, or Asian), and the terrorist organization associated with the attack (Al Qaeda, Jemaah Islamiyah, or none). Overall, we find no significant variation across these characteristics for the independent variables of interest in the current study.Footnote 12

Finally, we perform additional supplemental analyses that utilize Stochastic Actor Oriented Models (SAOMs) in an effort to address some of the limitations of the STERGM. As discussed previously, STERGMs are well-suited to address our research questions regarding structural change. However, the STERGM is limited by its assumption of conditional independence among ties between observation intervals. The SAOM relaxes this assumption by allowing all tie changes that occur between intervals to instantaneously affect the dependence structure of the entire network (Schaefer and Marcum 2018). Many of the networks were unable to reach satisfactory convergence statistics in our SAOM analyses, likely because the networks consist of relatively few actors. Among those networks that did achieve convergence (four out of eleven), substantive findings complement the results of our STERGMs (analyses available upon request).


Dating back to early work by Blau (1968), widespread debate exists concerning the ideal structure for formal organizations and groups, and specifically whether optimal group performance results from a structure that is largely centralized or decentralized. While originally concerned with pro-social organizations, this same debate applies to illicit and covert collectives, including the social networks of terrorism (e.g., Baker and Faulkner 1993; McAllister 2004; Morselli et al. 2007). Several arguments maintain that successful terrorist insurgencies benefit from decentralized, chain-like sets of network ties (Krebs 2002; Rodríguez 2005), while others argue that it is more advantageous for these illicit operations to adopt redundant, centralized structures (Helfstein and Wright 2011). Our research finds more evidence in support of the latter argument, especially with regard to the structural development of terrorist networks as they approach the time of an attack.

Using a unique set of longitudinal data from eleven terrorist attack networks that exhibit structural change across five time points of interest, we find that the attack-based social networks in this sample become increasingly interconnected and centralized while they prepare for a violent event. For example, our dynamic network models uncover significant trends towards transitivity, or triadic closure. This pattern of extending a connection to a third actor to create an interlinked group of three actors over time increases the redundancy of ties and is common in multiple types of social networks (e.g., Felmlee et al. 2018; Maoz et al. 2007; Newcomb 1961). Moreover, we find both descriptive and statistical evidence that centralized hubs emerge over time within terrorist networks, whereby highly linked individuals become progressively more popular and tied to others. This development of hubs reflects a trend towards centralization and could be the result of network processes such as preferential attachment, or the phenomenon whereby highly connected nodes receive disproportionate numbers of additional connections because of their popularity (Barabási and Albert 1999; Price 1976). Similar to transitivity, the increasing prominence of centralized hubs likely enhances communication among terrorists as the networks in our sample evolve over time.

Note, too, that the social networks of these terrorist collectives initially exhibit truncated levels of clustering and centralization. These measures increase substantially as the networks approach an attack. After this point, clustering and centralization decay abruptly, yielding more dispersed networks, presumably due to the completion of the primary mission and the death or capture of individual extremists. Studies of these same terrorist networks at a single point in time, therefore, may yield quite dissimilar conclusions regarding the composition of a group’s structure, depending on the network’s stage of evolution. In other words, cross-sectional studies may report different findings regarding tendencies towards transitivity and the development of central hubs if they study attack-based terrorist networks early in development, at the time of an event, or after an act of violence has taken place.

Our findings extend those of prior research. Based on a cross-sectional statistical analysis of a subsample of the data used here, for example, Helfstein and Wright (2011) conclude that the attack networks of six terrorist collectives navigate the efficiency/security tradeoff by developing relational structures defined by high levels of cohesion and clustering. Our study extends that conclusion to a larger sample size and applies STERGMs to study the structural changes over time while accounting for the endogeneity of these processes. We find that the downsides of decentralized, chain-like structures noted previously may lead to increased centralization among several terrorist networks as they evolve. Given the challenge of quickly disseminating information, for example, communication difficulties tend to arise in decentralized networks, and the loss of a single actor may jeopardize the collective’s ability to interact effectively (Enders and Su 2007). More centralized network structures may be able to ease communication challenges and increase the likelihood of successfully coordinating the group’s goals, particularly as they approach the violent event. Additionally, individual extremists may need to adopt more specialized roles as an attack becomes imminent, which also could explain the rising prominence of central hubs in our sample of networks.

The results reported herein depart from those of research finding that terrorist networks consist of chains of weak ties among individuals (e.g., Krebs 2002; Rodríguez 2005) or small, informal and non-centralized arrangements (Sageman 2004, 2008). Furthermore, we find evidence that many terrorist networks do not maintain rigid, stable networks throughout the course of their operations. Instead, these collectives are dynamic and adapt their relational structures to maximize mission capacity.Footnote 13 The discrepancies in these conclusions could be due to differences in the samples of terrorist attack networks, the methodology, or the cross-sectional versus longitudinal designs. Although our analyses rely on one of the largest samples to date of terrorist networks, the sample is not representative of all insurgencies. Instead, our dataset focuses on a selection of successful attack networks that were associated with radical Islamic groups, such as al Qaeda and Jemaah Islamiyah, and all eleven networks carried out their attacks within a span of 12 years. It seems likely that other types of terrorist groups and those from different time periods could exhibit variations not documented here. In addition, there could be methodological explanations for the discrepancies in findings. Unlike previous research, we apply a dynamic, multivariate, random graph method to examine our data. These techniques account for structural endogeneity and control for basic structural tendencies, such as the prevalence of ties and tie dissolution, which may shape our findings and explain the differing conclusions.

This research study has a number of strengths, but also several limitations. First, a common drawback of data on terrorist attack networks is that it tends to be based on second-hand information with missing data, and the findings should be interpreted with caution. Second, data gathered in earlier waves of our study could have less complete information than that accumulated at the time of the attack. While this possible shortcoming may explain part of the increase in the network density of our sample, it does not easily account for the structural patterns of tie formation that we uncover. Note that most datasets collected on illicit groups face this particular limitation. Third, our dataset is limited in scope, and contains information regarding very specific insurgencies. For example, we only have data on “successful” terrorist networks that were able to carry out acts of destruction. Our analyses would be more complete if we also contained data on unsuccessful attack networks, and such data would enable us to compare the patterns of relational structures according to whether the collective achieved its violent goals. Furthermore, in recent years there have been substantial technological advances and online social media adoption that could alter the flow and dissemination of information among dark networks. We do not know the extent to which new media channels could yield more chain-like structures, or whether they would lead to the enhanced centralization of key, nodal actors. Additional research is necessary to investigate possible alterations in the structural development of terrorist networks with the use of new technologies.

We believe that our results have possible implications for anti-terrorism efforts. At their inception, a number of successful, terrorist networks are likely to be more chain-like with few to no actors who operate as highly central hubs. While previous work finds that decentralized, chain-like network structures are difficult to disrupt, the odds of successfully dismantling these networks increase if authorities target actors operating as brokers in the network (Duxbury and Haynie 2019). As the network matures, however, we find that central hubs play a more important role and thus, all central actors should make particularly tactical targets (Albert et al. 2000; Duxbury and Haynie 2019).

In terms of specific intelligence analysis methodologies, we propose that this awareness of network composition and the changes over time can help inform analysts during the “sense making process” (e.g., Pirolli and Card 2005). In other words, if data collection occurs during the foraging or gathering phases, then network analysis can be undertaken during the final sensemaking phase. It is also possible that machine processing such as network analytics could be employed to process data from extremist networks to alert analysts when certain connectivity thresholds are passed that indicate the potential for an impending attack (e.g., Gartner et al. 2019). Additional studies are needed to determine the generalizability of these implications to a wider variety of networks. Given the findings reported herein, we believe such research will benefit from further focus on the evolution of terrorist networks over time by applying a multivariate framework that can effectively account for the endogeneity of structural processes.


  1. 1.

    Additionally, according to Gerdes (2015), it is occasionally difficult to correctly distinguishing between the various relationship types in the JJATT data.

  2. 2.

    For instance, in the network that surrounded the November 17th attacks of 2000, all ties were present during each wave of interest. Because there was no observable change, this network was excluded from our final sample.

  3. 3.

    While these attack networks are distinct, they are not independent. Our sample includes individual terrorists who participated in multiple attack networks.

  4. 4.

    It is important to note that we cannot verify whether the relational ties observed during the attack year occurred before or after the group orchestrated the attack of interest.

  5. 5.

    For two of our networks (the 2000 Philippines Ambassador residence bombing and the 2000 Christmas Eve bombing), there are limited data on the structure of the network before each attack took place. As a result, our analyses of these two networks is characterized by larger gaps of time (e.g., 5 years) between the earliest waves of data.

  6. 6.

    In order for our multivariate models to achieve satisfactory goodness of fit statistics, it is necessary that we observe a time period with a sufficient degree of tie formation and tie dissolution. Across our five waves of data, the vast majority of tie formation (99.9%) occurred between Wave 1 and Wave 4, and only 9.8% of observed tie dissolution transpired between these time points. As a result, we include Wave 5 in our analytic sample because it introduces a necessary degree of tie dissolution for our statistical models to converge.

  7. 7.

    Note that Helfstein and Wright (2011) argue that it is unlikely that terrorist network structure and officials’ willingness to collect and release relational data are associated and, thus, this limitation is unlikely to substantively bias analyses of structural processes.

  8. 8.

    Transitivity is the geometrically weighted edgewise shared parameter and brokerage is the geometrically weighted dyadwise shared parameter (see Snijders et al. 2006). For all terms that require a decay parameter, we use a weight of 0.10.

  9. 9.

    In supplemental STERGMs, we include node match formation parameters to account for organizational role homophily and education homophily among the individual terrorists in our sample (available upon request). Including these controls does not substantively alter the interpretation of our parameters of interest. However, small sample sizes and missing data on these individual-level characteristics prevent us from examining these controls further.

  10. 10.

    We assess the goodness of fit of our STERGMs by comparing the degree distribution, distribution of edge-wise shared partners, and the distribution of geodesic distances of the observed networks to the simulated networks generated by the STERGMs (analyses available upon request). The STERGMs presented here come close to matching the observed data on all three of these higher-order statistics.

  11. 11.

    Degree, closeness, and betweenness centralization reach their maximum value of 1 in star-shaped graphs where one actor is tied to all other actors and these actors are not tied to each other. The measures reach their minimum score of 0 in networks where all actors share equal actor indices for the centralization measure of interest (Wasserman and Faust 1994).

  12. 12.

    It is important to note that the lack of power in these supplemental analyses preclude us from relying on their findings. The number of terrorist networks in our sample is too limited to justify a thorough analysis of contextual variation. We leave further questions about variation across terrorist networks open to future research.

  13. 13.

    Note that these findings only apply to those networks included in our final analytic sample. Due to the constraints of our modeling approach, it was necessary to exclude attack networks that did not exhibit any structural change over the five waves of interest.


  1. Albert R, Jeong H, Barabási AL (2000) Error and attack tolerance of complex networks. Nature 406:378–382

    Article  Google Scholar 

  2. Armal LAN, Scala A, Barthelemy M, Stanley HE (2000) Classes of small-world networks. Proc Natl Acad Sci 97(21):11149–11152

    Article  Google Scholar 

  3. Asal V, Rethemeyer K (2006) Researching terrorist networks. J Secur Educ 1(4):65–74

    Article  Google Scholar 

  4. Baker WE, Faulkner RR (1993) The social organization of conspiracy: illegal networks in the heavy electrical equipment industry. Am Sociol Rev 58(6):837–860

    Article  Google Scholar 

  5. Bakker RM, Raab J, Milward HW (2011) A preliminary theory of dark network resilience. J Policy Anal Manag 31(1):33–62

    Article  Google Scholar 

  6. Barabási AL, Albert R (1999) Emergence of scaling in random networks. Science 286(5439):509–512

    Article  Google Scholar 

  7. Blau PM (1968) The hierarchy of authority in organizations. Am J Sociol 73(4):453–467

    Article  Google Scholar 

  8. Block P (2015) Reciprocity, transitivity, and the mysterious three-cycle. Soc Netw 40:163–173

    Article  Google Scholar 

  9. Block P, Koskinen J, Holloway J, Steglich C, Stadtfeld C (2018) Change we can believe in: comparing longitudinal network models on consistency, interpretability and predictive power. Soc Netw 52:180–191

    Article  Google Scholar 

  10. Bright D, Koskinen J, Malm A (2018) Illicit network dynamics: the formation and evolution of a drug trafficking network. J Quant Criminol. https://doi.org/10.1007/s10940-018-9379-8

    Article  Google Scholar 

  11. Carley KM (2006) Destabilization of covert networks. Comput Math Organ Theory 12(1):51–66

    Article  Google Scholar 

  12. Crossley N, Edwards G, Harries E, Stevenson R (2012) Covert social movement networks and the secrecy-efficiency trade off: the case of the UK suffragettes (1906–1914). Soc Networks 34:634–644

    Article  Google Scholar 

  13. Cunningham D, Everton S, Murphy P (2016) Understanding dark networks: a strategic framework for the use of social network analysis. Rowman & Littlefield, Landham

    Google Scholar 

  14. Desmarais BA, Cranmer SJ (2012) Micro-level interpretation of exponential random graph models with application to estuary networks. Policy Stud J 40(3):402–434

    Article  Google Scholar 

  15. Duxbury SW, Haynie DL (2019) Criminal network security: an agent-based approach to evaluating network resilience. Criminology 57(2):314–342

    Article  Google Scholar 

  16. Enders W, Su X (2007) Rational terrorists and optimal network structure. J Confl Resolut 51(1):33–57

    Article  Google Scholar 

  17. Erickson BH (1981) Secret societies and social structure. Soc Forces 60(1):188–210

    Article  Google Scholar 

  18. Everton SF (2012) Disrupting dark networks. Cambridge University Press, New York

    Google Scholar 

  19. Everton SF (2016) Social networks and religious violence. Rev Relig Res 58(2):191–217

    Article  Google Scholar 

  20. Felmlee D, Faris R (2016) Toxic ties: a network of friendship, dating, and cyber victimization. Soc Psychol Q 79:243–262

    Article  Google Scholar 

  21. Felmlee D, McMillan C, Inara Rodis P, Osgood DW (2018) Falling behind: lingering costs of the high school transition for youth friendships and grades. Sociol Educ 91(2):159–182

    Article  Google Scholar 

  22. Gartner SS, Felmlee D, Yarlagadda R, Verma D (2019) Understanding patterns of terrorism in India using AI machine learning: 2007–2017. In: Fifteenth international conference on technology, knowledge & society, Barcelona

  23. Gerdes LM (2015) Dark dimensions: clarifying relationships among clandestine actors. In: Gerdes LM (ed) Illuminating dark networks: the study of clandestine groups and organizations. Cambridge University Press, New York, pp 19–38

    Google Scholar 

  24. Gill P, Lee J, Rethemeyer KR, Horgan J, Asal V (2014) Lethal connections: the determinants of networks connections in the Provisional Irish Republican Army, 1970–1998. Int Interact 40(1):52–78

    Article  Google Scholar 

  25. Granovetter MS (1973) The strength of weak ties. Am J Sociol 78(6):1360–1380

    Article  Google Scholar 

  26. Helfstein S, Wright D (2011) Covert or convenient? Evolution of terror attack networks. J Confl Resolut 55(5):785–813

    Article  Google Scholar 

  27. Horowitz MC, Potter PBK (2014) Allying to kill: terrorist intergroup cooperation and the consequences for lethality. J Confl Resolut 58(2):199–225

    Article  Google Scholar 

  28. Hunter DR (2007) Curved exponential family models for social networks. Soc Netw 29:216–230

    Article  Google Scholar 

  29. Hunter DR, Handcock MS, Butts CT, Goodreau SM, Morris M (2008) ergm: a package to fit, simulate and diagnose exponential-family models for networks. J Stat Softw 24(3):1–29

    Article  Google Scholar 

  30. John Jay & ARTIS Transnational Terrorism (JJATT) database (2009) http://doitapps.jjay.cuny.edu/jjatt/index.php. Accessed 4 May 2018

  31. Knoke D (2013) ‘It takes a network:’ the rise and fall of social network analysis in U.S. army counterinsurgency doctrine. Connections 33(1):1–10

    Google Scholar 

  32. Krebs VE (2002) Mapping networks of terrorist cells. Connections 24(3):23–52

    Google Scholar 

  33. Krivitsky PN, Goodreau SM (2017) STERGM—separable temporal ERGMs for modeling discrete relational dynamics with statnet

  34. Lantz B, Hutchison R (2015) Co-offender ties and the criminal career: the relationship between co-offender group structure and the individual offender. J Res Crime Delinq 52(5):658–690

    Article  Google Scholar 

  35. Lubbers MJ, Snijders TAB (2007) A comparison of various approaches to the exponential random graph model: a reanalysis of 102 student networks in school classes. Soc Netw 29(4):489–507

    Article  Google Scholar 

  36. Magouirk J, Atran S, Sageman M (2008) Connecting terrorist networks. Stud Confl Terror 31(1):1–16

    Article  Google Scholar 

  37. Maoz Z, Terris LG, Kuperman RD, Talmund I (2007) What is the enemy of my enemy? Causes and consequences of imbalanced international relations, 1816–2001. J Polit 69(1):100–115

    Article  Google Scholar 

  38. Matthew R, Shambaugh G (2005) The limits of terrorism: a network perspective. Int Stud Rev 7(4):617–627

    Article  Google Scholar 

  39. McAllister B (2004) Al Qaeda and the innovative firm: demythologizing the network. Stud Confl Terror 27(4):297–319

    Article  Google Scholar 

  40. McFarland DA, Moody J, Diehl D, Smith JA, Thomas RJ (2014) Network ecology and adolescent social structure. Am Sociol Rev 79(6):1088–1121

    Article  Google Scholar 

  41. McMillan C (2019) Tied together: adolescent friendship networks, immigrant status, and health outcomes. Demography 56(3):1075–1103

    Article  Google Scholar 

  42. McMillan C, Felmlee D, Osgood DW (2018) Peer influence, friend selection, and gender: how network processes shape adolescent smoking, drinking, and delinquency. Soc Netw 55:86–96

    Article  Google Scholar 

  43. Milward HB, Raab J (2006) Dark networks as organizational problems: elements of a theory. Int Public Manag J 9(3):333–360

    Article  Google Scholar 

  44. Morselli C, Giguère C, Petit K (2007) The efficiency/security trade-off in criminal networks. Soc Netw 29:143–153

    Article  Google Scholar 

  45. Newcomb TM (1961) The acquaintance process. Holt, Rinehart & Winston, New York

    Google Scholar 

  46. Newman MEJ (2001) Clustering and preferential attachment in growing networks. Phys Rev E 64:1–4

    Google Scholar 

  47. Osgood DW, Ragan DT, Wallace L, Gest SD, Feinberg ME, Moody J (2013) Peers and the emergence of alcohol use: influence and selection processes in adolescent friendship networks. J Res Adolesc 23(3):500–512

    Article  Google Scholar 

  48. Papachristos AV (2009) Murder by structure: dominance relations and the social structure of gang homicide. Am J Sociol 115(1):74–128

    Article  Google Scholar 

  49. Pedahzur A, Perliger A (2006) The changing nature of suicide attacks. Soc Forces 84(4):1987–2008

    Article  Google Scholar 

  50. Perliger A (2018) Terrorism networks. In: Victor JN, Montgomery AH, Lubell M (eds) The oxford handbook of political networks. Oxford University Press, New York, pp 653–668

    Google Scholar 

  51. Pirolli P, Card S (2005) The sensemaking process and leverage points for analyst technology as identified through cognitive task analysis. In: Proceedings of international conference on intelligence analysis, p 4

  52. Price DD (1976) A theory of bibliometric and other cumulative advantage processes. J Am Soc Inf Sci 27(5):292–306

    Article  Google Scholar 

  53. Robins G, Pattison P, Kalish Y, Lusher D (2007) An introduction to exponential random graph (p*) models for social networks. Soc Netw 29(2):173–191

    Article  Google Scholar 

  54. Rodríguez JA (2005) The March 11th terrorist network: in its weakness lies its strength. EPP-LEA working papers

  55. Sageman M (2004) Understanding terror networks. University of Pennsylvania Press, Philadelphia

    Google Scholar 

  56. Sageman M (2008) The next generation of terror. Foreign Policy 165:37–42

    Google Scholar 

  57. Schaefer DR, Marcum CS (2018) Modeling network dynamics. SocArXiv https://doi.org/10.17605/osf.io/6rm9q

  58. Schaefer DR, Simpkins SD, Vest AE, Price CD (2011) The contributions of extracurricular activities to adolescent friendships: new insights through social network analysis. Dev Psychol 47(4):1141–1152

    Article  Google Scholar 

  59. Simmel G (1906) The sociology of secrecy and of secret societies. Am J Sociol 11(4):441–498

    Article  Google Scholar 

  60. Snijders TAB, Baerveldt C (2003) A multilevel network study of the effects of delinquent behavior on friendship evolution. J Math Sociol 27(2–3):123–151

    Article  Google Scholar 

  61. Snijders TAB, Pattison PA, Robins GL, Handcock MS (2006) New specifications for exponential random graph models. Sociol Methodol 36(1):99–153

    Article  Google Scholar 

  62. Snijders TAB, van de Bunt GG, Steglich CEG (2010) Introduction to stochastic actor-based models for network dynamics. Soc Netw 32(1):44–60

    Article  Google Scholar 

  63. Steglich C, Snijders TAB, Pearson M (2010) Dynamic networks and behavior: separating selection from influence. Sociol Methodol 40:329–393

    Article  Google Scholar 

  64. Stevenson R, Crossley N (2014) Change in covert movement networks: the ‘inner circle’ of the Provisional Irish Republican Army. Soc Mov Stud 13(1):70–91

    Article  Google Scholar 

  65. Stohl C, Stohl M (2007) Networks of terror: theoretical assumptions and pragmatic consequences. Commun Theor 17(2):93–124

    Article  Google Scholar 

  66. Ünal MC (2019) Do terrorists make a difference in criminal networks? An empirical analysis on illicit drug and narco-terror networks in the prioritization between security and efficiency. Soc Netw 57:1–17

    Article  Google Scholar 

  67. Wasserman S, Faust K (1994) Social network analysis: methods and applications. Cambridge University Press, Cambridge

    Google Scholar 

  68. Watts DJ, Strogatz SH (1998) Collective dynamics of ‘small-world’ networks. Nature 393(4):440–442

    Article  Google Scholar 

  69. Weerman FM (2011) Delinquent peers in context: a longitudinal network analysis of selection and influence effects. Criminology 49(1):253–286

    Article  Google Scholar 

  70. White G, Porter MD, Mazerolle L (2013) Terrorism risk, resilience and volatility: a comparison of terrorism patterns in three southeast Asian countries. J Quant Criminol 29(2):295–320

    Article  Google Scholar 

  71. Widmer ED (1999) Family contexts as cognitive networks: a structural approach of family relationships. Pers Relatsh 6(4):487–503

    Article  Google Scholar 

  72. Wood G (2017) The structure and vulnerability of a drug trafficking collaboration network. Soc Netw 48:1–9

    Article  Google Scholar 

  73. Yarlagadda R, Felmlee D, Verma D, Gartner S (2018) Implicit terrorist networks: a two-mode social network analysis of terrorism in India. SBP-BRiMS 2018. LNCS 10899:1–8

    Google Scholar 

  74. Zech ST, Gabbay M (2016) Social network analysis in the study of terrorism and insurgency: from organization to politics. Int Stud Rev 18:214–243

    Article  Google Scholar 

Download references


This research was sponsored by the U.S. Army Research Laboratory and the U.K. Ministry of Defence under Agreement Number W911NF-16-3-0001. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the U.S. Army Research Laboratory, the U.S. Government, the U.K. Ministry of Defence or the U.K. Government. The U.S. and U.K. Governments are authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation hereon. This work was also supported by Pennsylvania State University and the National Science Foundation under an IGERT award # DGE-1144860, Big Data Social Science.

Author information



Corresponding author

Correspondence to Cassie McMillan.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

McMillan, C., Felmlee, D. & Braines, D. Dynamic Patterns of Terrorist Networks: Efficiency and Security in the Evolution of Eleven Islamic Extremist Attack Networks. J Quant Criminol 36, 559–581 (2020). https://doi.org/10.1007/s10940-019-09426-9

Download citation


  • Terrorist networks
  • Dynamic networks
  • Transitivity
  • Central hubs
  • Efficiency
  • Security