Let’s first define a threat assessment, the textbook definition is:

“A threat assessment determines the credibility and seriousness of a potential threat, as well as the likelihood that it will be carried out at some point in the future”.

Many people simply lump together the elements of a threat assessment with a vulnerability study but our focus he will just be the threat assessment portion, we will cover the vulnerability in another post.

There are many methodologies on how to perform a threat assessment (sometimes called a risk assessment) and they often confuse threat assessment with a vulnerability study. Some are freely offered by those who have tried them and met with some success and others that are proprietary and usually offered only as a part of a full service offering.  They all try to answer the questions: “What needs to be protected, from whom and when?  Of equal importance are the implications that if the asset being protected were damaged or lost how would that affect the business?  What would be the cost to replace this asset?.

Taking those questions one at a time and starting with “What needs to be protected” we should all recognize that the managers of a business know all too well which elements (people or property) are critical to their operation and how the business would suffer with the loss of that asset.  Simply identifying business assets is usually NOT a reason for a threat assessment.

From whom does the asset need to be protected? That question is a bit more complicated, the “whom” is better defined by a “group” characteristic than an individual by name.  For example one of the more common threats is from indigents looking for crimes of opportunity, simple burglary.  Other more focused threats are from insiders with knowledge and intent to commit a crime to improve their own situation.  A good example is drug theft from hospital pharmacies.  These crimes are most often committed by employees who are involved in drug use or drug sales.  Sometimes, the threat is intended to do damage to the company such as industrial espionage where trade secrets are taken from the company to be sold or given to a competitor.  Now a reason to  do a threat assessment begins to emerge.

If the management team of the organization has not already identified these groups, an examination of internal incident reports will begin the identification process.  If there are no internal reports or there is insufficient detail in these reports, we frequently turn to outside sources.  This usually means police reports or crime data on a local level.  And sometimes, even that information is either unavailable or incomplete.  That would lead us to national crime data and information from the FBI.

Finally, if the management team really doesn’t know what type of crimes it needs to be concerned about and there is no physical evidence indicating criminal activity has occurred in the past, we can research this question by contacting similar organization and asking them about their experience and then infer that this company would have similar results.

The “when” is often circumstantial and simply refers to periods when the security should be tightest.  In most cases, that is the evening hours when facilities are unoccupied.  However, there are many security instances when control over a space is equally important during the day.

In my more than 35 years in the security industry I have not worked for client who did not know what types of crimes concerned their management team.  Identifying the potential crime is usually not a problem but knowing the business’s vulnerability and that crime is.  Therefore, when some people say they need a threat assessment what they’re really need a is a vulnerability study.

A vulnerability study begins with an identification of threats and seeks to learn how susceptible the organization is to those threats.  It must be assumed that the threat can become real even when it has never occurred and at this organization.  However, that’s a subject for our next post.