Assess the Nature of Threats and Hazards to Determine Risk

1-3

Understanding and evaluating threats and hazards is foundational in physical security risk management. This task involves identifying the types of threats, assessing their likelihood and severity, and analyzing the broader operational and environmental context in which these threats may manifest. The ultimate goal is to develop a risk profile that informs the development and prioritization of mitigation strategies.

DOMAIN 1 - TASK 3

Severity and Likelihood Assessment

Severity reflects the magnitude of potential harm, while likelihood addresses the probability of occurrence. Various models exist:

  • Qualitative: Use of descriptors (High, Medium, Low)
  • Quantitative: Numerical scoring (e.g., 1–5 or 0–100 scales)
  • Hybrid Models: Matrix models that plot severity vs. likelihood for risk prioritization

Sources of Data:

  • Crime reports
  • Natural disaster records
  • Law enforcement bulletins
  • Regulatory agency alerts
  • Socioeconomic and geopolitical reports

Analyzing the Operating Environment

Understanding the operating environment is critical to accurate threat modeling.

A. Physical Environment

  • Facility location and design
  • Natural surroundings (urban/rural, lighting, elevation)
  • Traffic patterns (pedestrian/vehicular)
  • Adjacent land uses
  • Existing physical security countermeasures

B. Logical Environment

  • IT infrastructure (on-premise, cloud)
  • Network design and security
  • Connectivity (VPNs, mobile devices, remote access)
  • Integration with physical systems (HVAC, surveillance, access control)

C. Nonphysical (Organizational) Environment

  • Industry regulations and compliance requirements
  • Organizational structure and resilience
  • Financial health and resource allocation
  • Corporate culture and employee behavior

These environmental variables directly influence an organization's exposure and vulnerability to specific threats.

External Organizational Influence on Risk

A facility's security is affected by adjacent or related organizations' operations and security posture.

Neighboring Entities

  • Shared infrastructure or property
  • Adjacent tenants with weaker security
  • Businesses whose operations attract protests or threats

Competitors

  • Industrial espionage or sabotage risk
  • Regulatory influence or interference

Supply Chain Partners

  • Vendors, contractors, and logistics providers with:
    • Weak cybersecurity
    • Lax visitor controls
    • Non-compliant physical security standards

Example: A contractor leaving a default password on a networked HVAC controller could allow an attacker who reaches that network to pivot from building automation into systems serving a secure facility zone.

Internal and External Risk Factors

Risk is not driven only by physical or cyber threats; the broader organizational factors listed under the nonphysical environment above (regulation, structure, finances, culture) shape both exposure and the capacity to respond.

Threat and Vulnerability Interaction

Risk is the result of a threat exploiting a vulnerability. Two key questions to assess:

  • Observability: Can adversaries detect or become aware of the vulnerability?
  • Exploitability: Can adversaries leverage the vulnerability to cause harm?

This concept aligns with the Four Ds of security (Deter, Detect, Delay, and Deny), which underpin countermeasure planning: countermeasures either make a vulnerability harder for an adversary to observe or harder to exploit.

Threat Modeling Methodology

A common model for evaluating risk incorporates the following:

Risk = Threat × Vulnerability × Impact

Each component is rated or scored to calculate an overall risk value. Using tools such as heat maps or risk matrices can help visualize risk levels and assist in prioritizing mitigation strategies.
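As an added worked example for the severity/likelihood matrix model above and for Risk = Threat × Vulnerability × Impact (this is illustrative code, not part of the original notes or any ASIS material): a small Python risk register that scores each scenario, places it in a 5×5 likelihood-vs-severity matrix, assigns a qualitative band, and orders the register for mitigation priority. The 0–5 scale, the rule for combining threat and vulnerability into a likelihood row, the band thresholds and the five scenarios are all assumptions made for the example. The last scenario shows the Final Tip in numbers: a high-threat actor against an asset with no exploitable vulnerability scores zero.

```python
"""Scoring a physical-security risk register.

Added worked example for the PSP study notes (not ASIS material). It applies
Risk = Threat x Vulnerability x Impact on an assumed 0-5 scale and places each
scenario in a severity-vs-likelihood matrix to assign a qualitative band.
All scenarios, ratings and band thresholds below are constructed for illustration.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 0, 5   # assumed scale: 0 = factor absent, 5 = maximum

# Assumed band thresholds on the matrix cell value (likelihood x severity, 0..25).
BANDS = ((0, "None"), (4, "Low"), (9, "Medium"), (15, "High"), (25, "Critical"))


@dataclass(frozen=True)
class Scenario:
    name: str
    threat: int         # likelihood that the adversary or hazard acts against the asset
    vulnerability: int  # how observable and exploitable the weakness is (0 = not exploitable)
    impact: int         # severity of the harm if the event succeeds
    source: str         # evidence behind the ratings (crime data, bulletins, records)

    def __post_init__(self):
        # Reject ratings outside the agreed scale so the register stays comparable.
        for label in ("threat", "vulnerability", "impact"):
            value = getattr(self, label)
            if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{label} must be an integer {SCALE_MIN}-{SCALE_MAX}, got {value!r}")


def risk_score(s: Scenario) -> int:
    """Quantitative value: Risk = Threat x Vulnerability x Impact (0..125).
    Any factor at 0 zeroes the product: a threat with no exploitable vulnerability is not a risk."""
    return s.threat * s.vulnerability * s.impact


def likelihood(s: Scenario) -> int:
    """Likelihood row of the matrix on the 0-5 scale: threat and vulnerability combined
    as ceil(T*V/5), so a capable threat facing an unexploitable weakness lands on row 0."""
    return -(-(s.threat * s.vulnerability) // SCALE_MAX)


def severity(s: Scenario) -> int:
    """Severity column of the matrix is the impact rating itself."""
    return s.impact


def band(s: Scenario) -> str:
    """Qualitative band read from the matrix cell (likelihood x severity)."""
    cell = likelihood(s) * severity(s)
    for upper, label in BANDS:
        if cell <= upper:
            return label
    raise AssertionError("cell value exceeds the 5x5 matrix")


def prioritize(scenarios):
    """Register sorted highest risk first: (name, score, band, likelihood, severity)."""
    rows = [(s.name, risk_score(s), band(s), likelihood(s), severity(s)) for s in scenarios]
    return sorted(rows, key=lambda r: (r[1], r[3] * r[4]), reverse=True)


def heat_map(scenarios):
    """Matrix cells -> 1-based register indices of the scenarios that land in each cell."""
    cells = {}
    for i, s in enumerate(scenarios, 1):
        cells.setdefault((likelihood(s), severity(s)), []).append(i)
    return cells


def render_heat_map(scenarios) -> str:
    """Text heat map: rows = likelihood (5 at top), columns = severity 1..5.
    Row 0 (no exploitable vulnerability) is deliberately off the map."""
    cells = heat_map(scenarios)
    lines = ["L\\S | " + " | ".join(f" S{c} " for c in range(1, SCALE_MAX + 1))]
    for row in range(SCALE_MAX, 0, -1):
        marks = [",".join(map(str, cells.get((row, col), []))) for col in range(1, SCALE_MAX + 1)]
        lines.append(f" {row}  | " + " | ".join(f"{m:^4}" for m in marks))
    return "\n".join(lines)


# Constructed risk register for one office facility (illustrative ratings only).
SCENARIOS = (
    Scenario("Forced entry at loading dock after hours", 4, 3, 3,
             "local crime reports: repeated commercial burglaries nearby"),
    Scenario("Default password on contractor-managed networked HVAC", 3, 5, 4,
             "vendor audit: controller reachable from the corporate LAN"),
    Scenario("Flooding of ground-floor server room", 2, 4, 5,
             "natural disaster records: facility sits in a flood zone"),
    Scenario("Protest spill-over from adjacent tenant", 4, 2, 2,
             "law enforcement bulletin: neighbouring tenant draws demonstrations"),
    Scenario("Insider sabotage of hardened, alarmed vault", 5, 0, 5,
             "vault meets the standard; no exploitable weakness identified"),
)

if __name__ == "__main__":
    for name, score, b, lik, sev in prioritize(SCENARIOS):
        print(f"{score:4d}  {b:8s}  L{lik}xS{sev}  {name}")
    print(render_heat_map(SCENARIOS))
```

Two design points worth noting. The product score and the matrix band are kept separate on purpose: the product orders scenarios finely for prioritization, while the band is what gets reported and matched to countermeasure robustness, and the two can disagree at the margins (here the flood and the HVAC scenario share a band but not a score). Every scenario also carries its evidence source, which is what lets the assessment be defended and revisited when the crime data, bulletins or records change.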

Integration with Security Program Design

Risk assessment should be tightly integrated with the design and management of the physical protection system (PPS). This includes:

  • Aligning threats with the most relevant protective layers (e.g., physical, electronic, personnel)
  • Matching severity ratings with countermeasure robustness
  • Ensuring compliance with applicable standards (NFPA, ANSI, ASIS)
  • Periodic reassessment to address changing threat landscapes (e.g., pandemics, geopolitical instability)

Key Takeaways for PSP Candidates

  • Understand the difference between threats and hazards.
  • Apply both qualitative and quantitative assessment tools.
  • Consider internal and external organizational dynamics.
  • Use threat modeling to determine mitigation priorities.
  • Document and justify risk decisions based on evidence and data.
  • Recognize that threat assessments are iterative and should be revisited periodically.

Final Tip

PSP candidates must articulate not just the threats but how they interact with vulnerabilities and environmental factors to produce risk and how these risks shape protection strategies. Remember, a threat without a vulnerability does not constitute a risk, and a well-defended asset may render even a high-threat actor ineffective.
