Physical security threat assessment
First of all, if you think this is just for professionals, don't be misguided! A threat assessment can be implemented by any person eager to improve their security at home, place of business, office, ranch, farm, flat, or even just a single room! It is just a simple step-by-step system that has been developed over a couple of years, and can be used by anyone willing to put some thought and research into it!
Why use it?
One of the most common risks an organization runs is stagnant and non-evolving security measures. Unfortunately, these things can only be addressed if it is known to the organization. For that reason, it is necessary to perform a complete threat assessment. Sadly, too often a comprehensive threat assessment is missing completely or never updated. So it's your responsibility as the Advisor/Consultant/Team-leader/Security manager or head of the house to make sure that all the risks are reduced to an acceptable level.
The biggest mistake most organizations make is waiting for a safety breach or incident to happen before they implement mitigation strategies. Preparing a thorough threat assessment will undoubtedly help in improving overall security. It will also help in identifying which preventative measures to implement and reduce the risk of possible threats.
Any organization will always have some form of physical threat. Whether it's from general crime, human error, or even natural elements. Physical security is not a one-size-fits-all package. It gets very specific to the organization itself, especially when it comes down to demographics and location.
Before we start
Before we go any further, you should have a clear knowledge of the differences between risk, threat, and vulnerability. If you are unsure or just need a little refresher to make sure you are on the right track, you can learn the difference >Here<. It's also important to note that there are different methodologies out there and each one probably works, but will not necessarily be comfortable for everyone. That's why you need to learn from each of them and develop something that you are comfortable to use.
That being said, you should make sure that the following points are covered in your assessment:
- Buildings, assets, and vehicles are characterized
- Undesirable events should be identified
- The consequences of those events should be determined
- The types of threats should be identified
- Testing and analyzing the protection security systems and procedures
- Complying with law and regulations
- Identifying reasonable control measures needed
To formulate the assessment:
Formulating a threat assessment can be done by following these 5 steps:
1) Characterizing facilities
So it should be obvious that you should first know what the actual basis is that your working with. The boundaries of the site, where buildings are on the site, all access points, floor plans, procedures in place, and current security measures if any should be noted. You will need to reach out to some contacts to get all of this information and make sure it is as accurate as possible. Depending on how long the organization has been up and running, you will be able to use things like building blueprints, municipal reports, security SOP's and IAD's, previous threat assessments and reports, environmental reports, site surveys, and a few more.
2) Now you need to determine what events are undesirable to the organization (the risks)
This will vary for every organization. Any crime or disruption in operations is undesirable, and sometimes you might be called in to address something specific, like for instance theft among employees or a physical threat that has been made known to the organization. The following are things to look for:
- The crime rate in that specific area and also if there are high-risk areas close by.
- Industry-specific crimes, for example, drug stores and banks will have different types of specific risks related to their trade.
- Common crime, things like theft and crimes of opportunity.
- The number of people who will be accessing the organization's infrastructure
- Cameras and other monitoring systems
- Lack of manpower
- The political and religious standing of the organization can also attract more risks
- Training of staff or team members
- If there are any direct threats to the organization or one of its high-ranking officials