Threat is the “fissile material” needed to activate the individual components of asset, vulnerability, impact, consequence, and likelihood in the calculation of risk. It is threat that initiates the sequence of relationships and events that, together, combine to elevate or lower risk. It is important to understand threat in this context because all too often the element of threat is minimized or abstracted when security assessments are done. Why?
Unlike the examination and assessment of asset value or weaknesses in the facility or organization’s security defenses, a “threat” can be deceptively hard to define. Reliable intelligence about the intent, timing, nature, size, and capability of the threat actor’s goals is difficult and costly to obtain. Threats exist outside of the organization’s control. This is true whether it is a trusted “insider” intent on facilitating access to sensitive material for an adversary or an outside criminal group plotting to kidnap a corporate executive. The contours of threat events take form in plots and planning well outside of the knowledge of the targeted organization or individual.
Since threat is hard to assess or control, organizations often “abstract” threats via a generic design basis threat (DBT) matrix, applying levels of severity and impact to various threat actors rather than more detailed descriptors such as intent, capability, presence, or timing. A DBT is a useful and necessary tool but should never be the sole substitute for a thorough threat assessment. Alternatively, organizations will outsource threat assessment to firms that deliver anodyne products that lack the granularity and specificity that come from solid, on-the-ground, up-to-date data. Assessments such as these are rife with conditional terminology – could, should, may, might – because they do not have solid intelligence and thus lack confidence in their analyses and predictions. A threat analysis that is either not predictive, or vaguely predictive, is useless.
In either case, organizations that give short shrift to threat analysis end up overly focused on the internal picture. They identify and seek to resolve vulnerabilities. The premise is that the vulnerability “could” be exploited by “a threat.” With this conditional premise in mind, the vulnerability is closed and the threat mitigated. Problem solved. The concern with this approach is that it fosters a risk avoidance mentality. Threats that are ill-defined or abstract do one of two things: they are minimized because they lack substance or they are magnified because they are not understood properly. Either way, minimizing threat analysis skews the risk assessment.
It is true that risk can certainly be partially defined by looking almost exclusively at vulnerability and potential impact. But the outcome will be murky at best, particularly if the risk assessment is the foundation of security program and system design. A well-defined threat analysis makes a real difference because it provides much greater clarity on the critical component of likelihood. This, in turn, sheds more light on the potential impact of a threat event or actor’s manifestation against an asset.
Risk cannot truly be quantified in specific, measurable terms without solid threat analysis.
As a general rule, threat assessment should begin with an examination of trends and indicators surrounding a specific threat actor – it is a reading of the tea leaves. Inexact, yes, but this is a starting point. The assumption that a threat cannot be clearly defined because it exists outside of the control of the organization is false. It just requires a different set of skills. For example, a terrorist attack does not take place in a vacuum. It requires planning. While terrorists have free rein with regard to target sets, they are – as are security forces – constrained by operational considerations such as money, manpower, weapons, and intelligence. They need to resolve each of these issues to successfully accomplish their mission. Targets must be reconnoitered, security forces must be probed for weaknesses, weaponry and explosives must be obtained and stockpiled, personnel recruited, trained, and tested. Quite often, smaller operations in similar environments are used as test beds to “blood” terrorist attackers. All of these tasks are indicators and leave traces in their execution. This constitutes a pattern and gives substance and definition to the likelihood of an event. The more refined the assessment of likelihood that a threat actor is planning to attack or will attack, the more refined the risk equation becomes and the subsequent security planning to mitigate the risk.
As noted before, obtaining information about threat is not easy. The analysis of incomplete information is likewise difficult; it requires a trained analyst to deduce from incomplete evidence the bigger picture that comprises an active and gathering threat. Organizations today, to keep information current and relevant for their operations, require the development of an effective intelligence capability within their own security ranks. Intelligence-driven security programs ultimately provide the best value for the organization because security systems and design are refined to address threat and risk with much more specificity than the old “gates, guards, and guns” approach to securing a facility or operation.
Threat-led risk analysis refines an assessment so that capital cost expenditures on security countermeasures needed to protect a client’s assets are sharply focused, effective, and necessarily efficient.