Finding sensible PHYSEC solutions - Part 1
Most people understand that physical security control measures, such as security alarms, access control and CCTV systems, are a necessary evil in this day and age. However, when it comes to what security measures to install, and to what extent, everyone has a different view. Nobody wants to “undercook” their physical security and risk insufficient protection of their people and assets. But neither does anyone want to throw money away on extensive and expensive systems that are unnecessary.
In this series of blogs, we will lay out a basic process that can be used to help you determine a pragmatic, proportionate and effective physical security solution for your organisation. We will start by looking at threat and risk, followed by how to apply threat and risk assessments to your organisation’s physical security environment. We will then look at some of the principles of physical security and how these apply to different physical security control measures. Finally, we will pull everything together to present a high-level process for determining an appropriate physical security solution for your business.
It's probably worth noting that the language and terminology used in this series of blogs has been deliberately simplified so that it can be understood by everyone and not just the technical experts!
Threat and Risk
Understanding threat and risk is the fundamental building block to achieving the pragmatic and proportionate aspects of a physical security solution. Most organisations regularly deal with risk assessments in the health and safety domain, but often don’t take the same approach in the security domain.
By identifying the threats to your organisation and the associated risks they present, you can determine where your vulnerabilities lie. However, there is often a lack of understanding of the difference between threat and risk. While there are many standards, handbooks and guides on threat and risk, we will try to boil it down to a social media-sized summary below.
What are threats and risks?
A threat describes an action or event that leads to a negative outcome, together with who or what carries out that action or event. For example, a threat may be a petty criminal breaking into a storage shed and stealing some tools.
Common threat categories used within government circles are shown in Table 1 below. These are fairly broad and some may be more relevant to your organisation than others.
Identifying what may go wrong on its own is not that helpful, so threats also consider the likelihood of that action or event occurring. For example, if your site is in an industrial area with a high crime rate and your shed is secured with a low grade lock, you may determine there is a fairly high chance that someone might steal your tools.
Risk takes this a step further and considers the impact or consequences. Identifying instances of how these threats could occur and assessing the impact or consequences of these occurrences results in a set of risks. For example, if the tools were low value and used only for routine maintenance, the impact of them being stolen might be low. However, if the tools were a critical part of your operations and difficult to replace, the impact of them being stolen might be very high.
Another way of looking at the relationship between threat and risk, and how to determine them, is shown in Figure 1. This is the process used by the Combined Threat Assessment Group (CTAG) when setting the national terrorism threat level[1].
To provide context, threats and risks are usually assigned a level. This could be low/medium/high, a scale of one to five, or whatever system works for you. From Figure 1 we can see that the risk level is usually the combination of the Likelihood and the Impact or Consequence. A common approach is to score each on a numerical scale, combine the two scores, and then output a colour-coded high/medium/low rating; an example of this is shown in Table 2. However, the purpose of a risk rating is to help you understand the significance of a risk to your organisation, both absolutely and relative to other risks, so use any system that provides the relevant information and works for you.
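To make the scoring concrete, here is a small risk register that applies the likelihood-times-impact approach described above and ranks the results. This is an added illustration written for this page, not the post's own Table 2; the 1-to-5 scales, the score = likelihood x impact rule, the high/medium/low thresholds and the sample risks are all assumptions chosen for the example.

```python
"""Illustrative likelihood x impact risk register.

Added example, not part of the original post. Assumed (not from the page):
a 1..5 scale for both likelihood and impact, score = likelihood * impact,
and the high/medium/low thresholds in band(). The sample risks are constructed.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed 1 (rare/negligible) .. 5 (almost certain/severe)


@dataclass(frozen=True)
class Risk:
    threat: str       # who or what does what, e.g. "petty criminal steals tools from shed"
    likelihood: int   # 1..5, how likely the threat is to occur
    impact: int       # 1..5, how bad it is for people/operations if it does

    def __post_init__(self):
        # Reject scores outside the agreed scale so the register stays comparable.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in SCALE:
                raise ValueError(f"{name} must be in 1..5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Map a 1..25 score to a colour-style band. Thresholds are an assumption."""
    if score >= 15:
        return "HIGH"
    if score >= 8:
        return "MEDIUM"
    return "LOW"


def rank(risks):
    """Most significant first. Ties on score are broken by impact, so a
    low-likelihood/high-impact risk is listed above the reverse at equal score."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def risk_register(risks):
    """Rows of (threat, likelihood, impact, score, band) in ranked order."""
    return [(r.threat, r.likelihood, r.impact, r.score, band(r.score)) for r in rank(risks)]


def matrix():
    """Full 5x5 grid of bands, useful for sanity-checking the chosen thresholds."""
    return {(l, i): band(l * i) for l in SCALE for i in SCALE}


# Constructed sample risks; the two shed scenarios mirror the text's example.
SAMPLE_RISKS = [
    Risk("petty criminal breaks into shed, steals routine maintenance tools", 4, 1),
    Risk("petty criminal breaks into shed, steals critical hard-to-replace tools", 4, 5),
    Risk("vandalism of perimeter fence", 3, 2),
    Risk("unauthorised entry to server room via propped fire door", 2, 5),
    Risk("tailgating through staff entrance", 5, 2),
]

if __name__ == "__main__":
    for threat, l, i, s, b in risk_register(SAMPLE_RISKS):
        print(f"{b:6} {s:2} (L{l} x I{i})  {threat}")
```

Note that the same threat (tools stolen from the shed) produces a LOW and a HIGH risk depending only on impact, which is the point the text makes; and the two risks scoring 10 are listed with the higher-impact one first. Whatever thresholds you adopt, print the full matrix once and check that the bands it produces match what your organisation would actually say about each cell.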
So now you have taken a good look at the threats to your organisation’s physical security and assessed the potential impact of those threats on your people and operations, resulting in a list of risks and ratings.
In the next part of this series, we look at what to do with your risk assessment and how to apply it to your organisation.
[1] https://nationalsecurityjournal.nz/assessing-terrorism-threats-to-new-zealand-the-role-of-the-combined-threat-assessment-group/