101: Threat Assessment vs Vulnerability Assessment

Threat assessments and vulnerability assessments are both integral parts of the risk assessment process. Together, they are used to prioritize targets based on the greatest risk, so the organization will know where to focus its efforts with regard to security controls and risk mitigation.

Threat Assessments

A threat assessment consists of a threat definition followed by a threat analysis. Threat definition is a three-step process.

Step 1: Identify Adversaries

Adversaries are generally grouped into categories such as insiders, outsiders, or outsiders acting with the assistance of insiders.

Within each category, adversaries can be further broken down into classes such as terrorists, criminals, activists, and hackers (outsiders). If individual adversaries have been identified, these should be included as well.

Step 2: Characterize the Adversaries

Characterization involves identifying the motivations, goals, tactics and capabilities of each adversary class. This information can be gathered from intelligence sources including past incidents at the organization and its peers, crime studies, government reports, and other published literature. Where the sources disagree or are dated, record the uncertainty rather than picking the most convenient figure, since these characterizations feed the likelihood ratings used later.

Step 3: Evaluate Targets from the Perspective of the Adversary

Targets (assets, facilities, people) are then evaluated from the perspective of the adversary in order to determine which actions (e.g., theft, sabotage, collusion) each adversary class would plausibly take against them. Once the threats are defined, they are analyzed to determine the likelihood and impact of those adversary actions against particular targets; this likelihood-and-impact analysis is the output the vulnerability assessment consumes.

Vulnerability Assessments

A vulnerability assessment uses the threat levels and adversary actions produced by the threat assessment, so it cannot be conducted until the threat assessment has been completed. A vulnerability assessment is also a three-step process:

Step 1: Identify and evaluate the potential actions of an adversary against a target

Scenarios can be used in order to describe the potential actions that can be taken against a facility or individual targets within the facility, or assets can simply be listed and evaluated.

Step 2: Identify and evaluate the existing security measures

Each security control applied to a target should be identified and evaluated for effectiveness. This can be a daunting task for the first assessment.

Step 3: Identify and analyze the potential vulnerabilities discovered in steps 1 and 2

Worksheets play a major role in vulnerability assessments. Each item on the worksheet is rated on a five-point scale from Very Low (1) to Very High (5) so that the data can be analyzed semi-quantitatively and targets can be ranked. Rated items include the severity of the consequences, the threat level (taken from the threat assessment), the attractiveness of the asset to the adversary, and the severity of the vulnerability given the existing security measures identified in step 2. The resulting ranking is what drives prioritization. New countermeasures can be recommended at this point, based on the vulnerabilities discovered in step 3, and the worksheet should then be re-rated with the proposed countermeasures in place to confirm that they actually reduce the score.
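As an added example (it is not code from the original page), the worksheet scoring described above implemented in Python: each target's four ratings are validated against the 1 to 5 scale, combined into a single score, and the targets are ranked so the highest-risk ones come first. The four rated items and the 1 to 5 scale come from the page; the combination rule (the product of the four ratings), the CSV column names and the sample worksheet rows are assumptions constructed for this demonstration, and any real assessment should state and justify its own combination rule.

```python
import csv
import io
from dataclasses import dataclass

# The five-point scale used on the worksheet (from the page).
RATING_SCALE = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}

# Column names are an assumption; the page names the rated items but not a file layout.
RATED_ITEMS = ("consequence", "threat", "attractiveness", "vulnerability")


@dataclass(frozen=True)
class WorksheetRow:
    """One target on the vulnerability worksheet with its four ratings."""
    target: str
    consequence: int      # severity of the consequences if the adversary succeeds
    threat: int           # threat level, carried over from the threat assessment
    attractiveness: int   # attractiveness of the asset to the adversary
    vulnerability: int    # severity of the vulnerability given existing controls

    def __post_init__(self) -> None:
        # Reject anything outside the 1..5 scale so a typo cannot skew the ranking.
        for item in RATED_ITEMS:
            value = getattr(self, item)
            if value not in RATING_SCALE:
                raise ValueError(f"{self.target}: {item} rating {value!r} is not in 1..5")


def risk_score(row: WorksheetRow) -> int:
    """Combine the four ratings into one score.

    Assumed rule: the product of the four ratings (range 1..625). The page does
    not specify how the items are combined; a product makes a Very Low rating on
    any one item pull the score down sharply, which is the behaviour we want when
    e.g. the threat level is negligible.
    """
    return row.consequence * row.threat * row.attractiveness * row.vulnerability


def parse_worksheet(text: str) -> list[WorksheetRow]:
    """Parse a CSV worksheet (header: target, then the four rated items)."""
    rows = []
    for record in csv.DictReader(io.StringIO(text)):
        rows.append(
            WorksheetRow(
                target=record["target"].strip(),
                **{item: int(record[item]) for item in RATED_ITEMS},
            )
        )
    return rows


def rank_targets(rows: list[WorksheetRow]) -> list[WorksheetRow]:
    """Highest risk first; ties broken by target name so the order is stable."""
    return sorted(rows, key=lambda r: (-risk_score(r), r.target))


# Constructed sample worksheet for the demonstration; not real assessment data.
SAMPLE_WORKSHEET = """target,consequence,threat,attractiveness,vulnerability
Main data center,5,3,4,2
Backup tape vault,4,2,2,5
Reception lobby,2,4,3,4
Loading dock,3,3,3,3
"""


def prioritized_report(text: str) -> list[tuple[str, int]]:
    """Return (target, score) pairs in priority order for the given worksheet."""
    return [(r.target, risk_score(r)) for r in rank_targets(parse_worksheet(text))]


if __name__ == "__main__":
    for target, score in prioritized_report(SAMPLE_WORKSHEET):
        print(f"{score:4d}  {target}")
```

Because the score is a plain function of the row, re-running the report on a worksheet whose vulnerability ratings have been lowered to reflect a proposed countermeasure shows directly how far that countermeasure moves each target down the list.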