The above clip from the Threat & Risk Analysis lecture in our Security Management and Physical Security courses talks about the importance of threat definition in a Threat & Risk Analysis exercise. Only after defining the threat can we start to estimate the risk of that threat being carried out. The example given is an important public building in a major western capital city that was thought to be protected against blasts, but it was discovered that the threat had been defined as 10 kg of TNT at a distance of 70 m. This cannot even be considered a threat to the building and, in this particular case, was completely inappropriate. The building owners and residents felt that they were protected because the risk analysis and protection project had been completed successfully; however, no one realized that the underlying assumptions were flawed.
As security managers, it is not enough to tick the boxes and go through the motions. We must understand the threats, question assumptions, and make sure that the risks are understood. Employing a methodology that assesses risks, grades vulnerabilities, and calculates outcomes should result in a prioritized list of protection projects that is logical and transparent to senior management.