3. Identify the Threats
Once you have identified which assets are most critical you should determine the possible threats to these assets. Consider threats from across the full spectrum of physical, personnel and people, and cyber, and also how these threats might evolve over time.
Questions to help you identify the threats to your organisation:
- Does your organisation have a risk management process for identifying and assessing security threats? If so who owns the process? Who is responsible for ensuring it is regularly reviewed, tested and updated?
- What are the most prevalent security threats at the moment and how relevant are they to your organisation (eg terrorism, cyber attack, insider threat)?
- Can you identify the security threats that are specific to your organisation’s core business activities?
- What sources of intelligence does your organisation use or access to build a comprehensive picture of threats?
- What would a serious security incident or breach look like? What impact would it have on your organisation (eg financial loss, loss of reputation or customer information)?
Joining information-sharing groups or information exchanges is a good way of keeping up-to-date with emerging threats. It will also help you increase your knowledge and understanding of threat, and threat mitigation measures that others are using. Examples include the Cyber-security Information Sharing Partnership (CISP) and CPNI Information Exchanges.
Once you have developed the threat picture you can address your organisation’s specific vulnerabilities and go on to develop a plan for your security requirements.
CPNI guidance and information to assist you in developing your plan include:
- Threat intelligence – how to plan an approach to threat intelligence, including building a threat intelligence programme
- Personnel Security in hindsight - video on CPNI YouTube channel illustrating insider threat
- Ongoing personnel security - explains the insider threat and advises on mitigation measures