- A security threat is the intent and capability of a threat actor to take some adverse action against you.
- Threat assessments, such as those produced by the government's intelligence assessment bodies, provide judgments on how likely this is to happen and the methodology threat actors are most likely to use.
- Such assessments are typically high level, time bound and qualitative. Estimates of likelihood will rarely represent the likelihood of a threat actor targeting you specifically.
- Methodology assessments help you target your mitigations and will inform your risk tolerance as well.
- Threat assessments are only one part of shaping your protective security. They inform your risk assessments and help you generate threat scenarios on which to base your mitigations.
- If you are working with a CPNI advisor or a police Counter Terrorism Security Adviser (CTSA) they can help with this process.
Threats, Risks and Vulnerabilities
What's in a name?
Key concepts such as 'threat', 'risk' and 'vulnerability' are commonly discussed but either lack a precise definition or are defined differently by each organisation. Definitions may be set out by a professional body, charter or standards used within a community but may be very different when you step outside that community. These terms in particular can sometimes be used interchangeably or as shorthand for complex concepts.
Here are the terms as CPNI defines and uses them:
Protective Security Threat is the intent and capability of an actor to take adverse action against you - for example, to carry out a terrorist attack, exploit your computer networks via cyber means or covertly obtain a piece of your intellectual property.
A Threat Assessment is a professional judgement based on analysis, as to the intent and capability of a particular threat actor or multiple threat actors against particular target(s).
Protective Security Risks are identified threats or vulnerabilities that have been assessed for their likelihood (of the threat ever occurring) and impact (to the organisation and/or third parties) should the threat manifest.
A Vulnerability is the diminished capacity to anticipate, cope with, resist or recover from the impact of an adverse event, for example the manifestation of a threat or hazard.
The concept of Mitigation is closely related to risk. Mitigations reduce the risk posed by threats to your organisation. For example, deterring a terrorist attack, reducing the harm done by a physical attack, or early detection of attempted espionage.
What Can a Threat Assessment Provide?
Accurate threat assessments help you to judge what adverse events may impact your organisation and prepare yourself to manage the risk of this happening. This allows you to develop Threat Scenarios (likely ways in which a particular threat would manifest in your organisation) and risk assessments (identifying the likelihood and impact of an adverse event), and to judge what mitigations you may need to protect your assets.
Threat assessments will generally provide some indication as to the likelihood of a threat actor attempting to target you, your organisation or your sector. Such assessments by government bodies will often use probabilistic language, usually found in the 'probability yardstick' issued by the Cabinet Office as the standard across HM Government's intelligence assessment community.
The yardstick, as below, gives general probabilities associated with the language used. This provides a central professional standard for government intelligence assessment to reduce uncertainty around the use of probabilistic language.
GOV.UK - Intelligence Analyst Profession 'probability yardstick' used by the Professional Head of Intelligence Analysis (PHIA) in government.
When interpreting government threat assessments, it is important to remember:
- Threat assessments are usually qualitative and based on limited historic data or a snapshot of intelligence at the time - predicting future trends is more complex.
- The quantitative probabilities tied to the probability yardstick are relative, based on the best judgment available and may not translate to statistical models.
- The yardstick is not universal and threat assessments usually relate to the general threat. For example, if a terror attack is 'highly likely' and an engineer estimates your machine is 'highly likely' to fail, this does not imply equal likelihood.
- These assessments generally address the national or international threat picture or a particular UK sector, rather than your specific sites or interests. The likelihood of something happening may not equal the likelihood it happens to you.
- Given the specialist nature of intelligence analysis you may need to aggregate assessments across a range of threats, such as terrorism, hostile states and crime, to get the full picture. If you are working with a CPNI advisor or police CTSA, they can assist with this.
So, given that you will receive a range of threat assessments, each covering the broad picture of a specific threat actor or area of UK life, what does this mean for you?
The probabilistic language of threat assessments will help you understand the greatest threats facing the UK or your sector. However, internal review, development of threat scenarios and informed judgment by competent professionals will be needed to determine the probability of a threat manifesting against you and your organisation. This will then feed into your own risk assessment process and help you identify the top risks to mitigate.
Your own industry may have tools or definitions of probability which can be helpful in refining your own threat scenarios and risk assessments. For example: some industries use Monte Carlo simulations or attack/failure trees; your organisation may operate under the government's Security Policy Framework; or you may follow particular processes mandated by standards such as ISO23000 (Business Continuity), ISO27000 (Information Security) or ISO31000 (Risk Awareness). Qualitative threat assessments should inform, not replace, these other processes.
What will happen?
The other key information a threat assessment provides is the likely range of methodologies or 'tactics, techniques and procedures' (TTPs) a threat actor may employ in targeting you. Aside from the likelihood of the threat manifesting against you in particular, this information will help you judge what to prepare for if it does happen.
This methodology information informs the threat scenarios you may develop to understand what is likely to happen if a threat manifests against you. For example, you may want to prepare a site for a terrorist attack but understanding whether the terrorist is likely to use a knife or a vehicle-borne improvised explosive device (VBIED) makes all the difference. Similarly, understanding how a Hostile State Actor is likely to make an approach to your staff online or exploit a business relationship helps you prepare for, identify and respond to such actions.
This information is crucial to understanding the threat and having the right mitigations in place.
In scenario 1, considering the threat from a terrorist attack of the sort seen relatively recently in the UK, you draw on threat assessments to identify bladed/blunt force weapons used in a marauding attack against a crowded place as the most likely methodology to affect your site.
Reviewing your site, you note that the main entrance opens onto a busy concourse. As such, you build a threat scenario around this as a vulnerability, assuming a single attacker using a bladed weapon, beginning the attack on the concourse and moving into your site. Based on this scenario you put plans in place to monitor the front entrance, improve access control, implement hard physical barriers to contain an attacker who breaches the perimeter, and train security on moving staff and delaying an attacker should this happen.
However, under scenario 2 you consider the threat from an actor more likely to use a VBIED to target your site, a methodology that is also likely to be outlined as popular in the threat assessments available to you.
Reviewing your site, you still identify the main entrance as the only accessible location for this to be carried out and therefore the vulnerability on which to focus. As a result, you outline a threat scenario which assumes the vehicle parks within a short distance of your main entrance on the concourse outside. However, understanding the intent of the threat actor also factors in: a suicide VBIED attacker may seek to maximise casualties, while different terrorist actors may leave the vehicle in place to detonate so as to cause maximum disruption to your site and area without seeking indiscriminate mass casualties.
While many of the mitigations against this and the risk in scenario 1 may be similar - such as planning for better CCTV coverage of the area, establishing relationships with whoever controls vehicular access to the concourse and establishing a bollard line to maximise standoff from the main entrance - your response plans and assumptions may be very different depending upon the likely intent of the attacker.
Taking a different type of threat in scenario 3, available threat assessments may outline the potential malicious theft of information from your organisation.
Reviewing these threats you may identify the most likely scenario to be an individual on your site exfiltrating data from a sensitive system. Here, most of the mitigations may be the same - such as air-gapping the system, restricting physical access to servers, protective monitoring, policies on removable media and even searches in and out of site. However, the intent of the actor is likely to impact your organisation's risk tolerance; there may be a significant difference in the tolerance of a lone insider extorting money through threats of a leak versus the prospect of a hostile state exfiltrating your intellectual property, giving its domestic enterprises an unfair competitive advantage against your company and potentially uplifting the capabilities of a hostile military.
As these examples demonstrate, the different threat scenarios, details of the methodologies and the intent of the threat actors require very different mitigations and plans.
In this guide we have:
- Introduced definitions we use when talking about key concepts such as threat, risk and vulnerability;
- Explained how threat assessments inform your threat scenarios and risk assessments;
- Highlighted the difference in language and assumptions in these threat assessments and the other lines which may appear on your organisation's risk register, and how to manage the difference; and
- Provided example scenarios to demonstrate the importance of methodologies and intent in defining your threat scenarios and plans.
For further reading on national security threats, please see the threats pages.