This document contains a security threat and risk assessment of various external and internal risks. It evaluates the likelihood and potential consequences of threats such as theft, fraud, hacking, sabotage, and data breaches. It rates the risks on a scale from low to extreme. For high risk threats, it recommends actions such as specifying management responsibilities, utilizing additional physical and human resources, and gaining senior management attention. The assessment tool is meant to help manage security risks and refers to several risk management standards.

1. SECURITY-IN-CONFIDENCE
(Once completed)
Part 2. Security Threat and Risk Assessment
Threat Reality Actions
Threat Activity Expectancy Desire Intent Knowledge Resources Capability Threat Level Vulnerability Threat Profile Likelihood Consequence Risk Rating Action Required
External theft, fraud Certain Certain Certain Certain Certain Certain Certain High Certain Almost Certain Catastrophic Extreme Immediate action required.
External Robbery Very Low Negligible Negligible Negligible Very Low Negligible Negligible Very High Low Possible Minimal Low Manage by routine procedures and physical design.
External coercion Medium Medium Medium Very High Medium High Medium Low Low Unlikely Major Moderate Management responsibility must be specified, additional physical and human resources may be
utilised.
External DOS/hacking Very Low High Low Low Low Low Low Moderate Low Unlikely Moderate Moderate Management responsibility must be specified, additional physical and human resources may be
utilised.
External harassment/assault Very High Certain Very High Certain Very High Very High Very High Very High Certain Almost Certain Minor Moderate Management responsibility must be specified, additional physical and human resources may be
utilised.
External infrastructure Certain Certain Certain Low Low Low High Moderate Medium Possible Catastrophic High Senior Management attention needed, additional physical and or human resources must be
vandalism utilised.
External random attack from Medium Medium Medium Medium Medium Medium Medium Very High High Likely Catastrophic High Senior Management attention needed, additional physical and or human resources must be
deranged person utilised.
External sabotage, vandalism Low Very Low Very Low Very Low Very Low Very Low Very Low Very low Negligible Rare Minimal Low Manage by routine procedures and physical design.
External virus attack Certain Certain Certain Low Low Low High Moderate Medium Possible Catastrophic High Senior Management attention needed, additional physical and or human resources must be
utilised.
Internal accidental Medium Medium Medium Medium Medium Medium Medium Very High High Likely Catastrophic High Senior Management attention needed, additional physical and or human resources must be
unauthorised information utilised.
disclosure
Internal coercion Certain Certain Certain Low Low Low High Moderate Medium Possible Catastrophic High Senior Management attention needed, additional physical and or human resources must be
utilised.
Internal data integrity Certain Certain Certain Low Low Low High Moderate Medium Possible Catastrophic High Senior Management attention needed, additional physical and or human resources must be
utilised.
Internal harassment/assault Certain Certain Certain Low Low Low High Moderate Medium Possible Catastrophic High Senior Management attention needed, additional physical and or human resources must be
utilised.
Internal information Certain Certain Certain Low Low Low High Moderate Medium Possible Catastrophic High Senior Management attention needed, additional physical and or human resources must be
leak/misuse utilised.
Internal negligence Medium Medium Medium Medium Medium Medium Medium Very High High Likely Catastrophic High Senior Management attention needed, additional physical and or human resources must be
utilised.
Internal pranks Medium Medium Medium Medium Medium Medium Medium Very High High Likely Catastrophic High Senior Management attention needed, additional physical and or human resources must be
utilised.
Internal sabotage, vandalism Certain Certain Certain High Certain Very High Very High High High Likely Catastrophic High Senior Management attention needed, additional physical and or human resources must be
utilised.
Internal theft, fraud Certain Certain Certain Low Low Low High Moderate Medium Possible Catastrophic High Senior Management attention needed, additional physical and or human resources must be
utilised.
Internal unauthorised asset Medium Medium Medium Medium Medium Medium Medium Very High High Likely Catastrophic High Senior Management attention needed, additional physical and or human resources must be
use utilised.
Terrorism Very Low High Low Low Low Low Low Moderate Low Unlikely Moderate Moderate Management responsibility must be specified, additional physical and human resources may be
utilised.
References:
1. AS/NZS ISO 31000:2009 Risk management - Principles and guidelines
2. HB 167: Security risk management
3. AS/NZS 4360:2004 Risk management - superseded by AS/NZS ISO 31000: 2009
4. HB 221:2004 Business continuity management
Date and Time last saved
2. Assessment tool
EXAMPLE SECURITY RISK ASSESSMENT TOOL JULY 2010.xlsx SECURITY-IN-CONFIDENCE 1 of 1
File directory path (Once completed) (C) GBHP Enterprises P/L 2010