The difference between threats and firstname.lastname@example.org
Why is this important
Fundamental to understanding how to undertake threat and hazard assessments is being clear about the difference between a threat and hazard. Just as there is confusion about the difference between a threat and a risk, there is equal confusion about the difference between a threat and a hazard.
Failing to understand the difference may result in invalid “hazard assessments”—that in turn could lead to the inappropriate allocation of money and resources to manage the hazard.
There may be several ways to identify what is a hazard. Before we dive into defining hazards, let’s go back a step and look at potential definitions of threats, assets and risks:
- Threats are an intended and malicious disruption to your assets (usually critical assets). In effect:
A person (threat actor) uses something (threat vector) to disrupt someone or something important (assets).
- Assets enable us to achieve the immediate mission and our objectives.
- Risks are events that can lead to adverse outcomes that may disrupt your objectives. Risk statements should always contain two key elements:
- An event
- An outcome.
- Threats are executed by people with an intent to disrupt assets
- Assets become important when they are mission-critical or enable us to achieve our objectives
- Risks are events that can lead to outcomes that may disrupt our objectives.
We will see that there are distinct similarities between threats and hazards, but they are not the same.
The Importance of Intent as a Differentiator
Naturally occurring hazards are different from threats (as opposed to threat vectors), noting:
- A threat is an intended and malicious action to disrupt assets
- Threat vectors are the means used to execute the threat.
Threats are driven by human intent. Intent (or the potential for intent) is a key distinguisher between threats and hazards we need to understand. From a threat assessment rationale, just because a person does not have intent to harm or disrupt at that point in time, does not mean that can’t change with the right stimulus.
For example, a quiet protest in the streets outside your place of work by an ‘issues motivated group’ (that may have nothing to do with you) may disrupt traffic. The protest is a potential threat and not a hazard, even though the protest group may not be causing deliberate harm to anyone. This is because they (as humans) still have intent (or the potential for intent)—it is just that, from a threat analysis perspective, the level of intent is rated Very Low.
If a flood suddenly occurred that caused disruption to traffic, that is a hazard as there is no human intent in the flood. It just happened and caused problems. The opportunity for the issues motivated group to escalate tensions will be influenced by many factors, including any law enforcement response to the protesters and the effectiveness of security controls in and around the building. It will also test any flood prevention measures (hazard controls).
In this example, there could be two separate risk events with different risk outcomes: one caused by the potential threat of an “issues motivated group” (risk potentially rated Low) and the other caused by the “flood” hazard (risk potentially rated High).
Hazards can be confusing to define. One way to consider hazards is to categorise them into three distinct categories:
- Naturally occurring events that disrupt assets. Some of these are listed later.
- Artificially induced hazards that can be events that are inadvertently created or positioned by humans or fauna that, despite the lack of intent to cause harm or disruption, do have the potential to cause harm to people, property and other assets. Examples include:
- An electrician inadvertently leaving faulty electrical wiring exposed
- Trip or slip hazards on the floor such as cabling or water pooling on slippery surfaces
- Faulty building equipment that could cause a worker to fall off scaffolding
- A domestic pet breaking an item in the home at night and causing the owner to slip and fall in the middle of the night
- Broken glass on the floor of a swimming complex that could lead to serious cuts
- Deliberately used by a threat actor as a threat vector to cause harm or disruption to people, property, information and other assets. Examples may include:
- A terrorist lighting a fire in a building to injure or kill people
- Releasing a deadly biological agent into a water supply
- Deliberately exposing electrical wiring so a person touching a metal item is electrocuted.
In the above examples, the fire, biological agent and exposed electrical wiring are simultaneously threat vectors (requiring analysis in the threat assessment) and hazards (requiring analysis in the hazard assessment).
Types of Hazards
Naturally Occurring Hazards
Naturally occurring hazards can come in many forms, including (but certainly not limited to):
- Hurricanes, cyclones, tornadoes and monsoons
- Electrical currents
- Pandemics (such as COVID-19)
- Wild or domestic flora and fauna…and so the list goes on.
Artificially Induced Hazards
As discussed earlier, artificially induced hazards are very common in everyday life, but not so common from a security perspective. The assessment of artificially induced hazards is usually undertaken by work health and safety practitioners and not so much by security practitioners, unless there is a definite security implication attached to the hazard. Mind you, in practice there can be a very fine line between the two types of assessments.
Hazards used as a Threat Vector
This is where it all gets a bit ‘murkier’ and confusing.
Hazards that are used as a threat vector have a level of ‘deliberate intent’ applied to them as it is the intention of the threat actor to capitalise on the disruptive potential of the hazard to cause deliberate harm or disruption.
For example, consider the WW2 bombing by the ‘Dam Busters’ of the Möhne, Eder and Sorpe dams in Germany to flood the Ruhr Valley and disrupt Germany’s industrial production.
The Germans would have identified the attack on the dam walls as a threat, and the ‘bouncing bomb’ as a threat vector against those assets (the dams and military personnel). The residents and industry residing in the Ruhr Valley would have been disrupted by a separate threat vector; that is, the hazard caused by the breaching of the dam walls. This is a classic example of how the Allied course of action involved the careful combination of different types of threat vectors to effect disruption; the bouncing bomb and the flooding of the Ruhr Valley caused by the destruction of the dam walls.
When a hazard has been identified as a threat vector, we then need to undertake (or revise) a threat assessment by plugging in the hazard as a threat vector, as that is one of the mechanisms by which the threat will be executed. If the hazard is indeed being used as a threat vector, we need to be sure that:
- we have sufficient threat management controls in place or planned to reduce the likelihood of the threat occurring or being successful
- we have sufficient hazard management controls to reduce the likelihood of the hazard occurring or the disruptive impact should the hazard occur.
This is why the vulnerability assessment relating to a threat assessment may identify different control measures to those identified in a hazard assessment. The security budget may need to cover costs for both.
Hazard analysis is often included in risk analysis as a risk event, with little analysis completed for the actual hazard. Hazard analysis requires a similar approach to threat analysis as both hazard and threat analysis require consideration of two key questions:
- What is the likelihood of occurrence (LoO)—to answer this we need to analyse the multi-dimensional relationship between intent, capability and opportunity.
- What is the likelihood of success (LoS)—to answer this we need to assess LoO against the asset vulnerability.
- What is the likelihood of the hazard occurring (LoO)—to answer this we need to analyse the prevailing conditions or hazard context against the asset’s exposure to those conditions.
- What is the disruptive impact (DI) of the hazard on key assets—to answer this, we need to analyse the LoO against the asset vulnerability if exposed to that hazard.
What Should We Look For
With a hazard analysis, you should be assessing a range of factors including:
- The conditions supporting the potential presence of the hazard—for example, an event is being planned for a location that has a history of severe tornadoes at that time of the year
- The planned location of the activity in relation to the hazard
- The exposure of your assets to the hazard—for example, the event will be an open-air concert that has no protection from the rain and wind
- The extent of hazard controls available to reduce the potential disruption caused by the hazard
- Intelligence support that may assist in identifying and managing the potential hazard
- Your response capability
- Your level of resilience should disruption occur
- The likelihood of the hazard occurring
- The disruptive impact should you be exposed to the hazard.
You will see the similarities with the threat assessment methodology. Of course, the specific factors influencing the hazard’s LoO and DI will be different from the threat’s LoO and LoS. Nevertheless, the analysis applies exactly the same logic.
Once we have identified and analysed the hazard, we are then in a position to see how:
- The hazard event will then directly influence the identification of the risk event within the risk statement (for example, ‘Mudslide may lead to multiple injuries and death’)
- The likelihood of the hazard occurring will directly influence the risk likelihood—noting there is now a large amount of analysis supporting the risk likelihood and it is no longer simply ‘speculation’ as is often the case.
Getting the hazard controls correct is also important here as you may need to budget for both threat and hazard controls in order to properly mitigate the final risks.
The diagram below is a high-level explanation of the interactions of threats and hazards with risk.