Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group,
LLC. Used by permission. Additional information available from Threat
Analysis Group, LLC via www.threatanalysis.com.
In the security field, three general types of countermeasures are taken to
prevent, mitigate, and eliminate risk: policies and procedures, physical security
measures, and security personnel. Despite their relatively low cost to develop and
maintain, and their ability to demonstrate due diligence, policies and procedures
are often the most overlooked component of an effective security
program. Documentation of the security program is a critical element and
includes the identification of critical assets, threats, and vulnerabilities.