A threat assessment model is a representation of an organization's plan regarding the identification of possible threats and the means that it will implement to minimize or counter those threats. Such models may use spreadsheets, graphs, flow charts, diagrams or a number of other aids to illustrate their necessary points.
The purpose of a threat assessment model is to give organizations the ability to identify possible threats before they occur and to outline ways of either preventing them or reversing their effects. As an organization becomes larger and more complex, the threats it faces grow in both number and magnitude, so it is important to have an established model the organization can use to organize and analyze those threats and then implement countermeasures against them. Attempting to minimize threats without a model is often confusing, inefficient and even counterproductive.
Threat assessment models can be useful in matters of liability, such as safety risks that could cause customers to file civil suits against a retailer. They may also cover computer security, which is especially important for companies that hold large stores of client account information, particularly when that information includes credit card numbers, addresses and Social Security numbers. By recording possible threats and deciding in advance how to deal with them, organizations can protect themselves, their reputations, their clients and society in general.
According to James Bayne's "An Overview of Threat and Risk Assessment" for the SANS Institute, a source for information security training, any threat assessment model must deal with a number of key issues. First, it must identify what needs to be protected, such as physical assets or sensitive information. Second, it must identify all of the threats and vulnerabilities that the organization faces. Third, it must lay out the full implications of what would happen if any of the valuable assets were to be lost. Fourth, it must give some solutions regarding how the organization can minimize its exposure to such threats.
In conducting a threat assessment, you must analyze the nature and severity of the threats your organization faces. The most important step in categorizing threats is identifying each one as either human or non-human. A human threat, for instance, would be a hacker, a disgruntled employee, an improperly trained employee or a thief. A non-human threat would be a natural disaster or an equipment failure. A threat assessment model must help you list all of these threats and quantify their degree of severity.
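The four steps above (identify assets, identify threats, state the impact of loss, propose countermeasures) and the human/non-human categorization with severity scoring can be captured as a small risk register. The following is an added example written for this page, not code from the article or from the SANS paper; the asset names, the five-point scales, the multiplicative risk formula (likelihood x impact x asset value) and the severity bands are all assumptions chosen for illustration.

```python
"""A minimal threat assessment model: asset register, threat catalogue,
likelihood/impact scoring and a ranked risk register with countermeasures.
Example code added for this page; the scales and formula are assumptions."""

from dataclasses import dataclass
from enum import Enum


class ThreatSource(Enum):
    """Step one of categorization: every threat is human or non-human."""
    HUMAN = "human"
    NON_HUMAN = "non-human"


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # assumed 1 (low) .. 5 (critical): what needs protecting


@dataclass(frozen=True)
class Threat:
    name: str
    source: ThreatSource
    likelihood: int      # assumed 1 (rare) .. 5 (frequent)
    impact: int          # assumed 1 (minor) .. 5 (loss of the asset)
    asset: str           # name of the Asset this threat targets
    countermeasure: str  # how exposure is minimized


def _check_scale(value: int, label: str) -> None:
    if not 1 <= value <= 5:
        raise ValueError(f"{label} must be between 1 and 5, got {value}")


def risk_score(asset: Asset, threat: Threat) -> int:
    """Assumed model: risk = likelihood x impact x asset value (range 1..125)."""
    _check_scale(asset.value, "asset value")
    _check_scale(threat.likelihood, "likelihood")
    _check_scale(threat.impact, "impact")
    return threat.likelihood * threat.impact * asset.value


def severity_band(score: int) -> str:
    """Assumed bands over the 1..125 range; tune to the organization's appetite."""
    if score >= 60:
        return "high"
    if score >= 20:
        return "medium"
    return "low"


def build_register(assets: list[Asset], threats: list[Threat]) -> list[tuple[int, Threat]]:
    """Return (score, threat) pairs, highest risk first.
    A threat naming an asset that was never identified is an error: it means
    step one (identify what needs protecting) was skipped for that asset."""
    by_name = {a.name: a for a in assets}
    rows = []
    for t in threats:
        if t.asset not in by_name:
            raise KeyError(f"threat {t.name!r} references unknown asset {t.asset!r}")
        rows.append((risk_score(by_name[t.asset], t), t))
    return sorted(rows, key=lambda r: (-r[0], r[1].name))


def count_by_source(register: list[tuple[int, Threat]]) -> dict[ThreatSource, int]:
    """How many threats fall in each category (human vs non-human)."""
    counts = {s: 0 for s in ThreatSource}
    for _, t in register:
        counts[t.source] += 1
    return counts


# Constructed sample data for a small retailer (not from the article).
SAMPLE_ASSETS = [
    Asset("customer card data", 5),
    Asset("warehouse servers", 3),
    Asset("store front", 2),
]

SAMPLE_THREATS = [
    Threat("external attacker exfiltrates card data", ThreatSource.HUMAN, 3, 5,
           "customer card data", "encrypt at rest, segment the network, monitor egress"),
    Threat("disgruntled employee deletes records", ThreatSource.HUMAN, 2, 4,
           "customer card data", "least-privilege access, offline backups, audit logging"),
    Threat("untrained employee emails spreadsheet", ThreatSource.HUMAN, 4, 3,
           "customer card data", "security awareness training, data loss prevention"),
    Threat("flood damages server room", ThreatSource.NON_HUMAN, 1, 5,
           "warehouse servers", "off-site replication, raised flooring"),
    Threat("disk failure", ThreatSource.NON_HUMAN, 4, 2,
           "warehouse servers", "RAID, tested restore procedure"),
    Threat("shoplifting", ThreatSource.HUMAN, 5, 1,
           "store front", "CCTV, staff on the floor"),
]


def sample_register() -> list[tuple[int, Threat]]:
    return build_register(SAMPLE_ASSETS, SAMPLE_THREATS)


if __name__ == "__main__":
    for score, t in sample_register():
        print(f"{score:3d} {severity_band(score):6s} {t.source.value:9s} {t.name}: {t.countermeasure}")
```

Ranking by score makes the model actionable: the organization spends its countermeasure budget on the top rows first, and the human/non-human count shows at a glance whether the plan is skewed toward security controls or toward continuity and disaster recovery.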