Purpose
The Assess Risk phase of ICAT answers one question. What is worth protecting, from what, and how badly could it go wrong? Everything that follows in a project, including the technology you specify, should trace back to a finding here. This phase aligns with ISO 31000 for the overall process and borrows the analytical mechanics of NIST SP 800-30.
Step One: Identify Assets
Start with what you are protecting. Assets include people, physical property, information, operations, and reputation. List them, then assign each a value. Value is not only dollars. A server room and a daycare both rate high, for different reasons. Record where each asset sits, who depends on it, and what already protects it.
Step Two: Analyze Threats and Vulnerabilities
A threat is a source of harm. Common categories are crime against people, theft, vandalism, unauthorized access, insider action, and environmental events such as fire or flood. For each asset, ask which threats are credible at this site. Use local crime data, incident history, and site context. A downtown loading dock and a rural substation face different threats.
A vulnerability is a weakness a threat can use. Poor sightlines, an unmonitored side door, a shared access code, or a camera that cannot read a face in low light are all vulnerabilities. NIST SP 800-30 frames this as pairing threat sources with the conditions that let them succeed.
Step Three: Rate Likelihood and Impact
For each credible threat-vulnerability pair, estimate two things. Likelihood is how probable the event is given current conditions. Impact is how much harm results if it happens. Keep the scale simple and consistent. A three- or five-point scale works. Write down the reasoning, because a defensible rating beats a precise-looking one.
Step Four: Determine Risk Rating
Risk is the combination of likelihood and impact. A simple matrix turns the two estimates into a single rating that sets priority.
| Likelihood \ Impact | Low | Medium | High |
|---|---|---|---|
| High | Medium | High | Critical |
| Medium | Low | Medium | High |
| Low | Low | Low | Medium |
Treat Critical and High ratings first. Medium ratings get a plan and a date. Low ratings get documented and accepted. Recording accepted risk is as important as treating the rest, because it shows the decision was deliberate.
CPTED Principles
Crime Prevention Through Environmental Design reduces risk through the layout and use of space, often before any electronic system is added. Four principles guide it.
Natural Surveillance
Design so that legitimate users can see what is happening. Clear sightlines, trimmed landscaping, and good lighting let people observe entrances and approaches.
Natural Access Control
Use paths, fencing, and entry points to guide where people can and cannot go, so movement is channeled and unusual routes stand out.
Territorial Reinforcement
Make ownership clear through signage, surface changes, and maintenance, so the space signals that someone is responsible for it.
Maintenance
A cared-for site deters misuse. Broken lights and graffiti signal neglect and invite more.
CPTED findings belong in the risk register because they often resolve a vulnerability more cheaply than a device would.
Aligning With ISO 31000 and NIST SP 800-30
Run the steps inside the ISO 31000 cycle. Establish context first, assess, treat, then monitor and review on a set schedule, since threats and sites change. Use NIST SP 800-30 for the structure of the assessment itself, including its threat-source and vulnerability framing. The output of this phase is a risk register that drives the technology specification.
References
Last updated 2026-06-14.