Threats & Risk Analysis Fundamentals

Key Takeaways

  • The all-hazards approach categorizes threats as natural, criminal activity, terrorism, accidental/technological, and consequential (cascading), so no source of loss is overlooked.
  • A consequential threat is a secondary, downstream effect of an initiating event (e.g., reputational damage after a breach), not the initiating event itself.
  • Likelihood is the probability a threat materializes within a defined period; criticality is the severity of impact if it does — the two axes of a risk matrix.
  • Qualitative risk rating uses descriptive labels (Low/Moderate/High/Extreme); quantitative rating uses Single Loss Expectancy times Annualized Rate of Occurrence to produce Annualized Loss Expectancy.
  • Risk exists only where a credible threat, an exploitable vulnerability, and a consequence worth protecting against all intersect.
Last updated: July 2026

The All-Hazards Approach to Threat Identification

A Certified Protection Professional must map the full universe of threats before recommending any countermeasure. The CPP Body of Knowledge uses the all-hazards approach, a threat-identification framework that refuses to confine analysis to a single category, because real losses routinely cross categories and compound one another. Under an all-hazards model, the security professional inventories every credible source of loss regardless of origin, then screens the list down to what is relevant to the asset or organization being assessed.

Threat Categories

CategoryDefinitionRepresentative Examples
NaturalGeological, meteorological, or biological events outside human controlHurricanes, earthquakes, floods, pandemics
Criminal activityIntentional acts against people, property, or information for personal or financial gainBurglary, robbery, fraud, workplace violence, cybercrime
TerrorismIdeologically or politically motivated violence intended to intimidate or coerceBombings, active-assailant attacks, CBRNE incidents
Accidental / technologicalUnintentional human error or system/infrastructure failureFire, hazardous-materials release, power or IT outage
Consequential (cascading)Secondary losses that follow an initial event rather than causing it directlyReputational damage after a breach, supply-chain disruption after a plant closure, business interruption after a disaster

The consequential category is the one candidates most often underweight. A consequential threat is not the initiating event itself — it is the downstream chain reaction the initiating event triggers. A ransomware attack (criminal) can trigger regulatory fines, customer attrition, and stock-price decline; each of those is a consequential threat that must be separately assessed and, where material, separately mitigated. Failing to trace consequential threats produces a risk assessment that understates true organizational exposure.

Likelihood Analysis

Once threats are categorized, the CPP must estimate likelihood — the probability a given threat will materialize within a defined time horizon. Likelihood is derived from several inputs:

  • Historical incident data — internal loss logs, insurance claims history, and law-enforcement crime statistics for the facility's location.
  • Threat intelligence — open-source intelligence and industry information-sharing groups (covered in Section 1.7).
  • Environmental factors — facility type, hours of operation, cash handling, political climate, and proximity to known hazards.
  • Frequency trending — whether a threat category is increasing, stable, or decreasing at comparable sites.

Likelihood is typically expressed on an ordinal scale (Rare / Unlikely / Possible / Likely / Almost Certain) for qualitative assessments, or as an annualized rate of occurrence for quantitative assessments.

Criticality Analysis

Criticality measures the opposite axis of risk: the severity of consequences if the threat actually occurs, accounting for loss of life or injury, financial loss, operational downtime, legal exposure, and reputational harm. A threat with very low likelihood, such as a category-5 hurricane at an inland facility, may still warrant planning attention if its criticality is extreme, while a high-likelihood but low-criticality threat, such as minor shoplifting at a low-margin kiosk, may not justify significant investment.

The Risk Matrix

CPP candidates should be comfortable applying likelihood and criticality together in a risk matrix, or heat map, which plots the two axes to produce a composite risk rating:

  1. High likelihood + high criticality — extreme risk; prioritize immediate treatment.
  2. High likelihood + low criticality — moderate risk; treat efficiently but without urgency.
  3. Low likelihood + high criticality — moderate-to-high risk; plan and prepare even though frequency is low.
  4. Low likelihood + low criticality — low risk; monitor and reassess on the normal review cycle.

This matrix is the direct output of the risk assessment process covered in Section 1.4 and the direct input to the risk treatment decisions covered in Section 1.6 — a threat rated extreme or high is prioritized for immediate treatment, while a low-rated threat may simply be monitored and reassessed at the next review.

Distinguishing Threat, Vulnerability, and Consequence

The exam frequently tests whether a candidate can separate the three inputs to risk: a threat is any actor or event capable of causing harm; a vulnerability is a weakness a threat could exploit; and criticality, or consequence, is the resulting impact. Risk exists only where all three intersect — a credible threat, an exploitable vulnerability, and a consequence worth protecting against. A CPP who can correctly classify a scenario into an all-hazards category, rate its likelihood, and rate its criticality has completed the analytical foundation that the next domain task, risk treatment, depends on.

Qualitative Versus Quantitative Rating

CPP candidates should recognize that likelihood and criticality can be scored two ways. Qualitative rating uses descriptive labels — Low, Moderate, High, Extreme — assigned through expert judgment and comparative reasoning; it is fast and works well when hard data is scarce. Quantitative rating assigns numeric values, most commonly through Single Loss Expectancy (the dollar cost of one occurrence) and Annualized Rate of Occurrence (the expected frequency per year), multiplied together to produce Annualized Loss Expectancy. Quantitative analysis is more defensible to finance audiences but depends on reliable historical data that many organizations, especially for low-frequency high-consequence events such as terrorism, lack. Most mature programs blend the two: qualitative screening for the full threat list, then quantitative analysis on the subset significant enough to justify the added effort.

Applying the Analysis

A completed threats-and-risk-analysis worksheet drives every later domain of the CPP Body of Knowledge. Physical security (Chapter 5), information security (Chapter 6), and crisis and business-continuity planning (Chapter 7) are all sized and prioritized against the likelihood and criticality ratings developed here, so consistent scoring across the organization is essential — a facility that rates workplace violence as extreme in one business unit and moderate in another, using the same underlying data, has a scoring problem that will distort every downstream resourcing decision.

Test Your Knowledge

Which of the following best describes a "consequential" threat under the all-hazards model?

A
B
C
D
Test Your Knowledge

In CPP risk analysis, "criticality" refers to:

A
B
C
D