The website of the Threat Analysis Group in Houston, Texas, excels in clear security thinking. There are, TAG advises, assets, threats, vulnerability, and risk – risk being the intersection of assets, threats and vulnerabilities.
The problem is, though, that threats can’t be assessed with much in the way of certainty. They arise, are assessed and “dealt with,” but may arise again in different forms and circumstances.
The need is to start at the site level and give it appropriate protection at the perimeter and entryways. Then assess what the internal risks might be. They aren’t, necessarily, exclusively from external sources.
It’s a challenging exploration demanding hardheaded thinking intended to produce clarity.