Sourcing a threat assessment

Service delivery teams should be aware of the potential threat actors who may try to harm their organisation, as well as those actors' motivation, intentions and capabilities.

Many organisations will have a threat assessment that applies to the whole organisation, which should be used to inform your own assessment at the level of your digital service. Before commissioning your own, explore whether there is a recent threat assessment available within your organisation to use as your starting point, or if there is an internal specialist team that can perform one. Any existing organisation threat assessment may need to be adapted to take into account new threats identified for your service.

The threat landscape is constantly changing and increasingly capable threat actors are likely to target government services. Sourcing a threat assessment will allow you to:

It’s highly recommended to have a threat assessment before you perform threat modelling or carry out a risk assessment.

It should be sourced during the discovery or alpha phases of the service delivery lifecycle and reviewed whenever there are updates to the service that have security implications.

Completing this activity will help you to achieve the outcomes included in the Secure by Design principle to adopt a risk-driven approach.

Who is involved

This is an activity performed by specialists from outside your delivery team.

The commissioning and distribution of the threat assessment should be led by your programme manager with support from the Senior Responsible Officer (SRO), service owner and technical security professionals within your team.

How to source a threat assessment

Step 1: Understand what a threat assessment is

A threat assessment involves research into potential threat actors using Cyber Threat Intelligence (CTI).

This is a task undertaken by trained security professionals who understand the latest cyber security landscape and collaborate on platforms such as the Cyber Security Information Sharing Partnership (CISP).

Some of this research (such as National Cyber Security Centre (NCSC) threat reports) is publicly available, giving service delivery teams enough information to make an informed judgement about the type of threats that could face their service. However, this information should not replace the need for your own threat assessment.

The further reading resources listed at the end of this activity provide information for senior leaders and delivery teams to help them understand how CTI is sourced and used.

Step 2: Appoint a specialist threat analyst

This step should only be followed if there is no recent threat assessment available from your organisation and no internal specialist team who can provide one for your service. If you can source one from within your organisation, move on to step 3.

You could appoint threat analysts from the National Cyber Security Centre (NCSC), National Protective Security Authority (NPSA) or a private sector CTI provider to complete a threat assessment specific to your organisation and service.

When sourcing an appropriate provider check that their processes include:

Step 3: Tailor your threat assessment

Whether you’ve sourced a threat assessment from inside or outside your organisation, the outcome should be a report that includes a list of potential threat actors that might want to harm your organisation, such as investigative journalists, hacktivists, cyber criminals, disgruntled employees or organised criminals.

The report should include threat ratings (from very low to very high) for each actor and details on their:

Review this information, considering how each threat applies to specific areas of your service. If there are elements that may have implications on your organisation’s overall threat profile, feed this information to your Chief Information Security Officer (CISO) and security advisors so they can adapt their assessment and integrate the information into their strategic plans.

This information should be considered a sensitive asset and only shared with those who are required to use it. This may include:

Threat briefings should be delivered when the initial threat assessment has been produced and whenever there are significant updates that require attention.

Further reading

This activity is part of the ‘Manage cyber security risks’ stage of Secure by Design, which also includes:

Read the Secure by Design activities

The Secure by Design approach will evolve to reflect the needs of government digital services. Your feedback will help us to improve it.

Last update: 31 January 2024