Glossary
Asset
A person, item, facility, or system of value to an organisation. Assets require protection because their loss, damage, or compromise would affect operational continuity, financial performance, or reputation.
Examples include employees, intellectual property, critical infrastructure, financial records, and physical facilities.
Audit (Security)
A systematic evaluation of whether existing security controls are operating effectively and in accordance with documented procedures and standards.
An audit assesses what is working and what is not, typically against a defined standard or benchmark.
See also: Risk Assessment.
Benchmarking
A comparison of your organisation’s security posture against industry peers, regulatory standards, or best practice frameworks.
Benchmarking identifies where you exceed expectations and where gaps exist, helping justify risk ratings and prioritise improvements.
Consequence
The outcome or impact if a threat materialises and exploits a vulnerability. Consequences are assessed across multiple dimensions: financial loss, operational disruption, reputational damage, legal liability, safety impact, and compliance breach.
Consequence severity informs risk priority.
Control (Security)
A measure, procedure, or system implemented to reduce risk by mitigating threats or vulnerabilities. Controls can be physical (fencing, locks, CCTV), procedural (access policies, incident reporting), or human (staff training, awareness).
Effective security relies on layered controls.
CPTED
Crime Prevention Through Environmental Design.
A security methodology that uses environmental design and management to reduce crime opportunity and fear.
CPTED focuses on natural surveillance, access control, territorial reinforcement, and maintenance to create safer spaces without heavy-handed security measures.
Critical Infrastructure
Infrastructure whose failure or destruction would have a serious impact on national security, public health, safety, or the economy.
Australian critical infrastructure asset classes / sectors defined by the Security of Critical Infrastructure (SOCI) Act 2018 include:
Electricity assets (generation, transmission, distribution and some system control functions)
Gas assets (processing, storage, transmission, distribution)
Liquid fuels assets (fuel refineries, certain fuel storage and pipeline assets)
Water and sewerage assets (drinking water and wastewater services and supporting assets)
Ports assets (certain major ports and port facilities)
Aviation assets (certain airports and critical aviation infrastructure)
Maritime assets (certain shipping-related infrastructure, depending on definitions)
Communications assets (telecommunications networks and facilities)
Data storage or processing assets (certain data centres and managed service environments)
Financial services and markets assets (payment systems, clearing and settlement and other designated assets)
Food and grocery assets (certain critical supply chain assets)
Healthcare and medical assets (certain critical hospitals and related assets)
Higher education and research assets (certain universities and research infrastructure)
Transport assets (certain rail and other transport infrastructure, where designated)
Defence industry assets (certain defence industry facilities and capabilities)
Space technology assets (certain space-related ground infrastructure and capabilities)
Gap Analysis
A systematic comparison between your current security posture and a defined standard, benchmark, or desired state. Gap analysis identifies missing controls, outdated procedures, or non-compliance, forming the basis for recommendations and implementation planning.
Likelihood
The probability that a specific threat will occur and exploit a vulnerability within a given timeframe. Likelihood is assessed as low, medium, or high based on threat actor motivation, capability, and opportunity.
Combined with consequence, likelihood determines overall risk rating.
Methodology (Security Assessment)
The documented approach and standards used to conduct security assessments. PSA’s methodology applies ISO 31000 (risk management principles), HB 167:2025 (security risk assessment), and PSPF principles to ensure consistency, transparency, and alignment with Australian standards.
Mitigation (Risk)
An action or control implemented to reduce the likelihood or consequence of a risk. Mitigation strategies may avoid the risk entirely, reduce its probability, limit its impact, or transfer it (e.g., through insurance).
Residual risk remains after mitigation.
Penetration Testing (Physical)
A controlled security assessment in which authorised testers attempt to breach physical security controls (locks, access systems, perimeter fencing) to identify vulnerabilities.
Results inform recommendations for improved controls and procedures.
PSPF
Protective Security Policy Framework.
The Australian Government’s mandatory security policy framework for protecting classified and sensitive information. PSPF establishes security zones, clearance requirements, and protective measures. Compliance is required for government contractors and is increasingly adopted by critical infrastructure operators.
The PSPF can be found here: https://www.protectivesecurity.gov.au/
Residual Risk
The level of risk remaining after mitigation controls have been implemented. No control eliminates risk entirely; residual risk reflects the organisation’s acceptance of remaining exposure and is monitored through ongoing review and incident tracking.
Risk
The possibility that a threat will exploit a vulnerability and cause harm to an asset or organisation. Risk is a function of threat, vulnerability, and consequence. Risk assessment identifies risks and recommends controls to reduce exposure to acceptable levels.
Risk Assessment (Security)
A systematic evaluation of threats, vulnerabilities, and consequences to an organisation’s people, assets, and operations. A security risk assessment identifies gaps in current controls and recommends prioritised, cost-effective mitigation strategies aligned to the organisation’s risk tolerance and budget.
Risk Register
A documented inventory of identified risks, including threat description, vulnerability, consequence, current controls, residual risk rating, and recommended actions. A risk register is the primary deliverable of a security risk assessment and serves as a living document for ongoing risk management.
SCEC
Security Certification and Endorsement Committee.
An Australian Government committee that certifies security consultants and endorses security products. SCEC endorsement signals that a consultant meets rigorous standards for competence, independence, and ethical practice.
Rachell DeLuca, PSA’s Director, is a SCEC endorsed security consultant.
More information can be found here: https://www.scec.gov.au/
Security Zone
A defined area within a facility or across a site where access is controlled and security measures are applied consistently. Security zones are established based on the sensitivity of assets, the level of threat, and operational requirements.
The PSPF defines security zone classifications.
Stakeholder
Any person or group with an interest in or responsibility for security outcomes. Stakeholders include facility managers, operations teams, finance, senior leadership, and end users. Effective security assessment engages stakeholders to understand concerns, gather intelligence, and build consensus on recommendations.
Threat
A potential source of harm to an asset or organisation. Threats may be human (theft, fraud, sabotage), environmental (fire, flood), or systemic (system failure, supply chain disruption).
Threat assessment identifies realistic threats specific to your sector, location, and operational context.
Threat Actor
A person or group with the motivation, capability, and opportunity to exploit a vulnerability and cause harm. Threat actors may be external (criminals, competitors, hostile states) or internal (disgruntled employees, contractors).
Understanding threat actors informs realistic risk assessment.
Vulnerability
A weakness in a physical, procedural, or human control that could be exploited by a threat actor. Vulnerabilities include unsecured doors, absent access logs, poor staff awareness, or outdated security systems.
Vulnerability assessment identifies gaps in your current security posture.

