Using HB167 in Your Protective Security Risk Assessment Regime – A Beginner’s Guide
Introduction: Why Protective Security Risk Assessment Matters
In today's uncertain environment, organisations face a wide array of security threats — physical intrusions, sabotage, cyberattacks, insider actions, natural disasters and more. Effective security is no longer about simply reacting to threats. It’s about anticipating risks and mitigating them before they cause harm.
Security Risk Assessments (SRAs) are critical in this context. An SRA is a structured, defensible approach that helps organisations identify critical assets, assess threats and vulnerabilities and implement appropriate controls. Without an SRA, organisations often waste resources on ineffective or misaligned security measures.
In Australia, one of the most important guides for undertaking an SRA is HB167:2006 – Security Risk Management. Whether you're new to security risk management or seeking a refresher, this guide will walk you through the fundamentals of HB167 — without overwhelming you.
What is HB167?
HB167 (Handbook 167) is an Australian guide published by Standards Australia to assist organisations in performing security risk assessments.
Rather than prescribing rigid rules, HB167 provides a framework for applying logical, structured, and scalable security risk management practices. It complements broader risk management standards, such as ISO 31000:2018 (formerly AS/NZS 4360).
HB167 is essential because it tailors the general principles of risk management specifically to the security domain — addressing threats, vulnerabilities, consequences and, importantly, asset criticality.
Understanding the Foundation: Protective Security Risk Assessments (PSRAs)
A Protective Security Risk Assessment is fundamentally about answering five key questions:
What are our critical assets?
What threats do we face?
What vulnerabilities exist in our systems, processes, or facilities?
What would be the consequences if a threat exploited a vulnerability?
What can we do to treat the risk effectively and proportionately?
HB167 provides the structure for answering these questions professionally and defensibly.
The Central Concept: Why Criticality Comes First
Many beginners make the mistake of rushing straight into threat analysis. HB167 makes it clear: you must first determine what assets are critical.
Criticality is the importance or value of an asset relative to the organisation’s mission, obligations, or survival. Not all assets are equal — and not all deserve the same level of security investment.
Example: Understanding Criticality Before Threats and Vulnerabilities
Imagine you're responsible for security at a major hospital. Your assets include:
The Emergency Department.
The IT systems.
The cafeteria.
Staff lockers.
Before worrying about potential threats (like theft or cyberattacks), you must identify which assets are most critical to your hospital's operations and community service mission.
The Emergency Department is high criticality — lives depend on it operating without interruption.
The IT systems are high criticality — loss could cripple patient care and record-keeping.
The cafeteria is low criticality — inconvenient if disrupted, but not catastrophic.
The staff lockers are very low criticality — minor inconvenience.
Thus, when assessing threats and planning security measures, you prioritise protecting the Emergency Department and IT systems far more heavily.
Key Takeaway: Without determining asset criticality first, your entire risk assessment risks being misaligned with what truly matters.
HB167's Structured Five-Step Security Risk Management Process
HB167 lays out a clear five-step process:
1. Establish the Context (Including Criticality)
Before anything else, define:
Internal context: Organisational mission, culture, critical assets, legal obligations.
External context: Political, economic, social, technological environments.
Risk criteria: What level of risk is tolerable?
Most importantly: identify and rank critical assets. This step shapes every decision that follows.
2. Identify Risks (Threats and Vulnerabilities)
Once you know what matters most:
Identify potential threats: e.g., terrorism, theft, espionage, natural disasters.
Identify existing vulnerabilities: e.g., weak access control, insider threat exposure, poorly secured systems.
Risks only exist when a threat can exploit a vulnerability to impact a critical asset.
3. Analyse Risks (Likelihood and Consequences)
For each risk:
Estimate likelihood: How probable is the event?
Estimate consequence: How bad would the impact be if it occurred?
Tip for Beginners: Be careful not to conflate high likelihood with high risk — a low-probability but catastrophic event (like terrorism) may require more focus than a common but minor risk (like petty theft).
4. Evaluate Risks (Prioritisation)
Compare risk ratings to your predefined risk criteria. Decide:
Which risks are acceptable as they are.
Which need risk treatment to bring them within tolerable limits.
Which are intolerable and require urgent action.
Prioritisation ensures that security resources are used where they matter most.
5. Treat Risks (Security Controls)
Select and implement appropriate controls:
Preventive controls (e.g. CCTV, access cards, fencing).
Detective controls (e.g. alarms, patrols).
Responsive controls (e.g. incident response procedures).
Controls should be proportionate to the risk — overengineering security wastes money, while underengineering it invites disaster.
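The five steps above can be made concrete in a small risk register. The following Python script is an added example written for this guide; it is not code from HB167 or from the article's author. It assumes 1 to 5 scales for criticality, likelihood and consequence, an assumed rating of likelihood x consequence weighted by criticality, assumed tolerance thresholds, and constructed sample data based on the hospital scenario used earlier in the article. It also shows the point made in the step 3 tip: a rare but catastrophic event against a critical asset outranks a frequent but minor one.

```python
"""Minimal HB167-style security risk register (added example, not the handbook's own method).

Assumptions: 1..5 scales, rating = likelihood x consequence x criticality,
tolerance thresholds and the hospital sample data are all constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """Step 1: an asset with its criticality ranked before any threat is considered."""
    name: str
    criticality: int  # assumed 1..5 scale: 1 = very low, 5 = very high


@dataclass(frozen=True)
class Risk:
    """Step 2: a risk exists only as threat + vulnerability + affected asset."""
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int   # assumed 1..5 scale: 1 = rare, 5 = almost certain
    consequence: int  # assumed 1..5 scale: 1 = insignificant, 5 = catastrophic

    def rating(self) -> int:
        """Step 3: likelihood x consequence, weighted by the asset's criticality."""
        for value in (self.likelihood, self.consequence, self.asset.criticality):
            if not 1 <= value <= 5:
                raise ValueError("likelihood, consequence and criticality must be 1..5")
        return self.likelihood * self.consequence * self.asset.criticality


# Step 4: assumed risk criteria, i.e. the tolerance levels an organisation sets for itself
TOLERABLE_MAX = 20  # at or below this rating: acceptable as is
URGENT_ABOVE = 60   # above this rating: intolerable, urgent action


def evaluate(risk: Risk) -> str:
    """Compare a risk's rating with the criteria: 'accept', 'treat' or 'urgent'."""
    score = risk.rating()
    if score <= TOLERABLE_MAX:
        return "accept"
    if score <= URGENT_ABOVE:
        return "treat"
    return "urgent"


def prioritise(register: list[Risk]) -> list[Risk]:
    """Highest rating first, so treatment effort (step 5) goes where it matters most."""
    return sorted(register, key=lambda r: r.rating(), reverse=True)


def build_register() -> list[Risk]:
    """Constructed sample data mirroring the article's hospital example."""
    ed = Asset("Emergency Department", 5)
    it = Asset("IT systems", 5)
    cafeteria = Asset("Cafeteria", 2)
    lockers = Asset("Staff lockers", 1)
    return [
        # rare but catastrophic: the case the step 3 tip warns beginners about
        Risk(ed, "terrorism", "unrestricted public access to the department", 1, 5),
        Risk(it, "cyberattack", "poorly secured clinical systems", 3, 5),
        # frequent but minor: high likelihood does not make this a high risk
        Risk(cafeteria, "theft", "unlocked stock room", 5, 1),
        Risk(lockers, "theft", "shared combination locks", 4, 1),
    ]


if __name__ == "__main__":
    print(f"{'Asset':<22}{'Threat':<12}{'Rating':>7}  Decision")
    for risk in prioritise(build_register()):
        print(f"{risk.asset.name:<22}{risk.threat:<12}{risk.rating():>7}  {evaluate(risk)}")
```

With these assumed scales the terrorism risk to the Emergency Department (likelihood 1, consequence 5) and the cafeteria theft (likelihood 5, consequence 1) would tie on likelihood x consequence alone; the criticality weighting from step 1 is what separates them and pushes the rare, catastrophic event into the "treat" band while the frequent, minor one is accepted.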
How HB167 Aligns with Other Frameworks
HB167 does not exist in isolation. It aligns well with:
ISO 31000 (Risk management guidelines).
Protective Security Policy Framework (PSPF) for Australian government entities (or organisations that deal with government classified information).
AS ISO 22301 (Business continuity management).
If your organisation already applies these frameworks, HB167’s approach to security risks will fit neatly alongside.
Practical Beginner Tips for Applying HB167
✅ Start with critical assets. Don’t jump to threats — anchor your analysis in criticality.
✅ Tailor the scale. HB167 can be applied to large corporate environments or small operational units — scale it appropriately.
✅ Use multidisciplinary input. Engage stakeholders from operations, IT, HR, and leadership.
✅ Keep documentation simple but structured. Risk registers, asset criticality lists, and control maps are invaluable.
✅ Review and iterate. Risk environments change — HB167 supports ongoing refinement of assessments.
Common Pitfalls to Avoid
🚫 Skipping the criticality assessment. (Biggest mistake — leads to wasted resources.)
🚫 Confusing threats and vulnerabilities. (Threats are external; vulnerabilities are internal weaknesses.)
🚫 Assuming risk analysis is static. (Environments change — your assessments must too.)
🚫 Overcomplicating early assessments. (Keep it simple at first — maturity can build over time.)
Why Professional Tools and Support Matter
While HB167 provides the framework, executing PSRAs well — especially for large or complex environments — often demands structured templates, tailored tools and expert guidance.
At CrisisCompass, we offer:
Advisory support for organisations wanting to uplift their protective security maturity.
Experienced, qualified and accredited security consultants who’ve worked in a range of industries and sectors.
Conclusion: HB167 — Your Blueprint for Smarter Security
Security risk management isn’t about fear — it’s about clarity, structure, and proportionate action. HB167 provides a blueprint that turns vague concerns into defensible, actionable strategies.
By focusing first on critical assets, understanding how threats and vulnerabilities interact, and applying sensible treatments, you can materially reduce your organisation’s exposure to harm — and demonstrate responsible stewardship of its most vital resources.
Ready to take the next step in your security journey?