The cost of a Physical Security Threat Risk Assessment (TRA or STRA) is largely based on a consultant’s hourly or daily rate and the time it will take the consultant to complete based on the requirements of the assessment.
Hourly Rate
A security consultant’s hourly or daily rate will depend on their experience and qualifications. There are many qualifications for physical security consultants. They include, the ASIS International Physical Security Professional (PSP) and Certified Protection Professional (CPP). The Crime Prevention Through Environmental Design (CPTED) certification. For Canadians a Harmonized Threat Risk Assessment (HTRA) qualification.
Generally, you should expect to pay a quality physical security consultant anywhere from $80 to $300 per hour or 650 or 2400 per day. This rate will very depending on the length of the project. A security consultant may be willing to charge a lower hourly rate on a project with more hours.
Complexity of the Site
The number of hours to complete the assessment will depend on the complexity of the site and the requirements of the request. For any TRA, a consultant generally requires time to do the following activities:
- Interview relevant individuals with security responsibilities for the site or who interact with critical assets or processes.
- Conduct open-source research into the area of the site, industry or product involved. At the same time looking at the most likely threats and risks to the site being evaluated as well as the potential impact of a threat event. This could include reviewing crime statistics as well as any relevant incident reporting.
- Review existing physical security policies as well as any previously conducted threat risk assessments or security related diagrams.
- Conduct a comprehensive physical inspection of the site to evaluate operations the security infrastructure in place such as locks, alarms and quality of cameras etc.
- Draft a report that documents the findings of the review with recommendations to mitigate the identified vulnerabilities to critical assets.
Length and Depth of Report
There is not one standard Threat Risk Assessment Report template. The final reports are based on the requirements of the client, the quality of the assessor and any underlying industry standards (such as TAPA or SOC 2) that were used for the review. The report can be quite in depth if the client requires a detailed report to satisfy the request of a third-party for due diligence or certification. Conversely, should the client simply wants a verbal brief or bullet points for their own use, a report can be short which will save time and the cost of the report.
Get in touch to discuss your threat risk assessment requirements to receive a scope and price that is right for you!