Determining the threat level is an important part of an initial TSCM or counter-surveillance assessment and helps the TSCM operator better prepare for the type of environment and compromise that may be encountered. However, threat levels should be used as a general guideline and not as a hard rule. It is important to remember that a simple low-cost device can collect the same information as a highly sophisticated device costing thousands of dollars.
Some factors that affect the determination of a threat level are the type of business or personal activity, type of information collected or stored requiring protection, the value of information, public or media interest and level of business operation (i.e., corporate, medium or small business). Other considerations include current unique or special circumstances that may exist at the time such as matters of litigation, contract or business acquisitions etc.
Additionally, threats can be either internal or external and although we tend to think of any attempt to acquire our personal or business information as coming from outside our place of business or residence, many times the threat is an internal problem. Internal threats can come from all levels of an organization, from management to any employee, whether they are full time, part-time or on contract and have the advantage of access to the facility or place of business.
Level 5: Includes government, military and law enforcement and involves information that is classified or restricted, of high value either nationally or internationally and may relate to national security. Corporate clients providing products or services to government, military or law enforcement are often placed at this level.
Level 4: Includes large corporate / business and local government clients who deal with valuable confidential or proprietary information including research and development, large contract or business acquisitions, protective operations, stock or shareholder issues as well as matters of both public and media interest.
Level 3: Includes businesses involved in matters of litigation, labour disputes and contract bids. Others may include business plans and financial activities along with collection and storage of confidential business, customer or client information.
Level 2: Includes matters of privacy invasion, investigative surveillance, identity theft, personal litigation and information relating to home-based businesses.
Level 1: Includes individual private information involving domestic issues such as spousal or family disputes. May also include issues or disputes with friends, neighbours or business associates both past and present and involve surveillance attempts as well as matters relating to harassment.
Unfortunately, there are circumstances that can affect the accuracy of a threat level determination. While clients are asked to be as forthcoming as possible about circumstances surrounding the need for TSCM services, many times important or even critical information is not provided to the TSCM operator. Some cases may include a combination of factors from different levels or involve factors initially unknown to the client. Because of this, TSCM services need to be flexible, utilizing threat levels as guidelines which can be re-evaluated at any time as required.