Before an effective counterespionage program can be developed there must be a risk assessment of the facility and information to be protected to identify the risk of espionage against the protected information of the organization. When determining the risk, one needs to examine the information to be protected, the value of such information, define who would want it, determine how accessible it is, and the impact on the organization should such information be illegally obtained through industrial espionage. Once the threat and risk have been identified, one needs to establish what must be protected. Next, determine the severity of the threat and probability of occurrence.