June 20, 2023
Identifying Assets in Biosecurity Risk Assessments
All licensed facilities in Canada must conduct a biosecurity risk assessment in order to develop a comprehensive biosecurity plan (Canadian Biosafety Standard, Third Edition, 4.1.5 and 4.1.8). One of the most important steps in a biosecurity risk assessment is identifying the assets in need of protection. An organization must determine if it's likely to be a target of a biosecurity incident based on the assets handled or stored in its facilities. A biosecurity risk assessment is driven by an organization's risk tolerance and takes into account potential consequences of a biosecurity incident.
Examples of biosecurity incidents include:
- loss
- theft
- misuse
- diversion
- sabotage
- intentional release of assets
Biosecurity risk assessments can include:
- tangible assets (such as pathogens, toxin, animals, laboratory equipment)
- intangible assets (such as intellectual property, experimental protocol with dual-use potential)
- people assets (such as technicians, scientists, students)
Other assets that an organization may need to protect include:
- reputation
- intellectual property
- critical infrastructure biocontainment components
Intellectual Property
Intellectual property is any product of human intellect that the law protects from unauthorized use by others. Intellectual property includes:
- novel findings
- new or modified laboratory techniques or procedures
- inventions (patent)
- designs (industrial design)
If your organization can financially benefit from its novel findings, it may have a very low risk tolerance for intellectual property theft. As part of your biosecurity plan's information management security strategy, you could restrict access to all information related to research until publication or patent application. This could also help prevent the publication of sensitive research findings from being published. For example, an organization shouldn't publish research findings that could be easily misused to do harm (research with dual-use potential). As demonstrated by recent criticism of organizations publishing protocols on how to synthesize viruses, dual-use potential of scientific research with pathogens can sometimes only be properly assessed after a project has been completed (for example, after the new modified pathogen is fully characterized).
Critical Biocontainment Components
If biocontainment failure could severely affect the health of personnel, the surrounding community or beyond, your organization should have an extremely low risk tolerance to sabotage of critical biocontainment components. The following can help prevent sabotage to critical biocontainment components:
- identifying vulnerabilities
- developing physical security measures
- developing information management strategies in your biosecurity risk assessment
Security measures could include mitigating the risks of cyberattacks on laboratory equipment or restricting access to architectural, mechanical, and electrical drawings of critical biocontainment components to only security-cleared individuals on a need-to-know basis.
Reputation
If reputational damage could affect its funding or collaborations with reputable facilities across the world, your organization may have a very low risk tolerance for reputational damage. Collaborations, affiliations and disinformation campaigns can cause a significant negative impact to an organization's reputation. Such campaigns can also increase the risk of violence and attacks against your facility. Your biosecurity risk assessment can help identify appropriate mitigation strategies in your biosecurity plan. For example, your organization may choose to implement National Security Guidelines for Research Partnerships and create guidance for personnel regarding the use of social media platforms.
For more information on how to conduct a biosecurity risk assessment, consult the Canadian Biosafety Guideline: Conducting a Biosecurity Risk Assessment or contact the Centre for Biosecurity at biosafety.biosecurite@phac-aspc.gc.ca.