TIP: Identifying the security behaviours you require is best done once you have completed a risk assessment and are clear on (a) the areas of a site that are high, medium and low risk, and (b) the groups and/or individual roles that have access to your most sensitive assets (e.g. privileged access, critical, and /or sensitive roles).