How should a physical security professional prioritize risks when multiple threats have been identified?