In a method for determining a threat situation for an automation component of the controller or field level, wherein the automation component has at least one essentially cyclic program behavior, a number of required program behaviors is established in a learning phase in a processor, and the determined required program behaviors are stored and compared cyclically with actual program behaviors, that are established in operation of the automation component. The result of the comparison is logically linked with results of other security components for verification as to whether a threat situation exists.
