7

Vulnerability Assessment

Rachel Derr

Abstract

This chapter outlines how to properly assess an organization’s vulnerabilities or the weak points of a target. This chapter outlines the seven factors used in the process of assessing these vulnerabilities. This chapter also demonstrates how to complete a Vulnerability Worksheet, which contributes to an organization’s threat rating.

Keywords

visibility; target; jurisdiction; population; impact; potential threat element (PTE); natural disaster; man-made accidental disaster; man-made terrorist disaster

Introduction

A vulnerability assessment evaluates the vulnerability of critical assets, that is, any weakness that can be exploited by an aggressor, across a broad range of identified threats and provides a basis for determining mitigation measures for protection of people and critical assets. Too many organizations rush into the purchase of security systems without really understanding the vulnerability they’re trying to address. They’re throwing darts at the problem, hoping they get a bull’s eye. Although there is a chance they will hit the target, more often than not, they will miss.

Assessing Your Vulnerabilities

During the phase of assessing your vulnerabilities, it is important to determine the level of the assessment you wish to perform and the skills of your team that you will need to complete the assessment.

You will need to:

1. Determine your threat rating.

2. Determine the asset value and level of protection your organization will need.

Although technology is an important part of a security program, it may not be an effective control against specific vulnerabilities. Establishing a security program requires broad security controls. It is a comprehensive approach that uses physical, technical, and operational controls. The complexities of a security program cannot be underestimated and cannot be achieved by implementing a single control. The one-size-fits-all approach will never be applicable to a security program and the management of broad security vulnerabilities.

Security is only one of many broad risks to an organization. A security assessment or security vulnerability analysis is a subset of a process called enterprise risk management (ERM), which involves evaluating and prioritizing all risks to an organization, security being one of them. For instance, from an ERM perspective, the security risk could be vulnerability to assets, people, business, brand, and reputation. To examine this risk, a security vulnerability analysis would evaluate an organization to identify, validate, and prioritize vulnerabilities that could produce a security incident. This incident could be as mundane as product loss or as catastrophic as a shooting in a facility.

A security vulnerability analysis seeks out root causes for a security vulnerability and applies physical, technical, and operational controls to deter, delay, and minimize the impact on the organization of an incident.

The security vulnerability analysis validates vulnerabilities to upper management and helps procure money for improvements. These improvements could be establishing a security program, purchasing technology, performing upgrades to lighting or physical security, training, improving awareness, and so on.

The vulnerability assessment is a key component of the risk assessment model involving the analysis of several key factors about the venue. This is the focus for the assessment of man-made (terrorist) vulnerabilities. There are seven factors to evaluate the asset’s potential risk. Each of the seven factors is rated on a scale of 0 to 5 with 0 being no risk and 5 representing the greatest risk. For man-made (terrorist) attacks, the factors are (Fig. 7.1):

1. Level of visibility: Assess the awareness of existence and visibility of the target to the general public.

2. Criticality of target to the jurisdiction: Assess the usefulness of the target to the local population, economy, or government.

3. Potential population capacity: Assess the maximum number of people at a site at any given time.

4. Potential for collateral mass casualties: Assess potential mass casualties within a 1-mile radius of the target.

5. Impact outside of the target: Assess the loss outside of the area.

6. Existence of chemical, biological, radiologic, nuclear, and explosive (CBRNE) elements: Assess the presence of a legal weapon of mass destruction (WMD) on the site.

7. Potential threat element (PTE) access to target: Assess the availability of the building for ingress and egress by a PTE.

Figure 7.1 Flat Iron Building, New York City. Courtesy of https://pixabay.com/en/flat-iron-building-new-york-city-801758/.

Level of Visibility

Level of visibility is the awareness of existence and visibility of the target to the general public. When you are thinking about your organization, does the public know it exists? Or is your target in the middle of downtown, and everyone in town knows about the building?

The level of visibility relates to the level of the site’s visibility using the following scale. Rating level 0 equals “invisible,” where the location is a classified or a secret location unbeknownst to the general public. Ranking level 1 assumes the site has a “very low visibility,” which means that it is also a so-called secret or classified location that is only known by a very few people. Rating level 2 represents that the site has “low visibility,” meaning that the knowledge of its existence is public but generally not too well known. The third rating level is used when the site has “medium visibility,” meaning the existence of the facility is only known locally. Ranking level 4 means that the site has a “high visibility”; the existence of the site is typically known throughout the region. Last, ranking level 5 is used when a site has a “very high visibility.” The highest vulnerability assessment rating is only used when the site’s existence and purpose are typically known nationally by members of the general public.

To better understand, use Table 7.1 to assess the awareness of the existence of the target.

Table 7.1

Level of Visibility

0 = Invisible: existence secret or classified location
1 = Very low visibility: existence not publicized
2 = Low visibility: existence public but not well known
3 = Medium visibility: existence known locally
4 = High visibility: existence known regionally
5 = Very high visibility: existence known nationally

Criticality of Target Site to Jurisdiction

The usefulness of a potential target defines its criticality to a jurisdiction. Is the potential target critical to the jurisdiction’s infrastructure and the continuity of basic services? This factor can involve specific components within a facility or specific facilities within a jurisdiction.

Two things to keep in mind when you are assessing the criticality of a target:

1. Assess the usefulness of a target.

2. Is it necessary for basic services (e.g., hospital; Fig. 7.2)?

Figure 7.2 Baylor Hospital Dallas, TX. Courtesy of https://pixabay.com/en/dallas-architecture-building-modern-387604/.

The second factor focuses on the building’s or site’s criticality, or importance, to the jurisdiction (e.g., city or town) where it is located. This includes an assessment of the impact that the site’s assets have on the local population, economy, or government. The six possible assessment rankings in this category include rating level 0 for no usefulness whatsoever, rating level 1 for minor usefulness, 2 for moderate usefulness, 3 for significant usefulness, 4 for highly useful, and 5 when the site’s assets are “critical” to the city or town where it is located.

Impact Outside of the Jurisdiction

Who depends on the organization? Assessment factor 3 examines the impact that the site or building has outside the jurisdiction where it is located. The question asked is, “What effect would losing the facility have outside of our county?” The possible assessment rankings using the 6-point scale include rating level 0 for none (no impact), 1 for very low impact, 2 for low impact, 3 for medium impact, 4 for high impact, and 5 for very high impact. This last assessment ranking is only used when a site or building serves as a large employer, has a significant impact on the local economy, or has a close and vital working relationship with its local government.

This factor measures the impact the loss of a potential target would have outside of the jurisdiction. With this in mind, select the rating value that most closely represents the facility, infrastructure, or event.

Potential Threat Element Access to the Target (Accessibility)

The fourth factor talks about possible access to the site or building. The exact question posed is, “How accessible is the site?” The six possible ranking levels for this category range from “restricted” access to “unlimited” access.

When looking at the accessibility of your organization, make sure you evaluate the following areas:

1. Parking areas

2. Controlled lots for visitors

3. Employee access

4. Standoff from facility

5. Lighting

6. Access to building

7. Security officers

8. Locks and key controls

9. Limited number of entrances?

10. Badges

11. Background checks

12. Cameras

13. Alarms

14. Mail screening

15. Delivery screening

16. Building systems

17. Heating, ventilation, and air conditioning (HVAC) intakes

18. Location

19. Filters

20. Air, water, and utility intakes

Ranking level 0 stands for restricted access, which means that the site or building is patrolled 24/7; is fenced, alarmed, and equipped with security cameras; has controlled access that requires prior clearance; contains designated parking (with the requirement that no unauthorized vehicle can park within 300 feet of the facility); and has protected airspace and entranceways.

A rating level of 1 means that the site has controlled access—the facility has a 24/7 security patrol; is fenced; has controlled access to vehicles and personnel; contains designated parking, including a restriction that no unauthorized vehicles can park within 300 feet of the facility; and has protected airspace and entranceways.

A ranking level of 2 means that access to the site is limited in nature. It has security guards at the main entrance during regular business hours, is fenced, contains a security alarm, has controlled access for visitors, and has designated onsite parking and the requirement that no unauthorized vehicles can park within 300 feet of the facility. This rating level also includes the fact that the site has protected airspace and entranceways.

The third assessment rating level indicates moderate access, which means that the site and building have controlled access for visitors, have security alarms after regular business hours, have protected airspace and entranceways, contain designated parking areas, and have the requirement that there can be no unauthorized vehicles parking within 50 feet of the facility.

Ranking level four means the site has open access. The site is open and has public access during regular business hours; has few, if any, safeguards in place; and contains unprotected airspace and entranceways.

The last assessment ranking level in this category, rating level 5, means that the site has unlimited open access to the public, has no safeguards in place, and has unprotected airspace and entranceways.

Potential Target Threat of Hazard

This factor evaluates the presence of CBRNE materials at a facility that could be used as a CBRNE or could enhance the capability of a PTE weapon if deployed.

Assessing the potential target threat involves the assessment of the site relative to onsite hazards. It pertains to the presence of legal WMD materials, as well as CBRNE materials in quantities that could make the site a target for a possible terrorist attack or that would complicate the public response to a terrorist incident at the site if one took place (Fig. 7.3).

Figure 7.3 Coal-fired power plant. Courtesy of www.pixabay.com.

The six possible ranking levels for this category range from none to high. Rating level 0 means that none of the possible WMD or CBRNE materials are located on the site. Level 1 means that minimal WMD or CBRNE materials are present in moderate quantities, but they are controlled. Level 2 reflects a low hazards exposure, indicating that WMD or CBRNE materials are present in moderate quantities, but they are controlled. Level 3 reflects a moderate hazards exposure—there are major concentrations of WMD or CBRNE materials, but they have established control procedures and are secure in the site. Level 4 reflects that a high degree or major levels or concentrations of WMD or CBRNE materials are located on the site, with only moderate control features in place. The last rating criterion in this category, level 5, indicates there is a very high presence of WMD or CBRNE materials on the site, there are no safeguards in place, and the material is readily accessible to employees as well as nonstaff personnel.

Potential Target Site Population

For this factor, you will assess the number of individuals that occupy a specific location at any given time. By doing this, you will be able to assess, in an extreme situation, what the possible loss of life would be.

Again, there are six possible rating levels. Rating level 0 indicates that no one is located at the site. Level 1 means that one to 250 people are located there. Level 2 indicates 251 to 5000 people, level 3 reflects 5001 to 15,000 individuals, level 4 represents 15,001 to 50,000 people, and level 5 indicates that more than 50,000 people are present at the site at any given time.

Potential for Collateral Mass Casualties

The final vulnerability assessment factor includes a review of the maximum number of people within a 1-mile radius of the site, reflecting the potential for collateral mass casualties if a major terrorist attack takes place. The six possible assessment rankings include the following: level 0 stands for 0 to 100 people, level 1 means 101 to 500 people, level 2 includes 501 to 1000 people, level 3 represents 1001 to 2000 people, level 4 reflects 2001 to 5000 people, and level 5 represents 5001 or more people within a 1-mile radius of the site.

Note: Within this factor, remember to take into consideration:

Industrial

Commercial

Residential

Based on a site’s or facility’s vulnerability assessment ranking, the owners or managers of the site or building may wish to take a number of common-sense remediation measures to offset the potential vulnerability of their facility to a possible terrorist attack. These measures include, but are certainly not limited to, providing perimeter fencing, installing parking security safeguards for both employees and delivery persons, purchasing onsite surveillance cameras, using landscaping and vertical impediments to preclude vehicles from getting too close to the site, obtaining some type of employee identification recognition process, and using security guards to protect the facility against possible purposeful human wrongdoing.

Last, it should be pointed out that if you review the four phases of emergency management—prevention, mitigation, response, and recovery—it is much less expensive to initiate upfront remedial measures to prevent your site or facility from being attacked than it is to respond to and recover from an attack. Although there are no 100% foolproof safeguards, common-sense measures can be taken to minimize the possibility of a terrorist attack and thereby limit the loss of life and property from a man-made emergency. Therefore, the use of such assessment questionnaires (Tables 7.2 to 7.4) to determine a site’s vulnerability is likely to increase in future years.

Table 7.2

Man-Made (Terrorist) Vulnerability Assessment Worksheet


Table 7.3

Man-Made (Accidental) Vulnerability Assessment Worksheet


Table 7.4

Natural Disaster Vulnerability Assessment Worksheet


Although this assessment ranking process appears, on the surface, to be objective, greater consideration could be given to the “weight” that each assessment category represents in the overall “vulnerability” equation. For example, an expert in this field could find a good reason to give more points to one assessment category over another. Also, if a terrorist used a nuclear device, the various vulnerability assessment categories would have little meaning. For this reason, the criteria selected represent a “general assessment” of a building’s or facility’s vulnerability, providing a valuable vehicle to use when assessing the vulnerability of public and private buildings and facilities to a possible terrorist attack.
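The 0-to-5 scales described in this chapter can be worked as a scoring sketch (an added example, not taken from the chapter or its worksheets). The two head-count factors are binned with the chapter's ranges and the other five are assessor judgments; adding the seven levels into one total, with optional per-factor weights as the paragraph above suggests, is an assumption, and all function and factor names are hypothetical.

```python
from bisect import bisect_left

# Inclusive upper bounds of levels 0-4, taken from the chapter's ranges;
# any count above the last bound is level 5.
SITE_POPULATION_BOUNDS = [0, 250, 5000, 15000, 50000]
COLLATERAL_BOUNDS = [100, 500, 1000, 2000, 5000]   # people within 1 mile

# Factors the assessor rates by judgment on the 0-5 scale (names are hypothetical).
JUDGED_FACTORS = ("visibility", "criticality", "impact_outside",
                  "accessibility", "cbrne_hazard")


def level_from_count(count, bounds):
    """Map a head count to a 0-5 level using inclusive upper bounds."""
    if count < 0:
        raise ValueError("count cannot be negative")
    return bisect_left(bounds, count)


def score_worksheet(judged, site_population, people_within_1_mile, weights=None):
    """Return (per-factor levels, total).

    Assumption: the total is the sum of the seven levels, each multiplied by
    an optional weight (default 1). The chapter does not state the formula.
    """
    levels = {}
    for name in JUDGED_FACTORS:
        if name not in judged:
            raise ValueError(f"missing rating for factor: {name}")
        value = judged[name]
        if not isinstance(value, int) or not 0 <= value <= 5:
            raise ValueError(f"{name}: rating must be an integer from 0 to 5")
        levels[name] = value
    levels["site_population"] = level_from_count(
        site_population, SITE_POPULATION_BOUNDS)
    levels["collateral_casualties"] = level_from_count(
        people_within_1_mile, COLLATERAL_BOUNDS)
    weights = weights or {}
    total = sum(lvl * weights.get(name, 1) for name, lvl in levels.items())
    return levels, total


# Constructed sample input: a regional hospital as rated by a hypothetical assessor.
SAMPLE_RATINGS = {"visibility": 3, "criticality": 5, "impact_outside": 2,
                  "accessibility": 4, "cbrne_hazard": 1}

if __name__ == "__main__":
    print(score_worksheet(SAMPLE_RATINGS, 1800, 4200))
    print(score_worksheet(SAMPLE_RATINGS, 1800, 4200, weights={"criticality": 2}))
```

Boundary counts matter here: 250 occupants is level 1 while 251 is level 2, so the count fed into the worksheet should be the maximum occupancy, not an average.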
