What is a Vulnerability Assessment & Why Do I Need One?

Vulnerability Assessments are intended to be instruments that identify real risks with some type of reliable, objective process leading to the targeted dedication of resources toward the protection of critical assets. More specifically, these are assets, which if degraded or destroyed would effectively halt operations for an extended period of time – or worse yet – altogether.

There is one large problem. There are so many versions of these types of assessments that it can become overwhelming and confusing to the consumer. Let’s take a look at what is out there.

Traditional Risk Vulnerability Assessment

Historically, Risk Vulnerability Assessments have tended to examine only structural elements, such as buildings, facilities and infrastructure. Engineering analyses of the built environment would effectively determine the following:

• The vulnerability of structures based on the building type.

• The construction materials.

• The foundation type and elevation.

• The location within a Special Flood Hazard Area (SFHA).

• The wind load capacity, and other factors.

Today, Risk Vulnerability Assessments are performed for a variety of people, property, and resources. The following are typical components, or styles you might find in a Risk Vulnerability Assessment.

Critical Facilities Analyses

Critical facilities analyses focus on determining the vulnerabilities of key individual facilities, lifelines, or resources within the community. Because these facilities play a central role in disaster response and recovery, it is important to protect them to ensure that service interruption is reduced or eliminated. Critical facilities include police, fire, and rescue departments; emergency operation centers; transportation routes; utilities; essential governmental facilities; schools; hospitals; etc. In addition to identifying which critical facilities are generally vulnerable to hazards due to direct location in or close proximity to high-risk areas (e.g., 100-year flood plain), further assessments might be conducted to determine the structural and operational vulnerabilities.

Built Environment Analyses

Built environment analyses focus on determining the vulnerabilities of noncritical structures and facilities. The built environment includes a variety of structures such as businesses, single- and multi-family homes, and other man-made facilities. The built environment is susceptible to damage and/or destruction of the structures themselves, as well as damage or loss of contents (i.e., personal possessions and inventory of goods). When structures become inhabitable and people are forced to relocate from their homes and businesses, further social, emotional, and financial vulnerabilities can result. As such, assessments can indicate where to concentrate outreach to homeowners and collaboration with businesses to incorporate hazard mitigation measures.

Societal Analyses

Societal analyses focus on determining the vulnerability of people of different ages, income levels, ethnicity, capabilities, and experiences to a hazard or group of hazards. Vulnerable populations are typically those who are minorities, below poverty level, over age 65, single parents with children, age 25 years and older without a high school diploma, households that require public assistance, renters, and housing units without vehicles, to name a few. The term “special consideration areas” indicate areas where populations reside whose personal resources or characteristics are such that their ability to deal with hazards is limited. For example, these areas generally contain higher concentrations of low-to-moderate-income households that would be most likely to require public assistance and services to recover from disaster impacts. Structures in these areas are more likely to be uninsured or under-insured for hazard damages, and persons may have limited financial resources for pursuing individual hazard mitigation options. These are also areas where other considerations such as mobility, literacy, or language can significantly impact disaster recovery efforts. These areas could be most dependent on public resources after a disaster and thus could be good investment areas for hazard mitigation activities.

Environmental Analyses

Environmental analyses focus on determining the vulnerability of natural resources (e.g., include bodies of waters, prairies, slopes of hills, endangered or threatened species and their critical habitats, wetlands, and estuaries) to natural hazards and other hazards that result from the impact of natural hazards, such as oil spills or the release of pesticides, hazardous materials, or sewage into areas of environmental concern. Environmental impacts are important to consider, because they not only jeopardize habitats and species, but they can also threaten public health (e.g., water quality), the performance of economic sectors (e.g., agriculture, energy, fishing, transportation, and tourism), and quality of life (e.g., access to natural landscapes and recreational activities). For example, flooding can result in contamination whereby raw sewage, animal carcasses, chemicals, pesticides, hazardous materials, etc. are transported through sensitive habitats, neighborhoods, and businesses. These circumstances can result in major cleanup and remediation activities, as well as natural resource degradation and bacterial illnesses.

Economic Analyses

Economic analyses focus on determining the vulnerability of major economic sectors and the largest employers within a community. Economic sectors can include agriculture, mining, construction, manufacturing, transportation, wholesale, retail, service, finance, insurance, and real estate industries. Economic centers are areas where hazard impacts could have large, adverse effects on the local economy and would therefore be ideal locations for targeting certain hazard mitigation strategies.

Assessments of the largest employers can help indicate how many people and what types of industries could be impacted by adverse impacts from natural hazards. Some of the most devastating disaster costs to a community include the loss of income associated with business interruptions and the loss of jobs associated with business closures.

The primary problem with the traditional Risk Vulnerability Assessments approach of evaluating “everything” is the time and cost factors. This type of assessment, albeit thorough, it very time consuming and expensive.

Risk Assessment

“Risk Assessment” is the determination of quantitative and/or qualitative value of risk related to a concrete situation and a recognized, perceived or potential threat. This term today is most often associated with risk management.

Example: The Environmental Protection Agency uses risk assessment to characterize the nature and magnitude of health risks to humans (e.g., residents, workers, and recreational visitors) and ecological receptors (e.g., birds, fish, wildlife) from chemical contaminants and other stresses that may be present in the environment. Risk managers use this information to help them decide how to protect humans and the environment from stresses or contaminants.

Risk Management

“Risk Management” is a structured approach to managing uncertainty related to a threat, a sequence of human activities including: risk assessment, strategies development to manage it, and mitigation of risk using managerial resources. The strategies include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk. Some traditional risk managements are focused on risks stemming from physical or legal causes (e.g. natural disasters or fires, accidents, ergonomics, death and lawsuits). Financial risk management, on the other hand, focuses on risks that can be managed using traded financial instruments. The objective of risk management is to reduce different risks related to a preselected domain to the level accepted by society. It may refer to numerous types of threats caused by environment, technology, humans, organizations and politics. On the other hand it involves all means available for humans, or in particular, for a risk management entity (person, staff, and organization).

ASIS International

(ASIS) is the largest organization for security professionals, with more than 36,000 members worldwide. Founded in 1955, ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests. The ASIS International Guidelines Commission recommended approach and framework for conducting General Security Risk Assessments:

1. Understand the organization and identify the people and assets at risk. Assets include people, all types of property, core business, networks, and information. People include employees, tenants, guests, vendors, visitors, and others directly or indirectly connected or involved with an enterprise. Property includes tangible assets such as cash and other valuables and intangible assets such as intellectual property and causes of action. Core business includes the primary business or endeavor of an enterprise, including its reputation and goodwill. Networks include all systems, infrastructures, and equipment associated with data, telecommunications, and computer processing assets. Information includes various types of proprietary data.

2. Specify loss risk events/vulnerabilities. Risks or threats are those incidents likely to occur at a site, either due to a history of such events or circumstances in the local environment. They also can be based on the intrinsic value of assets housed or present at a facility or event. A loss risk event can be determined through a vulnerability analysis. The vulnerability analysis should take into consideration anything that could be taken advantage of to carry out a threat. This process should highlight points of weakness and assist in the construction of a framework for subsequent analysis and countermeasures.

3. Establish the probability of loss risk and frequency of events. Frequency of events relates to the regularity of the loss event. For example, if the threat is the assault of patrons at a shopping mall, the frequency would be the number of times the event occurs each day that the mall is open. Probability of loss risk is a concept based upon considerations of such issues as prior incidents, trends, warnings, or threats, and such events occurring at the enterprise.

4. Determine the impact of the events. The financial, psychological, and related costs associated with the loss of tangible or intangible assets of an organization.

5. Develop options to mitigate risks. Identify options available to prevent or mitigate losses through physical, procedural, logical, or related security processes.

6. Study the feasibility of implementation of options. Practicality of implementing the options without substantially interfering with the operation or profitability of the enterprise.

7. Perform a cost/benefit analysis.

Do You Need A Vulnerability Assessment?

There are approximately 30,000 incorporated cities in the United States.


The 2005 edition of Country Reports on Terrorism recorded a total of 11,153 terrorist incidents worldwide. A total of 74,217 civilians became victims of terrorists in that year, including 14,618 fatalities. The annual report to Congress includes analysis from the National Counter-terrorism Center, a U.S. intelligence clearinghouse, which found only a slight increase in the overall number of civilians killed, injured or kidnapped by terrorists in 2006. But the attacks were more frequent and deadlier, with a 25 percent jump in the number of terrorist attacks and a 40 percent increase in civilian fatalities from the previous year. In 2006, NCTC reported, there were a total of 14,338 terrorist attacks around the world. These attacks targeted 74,543 civilians and resulted in 20,498 deaths.

It is relatively easy to disrupt major delivery systems of services in major cities through simple acts of sabotage. When that actually happens, there is likely to be a shutdown of transportation routes and delivery of basic services, including communications, food, water and gasoline. How long will it be before there is widespread panic, chaos and public unrest?

Natural Disasters

The economic and death toll from natural disasters are on the rise. It is arguable as to whether we are experiencing more natural disasters than decades ago. It is more likely whatever increases have been noted are due to more people living in more areas, and better equipment and methods of detection. Between 1975 and 1996, natural disasters worldwide cost 3 million lives and affected at least 800 million others. In the United States, damage caused by natural hazards costs close to one billion dollars per week.

Remember the California earthquakes? Public safety officials along with citizens did an outstanding job responding to the destruction. Lives were saved. Contrast that to hurricane Katrina, in which public safety officials and emergency response teams were basically frozen and ineffective.

The Katrina disaster was due to several factors; poor planning throughout the years, the nature of the event, poor coordination between agencies. Katrina serves to reinforce the misguided belief of safety through the federal or state government only. Individual communities must be prepared. Now imagine for a moment that there was appropriate emergency planning for New Orleans being under water in the event those levees broke down and flooded for whatever reason. It should have looked something like this:

*If the levees did break, vehicles would be inoperable, and people would be stranded. This leaves boats and helicopters as the rationale alternatives to disseminate emergency supplies and to provide rescue efforts.

*An emergency shelter (the dome) is designated as such, and food and water stockpiles are within quick logistical reach.

*Emergency personnel are given response stations and locations.

*Police, fire and state resources are coordinated with several types of contingency plans using many scenarios.

*Coordination with federal officials is a crap-shoot for any state; take it if you can get it but don’t count on it.

*With Katrina everyone is quick to point the finger at the federal government. Granted, the response was terrible, but what had the state and local government done to plan for what seemed to be inevitable? Had individual residents considered taking personal steps to protect their families with something as simple as an inflatable raft along with some extra food and water?

Do you have identifiable assets, which if seriously degraded, compromised or destroyed, would threaten the mission of your organization? Do you have concern regarding a specific threat? An organization’s specific assets may include a person, a thing, a place, or a procedure.

Examples include:

• A person being stalked or that has received specific threats.

• A municipality that desires security plans for critical assets.

• A corporation whose vision and mission may be compromised by vulnerabilities to their critical assets.

• An agency or corporation that has a person of such value that if he or she were kidnapped or attacked the agency or corporation would suffer serious setback.

• A gated community desiring an effective screening process for anyone who enters or an effective neighborhood response to an emergency.

• The physical location of documents or critical information that, if stolen or destroyed, would throw the organization into chaos.

• An institution that has a significant history of problem employees who have caused damage and as a result that institution may be interested in methods of effectively screening potential employees.

• An organization that, because of its geopolitical presence in the world or demographic location of its facility, desires basic safety measures at its location and safety awareness tactics for its employees.

• A corporation or agency that is exposed to a greater risk of violence due to present geo-political circumstances, such as media outlets, churches, financial institutions, and major events involved in capitalism, free speech, or religion.

• Public events that require a security plan.

• An entity that desires an office emergency plan.

Corporate Liability

There are OSHA guidelines regarding Violence in the Workplace that are generally unenforceable. However, when it comes to personal safety, any corporate entity can be held liable for not addressing worker safety concerns.

Negligence is defined as a party’s failure to exercise the prudence and care that a reasonable person would exercise in similar circumstances to prevent injury to another party. Generally, the plaintiff in these cases must prove the following in order to be awarded restitution, compensation or reparations for their losses:

• That the defendant had a duty of care;

• That the defendant failed to uphold this duty;

• That this negligence led to the plaintiff’s injury or death;

• The actual damages that were caused by the injury.

Gross negligence is usually understood to involve an act or omission in reckless disregard of the consequences affecting the life or property of another. For example, several employees of a company have formally complained to management about being approached by strangers in the parking ramp. No one takes any proactive action. Eventually, an employee of the company is sexually assaulted in the parking ramp. Is the company liable?

Critical Infrastructure

Homeland Security Presidential Directive 7 previously identified 17 critical infrastructure and key resource sectors that require protective actions to prepare for and mitigate against a terrorist attack or other hazards.

The sectors are:

• agriculture and food

• banking and finance

• chemical

• commercial facilities

• commercial nuclear reactors – including materials and waste

• dams

• defense industrial base

• drinking water and water treatment systems

• emergency services

• energy

• government facilities

• information technology

• national monuments and icons

• postal and shipping

• public health and health-care

• telecommunications

• transportation systems including mass transit, aviation, maritime, ground or surface, rail or pipeline systems

85% of all critical infrastructures are owned and operated by the private sector. The U.S. economy is the primary target of terrorism, accessed through these infrastructures, including cyber-security.

According to the Department of Homeland Security, more than 7,000 facilities, from chemical plants to colleges, have been designated “high-risk” sites for potential terrorist attacks. The facilities include chemical plants, hospitals, colleges and universities, oil and natural gas production and storage sites, and food and agricultural processing and distribution centers. The department compiled the list after reviewing information submitted by 32,000 facilities nationwide. It considered factors such as proximity to population centers, the volatility of chemicals on site and how the chemicals are stored and handled. Experts long have worried that terrorists could attack chemical facilities near large cities, in essence turning them into large bombs. Experts say it is a hallmark of Al Qaeda, in particular, to leverage a target nation’s technological or industrial strength against it, as terrorists did in the September 11 terrorist attacks.

The greater use of computer systems to monitor and control the U.S. water supply has increased the importance of cyber-security to protect the country’s utilities, a top official for a large water company said recently. “There are new vulnerabilities and threats every day of the week,” said the security director for American Water, one of the country’s largest water service companies. “The technology has advanced, along with the threat’s access.” The industrial water control systems and other utility companies use common technology platforms such as Microsoft Windows, which leaves them vulnerable to attacks from hackers or enemy states seeking to disrupt the country’s water supply. In addition, a major natural disaster such as a hurricane could shut down servers, forcing a disruption in the supply of water and waste-water services. Most of the nation’s water supply infrastructure is privately owned so the U.S. Homeland Security Department must work with industry as well as state and local agencies to help protect critical infrastructure.

Owners of our nation’s critical infrastructure are told to protect everything all the time. This approach is flawed for two reasons. First, there is no effective value proposition for investing in security. Asking a CEO to protect everything all the time is not reasonable, especially in the absence of any consistent or actionable intelligence. Second, there is no definitive consensus in the private sector of the level of risk.

The Benefits of a Vulnerability Assessment

• Identification of Critical Assets.

• Identification of Real-Risk.

• Risk Mitigation Planning.

• Emergency Planning.

• Reduced Liability.

• Reduced Insurance Rates.

• Protection of Critical Assets.

• Peace of Mind.

The Assault Prevention Vulnerability Assessment

We have dedicated several years to developing a strategic formula that had to accomplish two things:

1. It would incorporate the recommended approach and framework agreed upon by experts.

2. It would establish an approach and method of filtering through all the versions of assessments as defined above, with a formula that would consider the key principles in each version.

Assault Prevention Note: The term “Vulnerability Assessment” is today often associated with IT Security and computer systems. That is not the focus of this article.

© 2009 Terry Hipp

Sources: Wikipedia, ASIS, Sandia National Laboratories, Assault Prevention LLC