What is a Vulnerability Assessment & Why Do I Need One?

Vulnerability Assessments are intended to be instruments that identify real risks with some kind of reliable, objective process leading to the targeted dedication of resources toward the protection of critical assets. More specifically, these are assets which, if degraded or destroyed, would effectively stop operations for an extended period of time, or worse yet, altogether.

There is one large problem. There are so many versions of these types of assessments that it can become overwhelming and confusing to the consumer. Let’s take a look at what is out there.

Traditional Risk Vulnerability Assessment

Historically, Risk Vulnerability Assessments have tended to examine only structural elements, such as buildings, facilities and infrastructure. Engineering analyses of the built environment would effectively determine the following:
• The vulnerability of structures based on the building type.
• The construction materials.
• The foundation type and elevation.
• The location within a Special Flood Hazard Area (SFHA).
• The wind load capacity, and other factors.

Today, Risk Vulnerability Assessments are performed for a variety of people, property, and resources. The following are typical elements, or styles, you might find in a Risk Vulnerability Assessment.

Critical Facilities Analyses
Critical facilities analyses focus on calculating the vulnerabilities of key individual facilities, lifelines, or resources within the community. Because these facilities play a central role in disaster response and recovery, it is important to protect them to ensure that service interruption is reduced or eliminated. Critical facilities include police, fire, and rescue departments; emergency operation centers; transportation routes; utilities; critical governmental facilities; schools; hospitals; etc. In addition to identifying which critical facilities are generally vulnerable to hazards due to direct location in or close proximity to high-risk areas (e.g., 100-year flood plain), further assessments might be conducted to determine the structural and operational vulnerabilities.

Built Environment Analyses
Built environment analyses focus on calculating the vulnerabilities of noncritical structures and facilities. The built environment includes a variety of structures such as businesses, single- and multi-family homes, and other man-made facilities. The built environment is prone to damage and/or destruction of the structures themselves, as well as damage or loss of contents (i.e., personal possessions and inventory of goods). When structures become uninhabitable and people are forced to move from their homes and businesses, further social, emotional, and financial vulnerabilities can result. As such, assessments can indicate where to concentrate outreach to homeowners and collaboration with businesses to incorporate hazard mitigation measures.

Societal Analyses
Societal analyses focus on calculating the vulnerability of people of different ages, income levels, ethnicity, capabilities, and experiences to a hazard or group of hazards. Vulnerable populations are typically those who are minorities, below poverty level, over age 65, single parents with children, age 25 years and older without a high school diploma, households that require public assistance, renters, and housing units without vehicles, to name a few. The term “special consideration areas” indicates areas where populations reside whose personal resources or characteristics are such that their ability to deal with hazards is limited. For example, these areas generally contain higher concentrations of low-to-moderate-income households that would be most likely to require public assistance and services to recover from disaster impacts. Structures in these areas are more likely to be uninsured or under-insured for hazard damages, and persons may have limited financial resources for pursuing individual hazard mitigation options. These are also areas where other considerations such as mobility, literacy, or language can considerably impact disaster recovery efforts. These areas could be most dependent on public resources after a disaster and consequently could be good investment areas for hazard mitigation activities.

Environmental Analyses
Environmental analyses focus on calculating the vulnerability of natural resources (e.g., bodies of water, prairies, slopes of hills, abundant or threatened species and their critical habitats, wetlands, and estuaries) to natural hazards and other hazards that result from the impact of natural hazards, such as oil spills or the release of pesticides, hazardous materials, or sewage into areas of environmental concern. Environmental impacts are important to consider, because they not only threaten habitats and species, but they can also threaten public health (e.g., water quality), the performance of economic sectors (e.g., agriculture, energy, fishing, transportation, and tourism), and quality of life (e.g., access to natural landscapes and recreational activities). For example, flooding can result in contamination whereby raw sewage, animal carcasses, chemicals, pesticides, hazardous materials, etc. are transported through sensitive habitats, neighborhoods, and businesses. These circumstances can result in major cleanup and remediation activities, as well as natural resource degradation and bacterial illnesses.

Economic Analyses
Economic analyses focus on calculating the vulnerability of major economic sectors and the largest employers within a community. Economic sectors can include agriculture, mining, construction, manufacturing, transportation, wholesale, retail, service, finance, insurance, and real estate industries. Economic centers are areas where hazard impacts could have large, negative effects on the local economy and would consequently be ideal locations for targeting certain hazard mitigation strategies.

Assessments of the largest employers can help indicate how many people and what types of industries could be impacted by negative impacts from natural hazards. Some of the most devastating disaster costs to a community include the loss of income associated with business interruptions and the loss of jobs associated with business closures.

The main problem with the traditional Risk Vulnerability Assessment approach of evaluating “everything” is the time and cost involved. This kind of assessment, albeit thorough, is very time consuming and expensive.

Risk Assessment
“Risk Assessment” is the determination of quantitative and/or qualitative value of risk related to a concrete situation and a recognized, perceived or possible threat. This term today is most often associated with risk management.

Example: The Environmental Protection Agency uses risk assessment to characterize the nature and extent of health risks to humans (e.g., residents, workers, and recreational visitors) and ecological receptors (e.g., birds, fish, wildlife) from chemical contaminants and other stresses that may be present in the environment. Risk managers use this information to help them decide how to protect humans and the environment from stresses or contaminants.

Risk Management
“Risk Management” is a structured approach to managing uncertainty related to a threat, through a sequence of human activities including: risk assessment, strategies development to manage it, and mitigation of risk using managerial resources. The strategies include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk. Some traditional risk management is focused on risks stemming from physical or legal causes (e.g. natural disasters or fires, accidents, ergonomics, death and lawsuits). Financial risk management, however, focuses on risks that can be managed using traded financial instruments. The objective of risk management is to reduce different risks related to a preselected domain to the level accepted by society. It may refer to numerous types of threats caused by environment, technology, humans, organizations and politics. However, it involves all means available to humans, or in particular, to a risk management entity (person, staff, and organization).

ASIS International
ASIS International (ASIS) is the largest organization for security professionals, with more than 36,000 members worldwide. Established in 1955, ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address general security interests. The ASIS International Guidelines Commission recommends the following approach and framework for conducting General Security Risk Assessments:

1. Understand the organization and identify the people and assets at risk. Assets include people, all types of property, core business, networks, and information. People include employees, tenants, guests, vendors, visitors, and others directly or indirectly connected or involved with an enterprise. Property includes tangible assets such as cash and other valuables and intangible assets such as intellectual property and causes of action. Core business includes the primary business or endeavor of an enterprise, including its reputation and goodwill. Networks include all systems, infrastructures, and equipment associated with data, telecommunications, and computer processing assets. Information includes various types of proprietary data.

2. Specify loss risk events/vulnerabilities. Risks or threats are those incidents likely to occur at a site, either due to a history of such events or circumstances in the local environment. They also can be based on the inherent value of assets housed or present at a facility or event. A loss risk event can be determined by a vulnerability analysis. The vulnerability analysis should take into consideration anything that could be taken advantage of to carry out a threat. This process should highlight points of weakness and assist in the construction of a framework for later analysis and countermeasures.

3. Establish the probability of loss risk and frequency of events. Frequency of events relates to the regularity of the loss event. For example, if the threat is the assault of patrons at a shopping mall, the frequency would be the number of times the event occurs each day that the mall is open. Probability of loss risk is a concept based upon considerations of such issues as prior incidents, trends, warnings, or threats, and such events occurring at the enterprise.

4. Determine the impact of the events. The financial, psychological, and related costs associated with the loss of tangible or intangible assets of an organization.

5. Develop options to mitigate risks. Identify options available to prevent or mitigate losses by physical, procedural, logical, or related security processes.

6. Study the feasibility of implementation of options. Practicality of implementing the options without significantly interfering with the operation or profitability of the enterprise.

7. Perform a cost/benefit analysis.

Do You Need A Vulnerability Assessment?

There are approximately 30,000 incorporated cities in the United States.

The 2005 edition of Country Reports on Terrorism recorded a total of 11,153 terrorist incidents worldwide. A total of 74,217 civilians became victims of terrorists in that year, including 14,618 fatalities. The annual report to Congress includes analysis from the National Counterterrorism Center, a U.S. intelligence clearinghouse, which found only a slight increase in the overall number of civilians killed, injured or kidnapped by terrorists in 2006. But the attacks were more frequent and deadlier, with a 25 percent jump in the number of terrorist attacks and a 40 percent increase in civilian fatalities from the previous year. In 2006, NCTC reported, there were a total of 14,338 terrorist attacks around the world. These attacks targeted 74,543 civilians and resulted in 20,498 deaths.

It is comparatively easy to disrupt major delivery systems of services in major cities by simple acts of sabotage. When that actually happens, there is likely to be a shutdown of transportation routes and delivery of basic services, including communications, food, water and gasoline. How long will it be before there is widespread panic, chaos and public unrest?

Natural Disasters
The economic and death tolls from natural disasters are on the rise. It is arguable as to whether we are experiencing more natural disasters than decades ago. It is more likely that whatever increases have been noted are due to more people living in more areas, and better equipment and methods of detection. Between 1975 and 1996, natural disasters worldwide cost 3 million lives and affected at least 800 million others. In the United States, damage caused by natural hazards costs close to one billion dollars per week.

Remember the California earthquakes? Public safety officials along with citizens did an outstanding job responding to the destruction. Lives were saved. Contrast that to Hurricane Katrina, in which public safety officials and emergency response teams were basically frozen and ineffective.

The Katrina disaster was due to several factors: poor planning throughout the years, the nature of the event, and poor coordination between agencies. Katrina serves to reinforce how misguided the belief is that safety comes from the federal or state government only. Individual communities must be prepared. Now imagine for a moment that there was appropriate emergency planning for New Orleans being under water in the event those levees broke down and flooded for whatever reason. It should have looked something like this:

• If the levees did break, vehicles would be inoperable, and people would be stranded. This leaves boats and helicopters as the rational alternatives to disseminate emergency supplies and to provide rescue efforts.
• An emergency shelter (the dome) is designated as such, and food and water stockpiles are within quick logistical reach.
• Emergency personnel are given response stations and locations.
• Police, fire and state resources are coordinated with several types of contingency plans using many scenarios.
• Coordination with federal officials is a crap-shoot for any state; take it if you can get it but don’t count on it.
• With Katrina everyone is quick to point the finger at the federal government. Granted, the response was terrible, but what had the state and local government done to plan for what seemed to be unavoidable? Had individual residents considered taking personal steps to protect their families with something as simple as an inflatable raft along with some additional food and water?

Do you have identifiable assets, which if seriously degraded, compromised or destroyed, would threaten the mission of your organization? Do you have concern regarding a specific threat? An organization’s specific assets may include a person, a thing, a place, or a procedure.

Examples include:
• A person being stalked or who has received specific threats.
• A municipality that desires security plans for critical assets.
• A corporation whose vision and mission may be compromised by vulnerabilities to its critical assets.
• An agency or corporation that has a person of such value that if he or she were kidnapped or attacked the agency or corporation would suffer serious setback.
• A gated community desiring an effective screening process for anyone who enters or an effective neighborhood response to an emergency.
• The physical location of documents or critical information that, if stolen or destroyed, would throw the organization into chaos.
• An institution that has a significant history of problem employees who have caused damage and as a consequence may be interested in methods of effectively screening potential employees.
• An organization that, because of its geopolitical presence in the world or demographic location of its facility, desires basic safety measures at its location and safety awareness tactics for its employees.
• A corporation or agency that is exposed to a greater risk of violence due to present geo-political circumstances, such as media outlets, churches, financial institutions, and major events involved in capitalism, free speech, or religion.
• Public events that require a security plan.
• An entity that desires an office emergency plan.

Corporate Liability
There are OSHA guidelines regarding Violence in the Workplace that are generally unenforceable. However, when it comes to personal safety, any corporate entity can be held liable for not addressing worker safety concerns.

Negligence is defined as a party’s failure to exercise the prudence and care that a reasonable person would exercise in similar circumstances to prevent injury to another party. Generally, the plaintiff in these situations must prove the following in order to be awarded restitution, compensation or reparations for their losses:
• That the defendant had a duty of care;
• That the defendant failed to uphold this duty;
• That this negligence led to the plaintiff’s injury or death;
• The actual damages that were caused by the injury.

Gross negligence is usually understood to include an act or omission in reckless disregard of the consequences affecting the life or property of another. For example, several employees of a company have formally complained to management about being approached by strangers in the parking ramp. No one takes any proactive action. Ultimately, an employee of the company is sexually assaulted in the parking ramp. Is the company liable?

Critical Infrastructure
Homeland Security Presidential Directive 7 previously identified 17 critical infrastructure and key resource sectors that require protective actions to prepare for and mitigate against a terrorist attack or other hazards.

The sectors are:
• agriculture and food
• banking and finance
• chemical
• commercial facilities
• commercial nuclear reactors – including materials and waste
• dams
• defense industrial base
• drinking water and water treatment systems
• emergency services
• energy
• government facilities
• information technology
• national monuments and icons
• postal and shipping
• public health and health-care
• telecommunications
• transportation systems including mass transit, aviation, maritime, ground or surface, rail or pipeline systems

85% of all critical infrastructures are owned and operated by the private sector. The U.S. economy is the primary target of terrorism, accessed through these infrastructures, including cyber-security.

According to the Department of Homeland Security, more than 7,000 facilities, from chemical plants to colleges, have been designated “high-risk” sites for possible terrorist attacks. The facilities include chemical plants, hospitals, colleges and universities, oil and natural gas production and storage sites, and food and agricultural processing and dispensing centers. The department compiled the list after reviewing information submitted by 32,000 facilities nationwide. It considered factors such as proximity to population centers, the volatility of chemicals on site and how the chemicals are stored and handled. Experts long have worried that terrorists could attack chemical facilities near large cities, basically turning them into large bombs. Experts say it is a hallmark of Al Qaeda, in particular, to leverage a target nation’s technological or industrial strength against it, as terrorists did in the September 11 terrorist attacks.

The greater use of computer systems to monitor and control the U.S. water supply has increased the importance of cyber-security to protect the country’s utilities, a top official for a large water company said recently. “There are new vulnerabilities and threats every day of the week,” said the security director for American Water, one of the country’s largest water service companies. “The technology has advanced, along with the threat’s access.” Industrial water control systems and other utility companies use common technology platforms such as Microsoft Windows, which leaves them vulnerable to attacks from hackers or enemy states seeking to disrupt the country’s water supply. In addition, a major natural disaster such as a hurricane could shut down servers, forcing a disruption in the supply of water and waste-water services. Most of the nation’s water supply infrastructure is privately owned, so the U.S. Homeland Security Department must work with industry as well as state and local agencies to help protect critical infrastructure.

Owners of our nation’s critical infrastructure are told to protect everything all the time. This approach is flawed for two reasons. First, there is no effective value proposition for investing in security. Asking a CEO to protect everything all the time is not reasonable, especially in the absence of any consistent or actionable intelligence. Second, there is no definitive consensus in the private sector of the level of risk.

The Benefits of a Vulnerability Assessment
• Identification of Critical Assets.
• Identification of Real-Risk.
• Risk Mitigation Planning.
• Emergency Planning.
• Reduced Liability.
• Reduced Insurance Rates.
• Protection of Critical Assets.
• Peace of Mind.

The Assault Prevention Vulnerability Assessment
We have dedicated several years to developing a strategic formula that had to accomplish two things:

1. It would incorporate the recommended approach and framework agreed upon by experts.
2. It would establish an approach and method of filtering through all the versions of assessments as defined above, with a formula that would consider the key principles in each version.

Assault Prevention Note: The term “Vulnerability Assessment” is today often associated with IT Security and computer systems. That is not the focus of this article.

© 2009 Terry Hipp
Sources: Wikipedia, ASIS, Sandia National Laboratories, Assault Prevention LLC
