A glossary issued in 2008 by the US Federal Emergency Management Agency (FEMA) lists 40 different definitions of vulnerability, each tied to a specific field of activity.
The concept of resilience with respect to a given threat is the lowest common denominator of many of those definitions. Vulnerability therefore has no real meaning on its own; it acquires one only when considered within a wider context: risk.
In other words, vulnerability is a dependent variable, and determining it necessarily involves a broader risk analysis and evaluation process. Two assets relying on the same security systems differ significantly in vulnerability depending on whether they are located in Bern or in Baghdad.
However, this intuitive concept poses quite a few problems in operational terms. It calls for a process that is, first and foremost, flexible (i.e. able to detect changes in the level of threat) and, at the same time, provides Employers with definite parameters on which to base their evaluations and action plans.
The Vulnerability Assessment Tool (VAT) developed by IFI Advisory is based on the above assumptions and aims to provide a deterministic assessment of the gaps affecting the protection of a given asset. By protection systems, we do not only mean the active and passive security components of the asset, but also the general security organisation (the so-called ‘human factor’), the ability to cope with any critical situations, the Employer’s compliance with current regulations and other areas that may be variously classed as vulnerabilities.
Through the operationalisation of international standards and best practices, the VAT establishes – for each of the fields under consideration (each of which is, therefore, a different variation of the concept of vulnerability) – a benchmark against which to identify and measure any protection system gaps.
This benchmark varies according to the level of threat in the area where the asset is located, so as to respect the principle of proportionality that has to underlie any risk assessment process: the same asset is held to a stricter benchmark in a high-threat area than in a low-threat one. The VAT methodology is based on checklists with closed-ended questions that leave no room for ambiguity, keeping the assessor’s evaluation within well-defined boundaries. In operational terms, the threat level definition (which the system performs automatically thanks to a link with a specific tool) results in an ad hoc checklist, which can be further customised based on the type of asset under assessment.
By aggregating the scores resulting from each of the answers to the checklist questions, and through a specific calculation algorithm, the VAT returns a numerical value showing the vulnerability of an asset, i.e. the inverse of its resilience to the potential security threats identified beforehand. Expressing the vulnerability of a given asset as a number makes synchronic comparisons (between multiple assets at the same moment) and diachronic comparisons (of the same asset at two distinct moments) easier.
The numerical value lies on a scale ranging from 0 to 100, divided into five ordered vulnerability bands. In this way, assessment results are immediately comprehensible and further comparisons are easier.
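The page does not disclose the VAT’s checklist, weights or calculation algorithm. The following is an added illustration, not IFI Advisory’s code, of how a deterministic scoring scheme with the properties described above can be built: closed-ended yes/no items, a benchmark (the set of required controls) that widens with the threat level, a 0–100 vulnerability score split into five bands, and a synchronic comparison that surfaces gaps recurring across assets. The checklist items, weights, threat levels, band boundaries and sample answers are all constructed assumptions; the score formula (weighted share of required controls that are missing) is likewise an assumption chosen for clarity.

```python
"""Hypothetical checklist-based vulnerability scoring (added example, not the VAT itself)."""
from collections import Counter
from dataclasses import dataclass

THREAT_LEVELS = ("low", "medium", "high")  # assumed ordering of threat levels


@dataclass(frozen=True)
class Item:
    question: str    # closed-ended: the answer is True (control in place) or False (gap)
    weight: int      # assumed relative importance of the control
    min_threat: str  # lowest threat level at which the control is required


# Constructed checklist (not IFI Advisory's). The benchmark grows with the threat level:
# at "low" only the first three items are required, at "high" all seven are.
CHECKLIST = [
    Item("Perimeter access is controlled at all entrances", 3, "low"),
    Item("Visitor log is kept and reviewed", 1, "low"),
    Item("Security roles and responsibilities are documented", 2, "low"),
    Item("CCTV covers all entrances and is monitored", 2, "medium"),
    Item("Incident response plan is tested yearly", 2, "medium"),
    Item("Vehicle stand-off distance is enforced", 3, "high"),
    Item("Armed response is available within 10 minutes", 3, "high"),
]

# Assumed band boundaries on the 0-100 scale (upper bound inclusive).
BANDS = [(20, "very low"), (40, "low"), (60, "medium"), (80, "high"), (100, "very high")]

# Constructed sample answers: an asset with only the baseline controls, and the same
# asset after a mitigation plan added CCTV and a tested incident response plan.
BASELINE_ANSWERS = {
    "Perimeter access is controlled at all entrances": True,
    "Visitor log is kept and reviewed": True,
    "Security roles and responsibilities are documented": True,
}
IMPROVED_ANSWERS = dict(BASELINE_ANSWERS, **{
    "CCTV covers all entrances and is monitored": True,
    "Incident response plan is tested yearly": True,
})


def benchmark(threat):
    """Controls required at this threat level (the proportionality principle)."""
    level = THREAT_LEVELS.index(threat)
    return [i for i in CHECKLIST if THREAT_LEVELS.index(i.min_threat) <= level]


def gaps(answers, threat):
    """Required controls the asset lacks; an unanswered question counts as a gap."""
    return [i for i in benchmark(threat) if not answers.get(i.question, False)]


def vulnerability_score(answers, threat):
    """0 = every required control in place, 100 = none of them; weighted by item weight."""
    total = sum(i.weight for i in benchmark(threat))
    missing = sum(i.weight for i in gaps(answers, threat))
    return round(100 * missing / total, 1)


def band(score):
    """Map a 0-100 score to one of the five ordered vulnerability bands."""
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score out of range: {score}")


def recurring_gaps(assessments):
    """Synchronic view: how many assets share each gap.

    assessments maps an asset name to (answers, threat_level)."""
    counter = Counter()
    for answers, threat in assessments.values():
        counter.update(i.question for i in gaps(answers, threat))
    return counter


if __name__ == "__main__":
    # Same controls, different threat level: the Bern/Baghdad point in the text.
    for city, threat in (("Bern", "low"), ("Baghdad", "high")):
        s = vulnerability_score(BASELINE_ANSWERS, threat)
        print(f"{city:8s} threat={threat:6s} score={s:5.1f} band={band(band_score := s)}")
    # Diachronic view: the same high-threat asset before and after mitigation.
    before = vulnerability_score(BASELINE_ANSWERS, "high")
    after = vulnerability_score(IMPROVED_ANSWERS, "high")
    print(f"mitigation: {before} ({band(before)}) -> {after} ({band(after)})")
    # Synchronic view: gaps shared by several assets get priority.
    shared = recurring_gaps({"site A": (BASELINE_ANSWERS, "high"),
                             "site B": (IMPROVED_ANSWERS, "high")})
    for question, count in shared.most_common():
        print(f"{count} asset(s) missing: {question}")
```

Because every answer is a closed yes/no and the benchmark is fixed by the threat level, two assessors given the same facts produce the same number, which is the property the text attributes to the VAT. The weighting and band boundaries are where a real tool encodes its judgement; changing them changes the scores, so they must be fixed before assessments are compared.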
In sum, the VAT allows users to:
- Free vulnerability analysis from the assessor’s bias and discretionary power, resting it instead on stable and objective parameters;
- Compare any number of assets, identifying common or recurring gaps;
- Reinforce minimum asset protection, reducing the number of harmful events;
- Set priorities for intervention based on both asset vulnerability and asset criticality, so as to comply with any budget and resource limits;
- Monitor and measure the effectiveness of post-assessment mitigation plans and, consequently, the performance of the personnel involved in security activities;
- Clearly identify roles and responsibilities within the Organisation, highlighting any grey areas that may slow down or hinder the risk management process;
- Centralise the risk management activities to provide the Employer with a clear and always updated overview of the risks which the Company is exposed to.
In his “De constantia sapientis”, the well-known philosopher Lucio Anneo Seneca says: “the invulnerable is not that which is never struck, but that which is never wounded”. Mutatis mutandis, we can say that an organisation is ‘invulnerable’ when it is able to effectively protect its strategic assets; however, the asset protection process cannot overlook its own limits or the real and potential threats it has to deal with.
In this regard, the VAT is an extremely valuable tool, as it rationalises the entire risk management process and supports Security Managers and Employers, first of all in methodological and organisational terms.