A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply systems, transportation systems, and communication systems. Such assessments may be conducted on behalf of a range of different organizations, from small businesses up to large regional infrastructures. Vulnerability from the perspective of disaster management means assessing the threats from potential hazards to the population and to infrastructure.
It may be conducted in the political, social, economic or environmental fields.
Vulnerability assessment has many things in common with risk assessment. Assessments are typically performed according to the following steps:
# Cataloging assets and capabilities (resources) in a system.
# Assigning quantifiable value (or at least rank order) and importance to those resources.
# Identifying the vulnerabilities or potential threats to each resource.
# Mitigating or eliminating the most serious vulnerabilities for the most valuable resources.
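The four steps above can be carried through on a small inventory to show how value, likelihood and impact combine into a ranking that drives mitigation. The following Python is an added example, not code from the article or from any of the cited methodologies; the asset names, values, findings, scoring formula (asset value multiplied by likelihood and impact) and remediation budget are all constructed assumptions for illustration.

```python
"""Worked example of the four assessment steps: catalog assets, value them,
attach vulnerabilities, and rank what to mitigate first.
All asset names, values and findings below are constructed sample data."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: int          # step 2: quantified importance, 1 (low) .. 5 (critical)


@dataclass
class Vulnerability:
    asset: str
    description: str
    likelihood: float   # assumed probability the weakness is exercised, 0..1
    impact: float       # assumed fraction of the asset's value lost if it is, 0..1
    fix_cost: int       # assumed effort units to remediate, used for planning


def catalog():
    """Steps 1-3 on constructed sample data: assets, their values, and findings."""
    assets = [
        Asset("customer-db", 5),
        Asset("public-web", 4),
        Asset("dev-wiki", 2),
        Asset("print-server", 1),
    ]
    vulns = [
        Vulnerability("customer-db", "unpatched DBMS, network-reachable", 0.6, 0.9, 3),
        Vulnerability("customer-db", "weak admin password policy", 0.3, 0.8, 1),
        Vulnerability("public-web", "outdated TLS configuration", 0.4, 0.3, 1),
        Vulnerability("dev-wiki", "no authentication on internal wiki", 0.7, 0.6, 2),
        Vulnerability("print-server", "default SNMP community string", 0.8, 0.5, 1),
    ]
    return assets, vulns


def risk_score(asset, v):
    """Expected loss in asset-value units: value x likelihood x impact."""
    return round(asset.value * v.likelihood * v.impact, 3)


def prioritize(assets, vulns):
    """Rank every finding by expected loss, highest first (input to step 4)."""
    by_name = {a.name: a for a in assets}
    scored = [(risk_score(by_name[v.asset], v), v) for v in vulns]
    scored.sort(key=lambda t: t[0], reverse=True)
    return scored


def mitigation_plan(ranked, budget):
    """Step 4, greedy form: spend a fixed remediation budget on the
    highest-risk findings first, skipping any that no longer fit."""
    chosen, spent = [], 0
    for _score, v in ranked:
        if spent + v.fix_cost <= budget:
            chosen.append(v)
            spent += v.fix_cost
    return chosen


if __name__ == "__main__":
    assets, vulns = catalog()
    ranked = prioritize(assets, vulns)
    for score, v in ranked:
        print(f"{score:5.2f}  {v.asset:14s} {v.description}")
    print("fix first:", [v.description for v in mitigation_plan(ranked, 4)])
```

Note that the ranking is driven by the asset's value as much as by the finding's own severity: the low-value print server carries the most likely finding, yet it sorts last, which is exactly the "most serious vulnerabilities for the most valuable resources" ordering the last step calls for.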
"Classical risk analysis is principally concerned with investigating the risks surrounding a plant (or some other object), its design and operations. Such analysis tends to focus on causes and the direct consequences for the studied object. Vulnerability analysis, on the other hand, focuses both on consequences for the object itself and on primary and secondary consequences for the surrounding environment. It also concerns itself with the possibilities of reducing such consequences and of improving the capacity to manage future incidents." (Lövkvist-Andersen, ''et al.'', 2004) In general, a vulnerability analysis serves to "categorize key assets and drive the risk management process." (United States Department of Energy, 2002)
In the United States, guides providing valuable considerations and templates for completing a vulnerability assessment are available from numerous agencies including the Department of Energy, the Environmental Protection Agency, and the United States Department of Transportation, just to name a few.
Several academic research papers, including Turner et al. (2003), Ford and Smith (2004), Adger (2006), Fraser (2007) and Patt et al. (2010), amongst others, have provided a detailed review of the diverse epistemologies and methodologies in vulnerability research. Turner et al. (2003), for example, proposed a framework that illustrates the complexity and interactions involved in vulnerability analysis and draws attention to the array of factors and linkages that potentially affect the vulnerability of coupled human–environment systems. The framework makes use of nested flowcharts to show how social and environmental forces interact to create situations vulnerable to sudden changes. Ford and Smith (2004) propose an analytical framework based on research with Canadian arctic communities. They suggest that the first stage is to assess current vulnerability by documenting exposures and current adaptive strategies. This should be followed by a second stage that estimates directional changes in those current risk factors and characterizes the community's future adaptive capacity. Ford and Smith's (2004) framework combines historic information, including how communities have experienced and addressed climatic hazards, with information on what conditions are likely to change and what constraints and opportunities there are for future adaptation.
Standardized Government Vulnerability Assessment Services
The GSA (General Services Administration) has standardized the "Risk and Vulnerability Assessments (RVA)" service as a pre-vetted support service to rapidly conduct assessments of threats and vulnerabilities, determine deviations from acceptable configurations and from enterprise or local policy, assess the level of risk, and develop and/or recommend appropriate mitigation countermeasures in operational and non-operational situations. This standardized service offers the following pre-vetted support services:
* Network Mapping
* Vulnerability Scanning
* Phishing Assessment
* Wireless Assessment
* Web Application Assessment
* Operating System Security Assessment (OSSA)
* Database Assessment
* Penetration Testing
These services are commonly referred to as Highly Adaptive Cybersecurity Services (HACS) and are listed at the US GSA Advantage website.
This effort has identified key service providers that have been technically reviewed and vetted to provide these advanced services. The GSA service is intended to speed up the ordering and deployment of these services, reduce US government contract duplication, and protect and support US infrastructure in a more timely and efficient manner.
132-45D Risk and Vulnerability Assessment identifies, quantifies, and prioritizes the risks and vulnerabilities in a system. A risk assessment identifies recognized threats and threat actors and the probability that these factors will result in exposure or loss.
Vulnerability to Climate Change
See also
* Vulnerability
* Vulnerability index
* Vulnerability scanner
* Vulnerability assessment (computing)
References
# Handbook of International Electrical Safety Practices.
# US Department of Energy. (2002). Vulnerability Assessment Methodology, Electric Power Infrastructure.