5003 - Chapter 7 Vulnerability Identity and Assessment
Beginning with a definition of vulnerability as "any weakness that can be exploited by an adversary to gain access to an asset" (Roper, 1999, p. 63), this chapter goes into detail on the part of the risk-analysis process that deals with how to identify vulnerabilities and link them to assets held by an organization, how to analyze current organizational stance with respect to protecting the asset, and how to evaluate each asset with reference to its specific vulnerability, with a view toward deciding on what additional risk-management actions can be taken to implement appropriate protections.
Risk management in general is all about assessment and evaluation, and a realistic picture of vulnerabilities is essential because exploitation of assets = exploitation of the organization's operational and security features. That in turn has implications for personnel who are onsite. It is also important to analyze vulnerabilities from the adversary's point of view, as if by thinking like an adversary one can better gauge the proper adversarial response. A good deal of attention has to be given to facilities, or physical plant, and the weaknesses of access present there, as well as to the effectiveness of existing measures to prevent unwarranted access.
Roper cites five specific areas of concern with regard to the physical plant: building characteristics, equipment properties, personnel behavior, locations of people, equipment, and buildings, and operational and personnel practices (p. 64). It is important to notice the interpenetration of building, equipment, personnel, and activity in the foregoing list, thus linking the human factor to the physical facilities. To identify a weakness in a building, then, may also mean identifying a human weakness in respect of building and/or operational use. That is how Roper gets from consideration of physical characteristics of an organization's...