We saw in previous chapters that threat assessment and vulnerability assessment, while different, are inseparably linked. Any investigation into how damaging a particular threat will be depends on your own vulnerability to such a threat. In the same way, it is difficult to assess vulnerability without first asking the question, “vulnerable to what?” For this reason, threat and vulnerability can be thought of as equally important elements in the SRA process. There is probably no prescriptive sequence for doing threat and vulnerability assessment (and program assessment, to come in the next module), although some security professionals have their own individual preferences. The important points are that:
1) all are essential to the SRA process,
2) a valid risk assessment cannot be made without considering all three of them in their entirety, and
3) data and conclusions from each type of assessment must inform the others in a continual feedback loop.
The United Nations Department of Safety and Security defines vulnerability as follows:
Any weakness that can be exploited by a belligerent to gain access to an asset. Vulnerabilities can result from, but are not limited to: building characteristics, equipment properties, personal behaviour, locations of people, equipment and buildings or operational and personnel practices.
This course expands the definition of vulnerability slightly to include the study of certain factors that, while not necessarily weaknesses in themselves, may impact the likelihood of your being selected as a target. In all events, vulnerability assessment should be thought of as a process of examining your agency’s or office’s own unique profile in your particular environment.
Determination of weakness requires an “on the ground” assessment of the physical premises of the office, guest houses, hotels or apartments where staff live, and associated compounds, vehicles and other equipment. This usually includes assessment of access points, walls, gates, doors and windows. But vulnerability is more complex than the physical structures alone; it must also include investigation into readiness and training of protection staff and guards, local police and other response forces. If an ambulance is needed from the local hospital, how reliable is it? How long does it usually take to arrive? These kinds of systemic questions also contribute to a thorough vulnerability assessment.
In conducting a vulnerability assessment, it is also important to consider factors that can reduce your vulnerability. Appropriate plans and equipment, readiness of staff, first aid training, and field communications protocols are all strengths that should be noted. If any of these is lacking, it may be a vulnerability. Will this require your immediate attention? Part of the answer to this question will depend on the results of your threat assessment: does the deficiency create a weakness that could increase the likelihood of an identified threat occurring, or could make its effect more severe if it happens? Here again, the inter-relationship of threat and vulnerability assessment should be apparent, and security managers must know how to analyse both their external environment and their own organization’s strengths and weaknesses.