How can you use the eight vulnerability factors listed above to assess the vulnerability of your own organization? One way might be to rank your own organization or office in each category. For example, you could use a standard set of descriptors from “Highly Vulnerable” to “Not Vulnerable” and then rate yourself in each category.
Alternatively, you might use a comparative or “benchmarking” approach. The idea is to compare your level of vulnerability using the factors presented above with that of other organizations operating in the same environment. Choose four or five (or more) organizations facing the same threat environment as you, and list your organization beside them. Next, for each vulnerability factor, rank the organizations in comparison to one another, including your own office. Assign the strongest or safest organization for each factor the number 1. Assign the weakest or most vulnerable organization number 6 (or 5 etc., depending on the number of targets being examined). Of course, you will not have complete information, but estimate as best you can (it may be useful to conduct this process with partners to compare perceptions).
A generic example is filled out in full in the matrix below.
The advantage of this approach is that it approximates the thought process of many criminals (including terrorists) who target their victims by looking for “the weakest in the herd” or the “softest target.” If your organization is at the bottom compared to other nearby organizations in several vulnerability factors, it may indicate that threats may be directed at you rather than others, since you represent a “softer target”. This format is also very useful in presenting the findings of your vulnerability analysis to senior officers and budget offices to graphically explain why you are asking for funds to reduce vulnerability!
Finally, remember that to be of value, the data generated from the assessment of the different vulnerability factors must be correlated with each other, and with data from your threat assessment.
For example, say that your assessment reveals that you have the most valuable property of any similar potential target in your immediate environment. If so, your next question might be, how great a threat is theft in this area? To answer this you will return to the results of your threat assessment (do not forget to include change analysis). Is the threat high? If so, then you certainly will not want to be among the bottom of the rankings for appropriate security measures, among several other relevant factors. If your assessment indicates that you are comparatively weak in a number of vulnerability factors that relate to a threat that you have evaluated as high, this should be cause for concern—you will have to do something about it. You are now on your way to making an informed assessment of overall risk in your environment.
Vulnerability assessment is a critical activity in the SRM approach. The field level activities done to carry out this work will usually also involve threat assessment as discussed in the previous module and program assessment as will be discussed in the next.
The eight key factors to consider in conducting your vulnerability assessment are:
Use these vulnerability factors by benchmarking your own organization’s vulnerabilities against those of others in the same working environment.
This kind of comparison can quickly guide you in areas that may need improvement. Using the logic of the lion on the hunt, you do not want to be seen as the weakest animal in the herd.
Use this information to correlate vulnerabilities and threats. Are you particularly vulnerable in areas that create opportunities for a specific kind of threat? If so, you will need to take additional measures.