Vulnerability & Threat Risk Assessments

Other Security Planning & Consulting services:

 
img-header2-6

All facilities face a certain level of risk associated with various threats. These threats may be the result of natural events, accidents, or intentional acts to cause harm. Regardless of the nature of the threat, facility owners have a responsibility to limit or manage risks from these threats to the extent possible.

Threat Risk Assessments
The first step in a risk management program is a threat assessment. A threat assessment considers the full spectrum of threats (i.e., natural, criminal, terrorist, accidental, etc.) for a given facility/location. We will evaluate the likelihood (FREQUENCY) of occurrence for each threat as well as the negative effects (IMPACT) of particular threats if they were to occur. For natural threats, historical data concerning frequency of occurrence for given natural disasters such as tornadoes, hurricanes, floods, fire, or earthquakes can be used to determine the credibility of the given threat. For criminal threats, the crime rates in the surrounding area provide a good indicator of the type of criminal activity that may threaten the facility. In addition, the type of assets and/or activity located in the facility may also increase the target attractiveness in the eyes of the aggressor. The type of assets and/or activity located in the facility will also relate directly to the likelihood of various types of accidents. For example, a facility that utilizes heavy industrial machinery will be at higher risk for serious or life-threatening job related accidents than a typical office building.

For terrorist threats, the attractiveness of the facility as a target is a primary consideration. In addition, the type of terrorist act may vary based on the potential adversary and the method of attack most likely to be successful for a given scenario. For example, a terrorist wishing to strike against the federal government may be more likely to attack a large federal building than to attack a multi-tenant office building containing a large number of commercial tenants and a few government tenants. However, if security at the large federal building makes mounting a successful attack too difficult, the terrorist may be diverted to a nearby facility that may not be as attractive from an occupancy perspective, but has a higher probability of success due to the absence of adequate security. In general, the likelihood of terrorist attacks cannot be quantified statistically since terrorism is, by its very nature, random. Hence, when considering terrorist threats, the concept of developing credible threat packages is important.

Vulnerability Assessments
Once the credible threats are identified, we will then perform a vulnerability assessment. Potential impact(s) of loss from a successful attack as well as the vulnerability of the facility/location to an attack will be examined. A key component of the vulnerability assessment is that we properly define the ratings for impact of loss and/or vulnerability. These definitions may vary greatly from facility to facility. For example, the amount of time that mission capability is impaired is an important part of impact of loss. If the facility being assessed is an Air Route Traffic Control Tower, a downtime of a few minutes may be a serious impact of loss, while for a Social Security office a downtime of a few minutes would be minor. A sample set of definitions for impact of loss is provided below. These definitions are for an organization that generates revenue by serving the public.

  • Devastating:
    The facility is damaged/contaminated beyond habitable use. Most items/assets are lost, destroyed, or damaged beyond repair/restoration. The number of visitors to other facilities in the organization may be reduced by up to 75% for a limited period of time.
  • Severe:
    The facility is partially damaged/contaminated. Examples include partial structure breach resulting in weather/water, smoke, impact, or fire damage to some areas. Some items/assets in the facility are damaged beyond repair, but the facility remains mostly intact. The entire facility may be closed for a period of up to two weeks and a portion of the facility may be closed for an extended period of time (more than one month). Some assets may need to be moved to remote locations to protect them from environmental damage. The number of visitors to the facility and others in the organization may be reduced by up to 50% for a limited period of time.
  • Noticeable:
    The facility is temporarily closed or unable to operate, but can continue without an interruption of more than one day. A limited number of assets may be damaged, but the majority of the facility is not affected. The number of visitors to the facility and others in the organization may be reduced by up to 25% for a limited period of time.
  • Minor:
    The facility experiences no significant impact on operations (downtime is less than four hours) and there is no loss of major assets.

Vulnerability is defined to be a combination of the attractiveness of a facility as a target and the level of deterrence and/or defense provided by the existing countermeasures. Target attractiveness is a measure of the asset or facility in the eyes of an aggressor and is influenced by the function and/or symbolic importance of the facility. Sample definitions for vulnerability ratings are as follows:

  • Very High:
    This is a high profile facility that provides a very attractive target for potential adversaries, and the level of deterrence and/or defense provided by the existing countermeasures is inadequate.
  • High:
    This is a high profile regional facility or a moderate profile national facility that provides an attractive target and/or the level of deterrence and/or defense provided by the existing countermeasures is inadequate.
  • Moderate:
    This is a moderate profile facility (not well known outside the local area or region) that provides a potential target and/or the level of deterrence and/or defense provided by the existing countermeasures is marginally adequate.
  • Low:
    This is not a high profile facility and provides a possible target and/or the level of deterrence and/or defense provided by the existing countermeasures is adequate.

btn_download_pdf

Leave a Reply

Your email address will not be published. Required fields are marked *