As its name suggests, a vulnerability assessment is a test of a system to locate, diagnose, and correct areas of weakness that might make it susceptible in times of crisis, attack, or destabilization. Any system that is created, operated, and shaped by humans may qualify for, and may in fact require, a vulnerability assessment. The expression entered the English language in the 1980s and 1990s, and usage increased markedly after the terrorist attacks of September 2001. Vulnerability assessments have been applied to everything from computer networks to water systems.
In 1998 and 1999, Sandia National Laboratories in Albuquerque, New Mexico, in partnership with the National Law Enforcement and Corrections Technology Center-Southeast Region, assessed the vulnerability of several correctional facilities. The first step in such an assessment was to determine areas of vulnerability, and then to examine scenarios whereby those vulnerabilities are exploited. In the case of the prisons, the partnership examined classes of adversaries, including inmates and their families, along with tactics they might use, as well as all reasonable escape scenarios. It was noted that, rather than using a checklist in the design of prison security, it was advisable to apply a more advanced computer-driven analysis system. This would make it possible to consider all available means by which adversaries might achieve their objectives.
In June 2002, the nation's 54,000 drinking water systems and 16,000 wastewater agencies spent a combined $700 million on vulnerability assessments, many of which had been spurred by the terrorist attacks of the preceding fall. At the same time, the Environmental Protection Agency (EPA) and the newly created Office (now Department) of Homeland Security had called for vulnerability assessments of critical infrastructure nationwide. Some industries welcomed this call as an opportunity for new business, but members of the oil and gas industry lobbied against a plan whereby companies would conduct vulnerability assessments and the EPA would assess compliance in certain areas. Meanwhile, vulnerability assessments have remained a powerful topic in the world of computers and cybersecurity. In January 2003, for instance, the Chemical Industry Date Exchange announced the formation of a new cybersecurity unit that would conduct a vulnerability assessment of chemical companies.
█ FURTHER READING:
"EPA Security Plan for Refining, Chemical Plants Blasted." Oil & Gas Journal 100, no. 39 (September 23, 2002): 22–24.
Giodano, Vincent. "Is It Right for Your Company?" Communications News 37, no. 9 (September 2000): 66–68.
Landers, Jay. "Safeguarding Water Utilities." Civil Engineering 72, no. 6 (June 2002): 48–53.
Seewald, Nancy. "CIDX Forms Cybersecurity Unit." Chemical Week 165, no. 2 (January 15, 2003): 20.
Spencer, Debra D. "Vulnerability Assessment." Corrections Today 60, no. 4 (July 1998): 88–92.
Wright, Andrew J., et. al. "War, Recession, and Growth." ENR 249, no. 2 (July 8, 2002): 34–36.
Terrorism, Intelligence Based Threat and Risk Assessments