The assessment of vulnerability in a security risk assessment is two-fold:
Let’s take them one at a time:
1. What is the profile of the subject?
Defining the profile of the subject of your security risk assessment means understanding how attractive it is to the threat actors you identified in your threat assessment. For example, a pickpocket will find a well-dressed woman with an easily accessible handbag more attractive than a poorly dressed man carrying little of value.
The Australian Handbook 167 (HB167) includes a table of definitions for rating "Target Attractiveness" from Low to Extreme. That said, as long as you can rate the relative Target Attractiveness of your subject, or of the assets that support it, on a scale of one to five for example, you have achieved the aim.
Here is an example of a simple Profile or Target Attractiveness assessment for a manufacturing facility:
2. How well is it currently being protected?
Auditing existing security control measures is often the bread and butter of security managers. However, the audit must be carried out in the context of the assets that need protecting and the threats they need protecting from. Done in isolation, there is no way of knowing whether the controls being audited are in fact relevant to the prevailing threat landscape. This is as true in the digital realm as in the physical.
Julian Talbot, author of SRMBOK (the Security Risk Management Body of Knowledge), which uses the Bow Tie method, defines the need for two types of security control: Preventive and Responsive.
When designing a security strategy, preventive security controls (PSC) and responsive security controls (RSC) must be assigned to manage specific threats to specific assets.
When assessing the effectiveness of these controls, HB167 again offers a table and definitions ranging from Unsatisfactory to Excellent. But again, as long as you are measuring the relative effectiveness of each control in your audit plan, you have achieved the aim.
Here is another simple example of a security audit or Control Level Effectiveness (CLE) assessment for our manufacturing facility:
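As an added worked example (not from the article, and not the HB167 or SRMBOK tables), the Python below models both halves of the vulnerability assessment on a constructed manufacturing facility: each asset carries a Target Attractiveness label, each audited control is preventive or responsive with a Control Level Effectiveness rating, and each control is assigned to the asset/threat pairs it is meant to manage. The numeric readings of the two scales, the sample assets, threats and controls, and the rule that combines attractiveness with the weaker control layer into a 1 to 5 vulnerability score are all assumptions. It also surfaces the two audit findings the text warns about: asset/threat pairs with no preventive or no responsive control, and controls audited in isolation that are tied to no asset or threat at all.

```python
from dataclasses import dataclass
from itertools import product

# Assumed numeric readings of HB167's qualitative scales. The article does not
# reproduce the handbook's tables, so these labels and numbers are constructed.
ATTRACTIVENESS = {"low": 1, "moderate": 2, "high": 3, "very high": 4, "extreme": 5}
EFFECTIVENESS = {"unsatisfactory": 1, "poor": 2, "satisfactory": 3, "good": 4, "excellent": 5}


@dataclass(frozen=True)
class Control:
    name: str
    kind: str            # "preventive" or "responsive" (SRMBOK's two types)
    effectiveness: str   # key of EFFECTIVENESS, as rated in the audit
    protects: frozenset  # (asset, threat) pairs this control is assigned to manage


@dataclass
class Facility:
    assets: dict         # asset name -> Target Attractiveness label
    threats: set
    controls: list

    def pairs(self):
        return sorted(product(self.assets, sorted(self.threats)))


def best_controls(facility):
    """For every (asset, threat) pair, the strongest preventive and strongest
    responsive rating; 0 means no control of that kind covers the pair."""
    best = {pair: {"preventive": 0, "responsive": 0} for pair in facility.pairs()}
    for control in facility.controls:
        rating = EFFECTIVENESS[control.effectiveness]
        for pair in control.protects:
            if pair in best and rating > best[pair][control.kind]:
                best[pair][control.kind] = rating
    return best


def orphan_controls(facility):
    """Controls that were audited but are assigned to no asset/threat pair:
    their rating says nothing about the prevailing threat landscape."""
    return [c.name for c in facility.controls if not c.protects]


def control_gaps(facility):
    """Asset/threat pairs that lack a preventive or a responsive control."""
    return {pair: [kind for kind, r in layers.items() if r == 0]
            for pair, layers in best_controls(facility).items()
            if 0 in layers.values()}


def vulnerability(facility):
    """Assumed combination rule: the weaker of the two control layers leaves a
    residual exposure (5 - rating); average it with Target Attractiveness and
    round up, giving a 1..5 vulnerability score per asset/threat pair."""
    scores = {}
    for pair, layers in best_controls(facility).items():
        attractiveness = ATTRACTIVENESS[facility.assets[pair[0]]]
        residual = 5 - min(layers.values())
        scores[pair] = (attractiveness + residual + 1) // 2
    return scores


def prioritised(facility):
    """Asset/threat pairs ordered from most to least vulnerable."""
    return sorted(vulnerability(facility).items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample facility; names, labels and assignments are illustrative.
_ASSETS = {"CNC line": "high", "finished goods store": "very high", "admin office": "low"}
_THREATS = {"theft", "sabotage"}
PLANT = Facility(
    assets=_ASSETS,
    threats=_THREATS,
    controls=[
        Control("perimeter fence and gate access control", "preventive", "good",
                frozenset(product(_ASSETS, _THREATS))),
        Control("monitored alarm with CCTV verification", "responsive", "satisfactory",
                frozenset({("finished goods store", "theft"), ("CNC line", "sabotage")})),
        Control("visitor sign-in register", "preventive", "poor",
                frozenset({("admin office", "theft")})),
        Control("smoke detectors in disused annex", "responsive", "unsatisfactory",
                frozenset()),  # audited in isolation: tied to no asset or threat
    ],
)

if __name__ == "__main__":
    for pair, score in prioritised(PLANT):
        print(f"{score}  {pair[0]:22s} / {pair[1]}")
    print("control gaps:", control_gaps(PLANT))
    print("orphan controls:", orphan_controls(PLANT))
```

Running it ranks the finished goods store against sabotage as the most exposed pair (very high attractiveness, no responsive control assigned), lists every pair that relies on a preventive control alone, and names the annex smoke detectors as a control whose audit rating cannot be related to any threat the assessment identified.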