Vulnerability Assessment

Introduction

Vulnerability analysis is the phase in which we evaluate the protection systems capable of mitigating the critical risks that appear in the risk matrix. These systems are evaluated through on-site audits that take into account the suitability of the intellectual capital employed (dimensioning and training), the material resources used (adequacy and quantity), norms and procedures (adherence and respect), management capacity (direction/clarity and control/monitoring) and organizational culture (acceptance and risk culture).

This analysis is based on measuring the Vulnerability Index (IV), an index that quantifies the gaps in the existing protection systems' ability to cope with the various risks.

The Vulnerability Index (IV) can be obtained in two ways: by applying the Parameterized Vulnerability Analysis Worksheets or by using the Vulnerability Index Calculation Reference Table (Summary Method).

Vulnerability Analysis: Parametric Method

Ideally, the Vulnerability Index should be obtained by applying the Parameterized Vulnerability Analysis Worksheets, which are developed from standardized checklists with five classification levels. Although this procedure takes more time than using the Vulnerability Index Calculation Reference Table, its accuracy is much greater, and it gives far better guidance for the measures to be taken afterwards (such as projects and corrective actions) to improve the systems evaluated.

In general, IV is obtained by applying the Parameterized Vulnerability Analysis Worksheets on site (in loco) and then taking a weighted arithmetic mean of the results for the systems analyzed, which yields the Vulnerability Index (IV). A rational model similar to FMEA can be used to define the weight of each question in the parametric checklist. In that case the result is more assertive and precise than simply assigning a weight to each item of the parameter list (Parameterized Vulnerability Analysis Worksheet).

The Parameterized Vulnerability Analysis Worksheet allows protection systems to be evaluated against parametric lists with five levels, based on best practice in the market. In this way a very precise diagnosis is obtained, which serves as the basis for defining the projects and/or actions required to reduce vulnerabilities and mitigate risks.

Another advantage of this process is that the parametric lists, once prepared, can be reused countless times to audit the effectiveness of protection systems, to support gap analysis and to prepare risk mitigation plans.

The following is an example of a Parameterized Vulnerability Analysis Worksheet as used by field surveyors to collect data during field work. Through these worksheets it is possible to verify the level of effectiveness of the company's risk management systems and processes.

Once the work of structuring and parameterizing them is complete, the Parameterized Vulnerability Analysis Worksheets have proven to be a simple, adequate and efficient tool for identifying and quantifying risks.

Their application enables faster execution and lower costs, because senior-level professionals can be replaced by junior-level professionals in the initial phases of the analysis.

Thus, the more experienced professionals are reserved for reviewing reports and supervising, while the juniors perform the field survey work.

Another characteristic is the universality of the methodology: it allows the knowledge of the most diverse areas to be elicited when preparing the worksheets, requiring the specialists of those areas only in the initial phase of creating them, while execution can be carried out in a homogeneous and decentralized way, bringing speed and economy to the vulnerability assessment process.

The parametric analyses generate the Parameterized Vulnerability Analysis Table, which is compiled from the Parameterized Vulnerability Analysis Worksheets. It provides an overview of the various systems and their respective levels of effectiveness.

In addition, applying the Parameterized Risk Analysis Worksheets makes possible solutions to the existing problems visible, since each parameter defined as level one was based on a solution that the market considers a reference or "best practice".

The compiled result of an evaluation carried out with the Parameterized Vulnerability Analysis Worksheet on patrimonial security protection systems follows:

[Figure: compiled Parameterized Vulnerability Analysis Table for patrimonial security protection systems]

Another way to present this table is to use color coding instead of numbers. This makes visualization easier and allows rapid identification of the most vulnerable systems.

[Figure: color-coded Parameterized Vulnerability Analysis Table]

When using the Parameterized Vulnerability Analysis Table, you can also use the Corrective Needs Framework, which maps each Level of Vulnerability to its Corrective Need. This allows a quick and practical reading of the Parameterized Vulnerability Analysis Table, whether it is expressed in colors or numbers, and makes it easy to see the vulnerabilities grouped logically, systemically and properly classified.

[Figure: Corrective Needs Framework, Level of Vulnerability versus Corrective Need]
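As an added illustration (not code from the original article), the arithmetic of the parametric method in Python: each protection system's worksheet is a list of five-level items with FMEA-style weights, the IV is their weighted arithmetic mean rescaled to 0..100, and a band table maps the IV to a table colour and a corrective need. The weights, the sample worksheets and the band thresholds are assumptions, since the article does not publish its own values.

```python
# Added example, not from the original article: weighted-mean IV for 5-level
# worksheets (1 = best practice, 5 = largest gap; levels, weights, worksheets
# and band thresholds are assumed for illustration).
from dataclasses import dataclass

@dataclass(frozen=True)
class Item:
    question: str
    weight: float  # FMEA-style importance weight (assumed value)
    level: int     # auditor's on-site classification, 1..5

def vulnerability_index(items):
    """Weighted arithmetic mean of levels, rescaled: 0 = no gap, 100 = all level 5."""
    if not items:
        raise ValueError("worksheet has no items")
    for it in items:
        if it.level not in (1, 2, 3, 4, 5) or it.weight <= 0:
            raise ValueError(f"{it.question!r}: level must be 1..5, weight > 0")
    mean_level = sum(it.weight * it.level for it in items) / sum(it.weight for it in items)
    return (mean_level - 1) / 4 * 100

# Assumed band table: upper IV bound -> (colour for the table, corrective need).
BANDS = [(20, "green", "maintain"), (40, "yellow", "monitor / minor adjustments"),
         (60, "orange", "corrective actions"), (80, "red", "corrective project"),
         (101, "black", "immediate intervention")]

def corrective_need(iv):
    for bound, colour, need in BANDS:
        if iv < bound:
            return colour, need
    raise ValueError("IV outside 0..100")

def vulnerability_table(worksheets):
    """Compiled table: system -> (IV, colour, corrective need), worst system first."""
    rows = {}
    for name, items in worksheets.items():
        iv = vulnerability_index(items)
        rows[name] = (iv, *corrective_need(iv))
    return dict(sorted(rows.items(), key=lambda kv: kv[1][0], reverse=True))

# Constructed worksheets for three patrimonial security protection systems.
WORKSHEETS = {
    "Access control": [Item("Visitor registration", 3, 2), Item("Badge validation", 5, 1),
                       Item("Anti-tailgating controls", 2, 4)],
    "CCTV": [Item("Camera coverage", 4, 3), Item("Recording retention", 4, 5),
             Item("Live monitoring", 2, 4)],
    "Perimeter": [Item("Fence condition", 5, 1), Item("Lighting", 5, 2)],
}
if __name__ == "__main__":
    for system, (iv, colour, need) in vulnerability_table(WORKSHEETS).items():
        print(f"{system:<15} IV={iv:5.1f}  {colour:<7} {need}")
```

The sorted output is the numeric form of the table above; swapping the number column for the colour column gives the colour-coded variant.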

Vulnerability Analysis: Method Summary

If specific Parameterized Vulnerability Analysis Worksheets are not ready for a given theme or evaluation area (remember that each risk is tied to a specific protection system, which is evaluated by its own set of vulnerability analysis worksheets), or there is no time to prepare them, the Vulnerability Index can be estimated much faster using the Vulnerability Index Calculation Table (Summary Method). It should be remembered, however, that the accuracy of this process is significantly lower than that of the parametric method.

If this second option is chosen, the table below is used:

[Figure: Vulnerability Index Calculation Reference Table (Summary Method)]

To make the factors in the Vulnerability Index Calculation Reference Table easier to use, the items of the formula are described below:

[Figure: description of the items in the Vulnerability Index formula]

It is important to emphasize that the distortion is even greater when unfounded assumptions ("feeling") are used instead of the Vulnerability Index Calculation Reference Table (the Summary Method for calculating the Vulnerability Index) or the Parameterized Risk Analysis Worksheets (the Parametric Method for calculating the Vulnerability Index).

Heat Map of Vulnerabilities

At this stage a Heat Map of Vulnerabilities of the Protection Systems (vulnerability map) is generated, giving the risk manager a clear idea of where the greatest gaps in their protection systems are. This Heat Map of Vulnerabilities is simply a dashboard that gives the risk manager an overview of the level of effectiveness of their protection systems by area of the organization, as shown below:

[Figure: Heat Map of Vulnerabilities by area of the organization]

The heat map provides a clear prioritization of the actions and investments to be made in protection systems. When the parametric method is used, heat maps can be created at various levels of detail.

[Figure: Heat Map of Vulnerabilities at another level of detail]