Threat and Vulnerability Assessment

Jeremia Hall


August 20, 2018

George Gallitano



One of the pillars of a security professional's role inside a company is to identify threats that will affect its resources and assets. After the security department has determined the threats to the business, the next step is to identify the level of risk associated with the damage, theft, misuse or destruction of each resource and to provide an analysis to the leadership. It is essential for security professionals to take preventative measures to mitigate

Risk Identification

“The objective of risk identification is to understand what is at risk within the context of the organization's explicit and implicit objectives and to generate a comprehensive inventory of risks based on the threats and events that might prevent, degrade, delay or enhance the achievement of the objectives” (, n.d., para. 1). It is designed to help security professionals understand what resources are at risk both internal and external to the organization. It is important that security personnel have a basic understanding of the resources of an organization before they can identify the threats and risks associated with each. There are three main aspects to look at during the risk identification process: assets, exposure, and losses. According to Broder and Tucker (2012), “Risk control begins, logically, with the identification and classification of the specific risks that exist in a given environment” (p. 9). To initiate the identification process, a thorough risk assessment first needs to be conducted, encompassing personnel, networks, and policies and procedures (Broder & Tucker, 2012). The next logical step in the process, according to Broder & Tucker (2012), is to “determine the exposure of the organization. Security personnel should ask questions such as what are the company exposures? How does it contribute to damage, theft, loss of assets and personnel?” (p. 9). The last consideration identified is losses. It is essential to compile historical data from nearby organizations in the same market, such as the frequency, magnitude, and range of past losses experienced in the area (Broder & Tucker, 2012). Trends and analysis may not give the entire picture, but they can provide a brief snapshot in time to help identify risks and vulnerabilities and rank them accordingly.

Threat Determination


It is essential to look at where a company is located geographically when planning for natural threats. Nelson (2018) states, “A natural hazard is a threat of a naturally occurring event that will have a negative effect on humans. This negative effect is what we call a natural disaster. In other words, when the hazardous threat happens and harms humans, we call the event a natural disaster” (para. 1). While Nelson makes an excellent point, it is not just humans that will be impacted by natural disasters; a business’s resources, such as equipment and buildings, can be impacted as well. Natural hazards can come in the form of earthquakes, tsunamis, tornadoes, floods and even landslides. There will be incidents where a company will be unable to prevent loss from natural threats. In these types of situations, it is vital for organizations to try to minimize damage.


Man-made threats generally consist of bombs, terrorism, and theft. There are a plethora of examples of this type of threat that can affect a company and it is up to the security professional to identify which ones are the most likely to occur.

Bombs. A bomb is a man-made device that is used to inflict serious bodily harm or significant damage to property. It comes in many different forms, such as IEDs, pressure bombs or just a plain stick of dynamite. According to the Dictionary (n.d.), “it is a container filled with explosive, incendiary material, smoke, gas, or other destructive substance, designed to explode on impact or when detonated by a timing mechanism, remote-control device, or lit a fuse.” Security guards who stand watch, such as at a gate or building, should have measures in place to look for bombs. This can be accomplished by using mirrors to look under cars, bomb-sniffing dogs or even a vehicle bomb-scanning machine before vehicles gain access to the facility.

Thefts. Thefts are committed by internal or external personnel and can be either physical in nature or carried out through a cyber-attack, such as one using ransomware. According to Broder & Tucker (2012), “Most businesses will take the necessary precautions to protect themselves against the entry of burglars and robbers onto their premises” (p. 48). It is common for most companies to have mitigation procedures in place, such as access control to both spaces and systems, proper combination locks such as X09s, security cameras (CCTV) and a roving patrol. These basic standards will help reduce the number of internal and external thefts within the organization.


Technology is a vital part of how organizations operate, whether it is the Department of Defense, a Fortune 500 company or a small local business. With the continued rise of technology as a means to gain a competitive advantage, security professionals should ensure that not only company data but also partner and consumer data are protected. Companies keep personally identifiable information, asset information, financial records, etc. on systems that can be compromised if not adequately maintained. The Chief Security Officer and his/her personnel need to ensure that the information is safeguarded by keeping patches, software updates and virus scans current and by using Role-Based Access Control to keep staff from accessing unauthorized information or systems. For example, someone working in the shipping department does not need access to Human Resources information, and vice versa. Lastly, having the proper policies in place for strong passwords and maintaining logs will help reduce the chances of a cyber threat infiltrating the company’s systems. If there is a loss of sensitive information, it could cause grave and unrecoverable damage.


It is paramount that every organization conducts a risk assessment, whether it is a large Department of Defense organization, a Fortune 500 company, a courthouse, or even a local shop in the community. Threats come in all forms, and there is no one-size-fits-all mitigation plan. A company’s security professionals need to realize that there is no guaranteed solution. However, they must identify and define both acceptable and unacceptable risk and then implement mitigation procedures. Without mitigation steps for the identified risks, the organization would be left open to natural disasters, theft, cyber crimes, etc., which places organizational security in a precarious situation.

Security Measures Worksheet

Shown below is a security measures worksheet that was conducted for the Snohomish County District Court. It is in Everett, WA and is in the same building with several different human service agencies as well as across the street from the correctional facility. On March 21, 2018, there was a bomb threat near the courthouse and correctional facility that required an entire block to be shut down, some personnel to evacuate and others to remain in place until the threat was cleared.

Organization Name and Address: Snohomish County District Court, 3000 Rockefeller Ave, Everett, WA, 98201
Week 1: Threat and Risk Assessment Paper

Threat            Risk: Probability   Risk: Criticality   Risk: Total   Priority Rank
Robbery           3/10                4/10                7/20          3
Active Shooter    5/10                10/10               15/20         1
Bomb              3/10                10/10               13/20         2


Broder, J. F., & Tucker, E. (2012). Risk analysis and the security survey (4th ed.). Waltham, MA: Elsevier.

Dictionary. (n.d.). Retrieved from

Herald Staff. (2018). Bomb threat clears lobby at the Snohomish County Jail. Retrieved from

Nelson, S. A. (2018). Natural Hazards and Natural Disasters. Retrieved from

Risk Identification. Retrieved from

Rouse, M. (2018). Role-based access control (RBAC). Retrieved from