Asset-Based and Scenario-Based
Vulnerability Assessments
Vulnerability assessments tie assets to threats in an effort to identify poten-
tial vulnerabilities and countermeasures to reduce those vulnerabilities. The
level of vulnerability of each asset and threat is evaluated using either an asset-
based or a scenario-based assessment.
Asset-based vulnerability assessments are broad evaluations of assets and the
threats that impact those assets. For example, an asset-based assessment at a
jewelry store will focus on the jewelry as the primary asset in need of protec-
tion and the threats that may impact on the jewelry. Asset-based assessments
assume that every scenario cannot be imagined or that those that are imagi-
nable are too speculative to consider.
Scenario-based vulnerability assessments, on the other hand, focus on the
attacks themselves. The scenario-based assessment evaluates vulnerability by
asking how targets might be attacked. This type of assessment requires knowl-
edgeable assessment team members who have an understanding of history and
can foresee the methods used by adversaries in the future. While history is a
primary indicator, not all future threats can be anticipated based on past attack
modes. Certainly, the September 11 attacks are evidence of a new attack mode
that was not anticipated, at least not by the masses, prior to 2001. Scenario-
based assessments are advantageous in that they are better suited for assessing
high-value assets and high-consequence attacks. Unfortunately, this advantage
also creates a problem whereby lesser threats are ignored and security meas-
ures are not implemented. The scenario-based vulnerability assessment process
includes the following six steps undertaken by the vulnerability assessment
team:
1. Selects the scenario to evaluate.
2. Studies the target’s (asset) characteristics.
3. Evaluates certain types of adversaries and attack modes.
4. Evaluates the likelihood of the existing security measure’s ability to
deter, detect, or delay the attack.
5. Analyzes the consequences of the assets loss, damage, or destruction.
6. Assigns a vulnerability rating.
The attack scenarios are normally selected by the vulnerability assessment
team from the high-consequence alternatives. While the team’s goal is to be cre-
ative, the scenario must be sufficiently realistic. A fair assessment of the target’s
attractiveness, from the adversary’s perspective, is critical to accurately evalu-
ate the strengths and weaknesses of each asset. Although it is easy to theorize
about well-trained, skilled, and properly equipped adversaries, the team should
not create an infallible threat. History has shown repeatedly that adversaries
90 Strategic Security Management
Get Strategic Security Management now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
