There are basically two types of security vulnerability analyses, qualitative and quantitative. The qualitative approach combines experience, prioritization and substantial descriptive narrative information. Quantitative assessments use canned checklists, which may or may not be applicable to the environment they are being used in. Starting out with quantitative methods alone does not provide a complete security picture, nor does that approach provide value.
Quantitative assessments are more suited for an organization that already has security standards stringent enough to be the basis for a checklist type of self-assessment. For example, an organization may require all facilities of a certain type to have fences, which could be one item on a checklist. However, organizations that use checklists as a basis for their assessments may not be seeing beyond the one-dimensional question on the checklist.
A similar caution applies to a pre-made checklist on a personal digital assistant. A checklist on a PDA can be a useful guide or recording device, but it is not a substitute for detailed knowledge and experience.
The goal of a security vulnerability analysis should be to shore up security so it can be measured with finite questions and the culmination of a self-assessment checklist based on that organization's environment.
The major steps for either a qualitative or quantitative security vulnerability analysis are:
1. Interviews
2. Field surveys (on-site assessment)
3. Prioritization
4. Report/budget
5. Presentation
No assessor, no matter how qualified, will be able to evaluate a facility without interviews. Interviews with key stakeholders are extremely important to evaluate vulnerabilities and make recommendations that will be culturally acceptable to the organization. Interviews should involve all facets of an organization being assessed: janitorial staff, facilities managers, risk managers, human resources, executives, middle managers, security personnel, and so on.
In addition, the assessor must conduct a field analysis during both working and non-working periods of time to evaluate or familiarize the assessor with concerns identified during the interview process. Ideally, an assessment should also involve a lighting analysis, which would be based on actual light meter readings, not perception. The culmination of the on-site assessment will begin the report portion of the document. The report should prioritize all security vulnerabilities. The prioritization also provides an outline for the formation of the final written report.
Sometimes, many concerns are raised in the security vulnerability analysis but the report recommendations fail to address those concerns. Security vulnerability analysis reports should always have recommendations; in fact, there should be multiple recommendations to manage vulnerabilities that have been identified.
The report should also provide budgetary analysis for recommended improvements in conjunction with the priority, so costs and benefits can be identified.
In addition, the report should have an executive summary to convey the priorities that should be managed. The executive summary provides a briefing for top executives. These priorities should look at broad vulnerabilities and controls: increasing lighting, securing perimeter doors, increasing awareness, implementing a key management program, and so on. The executive summary would also be the outline for a presentation to top management, which may be required, based on the overall importance of the security vulnerability analysis in the organization or in the enterprise risk management process.
Many organizations require that a security vulnerability analysis be conducted by an unbiased third party. This should not be construed as a lack of confidence in the facility or security manager, but rather a second opinion. Organizations want to make informed decisions, and rely on third party assessors to bring unbiased views and information that an assessor has collected from other engagements for the organization's benefit.
Today, organizations face many risks. When broad security concerns or risks have been identified, a security vulnerability assessment is essential to developing a security program that hits the target. 
Sean Ahrens (sean_ahrens@schirmereng.com), CPP, CSC, is a senior security consultant with Schirmer Engineering, an Aon Global company. With more than eighteen years of experience in the security industry, Ahrens has been responsible for providing security threat analysis, contingency planning, loss prevention, and force protection design and planning.
A Security Vulnerability Analysis Helps Identify Real Threats
Security Analysis Should Go Beyond Checklists, Include Recommendations
