A Vulnerability Assessment (VA) is the final step in a Security Analysis, based on information developed in all the earlier stages (Site Survey, Area Study, Threat Assessment, and External Assets Evaluation). It requires honest qualitative evaluation of strengths and weaknesses against various threats, from which we identify upgrades worth pursuing. There are several useful techniques.

While the spectrum of threats to our well-being includes many that are not violent, there certainly are a growing number that are, and these are the ones we will focus on for Vulnerability Assessment purposes. The logic and the tools we will discuss can be adapted to other types of threats as well.

The Site Survey cataloged and characterized all aspects of our site, under various defined conditions. For instance, a church might have several external doors, of varying construction, locked or unlocked at various times, although under normal conditions they should all comply with fire codes that require they cannot prevent exit from inside the building. The doors, locks and frames will have certain characteristics noted in our survey, which will also note the ability to observe entrances, approaches, and the surrounding area from various locations within the building.

The same methodical characterization will cover windows, internal doors, the structural strength of walls and partitions, intrusion detection and alarm systems, and more. Routes usable to approach and escape from the building will be identified. How is the building and the property illuminated at night, and is there emergency lighting that will function during a power outage – and for how long?

The Site Survey and the External Assets Evaluation also address the human elements: the number, location, alertness, responsiveness, and abilities of people either on the property or likely to respond in the event of a security incident.

We will have schematics of buildings and property, supplemented by lists, tables and narratives addressing all these factors and more. But all of this is essentially just collation of data. The VA, by a variety of methods, evaluates how these various elements would interact with the adversaries profiled in our Threat Assessment. From that analysis we can formulate a strategy for:

• Physical security upgrades;
• Improvements in individual preparedness and readiness;
• Security response plans and procedures; and
• An implementation plan that identifies priorities, sequencing and expenditures.

Elements of a security system

What constitutes a security system depends to an extent on the nature of the threat (size, competence, motivation, objective) and the nature of the target (persons or property). Generally, though, the elements described in our Site Survey contribute to one or more of these goals:

• Delay;
• Detection;
• Disruption;
• Active defense on site; and
• Response from off site.

We'll define each of these here, and our VA process will evaluate how well each will perform against a spectrum of threats.

Delay

Delay in a military context is achieved by barriers and obstacles: mines, razor wire, and other natural or manmade impediments to movement and access to a protected area. In a civilian context, delay is more often provided by fences, gates, walls, stout construction, locked doors and latched windows. Almost all obstacles and delays can be overcome, with sufficient will, ability, tools and time; but delay provides us several major benefits:

• Additional time for detection, as an adversary works (often noisily) to overcome the obstacle, for instance cutting through a lock, chain, or fence, breaking glass, or breaching a door by force.
• Time for communication of the threat on site, and notifications off site, before the obstacles are overcome.
• Time for people on site to react according to plan, and for responders from off site to begin their movement.
• Deterrence: when an adversary discovers delay elements in his planning and preparation phase and assesses the difficulty and time required to defeat them, it may affect his calculation of the odds of success, and he may be deterred from acting.

Detection

Detection may be aided by delay imposed on the adversary, but does not depend on it. Proper planning and vigilance, enabled by training in observation skills, counter-surveillance and identification of pre-attack indicators, can allow us to detect an adversary before he commits, or early enough in his actions and approach to enable communication, notification, and on-site response as noted above.

Disruption

Detection followed by swift action can seize the initiative and disrupt the adversary's plan, get inside his decision-making loop and force him to withdraw or face defeat. It is often said that an attacker by default seizes the initiative and forces the defender to react, but this does not have to be the case, if early detection is followed by swift and effective action.

Active defense on site

Even in the most "normal" conditions, violent threats are seldom defeated by responders arriving from off site in response to notifications like a 9-1-1 call. Where police forces are still adequately staffed and responsive, their effective response times are seldom less than 5-10 minutes after notification, and if there is no one able to oppose an aggressor on site at the outset, he will work his will unhindered until law enforcement arrives. A lot of harm can be done in 5-10 minutes. Civilians legally armed and properly trained can exercise their right to self-defense and fill that gap, saving lives and property before police arrive (if they arrive at all). Depending upon the site and its occupants, some individuals may be physically fit, tactically proficient, and able to maneuver in a small team; or they may be less mobile or less well-trained, but able to perform effectively from a static position. We take account of these varying abilities in our training, planning and rehearsals.

Response from off site

In the deteriorating conditions of our society, we can anticipate situations that cannot be resolved successfully by the efforts of defenders on site. Responders from off site may be needed, and they may just as likely be family, friends, or associates rather than law enforcement in such circumstances. An historical example is the security challenges facing settlers in the western part of Massachusetts in the early to mid-1700s. Villages and even isolated homesteads sometimes came under attack by hostile Native American tribes. Even when surprised, they were frequently able to defend their homes and villages at least long enough for quick-response militia companies to come to their aid from neighboring townships a few miles away. These were the minutemen, responding on a moment's notice when the alarm was received, a force that was created to meet that exact need.

Assess what you have, not what you want (pacem Donald Rumsfeld)

Vulnerability assessment is an iterative process, as the security characteristics of a site have to be considered in relation to each threat that we have determined to be likely and/or dangerous enough to demand our attention. But while the process can be used to explore and evaluate improvements in our security posture, the starting point is an honest look at what we have right now.

Adversary Strategies and Scenarios

What in the formal VA community is called "adversary strategy" is what we have already formulated in the threat characterization stage of our Threat Assessment. It is what differentiates each particular threat from all others. However, the VA process requires that protective plans, systems, components and people must be tested against those threats to find weaknesses and identify productive upgrades and improvements in our security posture. our threat characterizations now need to be expanded and developed into specific scenarios.

While adversary strategies (or threat characterizations) differ from one another, their execution requires tactics that are often shared by other threats. For instance, any threat that targets people or property inside a structure has to get through the door – or penetrate the skin of the building in some other way. Many protection system components are chosen to defeat specific tactics, but in the absence of a Threat Assessment, those choices may have been casual or convenient ones: we just buy what look like better quality locks on the hardware store rack – that we can afford – rather than researching the topic and searching multiple sources to find the best.

Locking hardware protects against forced entry at a certain level regardless of the adversary's nature, goals or overall strategy. How effective doors, gates, and locks are – whether they actually prevent intrusion or merely require more effort to defeat, and impose more delay on the adversary – is a consequence of the adversary's strategy and capabilities. The stronger these physical security components, the more effective they will be against tactics of forced entry across the full spectrum of threats; but of course, we always face practical limitations in what level of security we can afford and accept in our everyday lives. Not every room can be a bank vault or a bunker. Choices must be made. The choices can be more informed, efficient, and effective if you look across the full spectrum of adversary strategies and the competence and capabilities they imply, and choose protective measures within your budget that are effective against the widest possible range of threats, accepting compromises and identifying weaknesses that cannot be corrected.

Adversary Scenarios are developed by adopting a "black hat" or "opposing force" perspective; and then planning, within the constraints set by a particular threat characterization, a detailed step by step method of achieving that adversary's goal. Of course, some threats will be less well organized, equipped and skilled than others. A pair of tweakers looking for a quick property grab to finance the night's drug buy are a distinctly different problem – and generally easier to delay, detect, deter, disrupt, or defeat – than professional burglars. Keep the threat's characteristics in mind and don't fall prey to the tendency to believe every adversary is "ten feet tall."

Each Adversary Scenario should be constructed along a timeline, and broken down into elements and specific tactics, with a realistic estimate of the time, tools, and skills required. If for instance, a property has a combination of natural terrain (rocky, steep, ditched, forested) and engineered barriers (gates, fences, deadfalls, or berms) that prevent or delay unauthorized approach by vehicles, then most adversary scenarios will include at least two variants: defeating the vehicle barriers, or approaching the target on foot. Time expended, tools and competencies required, chance of detection, likelihood of deterrence (deflecting the potential adversary toward an easier target) and other factors will be difficult across the spectrum of unwelcome guests. Similarly, entrance to a building might be attempted through various doors, windows, or other methods depending on the sophistication and preparedness of the adversary. Those methods and choices must be defined. It's easy to see how a single threat characterization could generate a number of adversary scenarios that need to be evaluated.

Adversary Scenarios will also include assumptions about how much time the adversary would be willing to devote to defeating each security element; this will be especially significant if alarms will alert occupants, or notifications will summon outside responders.

It is worth remembering that many bad actors – and all the most serious ones – spend considerable effort evaluating their target's characteristics and planning to defeat them. Even teenage school shooters do this. We owe ourselves at least as much effort in preparing to defeat them.

Parts 2 and 3 of this series will introduce tools and techniques for conducting the VA.