INTEGRATING VULNERABILITY AND RISK ANALYSES OF VARIOUS DISCIPLINES

Year: 2004

Author(s): Roxanne E. Steward - Pacific Northwest National Laboratory

Abstract
This paper examines the importance of integrating vulnerability assessments and risk analyses (RA) of various disciplines, specifically physical security, cyber security and safety hazard analysis. The identification of vulnerabilities and associated risk in these disciplines is extremely important to the overall management and protection of facilities, systems and personnel. Each discipline has identified methodologies and processes for conducting risk analysis, with six common elements within these methodologies. These common elements are: 1) threat analysis; 2) target identification; 3) facility/system characterization; 4) identification of existing protection measures; 5) vulnerability identification and risk analysis, including mitigating factors if necessary; and 6) documentation of results. Although the results can be different and subject matter expertise is diverse among the disciplines, the processes are similar.

The integration of the RA results is vital to management in order to ensure assets are protected and available funding is allocated appropriately. Budgets are limited for all corporations; therefore, analyzing the results from all disciplines allows cost benefit analyses to direct funding allocation and risk acceptability. Additionally, identified vulnerabilities in one discipline can impact the level of risk for another discipline. For example, a weakness in the first layer of physical protection could be considered low risk yet directly affects cyber and safety hazard analyses. Without knowledge of this weakness, the other disciplines assume adequate protection and take greater credit for an area, resulting in skewed results and possibly higher risk. Additionally, if an analysis results in low or no risk, the documentation is typically not protected effectively and at times may be released outside the organization.

It is a certainty that potential adversaries/intruders both inside and outside the organization are continually gathering information and integrating that information to fit the pieces of the puzzle together. Unless the organization itself is also doing that integration, facilities, systems and personnel are vulnerable and open for compromise.