Vulnerability Assessment


Some Alternative Definitions of Vulnerability

Monday, November 17th, 2008

Juergen Weichselgartner’s 2001 paper entitled “Disaster Mitigation: The Concept of Vulnerability Revisited” (Disaster Prevention and Management, Vol. 10, No. 2, pp. 85-94, doi:10.1108/09653560110388609) provided a nice summary of alternative definitions for the word “vulnerability” gleaned from a variety of academic publications (copied below; see original paper for citations).

  • Gabor and Griffith (1980) Vulnerability is the threat (to hazardous materials) to which people are exposed (including chemical agents and the ecological situation of the communities and their level of emergency preparedness). Vulnerability is the risk context.
  • Timmerman (1981) Vulnerability is the degree to which a system acts adversely to the occurrence of a hazardous event. The degree and quality of the adverse reaction are conditioned by a system’s resilience (a measure of the system’s capacity to absorb and recover from the event)
  • UNDRO (1982) Vulnerability is the degree of the loss to a given element or set of elements at risk resulting from the occurrence of a natural phenomenon of a given magnitude
  • Petak and Atkisson (1982) The vulnerability element of the risk analysis involved the development of a computer-based exposure model for each hazard and appropriate damage algorithms related to various types of buildings
  • Susman et al. (1983) Vulnerability is the degree to which different classes of society are differentially at risk
  • Kates (1985) Vulnerability is the “capacity to suffer harm and react adversely”
  • Pijawka and Radwan (1985) Vulnerability is the threat or interaction between risk and preparedness. It is the degree to which hazardous materials threaten a particular population (risk) and the capacity of the community to reduce the risk or adverse consequences of hazardous materials releases
  • Bogard (1989) Vulnerability is operationally defined as the inability to take effective measures to insure against losses. When applied to individuals, vulnerability is a consequence of the impossibility or improbability of effective mitigation and is a function of our ability to detect hazards
  • Mitchell (1989) Vulnerability is the potential for loss
  • Liverman (1990) Distinguishes between vulnerability as a biophysical condition and vulnerability as defined by political, social and economic conditions of society. She argues for vulnerability in geographic space (where vulnerable people and places are located) and vulnerability in social space (who in that place is vulnerable)
  • Downing (1991) Vulnerability has three connotations: it refers to a consequence (e.g. famine) rather than a cause (e.g. drought); it implies an adverse consequence (e.g., maize yields are sensitive to drought; households are vulnerable to hunger); and it is a relative term that differentiates among socioeconomic groups or regions, rather than an absolute measure or deprivation
  • UNDRO (1991) Vulnerability is the degree of the loss to a given element or set of elements at risk resulting from the occurrence of a natural phenomenon of a given magnitude and expressed on a scale from 0 (no damage) to 1 (total loss). In lay terms, it means the degree to which individual, family, community, class or region is at risk from suffering a sudden and serious misfortune following an extreme natural event
  • Dow (1992) Vulnerability is the differential capacity of groups and individuals to deal with hazards, based on their positions within physical and social worlds
  • Smith (1992) Human sensitivity to environmental hazards represents a combination of physical exposure and human vulnerability ± the breadth of social and economic tolerance available at the same site
  • Alexander (1993) Human vulnerability is function of the costs and benefits of inhabiting areas at risk from natural disaster
  • Cutter (1993) Vulnerability is the likelihood that an individual or group will be exposed to and adversely affected by a hazard. It is the interaction of the hazard of place (risk and mitigation) with the social profile of communities
  • Watts and Bohle (1993) Vulnerability is defined in terms of exposure, capacity and potentiality. Accordingly, the prescriptive and normative response to vulnerability is to reduce exposure, enhance coping capacity, strengthen recovery potential and bolster damage control (i.e., minimize destructive consequences) via private and public means
  • Blaikie et al. (1994) By vulnerability we mean the characteristics of a person or a group in terms of their capacity to anticipate, cope with, resist and recover from the impact of a natural hazard. It involves a combination of factors that determine the degree to which someone’s life and livelihood are put at risk by a discrete and identifiable event in nature or in society
  • Green et al. (1994) Vulnerability to flood disruption is a product of dependence (the degree to which an activity requires a particular good as an input to function normally), transferability (the ability of an activity to respond to a disruptive threat by overcoming dependence either by deferring the activity in time, or by relocation, or by using substitutes), and susceptibility (the probability and extent to which the physical presence of flood water will affect inputs or outputs of an activity)
  • Bohle et al. (1994) Vulnerability is best defined as an aggregate measure of human welfare that integrates environmental, social, economic and political exposure to a range of potential harmful perturbations. Vulnerability is a multilayered and multidimensional social space defined by the determinate, political, economic and institutional capabilities of people in specific places at specific times
  • Dow and Downing (1995) Vulnerability is the differential susceptibility of circumstances contributing to vulnerability. Biophysical, demographic, economic, social and technological factors such as population ages, economic dependency, racism and age of infrastructure are some factors which have been examined in association with natural hazard
  • Gilard and Givone (1997) Vulnerability represents the sensitivity of land use to the hazard phenomenon
  • Comfort, L. et al. (1999) Vulnerability are those circumstances that place people at risk while reducing their means of response or denying them available protection
  • Weichselgartner and Bertens (2000) By vulnerability we mean the condition of a given area with respect to hazard, exposure, preparedness, prevention, and response characteristics to cope with specific natural hazards. It is a measure of capability of this set of elements to withstand events of a certain physical character

Of course, this list is by no means complete; in fact, the definitions from obvious sources such as Webster’s dictionary, Department of Defense doctrine, and a host of other papers were not included.  I leave it to the readers of this blog to discover alternative definitions that are most suited for his or her particular application.  But if one was looking for a really short definition of vulnerability to sum up everything above, consider the following two (my preferences):

Vulnerability is the manifestation of the inherent states of a system that render it susceptible to harm or loss (a paraphrased definition of the notion of vulnerability offered by Prof. Yacov Haimes at the University of Virginia)

The vulnerability of an entity to realizing a specified adverse outcome following the occurrence of a particular triggering or initiating event is measured as the conditional probability of the outcome given the triggering event has occurred (an expanded version of the definition I offer in my SRA 311 class at Penn State)

Terrorism: The Executive’s Guide to Survival by Fuqua and Wilson (Quick Book Review)

Saturday, October 4th, 2008

Paul Fuqua and Jerry Wilson’s book Terrorism: The Executive’s Guide to Survival (Gulf Publishing Company, 1977, ISBN: 0872018210) is a neat little gem of a text that provides practical information for executives on how to protect their person and their business.  An abstract of this book is available here.

According to the rear cover of the book, Paul Fuqua and Jerry Wilson are both veterans of the Washington DC Metropolitan Police Department.  Paul Fuqua was a police officer and later director of public information, whereas Jerry Wilson ultimately served as police chief from August 1969 through September 1974.  Both have B.S. degrees in Administration of Justice from American University, but any boost in credibility from this degree pales in comparison to their years of practical experience dealing with anti-war protesters converging on DC (imagine the need politicians felt for executive protection), the 1968 Washington DC riot in the wake of the murder of Martin Luther King, Jr. (as line officers at the time), the Watergate scandal (not sure how relevant this experience is to the book, but I felt it worth mentioning), the rise of international terrorism (e.g., airline hijackings), and other routine and extreme urban crime events.

The purpose of this book is stated in the foreground of the front cover - to help executives “know what [they] can do to prevent, bombings, kidnappings, and extortion.”  The authors emphasize the importance of this book implicitly via a background image of what appears to be splattered blood atop a black wall or broken glass (morbid, but effective; unfortunately my scan only shows a black and white image).  From the point of view of the executive reader, the question at issue is “what can I do” to prevent bombings, kidnappings, extortion, or splattered blood?  Actually, when you read the book, you quickly learn that the advice offered by the authors is more broadly geared toward risk reduction, which includes both prevention (to reduce probability of event) and protection (to reduce vulnerability).

As one might expect given the authors’ backgrounds, the book is very practical and not academic in the least.  The authors actually state in the Preface that “abstract theory has been subordinated to practical knowledge” (p. vii).  In this book, I personally would have chosen to use the word “guidance” in lieu of knowledge because it doesn’t get deep enough into any particular subject (though its breadth is nice and wide).  In 151 pages, the authors give the most brief historical account of bombings (Ch 1), how bombs work (Ch 2), how to prepare a risk study (Ch 3), how to deal with bomb threats (Ch 4), how to search for hidden bombs (Ch 5), how to evacuate a facility subject to a bomb threat (Ch 6), how to deal with mail bombs (Ch 7), how to protect against placement of bombs in the first place (Ch 8), how to prevent kidnapping (Ch 9), and how to deal with a kidnapping or hostage situation when one occurs (Ch 10).  All chapters following Ch 2 are packed full of guidance and procedures addressing the theme of the chapter, to include checklists and form templates and pictures when appropriate.  This book is definitely worth an hour or two of perusal if it can be picked up on the cheap.  Right now, Alibris.com has a listing for a used copy of this book for around $6.50 (say $10.00 with shipping and handling).

The following are some things I noticed that apply to the stuff I routinely think about:

  • At the end of the chapter on the history of bombings (Ch 1), the authors clearly articulate that “whether or not the ultimate goals of a bombing campaign are achieved is of little interest to the individual targets of specific bombings.  For the individual victim the loss of life, limb, or property is likely to be the important consideration, regardless of the broader goals of the bomber” (p. 17).  In fact, the authors highlight that the level of control in the area of event prevention is minimal, as there is “no feasible absolute procedure for the prevention of bombings” within the ability of typical protectors to implement.  Accordingly, the authors stress (in not so many words) that the emphasis of most security risk management activities is on vulnerability reduction and loss prevention (both are arguably vulnerability management, where vulnerability is taken to be probability of loss given event).  I couldn’t agree more, but to call an activity a “risk assessment” insists on at least a meager consideration of the likeliness of event.
  • In their review of the history of “anti-colonial bombings” (pp. 13-14), the authors highlight activities of the Irgun Lvai Teumi group (I think this spelling is incorrect), an old-school paramilitary guerilla organization “whose objective was the creation of an independent Jewish state within its original biblical boundaries.” This objective sounds oddly similar to the activities of modern day Palestinian groups.  I recall reading something about such a group in Bruce Hoffman’s book Inside Terrorism (Columbia University Press, 1999, ISBN: 0231114699).  The way this information was presented was especially intriguing to me in light of the modern Israel-Palestinian crisis; however, since Fuqua and Wilson do not cite any of their sources and have no stated experience in terrorism studies or being witness to these events, I am forced to take their summaries with a grain of salt.  Notwithstanding the potential factual inaccuracies, the intent of this chapter was to justify why it is important to think about bomb risk.  Fortunately for the reader (though unfortunately for society), the explosive threat is broadly accepted by society as both real and significant.  But I must admit that I am tempted to pull out Dr. Hoffman’s book and give it another read.
  • In their Chapter 3 on preparing a risk study, the authors offer a three step process for assessing risk that consists of (1) reviewing past histories of bombing, (2) determining critical areas of an organization that would be most affected by a bombing, and (3) reviewing security countermeasures to see whether they meet security objectives.  To implement the first step, the authors ask that you convince yourselves that bomb threats are important to consider in your specific circumstances, nothing more.  Depending on who the decision maker is, this might be easy or hard depending on the risk attitude of the decision maker, predispositions (warranted or not), external stressors, etc.  The second step asks to identify and classify all physical areas of an organization in terms of impact following an explosive event.  The classification scheme is based on a four-tier qualitative criticality rubric that, in my eyes, is simple and sweet (shown below).  The third and final step offers a comprehensive security assessment checklist that “offers a starting point for an organizations own security survey.”  Accordingly, this step offers no guidance on which checkmarks matter in different contexts; it is purely up to the decision maker to decide (and rightly so).  But as far as being a practical book for executives, some guidance should have been offered.

  • Finally, the authors talk about the “three D’s of security”: “denial,” “detection,” and “deterrence.”  At first glance, I thought several items were missing from the “three D’s.”  After all, when I first started at the Department of Homeland Security in mid-2003, a different string of “D’s” was tossed around the Protective Security Division (under the direction of Mr. James F. McDonnell) of the Information Analysis and Infrastructure Protection (IAIP) directorate, namely “detect,” “delay,” “defend,” and “devalue.”  So why the difference?  I think I have an answer, but I will defer responding until a later post…

Vulnerability Defined and Discussed: SRA 311 Lectures 7 and 8

Tuesday, September 23rd, 2008

Last week’s SRA 311 (Risk Management: Assessment and Mitigation) lectures focused on all things vulnerability.  As defined in a much earlier lecture, the general qualitative (albeit probabilistic) expression for risk, R, is as follows:

R = {<e,p,o>}  (1)

where e is one among many types of initiating events, o is one of many outcomes of concern, and the probability p is the joint probability of both e and o occurring, or:

p = Pr(e,o) = Pr(e)Pr(o|e)  (2a)

= Pr(o)Pr(e|o)  (2b)

where Pr(e) is the probability of event and Pr(o|e) is the vulnerability to realizing outcome o given e has occurred.  The use of the curly braces “{” and “}” in Eq. 1 implies that risk is the complete set of triplets for all possible combinations of e and o for a given situation (i.e., cross product of E and O, where E and O are the sets of all events and outcomes, respectively).  And it must be kept in mind that the scope of the risk analysis constrains how e, o, and p are assessed.

Common, but Apparently Different, Expressions for Risk. Now, the experienced risk practitioner might question why Eqs. 1 and 2 look so dramatically different than the prototypical formula for risk:

Risk = Threat × Vulnerability × Consequence (3)

As it turns out, the “colloquial” expression for risk in Eq. 3 is identical to the expression I put forward in Eq. 1.  To see this, let’s examine what Eq. 3 actually says.  The “colloquial” expression for risk states that risk is the combination of threat and vulnerability and consequence, that is, the “×” denotes the cartesian product and not the more restrictive arithmetic product.  Equation 1 says the same thing, namely that risk is the combination of all pairings of initiating events (e.g., threats), outcomes (e.g., consequences), and the probability that binds them.  This probability, according to Eq. 2a, is largely a function of the system states that enable event e to result in outcome o (e.g., vulnerabilities).  Again, Eqs. 1 and 3 are essentially the same, although I must admit that it is much easier to explain Eq. 3 to decision makers than it is to even come close to explaining Eq. 1.

So what about the commonly accepted definition of risk as “probability times consequence?”  This simplification of risk is actually equivalent to Eq. 2a under certain assumptions.  Equation 2a provides a means for expressing the full probability distribution over the space of potential outcomes.  If the outcomes o are expressed on a cardinal or ratio scale, then one can find the expected value of the vulnerability term, where the expected value is actually the expected loss given occurrence of an event (see any basic textbook on probability and statistics to see how this is done).  With vulnerability expressed as expected loss, Eq. 2a reduces to a probability times a consequence.  Alternatively, one can decompose the vulnerability term into two distinct probabilities as follows:

Pr(o|e) = Pr(o|e,s)Pr(s|e)  (4)

where Pr(s|e) is the probability of adversary success given attack (obviously this value is one when natural events are considered) and Pr(o|e,s) is the probability of an outcome given a successful attack.  Here, one can find the expected value of the outcome probability Pr(o|e,s) to arrive at a value for expected loss given a successful attack.  Again, Eq. 2a reduces to a probability times a consequence, albeit this time the probability is the product Pr(e)Pr(s|e) and the consequence is the expected loss given adversary success.  In fact, this is the form of Eq. 2a that is most often used in probabilistic security risk methods.  But it is important to note that Eq. 4 is just one version of Eq. 2a, and that there are many others that are simpler or more complex depending on the needs of the decision maker.  But in the end, Eq. 2 (both a and b) is the most general conceptual expression for risk.
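
The reduction described above can be checked numerically. The following Python example is added here and is not from the original lecture: it builds the triplet set of Eq. 1 and shows that Eq. 2a and its Eq. 4 form give the same probability-times-consequence value. The event names, probabilities and dollar losses are constructed, and it assumes that an unsuccessful attack leads to the "none" outcome.

```python
from dataclasses import dataclass, replace
from itertools import product

# Outcomes o on a ratio scale: loss in dollars (constructed values).
LOSS = {"none": 0.0, "minor": 50_000.0, "major": 1_000_000.0}


@dataclass(frozen=True)
class Event:
    name: str
    pr_event: float                 # Pr(e), e.g. per year
    pr_success: float               # Pr(s|e); 1.0 for natural events
    pr_outcome_given_success: dict  # Pr(o|e,s), sums to 1 over LOSS


# Constructed scenarios for illustration only.
INTRUSION = Event("intrusion", 0.10, 0.30,
                  {"none": 0.0, "minor": 0.8, "major": 0.2})
FLOOD = Event("flood", 0.02, 1.00,
              {"none": 0.5, "minor": 0.4, "major": 0.1})


def vulnerability(ev, outcome):
    """Pr(o|e), computed as Pr(o|e,s)Pr(s|e) per Eq. 4.

    Assumption added for this example: when the event does not succeed,
    the outcome is "none", so that outcome also receives 1 - Pr(s|e).
    """
    p = ev.pr_outcome_given_success[outcome] * ev.pr_success
    if outcome == "none":
        p += 1.0 - ev.pr_success
    return p


def risk_triplets(events):
    """Eq. 1: the set of <e, p, o> over E x O, with p = Pr(e)Pr(o|e)."""
    return [(ev.name, ev.pr_event * vulnerability(ev, o), o)
            for ev, o in product(events, LOSS)]


def expected_loss_given_event(ev):
    """Vulnerability expressed as expected loss: sum of Pr(o|e) * loss(o)."""
    return sum(vulnerability(ev, o) * LOSS[o] for o in LOSS)


def expected_loss_given_success(ev):
    """Expected loss given a successful event: sum of Pr(o|e,s) * loss(o)."""
    return sum(ev.pr_outcome_given_success[o] * LOSS[o] for o in LOSS)


def risk_eq2a(ev):
    """Probability times consequence: Pr(e) * E[loss | e]."""
    return ev.pr_event * expected_loss_given_event(ev)


def risk_eq4(ev):
    """Same quantity in the Eq. 4 form: Pr(e)Pr(s|e) * E[loss | e, s]."""
    return ev.pr_event * ev.pr_success * expected_loss_given_success(ev)


def harden(ev, new_pr_success):
    """Vulnerability reduction: lower Pr(s|e) while Pr(e) stays unchanged."""
    return replace(ev, pr_success=new_pr_success)


if __name__ == "__main__":
    for name, p, o in risk_triplets([INTRUSION, FLOOD]):
        print(f"<{name}, {p:.4f}, {o}>")
    for ev in (INTRUSION, FLOOD, harden(INTRUSION, 0.15)):
        print(f"{ev.name} (Pr(s|e)={ev.pr_success}): "
              f"Eq. 2a = {risk_eq2a(ev):.0f}, Eq. 4 form = {risk_eq4(ev):.0f}")
```

Halving Pr(s|e) for the intrusion scenario halves its risk value even though Pr(e) is untouched, which is the sense in which vulnerability reduction lowers risk without any better estimate of event likelihood.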

Vulnerability As Notion and Vulnerability as Measure. As a notion, Professor Yacov Haimes at the University of Virginia defined vulnerability as “the manifestation of the inherent states of a system that can be exploited to adversely affect that system” (see “On the Definition of Vulnerabilities in Measuring Risks to Infrastructures” by Yacov Haimes, Risk Analysis, Vol. 26, No. 2, pp. 293-296 (2006), doi:10.1111/j.1539-6924.2006.00755.x).  According to this definition, a system is said to be vulnerable if there exists a combination of system states that renders it susceptible to adverse effects (outcomes) arising from a particular exploit (initiating event).  Consistent with this definition is the measure of vulnerability according to the term Pr(o|e).  This vulnerability term can be read as follows: “vulnerability is expressed as the probability of a given outcome following the occurrence of a specified event.” This probability is shaped by the performance of the system under the stress imposed on it by the initiating event, where higher values of this probability for a given combination of (e,o) indicate a greater susceptibility to harm or loss.

A more generic definition for vulnerability was offered in the paper “Vulnerability and Risk: Some Thoughts from a Political and Policy Perspective” by Sarewitz et al. and published in Risk Analysis, Vol. 23, No. 4, pp. 805-810 (2003) (required reading for a large fraction of the class): “vulnerability is the inherent characteristics of a system that create the potential for loss.”  While similar to the definition posited by Haimes in the context of protecting infrastructures against acts of terrorism, the Sarewitz definition is more generic in that it asserts that vulnerability creates risk (where risk is defined, in the more restrictive sense of security, as the potential for harm).  In fact, Sarewitz et al. emphasize that “understanding and reducing vulnerabilities does not demand accurate predictions of the incidence of” events.  This statement is 100% consistent with Eq. 2 in that vulnerability reduction yields a reduction in risk even if the probability of event remains unchanged.  For security managers this point is particularly important given the fact that it is insanely difficult to express likeliness of adversary actions in quantitative form.  Perhaps it is no surprise that vulnerability assessment is the prime focus of a security professional’s career, where the meager threat assessments (i.e., event likeliness assessments) are then used to help prioritize vulnerabilities for management attention.  Risk management, then, examines the actions taken by security practitioners to reduce the vulnerability for those event/outcome pairs that make management most nervous.

Extreme Events. Sarewitz et al. also made another point I think is very important: “extreme events are created by context.”  I wrote at length about this point in a previous post on natural perils, natural hazards, and natural disasters.  In themselves, events are not disasters; for example, a hurricane is not labeled a disaster until it has affected some system.  Before then, a hurricane is simply an event that one might label as a peril or hazard.  The label “disaster” is assigned only to events that have occurred and wrought a significant toll on the interests of an individual or group of individuals.  An extreme event is a game changer event, and much like a disaster is one that disturbs the affected system enough to change its configuration with respect to its pre-event state (e.g., population redistribution, new reactive policies, etc.).  It makes no sense to assess the vulnerability with respect to disastrous events because the mere label of disaster implies significant vulnerability.  Whether or not an event becomes a disaster depends on the magnitude of the vulnerability to outcomes one labels as disastrous given an event has occurred.  That is, the context of the matter determines which outcomes are disastrous and which are not, and the vulnerability assessment then can produce insights into the potential for disaster in the face of a triggering event.

How Vulnerability Assessment Is Done. Unlike previous lectures where I was able to provide guidance on constructing complete sets of events and outcomes, I could not offer my students similar tools for doing vulnerability assessment.  Why?  Because vulnerability assessments fall under the category of messy problems.  While it may be straightforward to articulate potential causes of harm and define a set of undesirable consequences, it is not a trivial matter to make defensible statements about the probability that an event will lead to a particular outcome.  Such statements insist that the analyst possess intimate knowledge of all aspects of the system under study, to include its security system, structural configuration, and response and recovery capabilities.  Even if you reduce the vulnerability problem into separable components (e.g., protection vulnerability and response vulnerability such as is described in a paper I coauthored), the level of knowledge required to do a vulnerability analysis is quite extensive.  Yet, people manage to do vulnerability assessment anyway.  How do they do it?

Well, if one appeals to the science of Naturalistic Decision Making, meaningful vulnerability assessments insist that the vulnerability assessor has command over the two major sources of power: pattern recognition and mental simulation (I wrote something about this in a recent post on the (very tentative) McGill descriptive vulnerability assessment model).  Pattern recognition, a power that arrives only through experience, enables an individual to quickly pick out the most significant environmental cues relevant for a given problem and use these cues to assess the degree to which the environment is similar to other situations from his experience.  In the event of a match (the likeliness of which increases with more personal experience), an individual uses his or her mental simulation power to quickly conduct thought experiments that “challenge” the environment and predict how it will respond to different initiating events.  (Notice my use of the word “quickly”: have you ever seen a former special forces soldier do a vulnerability assessment?  The more experienced the soldier is, the more quickly he or she can do a vulnerability assessment that means something.)  I suspect that this simulation process for vulnerability assessment is iterative in that one starts with an outcome, backs out plausible events that might yield that outcome, reappraises vulnerability with respect to each identified initiating event, and so on.  But in the end the breadth and depth of the assessment is highly sensitive to the experience, objectivity, and biases held by the assessor.

But here is my challenge - I must teach vulnerability assessment to individuals with a minimum amount of background knowledge.  How can I do this?  The solution lies in the simple fact that when under pressure to produce answers, the lack of knowledge to render a defensible judgment is typically compensated for by bias, gut feel, and guesses.  One way to enable defensible analyses is to provide students with a wide array of structured analytic techniques aimed at alleviating all those aspects of reasoning that are detrimental to the end product (much like the way the intelligence community does it).  This is my focus of Part II (risk assessment) of my course - to provide a suite of techniques to help less experienced risk assessors properly structure their thinking so as to make sense of a particular situation and explicitly identify all uncertainties.

An Exercise on Vulnerability Assessment. To highlight the difficulties in actually doing a vulnerability assessment, I had my students spend 30 minutes of the second lecture assessing the vulnerability of Penn State campus (University Park) to disaster (note that much like most questions encountered in practice, I deliberately kept the question vague).  This exercise insisted on brainstorming what types of events would be considered disastrous, then identifying a spectrum of different causes for each type of disaster.  I provided no techniques for doing this in an attempt to see how my students would reason through the problem.  The responses were mixed - what constituted a disaster varied among student groups, as well as what types of events could cause disaster.  Perhaps this is because not a single group put themselves in the shoes of a campus decision maker; rather, each group adopted a personal view of disasters and their causes.  As I emphasized in class, analysis done in this manner imposes the personal biases of the analyst on a problem whose answers would inform a decision maker that might have a different opinion of what a disaster is.  The first step in any risk analysis is to know your customer well enough so as to properly frame the associated questions.  Overall the exercise went well, and provided me with good insight into how to proceed with part II of the course.

My Take on the Lecture

As a whole, I think I could have done better with this week of lectures.  For one, I assumed that the students had more background knowledge in probability than they really had.  In hindsight, I should have incorporated basic concepts from probability theory throughout the discussion of vulnerability.  I will definitely try this approach in next semester’s offering of SRA 311.  However, since vulnerability is a conditional probability, I am now forced to restructure the syllabus to start with a discussion on basic probability before getting into Bayes’ rule.  Essentially, this means I need to start with event likeliness (the topic of lecture 9) before lecturing on vulnerability.

A second thing I noticed was that I really talk too much, particularly on the topic of vulnerability assessment.  While this isn’t always a problem, the topic of vulnerability assessment is dry as a bone unless one already has some experience doing it.  In an attempt to liven the discussion up, I intend next semester to incorporate more in-class exercises to flex students’ neural muscles on the topic.  Some ideas I have in mind include online worksheets that ask students to make general statements of vulnerability for a variety of high-level scenarios, another case study pegged to some current event (the recent bombing in Pakistan, as horrible as it was, would have made for a good case study focused on what makes a system vulnerable), and so on.  Feel free to share your thoughts or ideas, if you have any.

The (Very Tentative) McGill Descriptive Vulnerability Assessment Model

Wednesday, September 17th, 2008

How do vulnerability assessors actually assess vulnerability?  This is an interesting question that I have been thinking about recently, and below are some of my initial thoughts on the issue.  Let’s begin by recalling the following expression of risk:

p = Pr(e,o)   (1)

where the joint probability of initiating event e and outcome o can be expressed in one of two ways:

Pr(e,o) = Pr(e)Pr(o|e)   (2a)

Pr(e,o) = Pr(o)Pr(e|o)   (2b)

From my experience, the more common of these two expressions is Eq. 2a as it really conforms to the more intuitive event tree view of risk (consequence following cause).  The latter expression Eq. 2b is much less commonly used, if it is even used at all.  Yet, Eq. 2b is as much an expression of risk as Eq. 2a.  I actually use part of Eq. 2b later on in this post, which is the reason why I mentioned both equations.

Now why the math?  My first hypothesis is that regardless of whether one can speak the language of probabilistic mathematics, all people think about vulnerability analysis in the same basic way, whether it be as part of one’s profession or routine risk-taking decision making.

Colloquially, when one thinks of vulnerability, one might say something to the effect of “I am vulnerable to outcome o due to event e” (where e and o are defined as before).  More common are statements such as “I am vulnerable [with respect] to e,” where the outcome is implied by the context of discussion.  For example, in the course of discussing an organization’s information systems, the statement “I am vulnerable to attack” made by the organization’s IT security manager most likely refers to an attack directed against IT infrastructure, with the outcomes being loss of confidentiality, integrity, availability, or non-repudiation. This same statement said by a pedestrian walking in downtown Los Angeles might be in reference to a physical assault against his or her person where the outcomes are injury and loss of property.  In both cases, however, these terms are in reference to the conditional assertion that the individual will suffer some type of loss should an “attack” occur.  That is, there is no assessment of the likeliness of event; only the assessment of likeliness of an adverse outcome given event.

Now, refer to Eq. 2a.  In this expression, Pr(e) is the probability of an initiating event and the conditional probability Pr(o|e) is the probability of a particular outcome given an initiating event were to occur.  In the security context, Pr(e) is viewed as a measure for likeliness of attack (i.e., the initiating event), and Pr(o|e) is the measure for conditional likeliness to a particular outcome given an attack were to occur.  I choose to label this latter parameter the “vulnerability to o from e” as it is conceptually equivalent to the manner in which statements of vulnerability are made in everyday language.  Accordingly, in terms of subjective probability, statements of vulnerability express the degree of belief held by an individual in the outcomes that will occur when confronted by a particular challenge.

Back to my original question. How does a vulnerability assessor do a vulnerability assessment? Ultimately, the answer to this question should take the form of a descriptive model of human reasoning. So, as a first step in my quest toward a descriptive model of vulnerability assessment, I decided to contemplate how I, personally, would perform a vulnerability assessment. The resulting model from this inquiry is what I will tentatively call the “McGill Descriptive Vulnerability Assessment Model”:

Step 1: Soak in the subject environment.  Without looking for anything in particular and without reference to any particular type of attack, explore the subject environment in a thorough, careful and curious manner.  Over time your brain will pick up on both glaring and subtle environmental cues suggestive of strength and weakness.

Step 2: Hypothesize outcomes of particular concern that are relevant to the problem at hand.  These outcomes “oj” (j = 1, 2, …) can be vaguely defined as “a lot of people hurt” or “significant property damage” or “damage to reputation.”  There is no need to be crisp about the outcomes of concern at this stage.

Step 3: In a very non-quantitative way, attempt to make a judgment about Pr(oj|E), where the set “E” (big-E) represents the union of all plausible events ei (i = 1, 2, …) of a particular type.  That is, attempt to make a judgment about the likeliness of one or more of the “bad” outcomes identified in Step 2 assuming that some sort of vaguely-defined event (e.g., “terrorist attack,” “assault,” and so on) occurs (i.e., “E”).

Step 4: For those outcomes where the likeliness is viewed to be sufficiently “strong” (high or intense), assume that these outcomes have been realized but the cause is unknown. This step attempts to hypothesize what the most likely causes of these outcomes were. This is a sort of pre-mortem analysis. A list of causes (or initiating events) ei can be developed in this manner, where the list is ranked in order of decreasing (or increasing if you prefer) likeliness. If there is no strong feeling of vulnerability, then use this step to try to explain why and attempt to challenge yourself using alternative analysis techniques (e.g., Devil’s advocacy).

Step 5: For each ei identified in Step 4, assess your subjective degree of belief that undesirable outcome oj (for each j) will follow from event ei. This is a more refined vulnerability assessment of Pr(oj|ei) than Step 3 in that we are looking at specific “ei”’s instead of the whole collection “E.”

[NOTE: you can cycle through steps 2 through 5 over and over again, each time refining the definition of e, adding o's, and so on.]

Step 6: Express your opinion of vulnerability to OUTCOME given EVENT.  A four-tier symmetric linguistic vulnerability scale of the following type can be used (as an example) to aid in expressing vulnerability where the bracketed values express lower and upper probability limits for the phrase:

  • Highly Vulnerable … Pr(o|e) = [0.75, 1.00] … (odds are heavily in favor of the adversary)
  • Vulnerable … Pr(o|e) = [0.50, 0.75] … (odds are in favor of the adversary)
  • Invulnerable … Pr(o|e) = [0.25, 0.50] … (odds are in favor of the defender)
  • Highly Invulnerable … Pr(o|e) = [0.00, 0.25] … (odds are heavily in favor of the defender)

[Note that while it may appear that step 6 departs from what one might otherwise think was part of a normative model and not a descriptive one, this is actually how I think.  So it is, in fact, descriptive, but with respect to how I think about vulnerability.]

Let’s see how this descriptive model works. Suppose I am tasked to assess the vulnerability of my house in Maryland to damage resulting from naturally-occurring events (ignoring that I have insurance). I admit here that nature is my assumed adversary, and perhaps is my only adversary aside from the occasional disgruntled student. As I walk around my house, I notice a slightly lopsided roof, sturdy brick exterior, clogged gutters, new windows, canopies of trees (that seem to be on their last leg) blocking the sun, empty garbage cans in the yard, lawn junk (e.g., garden gnome) on the neighbor’s property, curbside lunch trash left over by contractors that tend to take breaks in front of my house, loose television antennas on neighborhood roofs, etc. I begin to think that a bad day for me would be when my roof caves in or many of my windows break, since both would cause a significant amount of property damage. All things considered, I think my vulnerability to many broken windows is quite low, but the roof collapse worries me. I proceed to consider a variety of causes of roof collapse, to include (in order of decreasing likeliness) tree limbs crashing down from above and excessive rain and autumn leaves weakening the integrity of my roof structure. Returning to the outcome of concern and leveraging my structural engineering background, I now can make the following judgments:

  • My roof is right now vulnerable to collapse due to falling tree limbs (any cause).
  • My roof is right now highly invulnerable to roof collapse due to buildup of leaves and rain.
  • My roof is right now highly invulnerable to roof collapse due to most other natural causes.
  • My windows are right now highly invulnerable to significant damage due to most natural causes.

Notice the underlined words that caveat my vulnerability judgments.

  • right now means the vulnerability assessment is valid only for the system in its present state and normal deviations.  If things change (e.g., adding solar panels to the roof, aged roof and windows), then the vulnerability assessment may change as well.
  • most other and most are used to allow flexibility for the residual hypothesis I am not considering in my mind.  While I would be hard-pressed to articulate all of the events floating around in my head that might prompt damage, using the word most allows for me forgetting to include a few. (yes, I know this is a cop out, but supposedly more experience = more hypothesized events).

Finally, I must point out that nowhere here do I make any judgment about event likeliness. That is, what I have here is a method for vulnerability assessment, not threat assessment. Had I gone on to assess threat as well, the combination of threat and vulnerability (for a given pair of event and outcome) would produce a statement of risk a la Eq. 2a.
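To make that last step concrete, here is an added example (not code from the original post) that pushes the Step 6 phrases through Eq. 2a as intervals and then uses Eq. 2b to bound the Step 4 pre-mortem quantity Pr(ei|o), which goes a little beyond what the post itself computes. The function names and the annual Pr(e) intervals are invented for illustration, and the listed causes are assumed to be mutually exclusive and the only causes of the outcome.

```python
# Step 6 scale from the post: phrase -> [lower, upper] bounds on Pr(o|e).
SCALE = {
    "highly vulnerable":   (0.75, 1.00),
    "vulnerable":          (0.50, 0.75),
    "invulnerable":        (0.25, 0.50),
    "highly invulnerable": (0.00, 0.25),
}

def risk_interval(threat, phrase):
    """Eq. 2a on intervals: bounds on Pr(e,o) = Pr(e) * Pr(o|e)."""
    t_lo, t_hi = threat
    if not 0.0 <= t_lo <= t_hi <= 1.0:
        raise ValueError("threat must satisfy 0 <= lower <= upper <= 1")
    v_lo, v_hi = SCALE[phrase.lower()]
    # All factors are non-negative, so the product is monotone in each bound.
    return (t_lo * v_lo, t_hi * v_hi)

def premortem_bounds(judgments):
    """Step 4 via Eq. 2b: bounds on Pr(e_i|o) for each listed cause e_i.

    Assumes the listed causes are mutually exclusive and are the only
    causes of the outcome (an assumption of this example, not the post).
    """
    joint = {e: risk_interval(t, p) for e, (t, p) in judgments.items()}
    bounds = {}
    for e, (lo, hi) in joint.items():
        others_lo = sum(j[0] for k, j in joint.items() if k != e)
        others_hi = sum(j[1] for k, j in joint.items() if k != e)
        # Pr(e|o) is smallest when e sits at its lower bound and rivals at their upper.
        lower = lo / (lo + others_hi) if lo > 0 else 0.0
        upper = hi / (hi + others_lo) if hi > 0 else 0.0
        bounds[e] = (lower, upper)
    return joint, bounds

# Constructed sample input: the phrases are the post's roof judgments;
# the annual Pr(e) intervals are invented purely for illustration.
ROOF = {
    "falling tree limbs":   ((0.05, 0.10), "vulnerable"),
    "leaves and rain":      ((0.20, 0.40), "highly invulnerable"),
    "other natural causes": ((0.01, 0.02), "highly invulnerable"),
}

if __name__ == "__main__":
    joint, post = premortem_bounds(ROOF)
    for e in ROOF:
        print(f"{e}: Pr(e,o) in {joint[e]}, Pr(e|o) in {post[e]}")
```

With these constructed inputs, falling tree limbs is the only cause whose Pr(e|o) has a nonzero lower bound, while the width of the other intervals shows how little a four-tier scale constrains the ranking when a "highly invulnerable" judgment meets a frequent event.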

I wonder how well this model matches that of practicing vulnerability assessors in DoD and industry, or with those focused on computers, physical sites, or the fabric of society. Regardless of how long my model remains unrefuted (which may be a day or much longer), I will continue to seek out ways to discredit it in hopes of converging on a robust descriptive model for vulnerability assessment.
