1. What is the difference between a risk assessment and a vulnerability assessment?
The term “risk” refers to the level of exposure to a given threat. Risk assessment is the identification of potential harms to or losses of an asset as a result of a threat exploiting a vulnerability. Risk assessment determines the most critical and likely dangers and evaluates their probability.
Vulnerability assessment is an important part of risk assessment. It examines “the weaknesses that would make an asset more susceptible to damage from a hazard”. A vulnerability is defined as a gap in our protection efforts; assessing it allows us to determine the possibility of loss and implement a strategy of avoiding risks. Vulnerability assessment can be narrower than risk assessment. It involves examining “the system elements and layout and their failure modes based on a given set of threats” (Baker, 2003).
Based on the results of the vulnerability assessment, the risk assessment measures the likelihood of a failure in the system, the potential costs of such failures, and the level of tolerance for these consequences.
2. Should vulnerability assessments of critical infrastructure be required by law?
The law does not require the full elimination of risk, but rather the practical protection of people. For example, accidents, illness, lost output or machinery damage could affect one’s business. The consequences could be very harmful not only for the business itself but also for the owner (e.g. increased costs, court trials and others). In this case, business owners are required to assess the risks in their workplace so that the risks are controlled. This is done through a vulnerability assessment, which provides the basis for developing a strategy to improve system functioning against identified threats and risks. In this context, vulnerability assessment for critical infrastructure should be required by law. Regular communication between security staff and local law enforcement authorities, including training and exercises for emergency responders, would reduce fire loads, for example, and thus reduce accidents.
References
Baker, G. (2003). A Vulnerability Assessment Methodology for Critical Infrastructure Facilities. Institute for Infrastructure and Information Assurance. (1), p1-15. http://www.gao.gov/products/GAO-12-378
FEMA. (2012). Risk Assessment. Available: http://www.ready.gov/risk-assessment. Last accessed 3rd July 2013.
Insurance Institute for Business & Home Safety. (2012). Every Business Should Consider a Risk and Vulnerability Assessment. Available: http://www.disastersafety.org/commercial_maintenance/commercial-vulnerability-assessment_ibhs/. Last accessed 3rd July 2013.
Perrin, C. (2009). Understanding risk, threat, and vulnerability. Available: http://www.techrepublic.com/blog/security/understanding-risk-threat-and-vulnerability/1897. Last accessed 3rd July 2013.