Fundamentals of Vulnerability Assessments

Vulnerability assessment is the objective assessment of your facility’s weaknesses through the eyes of prospective attackers who are willing to kill Forest Service employees and others to achieve their objective. A more appropriate term would be target assessment, the assessment done by someone wanting to attack your facility or the persons at the facility.

Vulnerability assessment requires thinking offensively rather than defensively. Instead of asking, “How can I secure this facility?,” someone making an assessment must ask, “When, where, and how can I successfully attack this facility?” Reduced to its simplest terms, a vulnerability assessment looks for and finds the weaknesses in locations, structures, materials, and devices that security and facility managers would normally (and mistakenly) rely on to provide a secure environment.

It is often difficult for a career employee with insider knowledge about a facility, its operation, and the people using it to conduct a vulnerability assessment. Do not allow your insider knowledge to exclude vulnerabilities simply because you are sure a particular method or attack would be unsuccessful. Do not adopt the position: “It hasn’t happened anywhere yet, so it probably won’t happen here first.” Attackers have all the creativity of a Disney Imagineer! Until the 9/11 (2001) attacks on the World Trade Center in New York City, imagination among vulnerability assessors was sometimes met with derision. As the 9/11 Commission Report (http://www.gpoaccess.gov/911/) noted on page 344, “Imagination is not a gift usually associated with bureaucracies.”

In addition to conducting your own vulnerability assessment, it may be wise to consider having an assessment conducted by outsiders with real-world target analysis and attack experience. Major corporations with very competent security forces frequently employ outsiders to conduct vulnerability assessments. Sometimes it is easier for an outsider to be brutally frank when talking about such unpleasant topics as killing people to achieve an objective.

A vulnerability assessment is not a weapon to be wielded against the Forest Service, its supervisors, and employees. It is not a finger-pointing exercise to discredit anyone. Rather, it is an effort to identify weaknesses that could be exploited by an attacker. Identifying vulnerabilities does not imply negligence or incompetence. Seeking to identify and remedy vulnerabilities is one sign of a thoughtful and competent manager.