

Protecting your Organization with Vulnerability and Threat Assessments



A proactive approach helps to mitigate the risk


My firm conducts security vulnerability assessments and threat assessments for our clients on a regular basis. A common problem we have found with many clients is that they often confuse vulnerability assessments with threat assessments. It is important to know the differences, the purposes and objectives, the outcomes and the limitations of each type. It is equally important to conduct both types.

In a nutshell, the purpose of a vulnerability assessment is to improve security by finding and identifying weaknesses, while the purpose of a threat assessment is to determine exactly what type of security is necessary. And while both are critical to protect your firm, your employees, your physical property, etc., it is also necessary to understand that it is not possible to achieve zero vulnerability.

Vulnerability Assessment

A vulnerability assessment is a methodical and logical process in which specific tools and techniques are used to assess systems, technologies and procedures in order to identify weaknesses and vulnerabilities to potential attacks, to improve security, and to provide countermeasures to risks. A vulnerability assessment should be conducted at regular intervals. It is not a test that you can “pass”, nor is there a “one-size-fits-all” method.

Vulnerabilities are always present in many forms, and they can change over time. You can’t eliminate them entirely, you can’t use a software package to find them, and you can’t just walk around with a checklist and find them. And importantly, you can’t assume that you are secure just because you haven’t had an incident. While most vulnerability areas can be found and eradicated, you need to understand that they can’t all be fully eliminated.

Threat Assessment


Where a vulnerability assessment identifies weaknesses and vulnerabilities, a threat assessment is a method of assessing and anticipating:

  • who might attack
  • what/where they might attack
  • what goals they have
  • the probability of a “when-where-and-why scenario”
  • what kind of, and how much, security is needed

Again, you cannot “pass” this test. You cannot determine the details of a possible attack, but you can use the intelligence data proactively to develop countermeasures that protect the buildings, infrastructure, data, personnel, etc.

The most important thing in conducting vulnerability and threat assessments is that you have them done by assessors who are both competent and willing to be honest with you. Remember, it is not bad news to find the vulnerabilities or to determine possible threats. It is the best way of being proactive to protect your company and its assets.