A vulnerability assessment is a risk management process used to identify, quantify and rank the vulnerabilities of a given system to specific threats. It is not confined to a single field and is applied to systems across different industries, such as:
- IT systems
- Energy and other utility systems
- Communication systems
The key component of a vulnerability assessment is a clear definition of the impact loss rating and of the system's vulnerability to each specific threat. Impact loss differs from system to system. For example, an air traffic control tower under assessment may treat a few minutes of downtime as a serious impact loss, while for a local government office the same few minutes may be negligible.
- Vulnerability assessments are designed to yield a ranked or prioritized list of a system's vulnerabilities to various kinds of threats. Organizations that commission these assessments are aware of security risks and recognize that they need help identifying and prioritizing potential issues. By understanding its vulnerabilities, an organization can formulate solutions and patches for them and incorporate those into its risk management system.
- The perspective on a vulnerability may differ depending on the system assessed. For example, a utility system, such as power or water, may prioritize vulnerabilities to events that could disrupt service or damage facilities, such as natural disasters, tampering and terrorist attacks. An information system (IS), such as a website with databases, may instead require an assessment of its vulnerability to hackers and other forms of cyberattack. A data center, on the other hand, may require an assessment of both physical and virtual vulnerabilities, because it must secure both its physical facility and its cyber presence.
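The two ideas above, that impact loss is defined per system and that the assessment's output is a ranked list, can be shown in a small scoring model. The following Python is an added example, not code from the original article: it scores each finding as likelihood multiplied by a weighted impact loss, where the weights and the downtime threshold belong to the system being assessed. The findings, the two impact profiles (an air traffic control tower and a local government office, echoing the article's example) and every number in them are constructed for illustration.

```python
"""Ranking vulnerability findings against a system-specific impact profile.

Constructed example: all findings, profiles, weights and numbers below are
made up for illustration, not measurements from any real system.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    """One identified vulnerability and the threat that could exploit it."""
    ident: str
    threat: str
    likelihood: float         # estimated probability of exploitation, 0.0-1.0
    downtime_minutes: float   # expected service outage if exploited
    data_exposure: float      # fraction of sensitive data at risk, 0.0-1.0
    physical_damage: float    # severity of damage to facilities, 0.0-1.0


@dataclass(frozen=True)
class ImpactProfile:
    """How a particular system rates impact loss.

    serious_downtime_minutes is the outage length this system already treats
    as a full-severity loss; anything longer saturates at 1.0.
    The three weights express which loss category matters most and sum to 1.
    """
    name: str
    serious_downtime_minutes: float
    downtime_weight: float
    data_weight: float
    physical_weight: float

    def __post_init__(self) -> None:
        total = self.downtime_weight + self.data_weight + self.physical_weight
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"weights for {self.name} must sum to 1, got {total}")
        if self.serious_downtime_minutes <= 0:
            raise ValueError("serious_downtime_minutes must be positive")


def impact_score(finding: Finding, profile: ImpactProfile) -> float:
    """Impact loss rating of a finding as seen by one system, 0.0-1.0."""
    downtime = min(1.0, finding.downtime_minutes / profile.serious_downtime_minutes)
    return (profile.downtime_weight * downtime
            + profile.data_weight * finding.data_exposure
            + profile.physical_weight * finding.physical_damage)


def risk_score(finding: Finding, profile: ImpactProfile) -> float:
    """Risk = likelihood of the threat materialising x impact loss to this system."""
    return finding.likelihood * impact_score(finding, profile)


def rank_findings(findings: List[Finding], profile: ImpactProfile) -> List[Tuple[str, float]]:
    """Return (ident, risk) pairs ordered highest risk first: the prioritized list."""
    scored = [(f.ident, round(risk_score(f, profile), 4)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed findings shared by both assessments.
FINDINGS = [
    Finding("VA-1", "ransomware on an operator workstation", 0.3, 5.0, 0.2, 0.0),
    Finding("VA-2", "SQL injection in a public web portal", 0.6, 0.0, 0.8, 0.0),
    Finding("VA-3", "unlocked door to the generator room", 0.2, 120.0, 0.0, 0.9),
]

# Constructed profiles: an air traffic control tower treats one minute of
# downtime as serious; a local government office tolerates a working day.
ATC_TOWER = ImpactProfile("air traffic control tower", 1.0, 0.7, 0.1, 0.2)
TOWN_OFFICE = ImpactProfile("local government office", 480.0, 0.2, 0.6, 0.2)


if __name__ == "__main__":
    for profile in (ATC_TOWER, TOWN_OFFICE):
        print(f"{profile.name}:")
        for ident, score in rank_findings(FINDINGS, profile):
            print(f"  {ident}  risk={score:.3f}")
```

Running it ranks the same three findings differently for the two systems: the tower puts the five-minute workstation outage (VA-1) first, while the office ranks the data-exposing web flaw (VA-2) first and the same outage last. The ranking only becomes meaningful once the impact profile has been agreed with the system's owner, which is why the article calls that definition the key component of the assessment.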