Vulnerability assessment is a key phase in the risk management process, requiring a detailed and in-depth analysis of security systems, mitigation strategies and their effectiveness in reducing the likelihood of a successful attack.
Building on these principles, the Vulnerability Assessment Tool (VAT) developed by IFI Security is designed to provide a deterministic assessment of the gaps in the protection systems of a given asset. By protection systems, we refer not only to the active and passive security components, but also to the general organisation of security (the so-called “human factor”), the ability to cope with any crisis situations, the employer’s compliance with current regulations and other aspects that may, for various reasons, lead to vulnerabilities.
Through the operationalisation of international standards and best practices, for each of the areas under assessment (each of which represents a different interpretation of the concept of vulnerability), VAT sets a benchmark against which to identify and measure any protection system gaps.
The benchmark varies according to the level of threat that characterises the area where the asset is located, so as to ensure compliance with the principle of proportionality that must underpin all risk assessments. The VAT methodology is based on checklists with closed-ended questions that leave no room for ambiguity, keeping the assessor’s judgement within well-defined boundaries. In operational terms, determining the threat level (which the VAT system does automatically by means of quantitative indicators calculated according to a certified methodology) results in an ad hoc checklist that can be further customised depending on the type of asset under assessment.
By aggregating the scores generated by each of the answers given to the checklist questions, and applying a specific calculation algorithm, VAT returns a summary value indicative of the vulnerability of an asset, i.e. its resilience with respect to the security threats previously identified. Representing the vulnerability level of a given asset as a numerical value makes both synchronic comparisons (across multiple assets) and diachronic comparisons (of the same asset at two distinct moments) much easier.
The numerical value is placed on a scale ranging from 0 to 100, divided into five ordered categories of vulnerability. In this way, the assessment outcome is immediately graspable, making it easier to compare multiple assets.
The assessments are also represented by means of “radar” charts (or Kiviat diagrams), which show the vulnerability values associated with the individual analysis sections. The higher the vulnerability values associated with each section, the larger the area of the resulting figure. This graphic representation allows you to immediately grasp the areas of greatest vulnerability.
Once the assessment has been completed (online or through the App available on the Apple Store and Google Play), the system automatically generates a report containing both a quantitative representation of the level of vulnerability (both in overall terms and with reference to each specific area analysed) and any notes and multimedia material uploaded during the evaluation phase; the goal is to provide governance functions with a thorough and updated overview of the security levels of their corporate assets.
In short, VAT is an extremely valuable tool for security managers and employers, allowing them to:
- Make the vulnerability analysis independent of the assessor’s bias and sensitivity, and make sure the analysis is based on stable and objective criteria over time;
- Compare an indefinite number of assets and identify any common/recurring gaps;
- Enhance the minimum level of asset protection and reduce the number of malicious events;
- Set priorities of intervention based on how critical and vulnerable the assets of interest are, so as to comply with any budget and resource limits;
- Monitor and measure the effectiveness of the mitigation plans implemented following an assessment and, consequently, the performance of the personnel involved in security activities;
- Clearly identify roles and responsibilities within their organisations and shed light on any grey areas that may slow down or hinder the risk management process;
- Centralise risk management activities and offer a clear and always up-to-date overview of the risks their companies are exposed to.
By “operationalisation” we mean adjusting international regulations and best practices to develop clear and targeted information that can therefore be verified and measured.
The system allows you to determine how critical an asset is based on the so-called “worst case scenario” concept. Specifically, the higher its economic value and the more important the personnel working there, the more critical the asset.