Anatomy of a Vulnerability Assessment

By Stephen R. Melvin, PE CSP

Vulnerability Assessments (VAs) are tricky things. Essentially, a VA should tell you where your business, agency, or municipality could be vulnerable to a disaster. For example, a VA may include a threat assessment that addresses potential adversaries, geographical features that might influence a natural disaster, and the possibility of secondary devices placed at a staging area. This article won't tell you how to perform a VA, but it should give you a good idea of what goes into one and enable you to recognize and interpret a good VA. Essentially, a complete VA (as opposed to just a Security Vulnerability Assessment) should include the following items:
    • Threat Assessment: a list of who might choose to harm the facilities, personnel, or operations and why they might choose to do so. This can be based on open source information (available to the public) or closed source information (available to law enforcement professionals only), and can be comprehensive or cursory depending on how the entity wants to prioritize its results.

    • Susceptibility Assessment: the natural disasters that might impact an entity and their relative probabilities.

    • Prioritization: An evaluation of which facilities or stakeholders need the most additional attention when budgeting for security/safety upgrades. Some methodologies prioritize based upon a facility's contribution to the agency's overall mission or operations (e.g. water facilities), some prioritize based upon the vulnerability of facilities to attack or disaster, and some focus on the demographics within a facility. Some combine these factors. How the factors are weighted will differ depending on the officials in charge of policy. The one thing they all have in common is that they give evaluators an idea of where to spend money for upgrades.

    • Scenario Development: A list of scenarios that could occur based upon the current facility configuration (not the way that it will be, or could be, unless improvements are already under construction). These scenarios may be worst case, or most probable case, or just a list of possibilities. The most important thing about these cases is that they are consistent: the next step is to rank them, and it is impossible to rank a worst case against a most probable case.

    • Risk Ranking: Risk ranking should be a function of severity and likelihood. Many Security Vulnerability Assessment (SVA) methodologies actually break the likelihood into two parts: Probability of Attack (the relative likelihood that an adversary attacks, or that an initiating event occurs) and Probability of Effect (the relative likelihood that the attack succeeds in spite of the safeguards in place). The most important thing in a risk ranking is that the Severity should be based on the listed consequences without consideration of probability, and that the final Likelihood should be the probability that the stated consequence results from a given initiating event in spite of the listed safeguards. For example, the severity of someone dying in a fire is high, but the probability might be low, either because the likelihood of a fire is low or because there are many safeguards (e.g. sprinklers, training, etc.) that will prevent the fire from actually killing someone.

    • Recommendations: These are recommendations that will reduce the likelihood of the initiating event (e.g. removing all flammable materials from a room means a fire cannot start there), reduce the likelihood that someone will get hurt by that event (e.g. installing sprinklers in a room reduces the likelihood that someone will get hurt by a fire), or reduce the consequences of the event (e.g. switching the pool chemical from chlorine gas to sodium hypochlorite reduces the injury if someone is exposed).

    • Revised Risk Ranking: For each recommendation, the VA should show how the risk ranking would change once that recommendation is put into place, so that readers can determine which recommendations to implement first.
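The risk ranking and revised risk ranking steps above are mechanical once the scales are agreed, so here is a small risk register that carries them out. This is an added example, not code from the article or from any particular SVA methodology: the 1-5 ordinal scales, the multiplicative score, the three scenarios and the four recommendations (which mirror the article's three kinds of recommendation: reduce the initiating event, reduce the chance of harm, reduce the consequence) are all constructed for illustration, and the costs are made-up figures.

```python
from dataclasses import dataclass, replace

LOW, HIGH = 1, 5  # assumed ordinal scale for every factor: 1 = lowest, 5 = highest


@dataclass(frozen=True)
class Scenario:
    name: str
    severity: int   # consequence, judged WITHOUT regard to probability
    p_event: int    # the article's "Probability of Attack": chance the initiating event occurs
    p_effect: int   # the article's "Probability of Effect": chance it succeeds despite safeguards

    def risk(self) -> int:
        # severity x likelihood, with likelihood split into its two parts
        return self.severity * self.p_event * self.p_effect


@dataclass(frozen=True)
class Recommendation:
    name: str
    scenario: str          # name of the scenario it applies to
    cost: float            # assumed cost, used for benefit-per-dollar
    severity_delta: int = 0
    p_event_delta: int = 0
    p_effect_delta: int = 0


def clamp(value: int) -> int:
    return max(LOW, min(HIGH, value))


def apply(scenarios: list[Scenario], rec: Recommendation) -> list[Scenario]:
    """Return a new scenario list with one recommendation's effect applied."""
    out = []
    for s in scenarios:
        if s.name == rec.scenario:
            s = replace(
                s,
                severity=clamp(s.severity + rec.severity_delta),
                p_event=clamp(s.p_event + rec.p_event_delta),
                p_effect=clamp(s.p_effect + rec.p_effect_delta),
            )
        out.append(s)
    return out


def ranking(scenarios: list[Scenario]) -> list[tuple[str, int]]:
    """Scenarios ordered from highest to lowest risk score."""
    return [(s.name, s.risk()) for s in sorted(scenarios, key=Scenario.risk, reverse=True)]


def total_risk(scenarios: list[Scenario]) -> int:
    return sum(s.risk() for s in scenarios)


def benefit_per_dollar(scenarios: list[Scenario], rec: Recommendation) -> float:
    """Risk points removed per dollar, measured against the current (unimproved) baseline."""
    return (total_risk(scenarios) - total_risk(apply(scenarios, rec))) / rec.cost


def prioritize(scenarios: list[Scenario], recs: list[Recommendation]) -> list[Recommendation]:
    """Recommendations ordered by benefit per dollar; each is scored independently."""
    return sorted(recs, key=lambda r: benefit_per_dollar(scenarios, r), reverse=True)


def revised_ranking(scenarios: list[Scenario], recs: list[Recommendation]) -> list[tuple[str, int]]:
    """The ranking after every listed recommendation is in place (deltas applied cumulatively)."""
    for rec in recs:
        scenarios = apply(scenarios, rec)
    return ranking(scenarios)


# Constructed sample register (not from the article).
SCENARIOS = [
    Scenario("Fire in maintenance shop", severity=5, p_event=2, p_effect=3),
    Scenario("Chlorine gas release at pool", severity=5, p_event=2, p_effect=2),
    Scenario("Intruder at unstaffed side entrance", severity=4, p_event=3, p_effect=4),
]

RECOMMENDATIONS = [
    # reduce the initiating event
    Recommendation("Remove flammables from maintenance shop", "Fire in maintenance shop", 2000, p_event_delta=-1),
    # reduce the chance the event hurts someone
    Recommendation("Install sprinklers in maintenance shop", "Fire in maintenance shop", 30000, p_effect_delta=-2),
    # reduce the consequence
    Recommendation("Switch chlorine gas to sodium hypochlorite", "Chlorine gas release at pool", 8000, severity_delta=-3),
    Recommendation("Card access at side entrance", "Intruder at unstaffed side entrance", 15000, p_effect_delta=-2),
]

if __name__ == "__main__":
    print("Current ranking:", ranking(SCENARIOS))
    for rec in prioritize(SCENARIOS, RECOMMENDATIONS):
        print(f"{rec.name}: {benefit_per_dollar(SCENARIOS, rec):.5f} risk points per dollar")
    print("Ranking with all recommendations in place:", revised_ranking(SCENARIOS, RECOMMENDATIONS))
```

Two design points are worth noting. Severity is never touched by likelihood, so a recommendation that only adds a safeguard (sprinklers) changes p_effect and leaves the consequence of a fire as severe as it was; that is the separation the Risk Ranking item insists on. And benefit per dollar is computed for each recommendation against the same unimproved baseline, because that is the decision a reader of the VA is making; the cumulative revised ranking is a separate view that shows where the residual risk would sit once everything on the list is done.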

In short, while Vulnerability Assessments can be quite complex to create, they can also be relatively simple to read, and with a little practice, a well written VA can tell a School/District what its estimated threats are, how likely they are, and what the School/District can do to prevent or mitigate them. Before spending any time, talent or treasure on security improvements, additional training, or policies and procedures, an entity needs to know exactly where its holes are and what benefit each dollar will buy.


If you have any questions, please contact us at:
info@oursafetowns.com