17.1 Introduction

Vulnerability assessment and risk assessment are in essence the same. Both seek to determine the risks to a system, a building, a plant, a ship, an airplane, a country, or people. However, a vulnerability assessment is usually more interested in determining the vulnerabilities of a system, building, plant, ship, airplane, country, or persons to persons, organizations, or countries with intent to do harm. It is also common to call a risk assessment a vulnerability assessment when it concerns natural disasters, such as earthquakes, hurricanes, tornadoes, floods, or strong storms.

In this regard, the initiating event is a person, an organization, or a country that wants to harm the system; in the case of a natural disaster, the initiating event is the earthquake or tornado itself. The probability of the initiating event, therefore, is 1.0 or 100%. The subsequent analysis determines where in the system the vulnerabilities reside. The same tools used to conduct a risk assessment can be used to conduct a vulnerability assessment. Analysts use the outcome of a vulnerability assessment to modify the system, either to reduce the probability associated with a vulnerable component or to eliminate that component.
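To show what "the same tools" means in practice, here is an added example (not from the book) that evaluates a small fault tree first as a risk assessment, with an initiating-event probability less than 1.0, and then as a vulnerability assessment, with that probability fixed at 1.0, and ranks components by Fussell-Vesely importance to locate where the vulnerabilities reside. The component names, failure probabilities and minimal cut sets are constructed for illustration, and the choice of fault-tree and importance-measure tooling is an assumption, not something this section specifies.

```python
from itertools import product
from typing import Dict, List, Sequence, Tuple

# Constructed example: top event "protected asset compromised" given that an
# adversary is present.  Probabilities are illustrative, not measured values.
COMPONENT_FAILURE: Dict[str, float] = {
    "badge_reader_bypassed": 0.05,
    "guard_absent": 0.10,
    "camera_offline": 0.20,
    "server_unpatched": 0.30,
    "password_guessed": 0.02,
}

# Minimal cut sets: every component in one set must fail for the top event.
CUT_SETS: List[Tuple[str, ...]] = [
    ("badge_reader_bypassed", "guard_absent"),
    ("camera_offline", "guard_absent"),
    ("server_unpatched", "password_guessed"),
]


def top_event_probability(failure: Dict[str, float],
                          cut_sets: Sequence[Tuple[str, ...]]) -> float:
    # Exact evaluation by enumerating all 2^n component states, so no
    # rare-event approximation is needed for a handful of components.
    names = list(failure)
    total = 0.0
    for states in product((False, True), repeat=len(names)):
        failed = {n for n, s in zip(names, states) if s}
        if any(set(cs) <= failed for cs in cut_sets):
            p = 1.0
            for n, s in zip(names, states):
                p *= failure[n] if s else 1.0 - failure[n]
            total += p
    return total


def scenario_risk(p_initiator: float, failure: Dict[str, float],
                  cut_sets: Sequence[Tuple[str, ...]]) -> float:
    # Risk assessment: P(initiating event) * P(top event | initiating event).
    # A vulnerability assessment is the same computation with p_initiator = 1.0,
    # i.e. the adversary (or the earthquake) is assumed to occur.
    return p_initiator * top_event_probability(failure, cut_sets)


def rank_vulnerabilities(failure: Dict[str, float],
                         cut_sets: Sequence[Tuple[str, ...]]) -> List[Tuple[str, float]]:
    # Fussell-Vesely importance: the fraction of top-event probability that
    # disappears if the component is made perfect (failure probability 0).
    base = top_event_probability(failure, cut_sets)
    ranking = []
    for name in failure:
        fixed = dict(failure, **{name: 0.0})
        ranking.append((name, 1.0 - top_event_probability(fixed, cut_sets) / base))
    return sorted(ranking, key=lambda kv: kv[1], reverse=True)
```

With these constructed inputs the guard and the camera dominate the ranking, which is where an analyst would spend modification effort first.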

Common parts of a vulnerability assessment are:

1. background
2. purpose
3. scope
4. assumptions
5. description of system
   a. system attributes
   b. system sensitivity
6. systems security
   a. administrative security
   b. physical security
   c. technical security
   d. software security
   e. ...
