A vulnerability study is a comprehensive assessment of all current physical security measures and operational characteristics that affect the facility’s ability to detect, deter, delay and respond to threats.

Included in the study is an examination of the physical systems and procedures used by the response team to manage the system and respond to identified threats. During the vulnerability study, the system’s performance capabilities are tested to verify the life safety features of the systems. For example, a company may have an existing access control system. There is usually an interface between the electric locking systems and the building fire alarm system to meet fire code requirements. These interfaces are tested during the vulnerability study to ensure proper operation.

Prepare to Conduct the Survey

A vulnerability study begins with a review of the physical threat assessment. The threat assessment identifies the assets that require protection and the threats to those assets. To prepare for the vulnerability study and physical survey, develop a written plan to help keep the study on track. When conducting the study, there are many distractions. A written plan outlines the steps in the proper sequence to completion.

The plan should include at least the following:
  • An inspection of all identified assets.
  • Establishing a protected perimeter for each asset.
  • An assessment of the physical barricades that comprise the protected perimeter.
  • An identification of each opening that provides human access (of any kind) to the asset.
  • A definition of the use of that opening (e.g., ordinary and usual access, emergency exit only, freight only, etc.).
  • Means of control for each opening in each protected perimeter.
  • Lighting conditions around the protected perimeters.
  • An assessment of the means to affect the critical infrastructure that supports the asset (power, water, gas, etc.).
  • A review of employee identification procedures.
  • A review of visitor controls.
  • An evaluation of the effectiveness of existing security systems in light of identified threats.
  • A review of incident reporting procedures (if not done during the physical threat assessment).
  • A review of written security response procedures (if not done during the physical threat assessment).
  • A review of post instructions for the existing security force (if not done during the physical threat assessment).

Means and Methods

A comprehensive study includes all of the elements necessary to detect, deter, delay and respond to manmade physical security threats. The techniques used in making this determination are:

Technique 1: Inspect Asset and Establish a Perimeter

Using the floor plans and plot plans provided by the company, identify all of the assets in the protected areas. In many cases, the assets are simply the areas where work is taking place. A useful method of making these identifications is to highlight the asset in a meaningful way on the floor plans and plot plans.

Technique 2: Establish a Security Perimeter Around Each Asset

The perimeters are usually walls or fence lines that encircle the asset. Please note that the term “circle” when used to define protected perimeters is a general term and not used to mean a “round” circle. The perimeter is simply the parts of the infrastructure that enclose the asset. Often these circles follow the contours of the surrounding structure and have a variety of shapes.

Physical security perimeters are concentric circles around each asset with each succeeding circle widening and having progressively lower levels of security. In that way, the most valuable resources receive the greatest focus of security system measures. Define the perimeters on the floor and plot plans by marking the walls and fence lines that encircle the assets.

Some typical elements of perimeter development include:

  • An assessment of the likelihood of intrusion by unauthorized personnel to areas of critical assets (people or property).
  • The facility’s mission and objectives.
  • A determination of consequences of loss from perpetrators with deliberation and intent.
  • A review of existing countermeasures to threats, including emergency procedures and insurance reimbursement as a result of anticipated losses.