Mission Essential Vulnerability Assessments – Try Them, You Just Might Like Them
When security is an issue, does money ever stand in the way? While we’d like to think money is not a problem, when there is a security need, in reality, money is always an issue.
How do we choose where to spend limited funds? Chief security officers and security managers don’t only have to justify why they’ve spent funds, but, in the event of an incident, they may need to explain why funds were not spent, or why funds were spent at one location and not another.
An excellent tool is the concept of MEVA – Mission Essential Vulnerability Assessments.
A MEVA assessment allows a security professional to justify expenses in a clear and concise manner. It compares the risk, threat and value of assets and assigns each asset a numerical value that is easily understood, especially by accountants, CFOs, CEOs and other non-security management personnel. An asset can be an item, a building, an operational element or anything else.
Help When Funding Access Control
For example, when trying to obtain funding for a new access control system or an upgrade to an existing access system, a MEVA assessment can help to justify the expense by showing the value of an asset, compared to other assets.
A MEVA assessment looks at multiple issues to determine how valuable an asset really is. It weighs the issues equally and assigns each one a numerical value. The values are added together for a final value. Things like importance and impact add to value (the more important something is, the more valuable it is) while things like recoverability reduce value (the easier something is to replace, the less value it has). MEVA compares six items: importance, impact, recoverability, vulnerability, accessibility and recognition. Each item gets a numerical score between 1 and 10, so a total score of 60 indicates the greatest value, while a total score of 6 indicates the least value.
The MEVA concept allows comparison of ANY assets, and is especially useful when trying to determine where to spend funds, or to justify where funds were spent.
Subjectivity Comes into Play
Most of the definitions are somewhat subjective.
For importance, if an asset is essential to the mission completion, it rates a 9 or 10. A significant contribution to the mission ranks a 7 or 8, and a moderate contribution to the mission ranks a 5 or 6. A minor contribution to the mission ranks a 3 or 4 and no significant contribution to the mission rates a 1 or 2.
For impact, if loss of the asset causes catastrophic results (death or permanent disability, system loss or major property damage), the asset scores a 9 or 10. If the loss is critical and results in permanent partial disability, major system damage or significant property damage, the asset scores a 7 or 8. Marginal results, with minor injury, minor system damage or minor property damage, rate a 5 or 6. Negligible results, requiring first aid or minor medical treatment, or causing minor system impairment, rate a 3 or 4.
Recoverability has a major impact on the score.
Even if something is important, easy replacement reduces the value. While many companies put a great deal of importance on the network printer, the loss of a printer is easily remedied. Recoverability scores range from a 9 or 10 for replacement, repair, or substitution requiring one month or more to a 1 or 2 for same-day replacement, repair, or substitution.
Likewise, vulnerability scores range from a 9 or 10 for an asset that is extremely vulnerable to the capabilities of identified terrorists to a 1 or 2 for an asset that is not vulnerable to the capabilities of the identified terrorists.
Is It Easy to Get To?
The easier an asset is to get to, the more easily it can be damaged. Accessibility scores a 9 or 10 for those assets that are easily accessible, and a 1 or 2 for assets that are not accessible or are inaccessible without extreme difficulty. The harder it is to get to, the safer it is.
Recognition is also an issue. The more recognizable an asset is, the greater the risk is. If an asset and its function are clearly recognizable and it requires little or no knowledge for recognition, it rates a 9 or 10. A 1 or 2 is given if the asset and its function cannot be recognized under any conditions, except by experts.
Once all six issues are addressed, the scores are tabulated and a final value score is obtained. MEVA can be used to compare almost anything.
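The tabulation described above, as an added Python example that is not part of the original article: it validates the six 1-to-10 scores, totals them, ranks assets, and breaks down why one asset outranks another. The asset names, their scores, and the tie-break by name are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# The six MEVA items named in the article, each scored 1-10.
FACTORS = ("importance", "impact", "recoverability",
           "vulnerability", "accessibility", "recognition")

@dataclass(frozen=True)
class MevaScore:
    asset: str
    importance: int
    impact: int
    recoverability: int  # 9-10 = a month or more to replace, 1-2 = same day
    vulnerability: int
    accessibility: int
    recognition: int

    def __post_init__(self):
        # Reject anything outside the article's 1-10 scale so totals stay in 6..60.
        for name in FACTORS:
            value = getattr(self, name)
            if isinstance(value, bool) or not isinstance(value, int) \
                    or not 1 <= value <= 10:
                raise ValueError(f"{self.asset}: {name} must be an integer "
                                 f"from 1 to 10, got {value!r}")

    @property
    def total(self) -> int:
        return sum(getattr(self, name) for name in FACTORS)

def rank(assets):
    """Highest total first; ties ordered by asset name (an assumption)."""
    return sorted(assets, key=lambda a: (-a.total, a.asset))

def compare(a, b):
    """Per-item difference a - b, to show which items drive the gap."""
    return {name: getattr(a, name) - getattr(b, name) for name in FACTORS}

# Constructed sample scores; a real assessment supplies its own.
SAMPLE = [
    MevaScore("Network printer", 7, 3, 1, 5, 9, 9),
    MevaScore("Data center entry", 9, 7, 9, 6, 4, 5),
    MevaScore("Visitor lobby", 4, 5, 3, 6, 10, 10),
]

if __name__ == "__main__":
    ranked = rank(SAMPLE)
    for a in ranked:
        print(f"{a.total:2d}/60  {a.asset}")
    print(compare(ranked[0], ranked[-1]))
```

With these sample scores the printer rates well on importance, accessibility and recognition, yet its same-day recoverability puts it at the bottom of the ranking.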
While not a replacement for a security survey or a threat assessment, MEVA can be a useful tool in the risk assessment process.