Vulnerability and Threat Assessments for Higher Ed

What Are They, and Why Do I Care? I Have a Pandemic to Deal With!

— by Scott Ondik PE, CPP, RCDD and Randy Riley PSP

Security Consultants Scott Ondik and Randy Riley discuss higher education campus vulnerability and threat assessments, addressing what areas of vulnerability are critiqued during the assessment, why these assessments are particularly important to college or university settings, which key members within an institution are involved in the process, and how the assessments help make campuses safer for their population.

Scott: Randy, how do you describe a vulnerability and threat assessment?

Randy: To best explain a vulnerability and threat assessment (VTA), let’s outline the key components and differences between a vulnerability and a threat. A vulnerability is a weakness or exposure that allows a threat to occur, whereas a threat is something that can exploit a vulnerability and cause harm to an asset. An example of a threat would be a COVID-19 outbreak on campus. A related vulnerability would be large groups of people gathering in small spaces.

A VTA is performed to analyze safety and security risk and potential negative impact on assets. Assets include not only property, but people and information (such as software or databases).

The VTA evaluates numerous factors, including assets, critical area exposure, electronic and physical security, property location, crime trends, operational procedures, preparedness training, and the established policies of the campus. Once the vulnerabilities and threats are identified, their probability and associated negative impacts can be determined, and the overall risks can be evaluated.

The assessment results allow for the development of appropriate risk mitigation or remediation methods. The process can be represented graphically using a VTA Life Cycle model. This graphic may look familiar, as the Centers for Disease Control and Prevention calls it the Vulnerability Management Life Cycle and has applied it to the COVID-19 crisis. It works equally well as a VTA model.

Randy: Why is a VTA important for higher education campuses?

Scott: Of course, a primary goal of higher education facilities is to keep their students, faculty, and staff safe. Considering that a higher education campus is often its own “city,” this presents numerous challenges. A significant hurdle may be balancing an open, welcoming campus environment with a high level of safety and security. Open campuses are inherently more difficult to secure than closed facilities with limited access points. Additionally, campuses need to be aware that their property, information, and critical assets could be vulnerable to threats as well. The VTA plays a crucial role in identifying key areas of vulnerability and affords campus leaders the opportunity to take proactive corrective actions based on the findings of the assessment. Safety and security on campuses will be improved by implementing commensurate risk mitigation measures when deficiencies are identified through a VTA.

Scott: Randy, as some of our readers have probably never performed a VTA, can you explain the steps that would apply when performing a higher education campus VTA?

Randy: The assessment process is comprehensive and includes numerous stakeholders and aspects of the campus. The first step is to look for vulnerabilities from the “outside in,” which is ideally from a potential threat or intruder’s perspective. Then, review the various mitigation measures and safety features, which include perimeter security and controlled access, campus lighting, emergency phones, mass notification systems, emergency training schedules, and campus police and security staff functions. Electronic security systems must be evaluated, including access control, intrusion detection, duress alarms, and video surveillance. Regarding physical security, key areas looked at during the assessment include residence halls, areas frequently traversed, parking lots and garages, and stadiums and locations on campus that house critical equipment such as labs and data centers. Operational aspects are another key area covered during the assessment. This includes a comprehensive review of established security standard operating policies and procedures as well as a review of the campus’s emergency preparedness plan. When beginning the VTA process, institution stakeholders should be engaged by a security professional to develop a collaborative and accurate fact-finding process.

Randy: What key personnel from the campus need to be involved?

Scott: I believe a successful VTA should include interactive meetings with key campus administrators, information technology and facilities staff, and department directors as well as campus security and police management personnel. Engagement with local authorities and first responders is extremely critical for understanding the interactive relationship between the campus and emergency personnel. Valuable information is discovered during meetings and interviews with the various stakeholders that provides the security professional a comprehensive understanding of the current security program, current processes, essential needs, and vulnerable areas of the campus.

Scott: Lastly, Randy, how would you explain the VTA’s contribution to the higher education campus’s overall emergency plan?

Randy: A higher education provider’s emergency preparedness plan must address a broad range of major emergencies, including fires, extended power outages, criminal activity, hazardous chemical releases, security breaches, financial malfeasance, medical and emergency medical response, weather, and other events impacting the life and safety of the campus population. That said, with everything going on in the world with respect to the COVID-19 outbreak, we have never faced more challenges with respect to keeping our campus populations safe. The effect of COVID-19 has caused school administrators, security professionals, and really anyone in positions where the safety of others is a priority, to consider a more balanced, thoughtful, and all-encompassing approach to safety measures.

The preparedness plan must also consider impact on business continuity as a result of an emergency and define how the campus and staff are to respond both during and following the adverse condition. Considering the wide range of subjects and potential scenarios the emergency plan is required to cover, the VTA will evaluate and address many important factors that play into a campus’s overall preparedness for emergency situations.

Scott Ondik is a senior IT and security designer with NV5 Engineering & Technology (formerly The Sextant Group) in Denver, CO. Randy Riley is a security practitioner in Las Vegas, NV. This article was first published in the September/October issue of APPA’s Facilities Manager magazine.
