Journal	of	Physical	Security	12(3),	30-32	(2019)	
	
	
Viewpoint	Paper	
	
	
Design	Reviews	Versus	Vulnerability	Assessments	for	Physical	Security*	
	
	
Roger	G.	Johnston,	Ph.D.,	CPP	
Right	Brain	Sekurity	
http://rbsekurity.com	
	
	
				A	Vulnerability	Assessment	(VA)	involves	identifying	and	perhaps	testing/demonstrating	
security	flaws	and	likely	attack	scenarios,	then	recommending	changes	to	how	the	security	
device,	system,	or	program	is	designed	or	used.		This	is	done	in	hopes	of	improving	
security.			
	
				Getting	security	managers	and	organizations	to	pursue	a	VA	can	be	challenging.		For	one	
thing,	VAs	often	get	confused	with	other,	more	familiar	and	comfortable	analysis	
techniques that either (1) aren't primarily about vulnerabilities at all, or (2) do have
something	minor	to	say	about	vulnerabilities	but	aren't	typically	very	good	at	profoundly	
uncovering	new	vulnerabilities.[1,2]		For	example,	a	VA	is	not	a	“test”	or	a	“certification”	
process	for	a	security	product	or	program.		It	is	something	quite	different	from	“Red	
Teaming”,	penetration	testing,	security	surveys,	Threat	Assessments,	Risk	Management,	
fault/event	trees,	and	Design	Basis	Threat—though	these	things	might	well	be	worth	doing.	
		
    Another impediment to arranging for VAs is that they are typically time-consuming and
relatively expensive.  This is especially true given that VAs should ideally be done
periodically and iteratively from the earliest design stage through marketing and deployment of a
new	security	product,	system,	strategy,	or	program.			
	
				Perhaps	more	daunting,	VAs	are	often	feared	by	security	managers	and	organizations	
because	an	effective	VA	will	inevitably	uncover	multiple	vulnerabilities.		In	my	view,	this	is	
the	wrong	mindset	for	thinking	about	security,	but	it	nevertheless	is	quite	common.		
Finding	a	vulnerability	is	actually	good	news	because	vulnerabilities	are	always	present	in	
large	numbers,	and	finding	one	means	we	can	potentially	do	something	about	it.		Moreover,	
it	is	my	experience	that	serious	vulnerabilities	can	often	be	mitigated	or	eliminated	with	
simple	changes	to	the	design	of	a	security	product/program,	or	how	it	is	used.		But	the	
security	improvements	aren’t	possible	if	the	vulnerabilities	go	unrecognized!	
	
				I	have	found	that	many	security	managers	and	organizations	are	much	more	comfortable	
with	a	“Design	Review”,	rather	than	a	Vulnerability	Assessment.		Arranging	for	a	review	of	
the	design	of	a	security	product,	system,	strategy,	or	program	is	more	familiar—and	a	
whole lot less scary—than targeting security flaws.  In a Design Review, there is a brief
review of the design and engineering issues, and then recommendations are offered for
improving the design or the use protocol.  Fewer vulnerabilities, attack scenarios, and
countermeasures are developed in a Design Review than for a VA, and they are typically
not tested or demonstrated like in a VA.

________________
*This paper was not peer reviewed.
	
				While	a	Design	Review	will	not	permit	as	deep	an	understanding	of	vulnerability	issues	
as	a	VA,	it	still	offers	the	security	manager	or	organization	the	opportunity	to	improve	their	
security	at	modest	cost	in	a	short	period	of	time.		Moreover,	in	my	experience,	about	half	of	
the	organizations	that	arrange	for	a	Design	Review	eventually	commission	a	Rudimentary	
Vulnerability	Assessment	(RVA)	or	a	Comprehensive	Vulnerability	Assessment	(CVA)	once	
they	see	the	results	and	recommendations	from	the	Design	Review,	and	that	those	results	
aren’t	all	that	frightening.		Most	of	the	work	that	went	into	the	Design	Review	is	directly	
applicable	to	conducting	either	a	RVA	or	a	CVA.		The	main	differences	between	a	RVA	and	a	
CVA	are	time,	cost,	and	the	number	of	vulnerabilities,	attacks,	and	countermeasures	that	
can	be	found	and	demonstrated.		
	
				An	alternative	to	a	Design	Review	is	a	Market	Analysis	where	a	new	security	product	is	
compared	to	existing	products.		Potential	applications	and	end	users	are	also	identified.		A	
Market Analysis can be a relatively non-frightening way to introduce some vulnerability
issues	and	potential	countermeasures	without	seeming	to	overtly	criticize	the	security	
product	or	service.			
	
				The	bottom	line:		sometimes	a	Design	Review	or	a	Market	Analysis	can	sneak	in	
information	about	vulnerabilities,	attack	scenarios,	and	possible	countermeasures	in	a	
more	palatable	way	than	a	Vulnerability	Assessment.		This	can	be	helpful	for	security	
managers	and	organizations	who	are	hesitant	or	fearful	of	learning	about	their	security	
vulnerabilities,	or	don’t	have	the	time	or	funding	for	a	true	Vulnerability	Assessment.	
	
	
	
About	the	Author	
					
    Roger G. Johnston, Ph.D., CPP is head of Right Brain Sekurity (http://rbsekurity.com), a
company	devoted	to	design	reviews,	vulnerability	assessments,	market	analyses,	and	R&D	
for	physical	security.		LinkedIn:		http://www.linkedin.com/in/rogergjohnston.	
	
		
	
References	
	
1.		RG	Johnston,	“Being	Vulnerable	to	the	Threat	of	Confusing	Threats	with	Vulnerabilities”,	
Journal	of	Physical	Security	4(2),	30-34,	2010,	http://jps.rbsekurity.com.	
	
2.		RG	Johnston	and	JS	Warner,	“Debunking	Vulnerability	Assessment	Myths”,	
SecurityInfoWatch,	August	6	&	13,	2013,		
Part 1: http://www.securityinfowatch.com/article/11078830/experts-discuss-commonly-held-misconceptions-about-vulnerability-assessments
Part 2: http://www.securityinfowatch.com/article/11108983/experts-discuss-the-characteristics-of-good-vulnerability-assessors
