SEC401 Threat and VulnerabilityManagementCopyright ©201.docx

SEC/401 Threat and Vulnerability
Management
Copyright ©2018 by University of Phoenix. All rights reserved.
SYLLABUS
Course Description
This course highlights a methodical approach to security
management. Students will learn the steps necessary to carrying
out a comprehensive security risk assessment with consideration
for physical facilities, personnel, equipment, and
operating systems. Students will evaluate techniques and
current trends for identifying and managing security risks and
vulnerabilities associated with potential threats.
Course Dates
Aug 14, 2018 - Sep 17, 2018
Faculty Information
• Academic Policies
• Instructor Policies
University policies are subject to change. Be sure to read the
policies at the beginning of each class. Policies may be
slightly different depending on the modality in which you attend
class. If you have recently changed modalities, read the
policies governing your current class modality.
Academic Resources
• Student Program Handbook

Instructions
Review the Student Program Handbook.
• Learning Team Toolkit
Instructions
Review the Learning Team Toolkit.
• Web Links Library
Instructions
View the Web Links Library.
Get Ready for Class
• Familiarize yourself with the textbooks used in this course.
Instructions
Broder, J. F., & Tucker, E. (2012). Risk analysis and the
Security Survey (4th ed.). Waltham, MA: Elsevier.
White, John M. (2014). Security Risk Assessment: Managing
Physical and Operational Security (1st ed.). Butterworth-
Heinemann.
Course Materials
All electronic materials are available on your student website.
Faculty and students/learners will be held responsible for
understanding and adhering to all policies contained within the
following two documents (both located on your student
website):
Policies
George Gallitano, PhD (PRIMARY)Name :
Email Address :
Phone Number : (781) 854-1659
https://ecampus.phoenix.edu/secure/aapd/CSS/Handbooks/index.

html
https://ecampus.phoenix.edu/content/material/materialhandler.as
px?contentTypeID=1&urlSource=https://www.apollolibrary.com
/LTT/lttauth.aspx
https://ecampus.phoenix.edu/secure/aapd/CJ/CJCourseWebLinks
/
Week1 Aug, 14 - Aug, 20
Threat and Risk Assessment
Tasks
1.1 Evaluate the process and various steps of a security risk
assessment.
1.2 Identify types of assets and loss implications.
1.3 Identify methods of collecting intelligence and identifying
potential threats.
1.4 Determine general and specific types of threats to which
businesses, facilities, organizations or individuals might be
exposed.
1.5 Estimate the probability and criticality of threats to
determine risk.
1.6 Identify the value of prioritizing threats based on risk.
Objectives/Competencies
Required Learning Activities
• Week One Watch Me First
Watch the Week One Watch me First.
Instructions
• Risk Analysis and the Security Survey, Ch. 2

• Security Risk Assessment, Ch. 1
• Week One Electronic Reserve Readings
Read this week's Electronic Reserve Readings.
Instructions
• Courtroom Security
Watch the "Courtroom Security? What Every Cop Should Know:
In the Line of Duty" video.
Instructions
Assignments
See the student website for additional recommended learning
activities that may help you learn this week's concepts.
Title Type Due Points
Week One Participation
Instructions:
Participate in class discussion.
Individual Aug 20, 2018 11:59 PM 4
• Getting Started with VitalSource
http://www.apollolibrary.com/Library/err/goerr.aspx?s=1006&fr
mCourse=6108&frmWeek=1&header=0
https://contentproxy.phoenix.edu/login?url=https://fod.infobase.
com/PortalPlaylists.aspx?aid=7967&xtid=52618

Threat and Vulnerability Assessment
Instructions:
Select an organization in your area that you feel is in need of
additional
security. You will use this organization for the individual
assignments in
Week One, Two, and Three.
Complete the Week One section of the Security Assessment
Worksheet.
Apply the principles of threat and risk assessment to the
organization.
Write a 700- to 1,050-word paper discussing how security
officials
determine natural, human-made, and technological threats and
risks. Include the following in your paper:
• Types of assets and their characterizations including loss
implications
• General and specific types of interior and exterior threats
• The completed Week One section of the Security
Assessment
Worksheet, submitted as an appendix in the paper
Format your paper consistent with APA guidelines.
Click the Assignment Files tab to submit your assignment.
Week2 Aug, 21 - Aug, 27
Vulnerability Assessment
2.1 Research and evaluate physical security measures in the
greater area, surrounding area, on a facility premises and
within an organization's area of responsibility.
2.2 Evaluate internal security risks and vulnerabilities.
2.3 Identify vulnerabilities associated with information systems,
technology, and cyber threats.

2.4 Research and determine vulnerabilities related to physical
terrain or geographic location.
2.5 Assess security measures used by businesses, facilities,
organizations, or individuals.
2.6 Determine risks and vulnerability associated with work
behaviors.
• Week Two Watch Me First
Watch the Week Two Watch me First.
Instructions
• Week Two Electronic Reserve Readings
Instructions
http://myresource.phoenix.edu/secure/resource/SEC401r2/sec40
1_r2_security_assessment_worksheet_week1.doc

• Peter Jennings Reporting
Watch the "Peter Jennings Reporting? No Place to Hide" video.
Instructions
Assignments
Week Two Participation
Instructions:
Learning Team Charter
Instructions:
Submit the Learning Team Charter.
Learning
team
Aug 27, 2018 11:59 PM 2
Vulnerabilities Assessment
Instructions:
Use the organization you selected in Week One.
Complete the Week Two section of the Security Assessment
Worksheet.
Write a 1,050- to 1,400-word paper that discusses how security
officials
determine vulnerabilities to natural, human-made, and
technological
threats. Include the following in your paper:

• Vulnerabilities associated with informational,
technological, natural,
and human-made threats
• Vulnerabilities associated with personnel and work
behaviors
• Transportation vulnerabilities
• Socio-economic and criminal activity factors associated
with the
environment surrounding the area
• Vulnerabilities associated with neighboring businesses
• The completed Week Two section of the Security
Assessment
https://ecampus.phoenix.edu/content/material/materialhandler.as
px?contentTypeID=1&urlSource=https://www.apollolibrary.com
/LTT/lttauth.aspx
Week3 Aug, 28 - Sep, 03
Managing Vulnerabilities and Applying Countermeasures
3.1 Examine risk management options for security.
3.2 Create plans for countermeasures, recovery, and operational
back-up.

3.3 Evaluate the pros and cons of working from a floor plan for
security application.
3.4 Examine the application of countermeasures for physical,
personal, and information security threats.
3.5 Recall testing and measurement methods, reliability, and
validity for meeting security goals, objectives, and metrics.
3.6 Evaluate the effectiveness of physical, personal, and
information security systems.
3.7 Assess overall strengths and weakness of a comprehensive
security system.
3.8 Perform a cost-benefit analysis to include actual benefits as
well as estimated benefits through deterrence.
• Week Three Watch Me First
Watch the Week Three Watch me First.
Instructions
• Week Three Electronic Reserve Readings

Instructions
Assignments
Week Three Participation
Instructions:
Individual Sep 03, 2018 11:59 PM 4
Countermeasures’ Strengths and Weaknesses
Instructions:
Review Category 4 in the Security Assessment Checklist.
Research modern security countermeasures associated with
Category
4: Physical Security.
Create a 5- to 7-slide presentation summarizing the strengths
and
weaknesses associated with the modern physical security
countermeasures found in your research.
Format your presentation consistent with APA guidelines.
Learning
team
Sep 03, 2018 11:59 PM 5

Managing Vulnerability
Instructions:
Resource: University of Phoenix Material: Floor Plan
Use the organization you selected in Week One.
Complete the Week Three sections of the Security Assessment
Worksheet.
Write a 1,050- 1,400-word paper that discusses how security
officials
manage identified vulnerabilities regarding natural, man-made,
and
technological threats. Include the following in your paper:
• The role and effectiveness of on-site security personnel
• Appropriate countermeasures based on risk and
vulnerabilities
• How to communicate priorities effectively to stakeholders
• A cost estimate and a description of the benefit in relation
to the
selection of countermeasures
• Risk management options
• Recovery and operational backup plans
• How to evaluate the effectiveness of the security program
• The completed Week Three section of the Security
Assessment
Create a representation of the organization's floor plan that
includes the
current security countermeasures.
Include this representation as an appendix to your paper.
Week4 Sep, 04 - Sep, 10
Criminal Activity and Terrorism

4.1 Assess the deterrent effect on crime and terrorist activity
associated with the application of a methodical and
comprehensive security plan.
4.2 Analyze case studies involving crimes against property.
4.3 Evaluate case studies involving crimes against persons.
4.4 Analyze incidents of terrorist activity and assess
vulnerabilities associated with each target or asset.
4.5 Compare the benefits and limitations of prevention vs.
enforcement.
• Week Four Watch Me First
Watch the Week Four Watch me First.
Instructions
1_r2_security_assessment_checklist_week3.doc
1_r2_floor_plan_week3.doc

• Week Four Electronic Reserve Readings
Instructions
• The Interrogator
Watch the "The Interrogator" video.
Instructions
Assignments
Week Four Participation
Instructions:
Security Assessment
Instructions:
Choose one of the following organizations for this assignment:
• Bank
• Hospital
• Prison
• Industrial complex
• Retail shopping center
Conduct a security assessment of the organization.
Write a 700- to 1,050-word assessment of threats, estimated
risk, and
vulnerabilities.

Include at least two threats associated with terrorism, two
threats
associated with crime, and two nature-made threats.
Learning
team
Sep 10, 2018 11:59 PM 5
Terrorism and Criminal Activity
Instructions:
For this assignment, you will choose from the following
options:
• Option 1: Terrorism and Criminal Activity Paper
• Option 2: Terrorism and Criminal Activity Presentation
Read the instructions in the University of Phoenix Material:
Terrorism
and Criminal Activity and select one option to complete the
assignment.
1_r2_terrorism_criminal_activity_ao_week4.doc
1_r2_terrorism_criminal_activity_ao_week4.doc

Week5 Sep, 11 - Sep, 17
Principles of Emergency Management
5.1 Examine the concept of preparedness and describe the
symbiotic relationship this has with effective security
management.
5.2 Evaluate potential risks and emergency management
countermeasures for nature-made incidents.
5.3 Evaluate potential risks and emergency management
countermeasures for human-made incidents.
5.4 Identify key personnel and describe the benefits of an
emergency management team.
5.5 Identify the various elements required for an emergency
management plan.
5.6 Determine what human and tangible resources are needed
and available for emergency response contingencies.
5.7 Evaluate the issues and vulnerabilities associated with
emergency response to include training, resource allocation,
and supervision.
5.8 Assess the elements of a comprehensive evaluation process
for an emergency management plan and describe how
after-action reports can affect the security assessment process.
• Week Five Watch Me First
Watch the Week Five Watch me First.
Instructions
• A Message from the Instructional Designer
Watch the "A Message from the Instructional Designer" video.
Instructions

• Week Five Electronic Reserve Readings
Instructions
• Preparing for Emergencies
Watch the "Preparing for Emergencies: Cutting Edge
Communications Comedy Series" video.
Instructions
Assignments
Week Five Participation
Instructions:

Emergency Management Plan
Instructions:
Apply the Security Assessment Checklist to the organization
your team
selected in Week Four.
Prepare a comprehensive emergency management plan based on
actions to mitigate security threats.
Identify preventative and mitigating actions that will reduce
loss.
Create a 15- to 20- slide presentation detailing an emergency
management plan that will be presented to management.
Address the
following questions in your plan:
• What are the strengths and weaknesses of the organization?
• Who are key personnel and what are the duties associated
with
incident response and recovery?
• What improvements would you make to reduce loss?
• What is the estimated cost for preventing and mitigating
threats?
• What are the estimated savings from applying the
emergency
management plan?
• What is the total cost analysis?
Format your presentation consistent with APA guidelines.
Learning
team
Sep 17, 2018 11:59 PM 25
All trademarks are property of their respective owners.
University of Phoenix® is a registered trademark of Apollo

Group, Inc. in the United States and/or other countries.
Microsoft®, Windows®, and PowerPoint® are registered
trademarks of Microsoft Corporation in the United States and/or
other countries. All other company and product names are
trademarks or registered trademarks of their respective
companies. Use of these marks is not intended to imply
endorsement, sponsorship, or affiliation.
Trademark
1_r2_security_assessment_checklist_week5.doc
Security Assessment Worksheet
SEC/401 Version 2
1
University of Phoenix Material
Security Assessment Worksheet
Instructions
The Security Assessment Worksheet is designed to identify
individual threats specific to your organization of choice. This
worksheet will be submitted as an appendix with your
Individual Assignments in Weeks One, Two, and Three. See p. 2
for an example and a blank matrix to complete.
Weekly Breakdown:
Week One: Threat and Risk Assessment Assignment
Threats should include actions that cause immediate or
impending damage. Risk is estimated by allocating a probability
score on a scale from 1 to 10, where 1 represents a threat that is
least likely to occur and 10 represents a threat that is most
likely to occur. Criticality is estimated on a similar scale, where
a score of 1 represents a threat that causes the least damage and

10 represents a threat that causes the most damage. Add the two
scales to get the estimated risk score. Upon completion, the
ranking score is listed numerically where 1 represents the threat
with the highest risk, followed by 2 representing the second
highest risk score, and so on until all threats are ranked in order
from highest risk to lowest risk.
· Fill in the name of the organization you have chosen.
· List threats specific to the organization
· Add risk scores and rankings with scores specific to the
threats.
· Submit the Security Assessment Worksheet as an appendix in
the Week One assignment.
Week Two: Vulnerability Assignment
· Consider the vulnerability gaps associated with the chosen
organization; these include vulnerabilities associated with crime
trends, terrain, geographical location, weather patterns, and so
on.
· List current vulnerabilities under the Vulnerabilities column.
· Submit the Security Assessment Worksheet as an appendix to
the Week Two assignment.
Week Three: Managing Vulnerabilities and Applying
Countermeasures
· Apply countermeasures to prevent or mitigate the risk and
vulnerability associated with each threat.
· List countermeasures and the estimated cost under the
Countermeasures & Cost column.
· Submit the Security Assessment Worksheet as an appendix to
the Week Three assignment.
See the next page for an example Security Assessment Table
and the blank table for you to complete.
Example:

Organization Name and Address
ABC Bank, 100 Main Street, New York, NY
Week 1: Threat and Risk Assessment Paper
Week 2: Vulnerability Paper
Week 3: Managing Vulnerabilities and Applying
Countermeasures Paper
Threat
Risk
Priority
Rank
Vulnerabilities
Countermeasures & Cost
Probability
Criticality
Total
Bomb
3/10
9/10
12/20
2
Limited road to building distance, older structure
Bi-weekly Bomb detection canines, bollards
Estimated Cost:
Canines = $900/month; Bollards = $1,500
Robbery
7/10
7/10
14/20
1
No video cameras (CCTV), direct access to freeway

Silent alarms, CCTV
Estimated Cost:
CCTV = $3,000
Sniper Attack
1/10
7/10
8/20
3
Many high buildings with direct line of sight
Bullet proof glass
Estimated Cost:
Bullet proof glass = $2,000
Week 2: Vulnerability Paper
Week 3: Managing Vulnerabilities and Applying
Countermeasures Paper
Threat
Risk
Priority
Rank
Vulnerabilities
Countermeasures & Cost
Probability
Criticality
Total

Jeremia Hall
SEC/401
August 20, 2018
George Gallitano
1

2
One of the pillars of a security professional inside of a company
is to identify threats that will affect its resources and assets.
After the threats to the business has been determined by the
security department the next step is to identify the level of risk
that will be associated with the damage, theft, misuse or
destruction of the resource and provide an analysis to the
leadership. It is essential for security professionals to take
preventative measures to mitigate
Risk Identification
“The objective of risk identification is to understand what is at
risk within the context of the organizations explicit and implicit
objectives and to generate a comprehensive inventory of risks
based on the threats and events that might prevent, degrade,
delay or enhance the achievement of the objectives”
(web.actuaries.ie, n.d., para. 1). It is designed to help security
professionals understand what resources are at risk within both
internal and external to the organization. It is important security
personnel have the basic understanding of the resources of an
organization before they can identify the threats and risks that
are associated with each. There is three main aspect to look at
during the risk identification process: assets, exposure, and
losses. According to Broder and Tucker (2012), “Risk control
begins, logically, with the identification and classification of
the specific risks that exist in a given environment” (p. 9). To
initiate the identification process first a thorough risk
assessment needs to be conducted and will encompass
personnel, networks and policies and procedures (Broder &
Tucker, 2012). The next logical step in the process according to
Broder & Tucker (2012) is to “determine the exposure of the

organization. Security personnel should ask questions such as
what are the company exposures? How does it contribute to
damage, theft, loss of assets and personnel? “(p. 9.). Lastly, the
last consideration identified is losses. It is essential to compile
historical data from nearby organizations such as the frequency,
magnitude, and range of past losses experienced in the area that
in the same market (Broder & Tucker, 2012). Trends and
analysis may not give the entire picture, but it can provide a
brief snapshot in time to help identify risk, vulnerabilities and
rank them accordingly.
Threat Determination
Natural
It is essential to look at where a company is located
geographically when planning for natural threats. Nelson (2018)
states, “A natural hazard is a threat of a naturally occurring
event that will have a negative effect on humans. This negative
effect is what we call a natural disaster. In other words, when
the hazardous threat happens and harms humans, we call the
event a natural disaster” (para. 1). Why Nelson makes an
excellent point it is not just humans that will be impacted by
natural disasters but a business’s resources such as equipment,
buildings, etc. can be impacted. Natural hazards can come in the
form of earthquakes, tsunami’s, tornados, floods and even
landslides. There will be incidents where a company will be
unable to prevent loss from natural threats. In these types of
situations, it is vital for organizations to try and minimize
damage.
Man-Made
Man-made threats generally consist of bombs, terrorism, and
theft. There are a plethora of examples of this type of threat that
can affect a company and it is up to the security professional to
identify which ones are the most likely to occur.
Bombs. A bomb is a man-made device that is used to inflict
serious bodily harm or significant damage to property. It comes
in many different forms such as I.E.D’s, pressure bombs or just
a plain stick of dynamite. According to the Dictionary (n.d.), “it

is a container filled with explosive, incendiary material, smoke,
gas, or other destructive substance, designed to explode on
impact or when detonated by a timing mechanism, remote-
control device, or lit a fuse.” Security guards that stand watches
such as a gate guard or building should have measures in place
to look for bombs. This can be accomplished by mirrors looking
under cars, bomb-sniffing dogs or even having a vehicle bomb
scanning machine before gaining access to the facility.
Thefts. Thefts occur via internal or external personnel and
can be both physical in nature or through a cyber-attack such as
using ransomware. According to Broder & Tucker (2012).
“Most businesses will take the necessary precautions to protect
themselves against the entry of burglars and robbers onto their
premises” (p. 48). It is common for most companies to have
mitigation procedures in places such as access control both to
spaces and systems, proper combination locks such as X09’s,
security cameras (CCTV) and a roving patrol. These basic
standards will help reduce the amount of internal and external
thefts within the organization.
Technological
Technology is a vital part of how organizations operate
whether it is the Department of Defense, fortune 500 company
or a small local business. With the continued rise of technology
to gain a competitive advantage, security professionals, should
ensure that not only company data but partner and consumer
data are protected. Companies keep personally identifiable
information, assets information, financial records, etc. on
systems that can be compromised if not adequately maintained.
The Chief Security Officer and his/her personnel need to ensure
that the information is safeguarded by keeping patches, software
updates, virus scans and by using Role-Based Access Control
mitigate staff from access unauthorized information or systems.
For example, someone working in the shipping department does
not need access to Human Resources information vice versa.
Lastly having the proper policies in place for strong passwords
and maintaining logs will help reduce the chances of a cyber

threat from infiltrating the company’s systems. If there is a loss
of sensitive information, it could cause grave damage and
unrecoverable damage.
Conclusion
It is paramount that every organization conducts a risk
assessment whether it is a large Department of Defense
organization, fortune 500 company, courthouse, or even a local
shop in the community. Threats come in all forms, and there is
no one size fits all mitigation plan. A company’s security
professionals need to have the realization that there is no
guaranteed solution. However, they must identify and define
both acceptable and unacceptable risk and then implement
mitigation procedures. Without mitigation steps the for the
identified risk it would leave the organization open to natural
disasters, theft, cyber crimes, etc. that places the organizational
security in precarious situations.
Security Measures Worksheet
Shown below is a security measures worksheet that was
conducted for the Snohomish County District Court. It is in
Everett, WA and is in the same building with several different
human service agencies as well as across the street from the
correctional facility. On March 21, 2018, there was a bomb
threat near the courthouse and correctional facility that required
an entire block to be shut down, some personnel to evacuate and

others to remain in place until the threat was cleared.
Snohomish County District Court, 3000 Rockefeller Ave,
Everett, WA, 98201
Threat
Risk
Priority
Rank
Probability
Criticality
Total
Robbery
3/10
4/10
7/20
3
Active Shooter
5/10
10/10
15/20
1
Bomb
3/10
10/10
13/20
2

References
Broder, J. F., & Tucker, E. (2012). Risk analysis and the
security survey (4th ed.). Waltham, MA: Elsevier.
Dictionary (n.d.). Retrieved from
https://www.google.ca/search?rlz=1C1AZAA_enUS744US745&
ei=FeZ6W7yqKorI8AO
ugpQI&q=definition+of+a+bomb&oq=definition+of+a+bomb&g
s_l=psy-
ab.3..0l3j0i22i30k1l5j0i22i10i30k1j0i22i30k1.128257.133741.0
.134470.24.20.1.0.0.0.442.3328.0j3j5j3j1.12.0....0...1c.1.64.psy
ab..11.13.3339...0i13k1j0i13i30k1j0i13i10i30k1.0.Muk_u5WvQ
Do
Herald Staff. (2018). Bomb threat clears lobby at the Snohomish
County Jail. Retrieved from
https://www.heraldnet.com/news/suspicious-package-found-at-
jail-bomb-squad-
responding/
Margaret Rouse. (2018). role-based access control (RBAC).
Retrieved from
https://searchsecurity.techtarget.com/definition/role-based-
access-control-RBAC.
Nelson, S.A. (2018). Natural Hazards and Natural
Disasters. Retrieved from
https://www.tulane.edu/~sanelson/Natural_Disasters/introductio
n.htm
web.actuaries.ie(n.d.). Risk Identification. Retrieved from
https://web.actuaries.ie/sites/default/files/erm-
resources/risk_identification.pdf

SEC401 Threat and VulnerabilityManagementCopyright ©201.docx

Recommended

Recommended

More Related Content

Similar to SEC401 Threat and VulnerabilityManagementCopyright ©201.docx

Similar to SEC401 Threat and VulnerabilityManagementCopyright ©201.docx (20)

More from rtodd280

More from rtodd280 (20)

Recently uploaded

Recently uploaded (20)

SEC401 Threat and VulnerabilityManagementCopyright ©201.docx