The role of vulnerability in risk management

Abstract

The treatment of vulnerability at the 1988 Risk Model Builders' Workshop is examined, and a definition of vulnerability that is intuitively satisfying and provides a foundation upon which mathematical models can be built is developed. Two vulnerability models that together appear to capture the general conceptualizations of vulnerability espoused by other authors are presented. The authors also discuss the ongoing development of their expert system for risk management (M/sup 2/RISK), which will utilize knowledge about vulnerabilities of information systems and their components. M/sup 2/RISK is designed to eventually function as a full risk-management system with interface tools that will allow rapid specification of systems and easy management of system changes, and generally aid the risk-management process.<>