# Vulnerability Assessment
By:: [[Ross Jackson]]
2024-12-29
As the saying goes, a chain is only as strong as its weakest link. This could be a society, military, supply chain, organization, sports team, or person. Whatever “it” is, it will only be as strong as its weakest part. To understand the location of this weakness, one must conduct a vulnerability assessment. Once identified, one can determine what, if anything, is to be done to address it. Perhaps that element can be eliminated. This would “shorten” the chain by omitting the weakest link. Maybe one will focus attention on the weak element and improve its performance. One could potentially add redundancy so that if the weakest link fails, another path will be available to ensure performance. Doing any of these can improve the situation, but it does not solve the problem. There will always be a weakest part of a system. Always.
Systems are inherently both robust and vulnerable. An issue associated with vulnerability assessments is that when members within a system conduct them, those members often have other work for which they are responsible. Time spent on conducting a vulnerability assessment is not spent on work execution. Often, this means that the vulnerability assessment is conducted sporadically and superficially. Even if the vulnerability assessment is conducted by people external to the system, a host of biases contribute to the organization largely ignoring the results.
An effective way of conducting a vulnerability assessment is to allow an outsider to attempt to break the system. If the system is broken, it can’t be ignored. Such an outcome shows that the system is vulnerable and that exploiting that vulnerability can be consequential. This approach can be made even more effective if the outsider’s compensation is based on the ability to locate and exploit the weakest link. This approach is rare for several reasons. First, breaking the system produces inefficiencies. Second, the organization might not want to know. There is a human tendency to prefer to think everything is okay rather than knowing it isn’t. As such, organizations might conduct vulnerability assessments in a way that confirms either that there are no vulnerabilities or that the identified vulnerabilities can be effectively managed.
Vulnerabilities will always exist. Vulnerabilities can always be exploited. Any system can be infiltrated and coopted. A vulnerability assessment can identify what areas need to be improved and how the system can become more adaptable. Doing so requires a degree of inefficiency. This is challenging for organizational executives to accept. Ignoring this reality is perhaps the organization’s weakest link.
#### Related Items
[[Assessments]]
[[Strategy]]
[[Organization]]
[[Weakness]]
[[Systems Thinking]]
[[Efficiency]]