All enterprises are vulnerable to security risk

assets and processes, which form the enterprise’s value addition activities.
The organisation’s tangible or intangible assets and processes are classified according to their value or business impact in the company’s operations.
In reality, all enterprises, regardless of size, are exposed to security risk threats.
Enterprise assets may be exposed to security risk threats, which commonly manifest as theft, fraud or corruption.
Root cause analysis generally traces the source of these threats, which can affect the integrity, availability and confidentiality of assets, to human conduct.
Assets, vulnerabilities and human conduct are therefore interrelated, but in general a vulnerability is a weakness in an asset or a process that a threat can take advantage of in order to materialise.
Common terms associated with vulnerabilities include security lapses, loopholes, security breaches and connivance, to mention a few.
A security lapse or loophole in the protection of an asset or process may lead to actual loss, occasioned through human conduct in the form of theft, fraud or corruption.
The existence of a vulnerability does not necessarily mean that a threat will occur; it is a pointer to the probability of occurrence, judged against the existing functional security requirements and internal controls.
In other words, “uncertainty” of an event occurring forms the basis of risk management.
Security-conscious management and entrepreneurs will therefore take proactive and reactive measures to prevent or minimise the possibility of a vulnerability being exploited.
Such measures take the form of appropriate defence-in-depth functional security protective measures and internal controls, the scope of which is determined by the vulnerability rating.
In practice, these measures include target hardening and removal through physical security actions, deployment of competent security personnel, access control management systems, key management requirements and cash handling systems.
Others include security checkpoints, surveillance and intelligence gathering systems, incident response systems, critical path transaction processing systems, IT security intelligent systems, management and supervisory controls.
Probability of occurrence depends mainly on the effectiveness of existing controls, and is estimated from past incidents, audit reports and the generally prevailing security circumstances.
Watching the horizon is therefore important in order to be aware of current security issues.
A periodic security risk vulnerability assessment should be carried out by a Security Risk Champion in association with other functions of the organisation notably human resources, audit and risk, finance, IT, operations, procurement or the entrepreneur to provide integration, co-ordination and consolidation.
Because today's supply chain processes are mostly IT-driven, it is imperative to enlist the services of an IT security expert to conduct the IT transaction-processing part of the vulnerability assessment.
It should also be noted that some internal and external elements carry out vulnerability assessments of their own, either independently or in cahoots with each other, for mala fide purposes.
Inside jobs and connivance are not uncommon in organisations.
Some employees who enrich themselves through vulnerability exploitation may resist or refuse upgrading or transfer, or even quit the job and later continue exploiting the vulnerability from outside!
In some instances the vulnerability assessment programme may face resistance or unnecessary delays due to conflicting motives and power sources within the organisation.
The methods and techniques of vulnerability assessment are not covered in this article due to space limitations.
Failure to carry out a security risk vulnerability assessment can result in security effort being expended on wrong assumptions, which may leave leakages with consequent impact on asset integrity, availability and confidentiality.
This could be detrimental to the survival and growth of the organisation, particularly if the rate of loss occurrence is high and frequent in the absence of effective functional security requirements.

Dimax Musonza is the Managing Consultant of Checkmate Security Risk Management Consultancy. E-mail: [email protected]
