Lessons Learned From Security Vulnerability Assessment Program Implementation in the Petroleum Sector Since 9-11

Abstract

Abstract Corporate security programs include a wide variety of measures and implementation approaches yielding differing results. Security vulnerability assessments (SVAs) are an important component of effective and robust security programs and multiple methodologies exist to conduct these analyses. The majority of these methodologies are derived from governmental standards and expectations, professional societies, and corporate best practices. Methodologies for the petroleum sector are summarized and outlined in the 2005 API Security Guidelines for the Petroleum Industry1. SVA's generally evaluate risks in terms of likelihood (L) and consequence (C), where likelihood is a function of target attractiveness (AT), threat (T), and vulnerability (V). Although these elements are reasonably consistent, implementation approaches taken by various industry sectors can vary significantly depending upon the overall threat and risk factors present for that industry. Fit for purpose customization is common in the petroleum industry. Customized approaches to overall SVA program management, assessment execution and the methodologies used (including asset characterization, threat assessment, vulnerability analysis, risk assessment, and countermeasures analysis and implementation) occasionally yield differing results. The effectiveness of these processes are directly related to practitioners knowledge base (e.g., familiarity with the specific risk assessment methodology being used), historical experience in conducting SVAs, and engagement at the operating line level in both initial execution and follow-up. An important concept related to fit-for-purpose customization involves close coordination between government and private sector representatives to develop and align SVA approaches that are consistent and interpretable across various sectors and still meet the needs of the involved entities.