Cover: Finding and Fixing Vulnerabilities in Information Systems

Finding and Fixing Vulnerabilities in Information Systems

The Vulnerability Assessment and Mitigation Methodology

Published 2004

by Philip S. Anton, Robert H. Anderson, Richard Mesic, Michael Scheiern


View Online

VAMM Tool Download

Download eBook for Free

Full Document

FormatFile SizeNotes
PDF file 1.5 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.

Summary Only

FormatFile SizeNotes
PDF file 0.5 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.


Purchase Print Copy

 Format Price
Add to Cart Paperback143 pages $24.00

Understanding an organization’s reliance on information systems and how to mitigate the vulnerabilities of these systems can be an intimidating challenge — especially when considering less well-known weaknesses or even unknown vulnerabilities that have not yet been exploited. The authors, understanding the risks posed by new kinds of information security threats, build on previous RAND mitigation techniques by introducing the Vulnerability Assessment and Mitigation (VAM) methodology. The six-step procedure uses a top-down approach to protect against future threats and system failures while mitigating current and past threats and weaknesses. The authors lead evaluators through the procedure of classifying vulnerabilities in their systems’ physical, cyber, human/social, and infrastructure elements, and identifying which security techniques can be relevant for these vulnerabilities. The authors also use VAM to break down information compromises into five fundamental components of attack or failure: knowledge, access, target vulnerability, non-retribution, and assessment. In addition, a new automated tool implemented as an Excel spreadsheet is discussed; this tool greatly simplifies using the methodology and emphasizes analysis on cautions, risks, and barriers.

The research described in this report was sponsored by the Defense Advanced Research Projects Agency. The research was conducted the RAND National Defense Research Institute, a federally funded research and development center supported by the Office of the Secretary of Defense, the Joint Staff, the unified commands, and the defense agencies.

This report is part of the RAND monograph report series. The monograph/report was a product of RAND from 1993 to 2003. RAND monograph/reports presented major research findings that addressed the challenges facing the public and private sectors. They included executive summaries, technical documentation, and synthesis pieces.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.