Finding and Fixing Vulnerabilities in Information Systems

The Vulnerability Assessment and Mitigation Methodology

by Philip S. Anton, Robert H. Anderson, Richard Mesic, Michael Scheiern


Read Online Version

VAMM Tool Download

Full Document

Full Document

FormatFile SizeNotes
PDF file 1.6 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.

Summary Only

FormatFile SizeNotes
PDF file 0.5 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.


Purchase Print Copy

 FormatList Price Price
Add to Cart Paperback143 pages $24.00 $19.20 20% Web Discount

Understanding an organization’s reliance on information systems and how to mitigate the vulnerabilities of these systems can be an intimidating challenge — especially when considering less well-known weaknesses or even unknown vulnerabilities that have not yet been exploited. The authors, understanding the risks posed by new kinds of information security threats, build on previous RAND mitigation techniques by introducing the Vulnerability Assessment and Mitigation (VAM) methodology. The six-step procedure uses a top-down approach to protect against future threats and system failures while mitigating current and past threats and weaknesses. The authors lead evaluators through the procedure of classifying vulnerabilities in their systems’ physical, cyber, human/social, and infrastructure elements, and identifying which security techniques can be relevant for these vulnerabilities. The authors also use VAM to break down information compromises into five fundamental components of attack or failure: knowledge, access, target vulnerability, non-retribution, and assessment. In addition, a new automated tool implemented as an Excel spreadsheet is discussed; this tool greatly simplifies using the methodology and emphasizes analysis on cautions, risks, and barriers.

Table of Contents

  • Chapter One


  • Chapter Two

    Concepts and Definitions

  • Chapter Three

    VAM Methodology and Other DoD Practices in Risk Assessment

  • Chapter Four

    Vulnerability Attributes of System Objects

  • Chapter Five

    Direct and Indirect Security Techniques

  • Chapter Six

    Generating Security Options for Vulnerabilities

  • Chapter Seven

    Automating and Executing the Methodology: A Spreadsheet Tool

  • Chapter Eight

    Next Steps and Discussion

  • Chapter Nine

    Summary and Conclusions

  • Appendix

    Vulnerability to Mitigation Map Values

The research described in this report was sponsored by the Defense Advanced Research Projects Agency. The research was conducted the RAND National Defense Research Institute, a federally funded research and development center supported by the Office of the Secretary of Defense, the Joint Staff, the unified commands, and the defense agencies.

This report is part of the RAND Corporation Monograph report series. The monograph/report was a product of the RAND Corporation from 1993 to 2003. RAND monograph/reports presented major research findings that addressed the challenges facing the public and private sectors. They included executive summaries, technical documentation, and synthesis pieces.

Permission is given to duplicate this electronic document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND PDFs to a non-RAND Web site is prohibited. RAND PDFs are protected under copyright law. For information on reprint and linking permissions, please visit the RAND Permissions page.

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.