Finding and Fixing Vulnerabilities in Information Systems

The Vulnerability Assessment and Mitigation Methodology

by Philip S. Anton, Robert H. Anderson, Richard Mesic, Michael Scheiern

Download eBook for Free

  • Full document: PDF, 1.5 MB
  • Summary only: PDF, 0.5 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.


Print copy: paperback, 143 pages.

Understanding an organization's reliance on information systems, and how to mitigate the vulnerabilities of those systems, can be an intimidating challenge, especially when the weaknesses in question are less well known or are vulnerabilities that have not yet been exploited. The authors, aware of the risks posed by new kinds of information security threats, build on previous RAND mitigation techniques by introducing the Vulnerability Assessment and Mitigation (VAM) methodology. The six-step procedure uses a top-down approach to protect against future threats and system failures while also mitigating current and past threats and weaknesses. The authors lead evaluators through the process of classifying vulnerabilities in their systems' physical, cyber, human/social, and infrastructure elements, and of identifying which security techniques are relevant to those vulnerabilities. They also use VAM to break down information compromises into five fundamental components of attack or failure: knowledge, access, target vulnerability, non-retribution, and assessment. In addition, the report describes a new automated tool implemented as an Excel spreadsheet; the tool greatly simplifies applying the methodology and focuses analysis on cautions, risks, and barriers.

Table of Contents

  • Chapter One
  • Chapter Two: Concepts and Definitions
  • Chapter Three: VAM Methodology and Other DoD Practices in Risk Assessment
  • Chapter Four: Vulnerability Attributes of System Objects
  • Chapter Five: Direct and Indirect Security Techniques
  • Chapter Six: Generating Security Options for Vulnerabilities
  • Chapter Seven: Automating and Executing the Methodology: A Spreadsheet Tool
  • Chapter Eight: Next Steps and Discussion
  • Chapter Nine: Summary and Conclusions
  • Appendix: Vulnerability to Mitigation Map Values

The research described in this report was sponsored by the Defense Advanced Research Projects Agency. The research was conducted within the RAND National Defense Research Institute, a federally funded research and development center supported by the Office of the Secretary of Defense, the Joint Staff, the unified commands, and the defense agencies.

This report is part of the RAND Corporation monograph/report series, which was produced by the RAND Corporation from 1993 to 2003. RAND monograph/reports presented major research findings that addressed the challenges facing the public and private sectors. They included executive summaries, technical documentation, and synthesis pieces.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.