Cybersecurity: Vulnerability Assessment (VA) and Project Management (PM) Terms and Definitions


When studying, I find creating a collection of buzzwords and terms, as well as their definitions, to help me further understand the various concepts outlined in the text. Furthermore, during homework assignments, I can then quickly reference my list of definitions and not have to comb through hundreds of pages in the textbook, trying to locate the one term the assignment is asking for.

The following post is a short collection of the buzzwords I have found in my first few pages of reading chapter two in ‘Effective Physical Security’ (Fifth Edition) by Lawrence J. Fennelly.


Three Classes of Adversaries: Insiders, outsiders, and outsiders working with insiders.

Three Ranges of Adversary Tactics: Deceit, stealth, force, or a combination of any/all three.

Deceit: The attempted demise of a security system by using untruthful approval and ID.

Stealth: Any effort to overthrow a detection system and secretly gain access to a facility.

Force: An unconcealed, aggressive attempt to overcome a security system.

Frequency: Also called rate, is the number of times an event has happened over a specific time.

Annual Loss Exposure (ALE): Sample of a frequency often used in security risk assessment.

Risk is the probable frequency and magnitude of future loss (Frequency x Magnitude = Risk)

The combination of both these elements is what we call loss exposure.

For example, if there are 6 events in a year, and each incident costs $10,000 (per loss), then the ALE is $60,000.

Likelihood: Probability, frequency, or qualitative measure of the incident, which typically implies a less demanding treatment of measure.

Detection Rate Example: The frequency at which a sensor effectively senses a human-sized object 9 times out of 10; if it successfully sensed a human-sized object 9 times out of 10, the detection rate is 0.9% or 90% (this is a statistic, not a probability).

Probability: Estimation of projected results of equal trials stated with a confidence level.

Formed based on the sum of events that are examined using the detection rate concerning the confidence level. For example, if you flip a coin 50 times and of those 50 times, 49 flips end in heads, and 51 flips end in tails, there is high confidence that the results of the flops will be 50/50.

Common Confidence Level of Security Equipment Testing: 95%

Error Rate: Mathematical accompaniment of the success rate, which is the sum of trials subtracted by the number of successes (number of failures). The terms false accept and false reject rates are used.

Discrimination: Defines a sensor’s capacity to overlook an entity that is of the proper magnitude but is not the intended target; this is frequently outside the ability of the device.

When a sensor fails to discriminate, a nuisance alarm is implemented.

Nuisance Alarm (NAR): Produced when the sensor spots an entity that is of appropriate magnitude but benign in nature (belt buckle in a metal detector).

Noise: Sensor that detects sound, chemical, or even electromagnetic sources.

Primary Functions of a PPS: Detection, delay, and response.

Design of Effective PPS: Determination of PPS objectives, initial design, evaluation of design, and finally, the redesign of the system.

Three Stages of a VA (Vulnerability Assessment): Planning, managing work, and closeout.

VA Project Management Keywords

SMEs: Subject matter experts.

Main Roles/Responsibilities of a VA Team: Project lead, systems engineer, security systems engineer, SME- sensors, SME- alarm assessment, SME- alarm communication and display (AC&D), SME- entry control, SME- delay, SME- response, SME- communication systems, SME- analyst, SME-on-site personnel.

VA Protection Objectives: Threat definition, target ID, and facility characterization.

Three Methods for Target ID: Manual entry of targets, logic diagrams to recognize areas for sabotage attacks, and use of consequence analysis to rank and screen targets.

Evaluation Tests: Functional, operability, and performance.

Function: The device is turned on and functioning normally.

Operability: The device is turned on and operating normally.

Performance: Classification of the device by reiterating the identical test enough times to create a degree of device aptitude against diverse threats; due to time, a performance test is generally not completed during a VA, especially if the VA team is external.

Facility State Examples: Normal operating hours, non-operational hours, an internal employee strike, disasters like fire or bomb threats, power outages, holidays, and shift changes.

Intrusion Detection: Defined as information of an individual or vehicle trying to gain unauthorized entry into a guarded area by an individual who can approve or introduce the appropriate response.

Intrusion detection must first discover the intrusion, produce an alarm, and then communicate that alarm to the individual or department for evaluation and proper response.

Intrusion Sensors’ Three Fundamental Characteristics of Performance: Probability of detection (Pd), NAR (nuisance alarm), and vulnerability defeat (greatly reliant on the principle of operation of a sensor and the ability of the definite threat).

Common Sensor Defeats: Bypass and spoofing.

Exterior Sensors’ Three Application Types: Buried line, self-supporting, and fence-associated. Exterior sensors are often only utilized in high-security areas like military bases.

Overall Evaluation: Sensor submission, installation, analyzing, maintenance, NAR, and accomplishment against predictable risks.

The Goal of Exterior Sensor Evaluation: Deliver an approximation of sensor performance (Pd) in contrast to definite risks, in conjunction with supporting images, notes, and comments that validate the estimation.

Factors that Cause Degradation: Simplicity of defeat of the sensor by means of bypass or spoofing and NAR.

Interior Sensors’ Three Application Types: Interior motion, boundary penetration, and proximity sensors.

Most Common Interior Sensors: Video motion detectors, glass-break sensors, passive infrared (PIR) sensors, interior monostatic microwave sensors, combo sensors (usually PIR and microwave in dual technology devices), balanced magnetic switches.


Fennelly, Lawrence J. (28 Nov 2016). Butterworth-Heinemann; 5th edition. “Effective Physical Security.”

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s