Vulnerability assessment of the EU PRoTECT project

From Securipedia
Jump to navigation Jump to search

Within the EU PRoTECT project municipalities have performed vulnerability assessments on specific public spaces in their region that can be considered soft targets for terrorist attacks. For this purpose, the EU Vulnerability Assessment Tool developed by DG Home was used and a specific manual for municipalities and local law enforcement agencies was developed. This EU VAT is an example of how to identify and analyze vulnerabilities that can be used to focus on determining what kind of measures are needed to mitigate these vulnerabilities.

The EU Vulnerability Assessment Tool manual

DG HOME has developed the EU Vulnerability Assessment Tool (VAT) (2019) with the main objective of providing practical support to Member States to enhance the protection of public spaces by facilitating on-site vulnerability assessments. Within the PRoTECT project, a manual for this EU VAT was developed to specifically aid municipalities and their stakeholders in identifying vulnerabilities of their public spaces of interest (soft targets) in order to strengthen their protection against terrorism.

The EU VAT Manual describes (1) who should perform such an assessment and why, (2) the steps that are needed before using the tool, (3) what different steps are involved in the assessment and how to record te results of the assessment, and (4) what can be done with the results and what next steps can be taken.

Security management and assessing vulnerabilities

It is important to mention that the vulnerability assessment was organized by a managing body, in the case of the PRoTECT project the five municipalities[VG(v1] . It is essential to involve relevant stakeholders such as the local law enforcement agency. The managing has the lead in developing a security plan for the PSOI. Generally, developing a security plan is an ongoing process – threats and other circumstances change, requiring the security plan to be continually adapted as well. In the case of protecting a PSOI against terrorist attacks, it is assumed that even though a certain activity at the PSOI may be unique, there are some common aspects related to the PSOI: the method of planning, managing the activity and other security related aspects.


Developing and maintaining a security plan is a cyclic process, generally involving the following steps:

1.       Security audit/inspection (policy, constraints, site and activity characteristics, threats, security measures, vulnerabilities, risks, etc.);

2.       Decision making (budgets, priorities, schedules, risk acceptance, go/no-go by the management body, etc.);

3.       Security plan (development/adjustment, and ratification by the management body);

4.       Implementation and (periodic) verification of security measures (in accordance with the security plan).


The aspect of risk assessment involves three consecutive processes[1]:

1.       Risk identification (identifying threats and threat scenarios)

2.       Risk analysis (determining consequences, probabilities, risk levels and vulnerabilities)

3.       Risk evaluation (determining priorities, risk treatment actions, risk acceptance)

The vulnerabilities of a PSOI and the possible risks of an attack can be identified by examining the PSOI (geographical layout, accessibility for vehicles, natural or emplaced security measures, etc) and devising viable attack scenarios. Scenarios should at least mention the threat type (e.g. shooter), the aim of the attack, with what means and how the terrorist carries out the attack. Conceiving scenarios can be an activity carried out by a team of experts from all the relevant stakeholders that is put together by the managing body. This means that to be able to carry out the assessment, different experts need to be present and gathered to go through all steps. In the risk analysis process, the consequences (i.e. impact, severity) and probability (i.e. likelihood, chance) of each attack scenario are determined by the team of experts, considering all factors of influence.

Before using the tool: getting started

Before using the EU VAT, it is important to determine a managing body. The managing body is an individual, organization or group of organizations that takes up the responsibility to identify and work on counter terrorism regarding PSOIs. This can be a law enforcement agency, a municipality or possibly also the owner of the public space. The management will most likely involve various stakeholders in decisions concerning site security, such as local government, emergency services, retailers, etc. In the case of the PRoTECT project, the managing bodies are the municipalities involved that will identify their vulnerabilities against various terrorist attacks and identify their soft targets. This managing body needs to take the following actions:

1.       Create clear understanding of the organization of the PSOI (who is involved (stakeholders) and their roles and responsibilities, geographical boundaries of the site, the plans for the events and risk evaluation criteria) and gather all relevant information.

2.       Create a team of experts that will perform the vulnerability assessment together (include stakeholders that have detailed knowledge of the PSOI, security policies and expertise on counter-terrorism).

3.       Create and decide on a work method with the team of experts, on how to perform the vulnerability assessment. In the case of PRoTECT this was done by workshop sessions with all relevant stakeholders.

Assessing the Public Space of Interest: 5 steps

It is recommended to kick-off by displaying a topographical map to the team, detailing the boundaries of the main site and surrounding sites, and describing the general function of each surrounding site in relation to the activity on the main site. When possible, organize a visit to the PSOI.

Step 1: Characteristics of the site

Write the necessary details like the main site's name, if there are specific activities happening (like a festival, market or something else) and when this activity occurs. The dates and times are important to be aware if an activity is occurring regularly or is incidental. Second, write down the details of the site, the name and address, in which phase of the EU VAT the site fits and what the expected crowd density is. It is possible that the crowd density differs on specific times, please add this if relevant. Finally, it is useful to fill in the team members and the date of assessment.

Step 2: Existing security measures

Gather together with the team of experts, the existing security measures you are aware of regarding the specific site. This can be a natural measure, for instance a wall that can create a blockage or to hide behind, or emplaced measures, for instance surveillance police teams or road blocks. Within the PRoTECT project the measures were categorized by the use of technology solutions.

Step 3: Scenario per threat type

Use each other’s creativity and expertise to assess scenario’s according to ten potential terrorist threat types mentioned by the EU VAT. The ten potential threat types used are:

  1. Fire arms attack - small calibre pistol or semi/full-automatic rifle;
  2. Sharp object attack - knifes, machete, other sharp and blunt objects;
  3. Vehicle attack - use of vehicle as a weapon by ramming large crowds;
  4. Improvised Explosive Device (IED) - left/concealed in objects or goods (based on home-made or commercial explosives);
  5. Person-Born Improvised Explosive Device (PBIED) - explosives concealed on a person (suicide or carrier);
  6. Unmanned Aerial Vehicle Improvised Explosive Device (UAVIED) - explosives delivered by a remote-controlled airborne device;
  7. Vehicle-Borne Improvised Explosive Devise (VBIED) - explosives concealed inside a vehicle (or its cargo);
  8. Chemical attack - threat object concealed in goods or carried items (e.g. canister or UAV dispensed);
  9. Biological attack - threat object concealed in goods or carried items (e.g. canister or UAV dispensed);
  10. Radiological attack - threat object concealed in goods or carried items (e.g. canister or UAV dispensed).

Step 4: Consequence and probability

For each scenario, one should assess with the team of experts what the consequence and probability are for each scenario. For each site (area) of the PSOI and considering existing measures, each scenario should be followed trough to identify the lack of measures that could create a vulnerability if either or both consequence and probability are high.

Step 5: Analysis and results

Finally, when all consequences and probabilities have been determined for a site, check for any inconsistencies or dependencies among the scenarios, consequences and probabilities, and make adjustments where necessary. Possibly repeat this activity once all record templates for all sites have been completed. Determine level of risk for each scenario, for instance by using a risk matrix (risk low, medium and high) and record this.

What’s next

Once an overall insight into the vulnerabilities of the PSOI is available, follow-up actions can be taken. The security experts’ team can suggest mitigation options for some or all of the attack scenarios to the management body. Also, using the results from using the EU VAT, the managing body can evaluate the risks, deciding which risks to mitigate and how (in part based on the options provided by the security team) and which risks to accept. Furthermore, informing and involving the stakeholders. Finally, gathering information on solutions and getting the measures implemented to mitigate vulnerabilities.


Footnotes and references

  1. Systematic techniques for risk assessment are described in the IEC 31010:2009 standard.