
Dissertation: Vulnerability Analysis for Critical Infrastructures

Yuning Jiang defends her thesis "Vulnerability Analysis for Critical Infrastructures".


The dissertation will be held in Insikten, Portalen, but will also be livestreamed on Zoom.

Join the livestream:

https://his-se.zoom.us/j/61136229490?pwd=eGZiWmRaa2d0ejBqVWpraG8vWjdQdz09

The rapid advances in information and communication technology enable a shift from diverse systems empowered mainly by either hardware or software to cyber-physical systems (CPSs) that drive critical infrastructures (CIs), such as energy and manufacturing systems. However, alongside the expected enhancements in efficiency and reliability, the induced connectivity exposes these CIs to cyberattacks such as the Stuxnet and WannaCry ransomware incidents. Therefore, the need to improve the cybersecurity expectations of CIs through vulnerability assessments cannot be overstated. Yet CI cybersecurity faces intrinsic challenges due to the convergence of information technology (IT) and operational technology (OT) as well as the cross-layer dependencies inherent to CPS-based CIs. Differing IT and OT security terminologies also lead to ambiguities induced by knowledge gaps in CI cybersecurity. Moreover, current vulnerability-assessment processes in CIs are mostly subjective and human-centred. The imprecise nature of manual vulnerability assessment and the massive volume of data place an unbearable burden on security analysts. The latest advances in machine learning (ML) based cybersecurity solutions promise to shift this burden to digital alternatives. Nevertheless, the heterogeneity, diversity and information gaps in existing vulnerability data repositories hamper the accurate assessments anticipated from these ML-based approaches. To address these issues, this thesis presents a comprehensive approach that harnesses ML advances while still involving human operators in assessing cybersecurity vulnerabilities within deployed CI networks.

Specifically, this thesis proposes data-driven cybersecurity indicators to bridge vulnerability management gaps induced by ad-hoc and subjective auditing processes, and to increase the level of automation in vulnerability analysis. The proposed methodology follows design science research principles to support the development and validation of scientifically sound artifacts. More specifically, the proposed data-driven cybersecurity architecture orchestrates a range of modules that include: (i) a vulnerability data model that captures a variety of publicly accessible cybersecurity-related data sources; (ii) an ensemble-based ML pipeline method that self-adjusts to the best learning models for given cybersecurity tasks; and (iii) a knowledge taxonomy and its instantiated power grid and manufacturing models that capture the common semantics of cyber-physical functional dependencies across CI networks in critical societal domains.

This research contributes data-driven vulnerability analysis approaches that bridge the knowledge gaps among different security functions, such as vulnerability management through analysis of related reports. This thesis also correlates vulnerability analysis findings to coordinate mitigation responses in complex CIs. More specifically, the vulnerability data model expands the scope of vulnerability knowledge and curates meaningful contexts for vulnerability analysis processes. The proposed ML methods fill information gaps in vulnerability repositories using curated data while further streamlining vulnerability assessment processes. Moreover, the CI security taxonomy provides disciplined and coherent support to specify and group semantically related components and coordination mechanisms, harnessing the notorious complexity of CI networks such as those prevalent in power grids and manufacturing infrastructures. These approaches learn through interactive processes to proactively detect and analyse vulnerabilities while facilitating actionable insights for security actors to make informed decisions.

Sokratis Katsikas, Professor, Norwegian University of Science and Technology

Supervisors

  • Main supervisor: Yacine Atif, Professor, University of Skövde
  • Jianguo Ding, Associate Professor, Blekinge Institute of Technology
  • Manfred A. Jeusfeld, Professor, University of Skövde
  • Birgitta Lindström, Associate Professor, University of Skövde
  • Christoffer Brax, PhD, Combitech AB

  • Raimundas Matulevičius, Professor, University of Tartu
  • Mikael Asplund, Associate Professor, Linköping University
  • Tomas Olovsson, Associate Professor, Chalmers University of Technology
  • Marcus Nohlberg, Associate Professor, University of Skövde

PhD Student Informatics

Yuning Jiang

School of Informatics


Social Policy and Society, Volume 16, Issue 3: The Many Faces of Vulnerability


Article contents

  • Introduction
  • Vulnerability as designation: normative dimensions
  • Vulnerability and social control
  • Vulnerability as a problematic cultural trope
  • Theorising vulnerability
  • Theoretical frames for social vulnerability
  • Vulnerability as a universal condition
  • Emerging challenges in vulnerability studies
  • The many faces of vulnerability

Published online by Cambridge University Press: 01 February 2017

Social injustices, structural and personal crises as well as intensifying stress on some citizens seem increasing preoccupations in contemporary society and social policy. In this context, the concept of vulnerability has come to play a prominent role in academic, governmental and everyday accounts of the human condition. Policy makers and practitioners are now concerned with addressing vulnerability through an expansive range of interventions. As this special issue draws attention to, a vulnerability zeitgeist or ‘spirit of the time’ has been traced in contemporary welfare and disciplinary arrangements (Brown, 2014, 2015), which now informs a range of interventions and approaches to social problems, both in the UK and internationally. As prominent examples, ‘vulnerable’ people are legally entitled to ‘priority need’ in English social housing allocations (Carr and Hunter, 2008), vulnerable victims of crime are seen as requiring special responses in the UK criminal justice system (see Roulstone et al., 2011; Walkgate, 2011), ‘vulnerable adults’ have designated ‘protections’ under British law (Dunn et al., 2008; Clough, 2014) and vulnerable migrants and refugees are increasingly prioritised within international immigration processes (Peroni and Timmer, 2013). There is a long tradition in the field of social policy of critiquing the implications of particular concepts as mechanisms of governance, from poverty (Townsend, 1979; Lister, 2004) and social exclusion (Levitas, 1998; Young, 1999) to risk (Beck, 1992; Kemshall, 2002) and resilience (Ecclestone and Lewis, 2014; Wright, 2016). Yet while vulnerability seems to be one of the latest buzzwords gathering political and cultural momentum, critiques and empirical studies of how it is operationalised in different policy and practice contexts are less well elaborated.


In the academic literature, many texts use vulnerability as an entry point for discussing inequalities or adversities of some kind, with the concept drawn on to anchor consideration of diverse interests and concerns. Prominent amongst these are insecurity, relative economic or social disadvantage, limited coping capacity and unmet need. Certain texts have emphasised how it is possible to be vulnerable yet able to cope or avoid harm (see Daniel, 2010; Walkgate, 2011). Attention to vulnerability often appears alongside research and ideas concerned with ‘risk’ (see Beck, 2009) – one of the most theorised terms in the social sciences – yet as has been noted elsewhere (Brown, 2015), vulnerability remains firmly in the shadow of its conceptual cousin. People are sometimes described as vulnerable in relation to something specific; sometimes the designation is used as a stand-alone term. How vulnerability is deployed in research is to some extent contingent on the historical, political and disciplinary context in which the concept is utilised and, as many scholars have pointed out, wider and narrower uses overlap or are used interchangeably. At the level of policy texts and everyday discourse, individuals and groups are labelled as ‘vulnerable’ in relation to a dizzying array of factors, with various practical implications operating through the use of the term, often implicitly.

The vagueness and malleability of vulnerability can result in a problematic lack of analytic clarity, which in turn can have important implications for interventions and practices. As with other popular policy concepts such as social exclusion (Young, 1999) or anti-social behaviour (Burney, 2005), the use of vulnerability is often normative, implying deviation from usually undefined standards of life or behaviour, and supporting powerful moral and ethical projects. This has led some to argue that accounts of vulnerability tend to be firmly anchored in prominent and long-running social policy debates and narratives about ‘deserving’ and ‘undeserving’ citizens (Brown, 2015). Moral and ethical dimensions of vulnerability are shaped by diverse political standpoints. Certain scholars have noted that the term is creeping further into understandings of the relations between state and citizen, with implications for citizenship such as a diminished view of the human subject, erosion of collective movements and expansion of state-sponsored social control (Furedi, 2008; McLaughlin, 2012; Ecclestone, 2016). Others have emphasised its relevance in discussion and the operation of interventions for the most disadvantaged, and the sometimes problematic implications of this in terms of exclusivity (Brown, 2011, 2015). Therefore, while vulnerability has a deep discursive connection with connotations of empathy and compassion, and can be used in pursuit of enhanced support for certain individuals or groups, there is increasing attention to the ways in which it can also serve regulatory functions (Harrison and Sanders, 2006) when deployed in a normative way.

At the same time, though, accounts of vulnerability that seek to resist these potentially pathologising framings have also been advanced. A growing number of scholars have been carefully theorising vulnerability in order to chart the multiple dimensions of substantive environmental and social problems faced by individuals or groups (Chambers, 1989; Bankoff et al., 2004; Emmel and Hughes, 2010). Ideas about ‘universal’ or shared human vulnerability have also been burgeoning within some disciplinary fields, where the notion is used as the basis for a citizenship model posed as an alternative to liberal models of understanding the individual in society (see Goodin, 1985; Turner, 2006; Fineman, 2008; Mackenzie et al., 2014). For theorists taking a ‘universal’ approach, vulnerability is a fundamental feature of the human condition, biologically imperative and permanent, but also connected to the personal, economic, social and cultural circumstances within which individuals find themselves at different points in their lives.

Very little work has been done to bring these different understandings of vulnerability together. This article addresses that gap, aiming to provide an overview of the key contours of how vulnerability appears and is deployed in the social sciences literature, starting with normative uses of vulnerability and critiques of those uses, then moving on to models advanced across various disciplines and territories. Our review illuminates how vulnerability tends to appear in three main forms across the various literatures: as a policy and practice mechanism, which plays out in interventions, sometimes overtly and explicitly, sometimes subtly or unnoticed; as a cultural trope or way of thinking about the problems of life in an increasingly pressured and unequal society; and as a more robust concept to facilitate social and political research and analysis. The article touches on other concepts that are closely allied with vulnerability where these are pertinent, including risk and resilience, but for reasons of space, the focus stays with vulnerability.

A key aim in drawing out some of the central themes across diverse vulnerability literatures is to identify critical challenges for research, namely understandings of human agency and questions of individual autonomy within debates about citizenship and governance. The article makes the case that a clearer grasp of the many faces of vulnerability is crucial at a time where vulnerability, used variously as vague notion, theorised concept and policy mechanism, increasingly plays a role in framing and re-working understandings of the connections between institutions, social practices, individuals and the state. We argue that more robust deployment of vulnerability and consideration of the potentially pathological implications explored in this article (and in this issue) might be steps towards mitigating risks attached to the rising popularity of vulnerability discourses and interventions.

Vulnerability appears widely across the social sciences literature as a kind of sociological shorthand or designation for worthiness, understood commonly as something innate, physical, connected to the life course (pregnancy, older age, childhood). The notion has been associated with childhood for centuries (see Rousseau, 1792, trans. by Foxley, 1974: 52) and has more recently emerged as a key concept in developmental childhood studies (James and James, 2008: 139; Brotherton and Cronin, 2013). Here it is held that, because children are not fully mature, they are vulnerable to adverse influences that may disrupt the ‘normal’ completion of the developmental process. As with other more biologically inclined accounts, such an approach proceeds from the premise that some people are ‘naturally’ more vulnerable than others. The idea that some adults might be ‘innately’ vulnerable surfaces in certain (now controversial) normative accounts of disability, running counter to the highly influential ‘social model of disability’ (Barnes and Mercer, 1996), which emphasises processes and mechanisms through which society disables individuals. Postmodern ideas about the social construction of social problems have highlighted how such normative accounts of the human condition vary across time and space, reflecting and reinforcing social norms and structured by political, social and economic factors rather than ‘natural’ ones; ‘innate’ accounts of vulnerability, which have often influenced policy, are often questioned on this basis.

Normative accounts of vulnerability are also used to highlight situational concerns (Brown, 2015; see also Mackenzie et al., 2014), where the term is used to demarcate or describe particular adverse experiences, transgressions or groups of people who may be in circumstances of social difficulty. Situational vulnerability draws attention to the potential or possibility for harm as well as to occurrences of actual harm (see Goodin, 1985; Mackenzie et al., 2014). Examples of situational vulnerability might include groups such as homeless people, women who sell sex, asylum seekers and refugees, Roma communities, women experiencing domestic violence, drug users, poorer people and prisoners (especially women), but might also include more general populations such as women, or black and ethnic minority groups (see Peroni and Timmer, 2013). Here, the concept of vulnerability is often drawn on to emphasise biographical experiences, individual or collective, which demand special treatment or exceptions to be made in policy and practice processes. In a context where constructions of the objects and subjects of social interventions are predominantly configured in essentialising ways, notions of vulnerability and transgression often appear in a simultaneous framing (Dobson, 2015), which can support hierarchies of legitimacy in criminal justice interventions (Walkgate, 2011).

Situational vulnerability configurations can emphasise the active input of a problematic or malign third party or structural force, but might also be imagined to contain elements of individual agency or choice. Thus accounts of situational vulnerability may contain socio-political, family or community elements. Narratives which highlight the situational vulnerabilities of certain groups may be linked with increasingly visible ideas about ‘victimhood’ and concerns regarding the particular obligations that society is assumed to owe to those classified as ‘victims’ (see Walkgate, 2011). However, in policy at least, these tend to remain focussed at the individual level rather than on national or transnational economic and political forces, or on large cultural changes affecting the whole of society. Whilst some activists and social movements have regarded the identification of vulnerability as an important means of obtaining external, usually state-sponsored, protection for certain individuals or groups (see McLaughlin, 2012), others regard ideas about innate or situational vulnerability as a pervasive form of ‘victim blaming’ (Wishart, 2003), focussing attention on individual deficit rather than wider structural issues and problems.

A growing literature across a wide variety of disciplines and empirical research arenas has started to critique the increasingly prevalent normative use of vulnerability discourses, especially in policy. These writings share concerns about social divisions, exclusion and behavioural regulation. In a context of broader moves to narrow welfare provision and to make entitlements increasingly conditional on certain behaviours (see Dwyer, 1998; Flint, 2006; Harrison and Sanders, 2014), critics of normative vulnerability narratives have argued that these can reinforce rather than challenge pathologies of difference (Harrison and Sanders, 2006; see also Quesada et al., 2011). These authors have underscored how ideas about vulnerability (especially when deployed in policy) can be controversial because they can mix concerns about risk to certain groups with anxieties about risks from these groups (see Harrison and Sanders, 2006; Brown, 2011), and can give limited space for acknowledgement of human agency (see Brown and Sanders, this issue), augmenting tendencies for ‘vulnerable’ people to be ‘done to’ by policy-makers (see also Hasler, 2004).

Such writings connect understandings and uses of vulnerability, whether by the state or as part of a progressive politics, with an intensification of social control (Furedi, 2008; McLaughlin, 2012; Ecclestone and Lewis, 2014; Ecclestone, 2016), playing a role in facilitating a wresting of power from receivers of services. Behavioural dimensions of vulnerability management techniques have been highlighted as having important implications for questions of ‘difference’; for example, forms of social control expressed through vulnerability rationales in policy and practice might be gendered, raced, classed and ableist within a deeply unequal society (see Harrison with Hemingway, 2014). Disability scholars in particular have been at the forefront of arguing that when vulnerability discourses are operationalised, they are bound up with disempowering and patronising social processes, undermining the position and rights of citizens and diminishing attention to the responsibility of society in creating adversity (see Wishart, 2003; Hasler, 2004; Hollomotz, 2009). These dangers can have the paradoxical outcome of increasing lived vulnerabilities (Hollomotz, 2011). Other accounts of paternalism and pathologisation appear in policy areas from mental health (Moon, 2000; Warner, 2008) and sex work (see Phoenix and Oerton, 2005; Munro and Scoular, 2012), to those considered to be Muslim ‘extremists’ (Richards, 2011; Coppock and McGovern, 2014).

The potential for vulnerability to serve controlling forces under the guise of assistance and protection has also been noted by scholars working in a range of areas including teenage parenting (Van Loon, 2008), disadvantaged youth (Brown, 2015) and trafficked women/children (O'Connell Davidson, 2011; FitzGerald, 2016). In parallel with critiques of ‘risk’ (see O'Malley, 2000; Taylor-Gooby, 2000), social policy scholars have argued that the management of vulnerability in practice might also be understood as a moral enterprise within a context of moves to ‘responsibilise’ individuals (Munro and Scoular, 2012, 2013). Parallels to debates about resilience are useful to note here (see Wright, 2016). Scholars concerned with creeping state intervention in citizens’ lives have argued that vulnerability as a policy mechanism is deeply problematic (see Ecclestone, this issue), not least because an internalisation and normalisation of vulnerability can expand mechanisms for self-governance, where individuals regulate their own behaviour in ways that conform to particular norms about ‘correct’ or ‘appropriate’ behaviours.

Some sociologists have argued that there are prominent social, philosophical and political trends to configure an increasing number of citizens as ‘vulnerable’, undermining expectations that the human subject is capable of agency, rationality and autonomy. They argue that vulnerability has taken off as a way of understanding the self in contemporary society because it resonates with and reinforces diminished expectations of human subjects (see Furedi, 2008; McLaughlin, 2012; Frawley, 2015; Ecclestone, this issue). This strand of critique argues that vulnerability is becoming a pervasive and problematic defining feature of the state's relationship to the individual. For McLaughlin (2012), for example, vulnerability now occupies a position at the forefront of individuals’ relationships with social structures, a development that he sees as directly linked with a decline in the power of collective social movements and political activism and, in turn, enthusiasm for claims to social justice based on recognition of vulnerability. In a related vein, Furedi (2003) has linked vulnerability to a ‘culture of fear’, where anxieties about risk-taking have become central to experiences of everyday life, bolstering an ever-expanding state into more and more areas of our lives (Furedi, 2007, 2008). Frawley (2015) argues that a decline in political optimism about social and economic progress, and a corresponding turn to the ‘therapeutic’ in left/Liberal agendas for social justice, has contributed to the rise of vulnerability as a cultural metaphor to describe a hugely expanding range of experiences and responses to them. From this perspective, vulnerability reflects a different type of problematic normative framing that Frawley (2015), citing Furedi (2004), sees as creating a ‘morality of low expectations’.

In work on the increasing normalisation of vulnerability in the education system and beyond, Ecclestone (2016; see also this issue) has noted two problematic implications of its growing resonance. First, ever-expanding and competing claims on vulnerability as a means of seeking and gaining more support can obscure more acute claims for social harms experienced by the most disadvantaged and divert resources from them. Second, appropriation of vulnerability by the liberal Left as a foundation for ‘progressive’ politics emphasises psycho-emotional dimensions of vulnerability. In a context of a prevailing sense of crisis about mental health, she notes that this risks creating a form of cultural priming in a circular process of defined need and externally offered psycho-emotional support. Writers concerned about vulnerability as a cultural phenomenon argue that this can bolster advancement of state-sponsored strategies for managing individuals through new forms of self-governance (Furedi, 2004; Ecclestone and Brunila, 2015; Frawley, 2015; Ecclestone, 2016), raising concerns that appropriating universal vulnerability (see below) as a counter to pathologising or oppressive depictions of agency can turn subtly from progressive understandings and enactments of empathy and collective understanding to normative forms of intervention that aim to shape relationships and behaviours, closing down expectations of rational autonomy, debate and challenge (see Ecclestone, this issue). Critiques of the ways in which vulnerability narratives can serve regulatory functions signal the need to scrutinise what constitutes ‘acceptable’ and ‘unacceptable’ forms of moralising or normative framing and how these align with old notions of liberal, Left and Right political understandings. They also highlight a need for more nuanced critiques of what it means to have a ‘progressive’ understanding of vulnerability.

Arising from critiques of the normative moral/ethical project described in the preceding sections is an expanding literature that seeks to position conditions and experiences of vulnerability in sociological and other theory. Sometimes used in seeking to understand what have been called ‘wicked problems’, or highly intractable, complex matters with ambiguous and contested solutions (see Rittel and Webber, 1973; Richardson, 2011; Bache et al., 2015), vulnerability can be understood as connected with increasing demand for citizens to find new ways of coping with the changing nature and sense of risks in society. ‘Risk society’ theorists (Giddens, 1991; Beck, 1992; Bauman, 2000) have argued that modernisation processes, a rapid quickening of the pace of change and an apparent loosening of the structural ties that bind and constrain the lives and life courses of individuals have resulted in citizens feeling less in control of their lives and willing to experiment with or seek control of particular individual and social risks in new ways. Such ideas have obvious explanatory power in terms of the popularity of ideas about vulnerability and, indeed, the ‘risk society’ thesis is often a point of reference in explorations of vulnerability (Beck, 2009: 178; Misztal, 2011; Kirby, 2006). While providing compelling accounts of social process at an abstract level, recourse to notions of risk society, liquid modernity and structuration tends to obscure the somewhat ‘compounded sets of facts and relations’ (Wright Mills, 1959: 34) that social scientists of vulnerability have sought to describe, interpret and explain. These accounts are the focus of the second part of this article.

Vulnerability has been a key concept in the natural sciences and international development literature for decades, offering a way of framing and analysing varying levels of exposure to poverty (Chambers, 1989), hazards/disasters (Watts and Bohle, 1993) and the effects of globalisation (Kirby, 2006). Spatial or environmental theories of vulnerability alert us to the concept's link with ‘assets’ or the ability to cope with adversity, as well as to the capacity of institutional practices to cushion the effects of negative events. This literature offers, primarily, a structural account of vulnerability, focussing often on geographical areas and bringing into view the role of institutions and resources in shaping the varying detrimental impacts of a range of hazards on certain populations and not others (Adger, 2006; Bradshaw, 2013, offer useful overviews). Studies in this tradition have involved quantitative metrics to develop social vulnerability indices according to key variables (see Hewitt, 1997; Ebert et al., 2009) and spatially or geographically focussed approaches (see Cutter, 1996; Bankoff et al., 2004). Attention to vulnerability in this arena seems often to appear alongside increasing attention to ‘resilience’ (see Pugh, 2014 for resilience as a buzzword in policy and also Chandler, 2014; Wright, 2016) or ‘geo-risk’, and these accounts are orientated towards social and environmental systems rather than the circumstances of particular individuals. This literature underlines distinctions in approaches between individual/psychological vulnerability and collective modes of vulnerability, which are also paralleled in commentary on resilience (see Wright, 2016).

Chambers’ (1989) analysis of systems that give rise to vulnerability has had a substantial influence on this tradition. Chambers sees vulnerability as related to defencelessness, defining it as referring to ‘exposure to contingencies and stress, and difficulty coping with them’ (p. 33):

Vulnerability thus has two sides: an external side of risks, shocks and stress to which an individual or household is subject; and an internal side which is defencelessness, meaning a lack of means to cope without damaging loss. (Chambers, 1989: 33)

Developing this definition further, Watts and Bohle (1993) map locally and historically specific configurations of poverty, hunger and famine using ‘co-ordinates’ of vulnerability (p. 45) simplified as follows: (i) risk of exposure to crises, stress and shocks; (ii) risk of inadequate capacities to cope with these; and (iii) risk of severe consequences arising in these instances. Watts and Bohle (1993: 46) explore ‘choice’ and ‘constraint’; or ‘degrees of freedom’ which determine exposure, coping capacity and potentiality. Drawing on Sen's (1981) work which powerfully argues that entitlement of an individual stands for a set of differently constituted commodity bundles acquired through the use of various legal channels open to a person, Watts and Bohle (1993) argue that vulnerability is mediated by entitlements and capabilities, shaped by institutional and environmental structures, and also by the spaces where human agency operates.

Seeking to elaborate critical realist models of the causal structures of vulnerability, these ideas have been utilised in social sciences work as a means of exploring nuanced and ‘textured’ understandings of lived experiences of deprivation. Emmel and Hughes (2010: 171) conceptualise a longitudinal ‘social space of vulnerability’ with coordinates which relate to: (i) material shortages in households, characterised by ‘making do’ with limited resources for basic everyday needs; (ii) a lack of capacity to address needs in the present and plan for the future; and (iii) an uncertain reliance on welfare services acting to address crises when they happen (see Emmel, this issue). Central to Emmel and Hughes’ model is the idea that vulnerability involves relations between individuals and households and the institutions and services that address their basic needs. Setting out a relational account of vulnerability, in later work focussing on inter-generational patterns of disadvantage, Emmel and Hughes (2014) further develop a ‘temporal dimension’ to how they conceptualise vulnerability, calling this their ‘Toblerone model’ (see also Emmel, this issue). According to this model, the three coordinates are the ‘face’ of the triangular vulnerability prism and the length is a fourth dimension: time. The relationship between agency and institutions is emphasised through the ways in which failures to conform with the temporal patterns of service delivery tip people into further difficulties or crises.

Whilst these critical realist social science accounts of vulnerability offer different perspectives to ecological or environmental models in certain respects, they share a concern with vulnerability as a tool for understanding socio-material realities and the structures which underpin them (see also Caraher and Reuter, this issue). In a somewhat separate strand of vulnerability scholarship, other more philosophically inclined scholars have sought to do something similar, but in a way that proceeds from the starting point that we are all vulnerable.

There is a burgeoning literature which seeks to posit a more ‘radical’ view of vulnerability, mainly located in critical legal studies (see Fineman, 2008; Wallbank and Herring, 2014; Mackenzie et al., 2014) and ethics literature (see Goodin, 1985). This is sometimes referred to as the ‘universal vulnerability’ approach (Turner, 2006) or the ‘vulnerability thesis’ (see Fineman, 2008, 2013). Generally speaking, according to the universal vulnerability approach, we are all vulnerable by virtue of our human embodiment or ‘corporality’ (we all have bodies which decay and die), but the degree of our lived vulnerability varies through the life course (Fineman, 2008) and according to wider relational processes of differentiated politically constituted subjectification and sociality (see Goodin, 1985; Butler, 2004; Turner, 2006; Harrison, 2008). Vulnerability thesis scholars from a range of different disciplinary backgrounds have argued that this approach can be used to develop a citizenship model based on interdependency, empathy and a foregrounding of ethical social obligations to others (see Goodley, in Ecclestone and Goodley, 2014).

Debates amongst vulnerability theorists are evident (see Mackenzie et al., 2014), but commonly, these works seek to subvert the elevation of ‘active’ subjectivity, purposeful activity and ‘positive capacity’ around which dominant western philosophical traditions tend to converge (see Harrison, 2008). Such ideas have obvious relevance for debates about autonomy, agency and citizenship within the social policy field. Fineman and Grear (2013: 2) make the case that the vulnerability thesis offers a powerful alternative to the ‘mythical autonomous liberal subject of neoliberal rhetoric’. Fineman's work pioneering this theory develops the idea of a ‘responsive state’, driven by meeting the practical and ethical obligations involved in the always and inevitably messy realities of the life course of our vulnerable bodies and governing vulnerability as it is lived universally (see also Clough, this issue). These ideas have been influential in critical feminist literature in particular, where authors have deployed vulnerability as a mechanism for understanding and placing importance on the role of caring for dependents within society and policy (see Kittay, 1999; Dodds, 2007; as well as Fineman, 2008, 2013). They have also been used to theorise disability in ways that seek to challenge oppression and problematic paternalism (see Beckett, 2006; and Clough, this issue).

Certain authors have particularly stressed a relational understanding of shared human vulnerability (see Goodin, 1985) with recognition as a key feature. Mackenzie et al. (2014) develop relational understandings in moral philosophy work on vulnerability and relational autonomy, with a ‘taxonomy of vulnerability’ (Mackenzie et al., 2014: 7–9) which encompasses both inherent (or universal) and ‘context-specific’ forms of vulnerability, as well as ‘pathogenic’ forms (related to oppression and discrimination), supporting theorising which seeks to capture balances between the citizens’ rights to a self-determining life and societal and institutional obligations to protect disadvantaged citizens. In work on the September 11 terrorism attacks, Butler (2004: 31 and 44) draws on the idea of a ‘common human vulnerability’ – bodily and inescapable – but also constituted politically and according to ‘norms of recognition’ (see also Butler, 2009). She argues that some vulnerabilities ‘count’ more than others, and that more equal recognition of vulnerability is essential in the battle for a more just society.

Universal approaches to understanding vulnerability have been brought into explorations of myriad empirical questions, with scholars experimenting with it as a way of furthering debates within their own specific area (see for example Wallbank and Herring (2014) on family law; Carr (2013) on housing; Carline (2009) on sex work; Beckett (2006) on disability; Satz (2013) on animal protection; Clough [this issue] on mental capacity; and Wiles (2011) on older age). In the light of this work, there seems potential for wider debate in relation to how far universal vulnerability theories might be a useful tool in work to halt or reverse the advancement of more individualised constructions of disadvantage. For social policy scholars, this literature raises interesting questions about the extent to which ideas about universal vulnerability can be operationalised meaningfully in policy settings where recipients of state welfare provision are so often characterised by understandings of agency which are insufficiently sensitive to the complex and contradictory dimensions of autonomy and human experience (see Hoggett, 2001).

We conclude here by highlighting four key challenges that have affected these concerns and which need addressing in further research on vulnerability. First, the ubiquity and elasticity of vulnerability generates a sense of familiarity and common-sense or assumed understandings which conceal diverse uses with enormously varied conceptual dimensions, dependent to some degree on the disciplinary contexts and theoretical underpinnings of its deployment. Whilst the malleability of vulnerability can lead to a confused sense of understanding about what is meant by the term, some have argued that it is the indistinct boundaries of the concept that make it well suited to reflect the diversity of human experiences of adversity (Wallbank and Herring, 2014). Different constructions of vulnerability evidently have a diverse range of trajectories with manifold implications.

Second, as we have aimed to show, social research use of the concept of vulnerability is often implicated in normative moral and ethical projects, imbued by a sense of an undefined standard of behaviour, situation or way of life, to which people should not be exposed. These projects may or may not be acknowledged explicitly. In similar ways to notions such as resilience, we have argued that this normative use can inadvertently contribute to the individualisation and psychologisation of social problems, entrenchment of social divisions and potential diminishing of entitlements and subjectivities. In particular, generic discussion of vulnerability as a shorthand for deservingness can support the acceleration of a race to the bottom for scarce resources and a narrowing of entitlement for those who do not conform to commonly held expectations of how ‘vulnerable’ people should behave. Seen in this light, critiques of subtle and overt forms of governance and self-governance through vulnerability, outlined above, signal a need for researchers to explore the further interplay between risk and vulnerability in specific policy and practice contexts.

Third, there is an imbalance in vulnerability studies. Much research focuses on theoretical debates and policy critiques and there are many fewer accounts that centre the empirical realities of vulnerability from the perspectives and experiences of various stakeholder groups, such as practitioners, service managers and service users/clients. This opens up important gaps between theorisations and lived experiences of vulnerability that policy scholars might be mindful of. Although disability, age and gender have received some attention in relation to the notion and realities of vulnerability in policy and practice, less is known about how these may shape other dimensions of difference, such as race and sexuality.

Finally, clearer definitions of vulnerability in research would seem important if policy and practice shortcomings and biases are to be addressed. The progressive potential and problematic dimensions of vulnerability have attracted scholars from various disciplinary traditions and empirical areas, many of whom seek to contribute to more progressive ways of thinking about the relationship between the individual and the state. In terms of research methods, careful deployment of vulnerability may have the potential to assist with theorising that animates dimensions of disadvantage and inequality in contemporary society and the ways in which these change and stay the same through time. Universal and relational vulnerability scholars would argue that these offer a way into reframing subjectivities in a direction that reflects the differentially experienced realities and inherent fragilities of life, and in ways which illuminate the duties of the state to respond appropriately. However, such accounts of vulnerability are rare, especially at the policy level, meaning that researchers have an important role to play in challenging more essentialist understandings of vulnerability.

Further consideration is required of how different narratives of vulnerability might give rise to different kinds of response. In particular, perhaps, there is a need to consider the potential for a more robust and defensible critical feminist and realist perspective. This avoids a problematic tendency for vulnerability to be characterised as a loose and vague notion or as the outcome of a moral and ethical project. Here we would argue that vulnerability is not inevitably socially constructed and therefore impossible to pin down. Rather, in making sense of vulnerability in contemporary society, we are forced to examine mechanisms which frame and re-frame corporality, adversity, agency, capability and entitlement. Given the deepening structural divisions and inequalities that shape debates about such matters, the notion of vulnerability seems set to be a key concept in the social sciences for some time to come. This makes a critical approach to research and debate on vulnerability essential, especially in relation to the ways in which vulnerability is lived and experienced in contemporary society.


Cybersecurity Hazards and Financial System Vulnerability: A Synthesis of Literature

58 Pages Posted: 28 Oct 2020

Md Hamid Uddin

The University of Southampton - Malaysia Campus

Md Hakim Ali

Taylor's University

M. Kabir Hassan

University of New Orleans - College of Business Administration - Department of Economics and Finance

Date Written: 30 July 2020

In this paper, we provide a systematic review of the growing body of literature exploring the issues related to pervasive effects of cyber-security risk on the financial system. As the cyber-security risk has appeared as a significant threat to the financial sector, researchers and analysts are trying to understand this problem from different perspectives. There are plenty of documents providing conceptual discussions, technical analysis, and survey results, but empirical studies based on real data are yet limited. Besides, the international and national regulatory bodies suggest guidelines to help banks and financial institutions managing cyber risk exposure. In this paper, we synthesize relevant articles and policy documents on cyber-security risk, focusing on the dimensions detrimental to the banking system's vulnerability. Finally, we propose five new research avenues for consideration that may enhance our knowledge of cyber-security risk and help practitioners develop a better cyber risk management framework.

Keywords: Cyber-Security, Cyber Risk, Banking Stability, IT Costs, Institutional Performance, Bank Operational Risks



What is vulnerability management?

Vulnerability management is a risk-based approach to discovering, prioritizing, and remediating vulnerabilities and misconfigurations.


Vulnerability management defined

Vulnerability management is a continuous, proactive, and often automated process that keeps your computer systems, networks, and enterprise applications safe from cyberattacks and data breaches. As such, it is an important part of an overall security program. By identifying, assessing, and addressing potential security weaknesses, organizations can help prevent attacks and minimize damage if one does occur.

The goal of vulnerability management is to reduce the organization's overall risk exposure by mitigating as many vulnerabilities as possible. This can be a challenging task, given the number of potential vulnerabilities and the limited resources available for remediation. Vulnerability management should be a continuous process to keep up with new and emerging threats and changing environments.

How vulnerability management works

Threat and vulnerability management uses a variety of tools and solutions to prevent and address cyberthreats. An effective vulnerability management program typically includes the following components:

Asset discovery and inventory

IT is responsible for tracking and maintaining records of all devices, software, servers, and more across the company’s digital environment, but this can be extremely complex since many organizations have thousands of assets across multiple locations. That’s why IT professionals turn to asset inventory management systems, which help provide visibility into what assets a company has, where they’re located, and how they’re being used.

Vulnerability scanners

Vulnerability scanners usually work by conducting a series of tests against systems and networks, looking for common weaknesses or flaws. These tests can include attempting to exploit known vulnerabilities, guessing default passwords or user accounts, or simply trying to gain access to restricted areas.

Patch management

Patch management software is a tool that helps organizations keep their computer systems up to date with the latest security patches. Most patch management solutions will automatically check for updates and prompt the user when new ones are available. Some patch management systems also allow for deployment of patches across multiple computers in an organization, making it easier to keep large fleets of machines secure.

Configuration management

Security Configuration Management (SCM) software helps to ensure that devices are configured in a secure manner, that changes to device security settings are tracked and approved, and that systems are compliant with security policies. Many SCM tools include features that allow organizations to scan devices and networks for vulnerabilities, track remediation actions, and generate reports on security policy compliance.

Security information and event management (SIEM)

SIEM software consolidates an organization's security information and events in real time. SIEM solutions are designed to give organizations visibility into everything that's happening across their entire digital estate, including IT infrastructure. This includes monitoring network traffic, identifying devices that are trying to connect to internal systems, keeping track of user activity, and more.

Penetration testing

Penetration testing software is designed to help IT professionals find and exploit vulnerabilities in computer systems. Typically, penetration testing software provides a graphical user interface (GUI) that makes it easy to launch attacks and see the results. Some products also offer automation features to help speed up the testing process. By simulating attacks, testers can identify weak spots in systems that could be exploited by real-world attackers.

Threat intelligence

Threat protection software provides organizations with the ability to track, monitor, analyze, and prioritize potential threats to better protect themselves. By collecting data from a variety of sources, such as exploit databases and security advisories, these solutions help companies identify trends and patterns that could indicate a future security breach or attack.

Remediating vulnerabilities

Remediation involves prioritizing vulnerabilities, identifying appropriate next steps, and generating remediation tickets so that IT teams can execute on them. Finally, remediation tracking is an important tool for ensuring that the vulnerability or misconfiguration is properly addressed.

Vulnerability management lifecycle

The vulnerability management lifecycle has six key phases. Organizations looking to implement or improve their vulnerability management program can follow these steps.

Phase 1: Discovery

Create a full asset inventory across your organization’s network. Develop a baseline for your security program by identifying vulnerabilities on an automated schedule so you can stay ahead of threats to company information.

Phase 2: Prioritization of assets

Assign a value to each asset group that is reflective of its criticality. This will help you understand which groups need more attention and will help streamline your decision-making process when faced with allocating resources.

Phase 3: Assessment

The third part of the vulnerability management lifecycle is assessing your assets to understand the risk profile of each one. This allows you to determine which risks to eliminate first based on a variety of factors, including its criticality and vulnerability threat levels as well as classification.

Phase 4: Reporting

Next, determine the various levels of risk associated with each asset based on your assessment results. Then, document your security plan and report known vulnerabilities.

Phase 5: Remediation

Now that you know which vulnerabilities are the most pressing for your business, it’s time to fix them, starting with those that pose the highest risks.

Phase 6: Verification and monitoring

The final phase of the vulnerability management process includes using regular audits and process follow-up to ensure that threats have been eliminated.

Vulnerability management benefits

Vulnerability management helps businesses identify and fix potential security issues before they become serious cybersecurity concerns. By preventing data breaches and other security incidents, vulnerability management can prevent damage to a company's reputation and bottom line.

Additionally, vulnerability management can improve compliance with various security standards and regulations. And finally, it can help organizations better understand their overall security risk posture and where they may need to make improvements.

In today’s hyperconnected world, running occasional security scans and dealing with cyberthreats in a reactive manner is not a sufficient cybersecurity strategy. A solid vulnerability management process has three key advantages over ad hoc efforts, including:

Improved security and control

By regularly scanning for vulnerabilities and patching them in a timely manner, organizations can make it significantly harder for attackers to gain access to their systems. Additionally, robust vulnerability management practices can help organizations identify potential weaknesses in their security posture before attackers do.

Visibility and reporting

Vulnerability management provides centralized, accurate, and up-to-date reporting on the status of an organization’s security posture, giving IT personnel at all levels real-time visibility into potential threats and vulnerabilities.

Operational efficiencies

By understanding and mitigating security risks, businesses can minimize system downtime and protect their data. Improving the overall vulnerability management process also decreases the amount of time required to recover from any incidents that do occur.

How to manage vulnerabilities

Once you have a vulnerability management program in place, there are four basic steps for managing known and potential vulnerabilities as well as misconfigurations.

Step 1: Identify vulnerabilities

Scanning for vulnerabilities and misconfigurations is often at the center of a vulnerability management program. Vulnerability scanners, which are typically continuous and automated, identify weaknesses, threats, and potential vulnerabilities across systems and networks.

Step 2: Evaluate vulnerabilities

Once potential vulnerabilities and misconfigurations are identified, they must be validated as a true vulnerability, rated according to risk, and prioritized based on those risk ratings.

Step 3: Address vulnerabilities

After evaluation, organizations have a few options for treating known vulnerabilities and misconfigurations. The best option is to remediate, which means fully fixing or patching vulnerabilities. If full remediation isn’t possible, organizations can mitigate, which means decreasing the possibility of exploitation or minimizing the potential damage. Finally, they can accept the vulnerability, for example when the associated risk is low, and take no action.

Step 4: Report vulnerabilities

Once vulnerabilities are treated, it’s important to document and report known vulnerabilities. Doing so helps IT personnel track vulnerability trends across their networks and ensures that organizations remain compliant with various security standards and regulations.
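The four steps above, and the lifecycle phases before them (asset criticality from Phase 2, risk assessment from Phase 3), can be exercised end to end on a handful of scan findings. The following is an added example written for this page, not Microsoft's code or any product's API: the scanner output, asset names, check identifiers, scoring formula and treatment thresholds are all constructed assumptions, and real programs would take these from their scanner and their own risk policy.

```python
"""Risk-based triage of vulnerability scan findings (added example, constructed data).

Step 1 identify:  ingest raw scanner findings.
Step 2 evaluate:  drop unvalidated (false-positive) and duplicate findings, score and rank.
Step 3 address:   choose remediate / mitigate / accept per finding.
Step 4 report:    summarise treatments per asset group for trend tracking.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    group: str
    criticality: int  # 1 (low) .. 5 (business critical); assigned per asset group (Phase 2)


@dataclass(frozen=True)
class Finding:
    asset: Asset
    check_id: str         # scanner check identifier (constructed, not a real plugin id)
    cvss: float           # scanner-reported base severity, 0.0 .. 10.0
    exploit_public: bool  # threat-intelligence flag: public exploit code is known
    confirmed: bool       # validated as a true positive during Step 2


# Step 1: identify. Constructed scanner output for three assets in two asset groups.
DB_SERVER = Asset("db-prod-01", "payments", criticality=5)
WEB_SERVER = Asset("web-prod-02", "payments", criticality=4)
KIOSK = Asset("lobby-kiosk-07", "office", criticality=2)

RAW_FINDINGS: List[Finding] = [
    Finding(DB_SERVER, "CHK-0001", 9.8, True, True),    # critical flaw, exploit public
    Finding(DB_SERVER, "CHK-0001", 9.8, True, True),    # same flaw reported by a second scan
    Finding(DB_SERVER, "CHK-0042", 5.3, False, False),  # not validated: treated as false positive
    Finding(WEB_SERVER, "CHK-0017", 7.5, False, True),
    Finding(WEB_SERVER, "CHK-0099", 3.1, False, True),
    Finding(KIOSK, "CHK-0001", 9.8, True, True),        # same flaw as db-prod-01, low-value asset
    Finding(KIOSK, "CHK-0099", 3.1, False, True),
]


def risk_score(finding: Finding) -> float:
    """Assumed formula: severity weighted by asset criticality, plus a bonus if an exploit is public.

    Weight runs 0.2 .. 1.0, so the same CVSS 9.8 flaw scores far higher on a
    critical asset than on a kiosk. Result is capped at 10.0.
    """
    weight = 0.2 * finding.asset.criticality
    score = finding.cvss * weight
    if finding.exploit_public:
        score += 2.0
    return round(min(score, 10.0), 1)


def choose_treatment(score: float) -> str:
    """Step 3: assumed thresholds mapping a risk score to a treatment decision."""
    if score >= 7.0:
        return "remediate"   # fully fix or patch
    if score >= 4.0:
        return "mitigate"    # reduce exploitability or impact when a fix is not yet possible
    return "accept"          # low risk: document and take no action


def evaluate(findings: List[Finding]) -> List[Tuple[Finding, float]]:
    """Step 2: keep confirmed findings, drop duplicates (same asset and check), rank by risk."""
    seen = set()
    ranked: List[Tuple[Finding, float]] = []
    for finding in findings:
        key = (finding.asset.name, finding.check_id)
        if not finding.confirmed or key in seen:
            continue
        seen.add(key)
        ranked.append((finding, risk_score(finding)))
    ranked.sort(key=lambda pair: pair[1], reverse=True)
    return ranked


def triage(findings: List[Finding]) -> List[Tuple[Finding, float, str]]:
    """Evaluate, then attach a treatment to each ranked finding."""
    return [(f, score, choose_treatment(score)) for f, score in evaluate(findings)]


def report(triaged: List[Tuple[Finding, float, str]]) -> Dict[str, Dict[str, int]]:
    """Step 4: count treatments per asset group; successive reports show the trend."""
    summary: Dict[str, Dict[str, int]] = {}
    for finding, _score, action in triaged:
        counts = summary.setdefault(
            finding.asset.group, {"remediate": 0, "mitigate": 0, "accept": 0}
        )
        counts[action] += 1
    return summary


if __name__ == "__main__":
    work = triage(RAW_FINDINGS)
    for finding, score, action in work:
        print(f"{score:>5}  {action:<9}  {finding.asset.name:<16}  {finding.check_id}")
    print(report(work))
```

Note that the two copies of CHK-0001 end up with different treatments purely because of asset criticality, which is the point of prioritising assets before assessing findings.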

Vulnerability management solutions

Clearly, having a solid vulnerability management process in place is not only a smart decision, it’s a necessary one. It's critical to find a vulnerability management solution that bridges the gap between teams, maximizes resources, and provides all your visibility, assessment, and remediation capabilities in a single place.


Frequently asked questions

What are some types of vulnerabilities in cybersecurity?

Some common types of vulnerabilities in cybersecurity include:

  • Weak passwords
  • Insufficient authentication and authorization procedures, such as those that lack 2FA and MFA
  • Unsecure networks and communications
  • Malware and viruses
  • Phishing scams
  • Unpatched software and hardware vulnerabilities

Why do we need vulnerability management?

Vulnerability management is essential for any organization that relies on information technology, as it helps to protect against known and unknown threats. In today's hyperconnected world, new vulnerabilities are constantly being discovered, so it's important to have a process in place for managing them. By implementing a vulnerability management program, you can reduce the risk of exploitation and safeguard your organization against potential attacks.

What is the difference between vulnerability management and assessment?

The key difference between vulnerability management and assessment is that vulnerability management is an ongoing process while vulnerability assessment is a one-time event. Vulnerability management is the process of continuously identifying, evaluating, treating, and reporting vulnerabilities. Assessment, on the other hand, is the act of determining the risk profile of each vulnerability.

What is vulnerability scanning in cybersecurity?

Vulnerability scanning is the process of identifying known and potential security vulnerabilities. Vulnerability scanners—which can be operated manually or automatically—use various methods to probe systems and networks. Once a vulnerability is found, the scanner will attempt to exploit it in order to determine whether a hacker could potentially exploit it as well. This information can then be used to help organizations patch their systems and develop a plan to improve their overall security posture.

What are some common methods for managing vulnerabilities?

There are many ways to manage vulnerabilities, but some common methods include:

  • Using vulnerability scanning tools to identify potential vulnerabilities before they can be exploited
  • Restricting access to sensitive information and systems to authorized users only
  • Updating software and security patches regularly
  • Deploying firewalls, intrusion detection systems, and other security measures to protect against attacks

Vulnerability management, a subdomain of IT risk management, is the continuous discovery, prioritization and resolution of security vulnerabilities in an organization’s IT infrastructure and software.

A security vulnerability is any flaw or weakness in the structure, functionality or implementation of a network or networked asset that hackers can exploit to launch cyberattacks, gain unauthorized access to systems or data or otherwise harm an organization.

Examples of common vulnerabilities include firewall misconfigurations that might allow certain types of malware to enter the network or unpatched bugs in an operating system’s remote desktop protocol that might allow hackers to take over a device.

Today’s enterprise networks are so distributed, and so many new vulnerabilities are discovered daily, that effective manual or ad hoc vulnerability management is nearly impossible. Cybersecurity teams typically rely on vulnerability management solutions to automate the process.

The Center for Internet Security (CIS) lists continuous vulnerability management as one of its Critical Security Controls to defend against the most common cyberattacks. Vulnerability management allows IT security teams to adopt a more proactive security posture by identifying and resolving vulnerabilities before they can be exploited.

Because new vulnerabilities can arise at any time, security teams approach vulnerability management as a continuous lifecycle rather than a discrete event. This lifecycle comprises five ongoing and overlapping workflows: discovery, categorization and prioritization, resolution, reassessment and reporting.

1. Discovery

The discovery workflow centers around vulnerability assessment, a process for checking all of an organization’s IT assets for known and potential vulnerabilities. Typically, security teams automate this process by using vulnerability scanner software. Some vulnerability scanners perform periodic, comprehensive network scans on a regular schedule, while others use agents installed on laptops, routers and other endpoints to collect data on each device. Security teams can also use episodic vulnerability assessments, such as penetration testing, to locate vulnerabilities that elude a scanner.

2. Categorization and Prioritization

Once vulnerabilities are identified, they’re categorized by type (for example, device misconfigurations, encryption issues, sensitive data exposures) and prioritized by level of criticality. This process provides an estimation of each vulnerability’s severity, exploitability and the likelihood of an attack.

Vulnerability management solutions typically draw on threat intelligence sources such as the Common Vulnerability Scoring System (CVSS), an open cybersecurity industry standard, to score the criticality of known vulnerabilities on a scale of 0 to 10. Two other popular intelligence sources are MITRE’s list of Common Vulnerabilities and Exposures (CVEs) and NIST’s National Vulnerability Database (NVD).

3. Resolution

Once vulnerabilities are prioritized, security teams can resolve them in one of three ways:

  • Remediation—fully addressing a vulnerability so it can no longer be exploited, such as by installing a patch that fixes a software bug or retiring a vulnerable asset. Many vulnerability management platforms provide remediation tools such as patch management for automatic patch downloads and testing, and configuration management for addressing network and device misconfigurations from a centralized dashboard or portal.
  • Mitigation—making a vulnerability more difficult to exploit and lessening the impact of exploitation without removing the vulnerability entirely. Leaving a vulnerable device online but segmenting it from the rest of the network is an example of mitigation. Mitigation is often performed when a patch or other means of remediation is not yet available.
  • Acceptance—choosing to leave a vulnerability unaddressed. Vulnerabilities with low criticality scores, which are unlikely to be exploited or unlikely to cause significant damage, are often accepted.

4. Reassessment

When vulnerabilities are resolved, security teams conduct a new vulnerability assessment to ensure that their mitigation or remediation efforts worked and did not introduce any new vulnerabilities.

5. Reporting

Vulnerability management platforms typically provide dashboards for reporting on metrics like mean time to detect (MTTD) and mean time to respond (MTTR). Many solutions also maintain databases of identified vulnerabilities, which allow security teams to track the resolution of identified vulnerabilities and audit past vulnerability management efforts.

These reporting capabilities enable security teams to establish a baseline for ongoing vulnerability management activities and monitor program performance over time. Reports can also be used to share information between the security team and other IT teams who may be responsible for managing assets but not directly involved in the vulnerability management process. 

Risk-based vulnerability management (RBVM) is a relatively new approach to vulnerability management. RBVM combines stakeholder-specific vulnerability data with artificial intelligence and machine learning capabilities to enhance vulnerability management in three important ways.

More context for more effective prioritization. Traditional vulnerability management solutions determine criticality by using industry-standard resources like the CVSS or the NIST NVD. These resources rely on generalities that capture the average criticality of a vulnerability across all organizations. But they lack stakeholder-specific vulnerability data, and that gap can result in dangerous over- or under-prioritization of a vulnerability’s criticality for a specific company.

For example, because no security team has the time or resources to address every vulnerability in its network, many prioritize vulnerabilities with a “high” (7.0-8.9) or “critical” (9.0-10.0) CVSS score. However, if a “critical” vulnerability exists in an asset that doesn’t store or process any sensitive information, or offers no pathways to high-value segments of the network, remediation may not be worth it.

Vulnerabilities with low CVSS scores can be a bigger threat to some organizations than others. The Heartbleed bug, discovered in 2014, was rated as “medium” (5.0) on the CVSS scale. Even so, hackers used it to pull off large-scale attacks, such as stealing the data of 4.5 million patients from one of the largest US hospital chains.

RBVM supplements scoring with stakeholder-specific vulnerability data—the number and criticality of the asset that is affected, how the assets are connected to other assets, and the potential damage an exploit might cause—as well as data on how cybercriminals interact with vulnerabilities in the real world. It uses machine learning to formulate risk scores that more accurately reflect each vulnerability’s risk to the organization specifically. This enables IT security teams to prioritize a smaller number of critical vulnerabilities without sacrificing network security.
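To make the contrast above concrete, here is an added example (not IBM's or any vendor's scoring logic) that ranks a constructed set of findings two ways: by CVSS bucket alone, and by a risk score that folds in asset criticality, data sensitivity, paths into high-value segments and observed exploitation. The weights, asset names and VULN-x identifiers are assumptions made for the illustration.

```python
"""Risk-based prioritization next to plain CVSS bucketing.

Added example (not IBM's or any vendor's scoring method). The weights,
the asset inventory and the VULN-x identifiers below are all
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str             # constructed placeholder, not a real CVE number
    asset: str
    cvss: float              # CVSS base score, 0.0 to 10.0
    asset_criticality: int   # 1 (disposable) to 5 (crown jewel), set by asset owner
    sensitive_data: bool     # asset stores or processes sensitive data
    paths_to_core: int       # network paths from this asset into high-value segments
    exploited_in_wild: bool  # threat intel reports active exploitation


def cvss_bucket(score: float) -> str:
    """Qualitative CVSS v3 rating used by the traditional approach."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def cvss_only_priority(findings):
    """Traditional rule from the text: fix everything rated high or critical."""
    return [f.vuln_id for f in findings if f.cvss >= 7.0]


def risk_score(f: Finding) -> float:
    """Blend the generic CVSS score with stakeholder-specific context.

    Weights are an assumption of this example: 40% flaw severity,
    35% asset context, 25% observed real-world exploitation.
    Result is on a 0 to 10 scale like CVSS, so the two are comparable.
    """
    severity = f.cvss / 10.0
    asset = (f.asset_criticality - 1) / 4.0        # 0.0 .. 1.0
    exposure = min(f.paths_to_core, 5) / 5.0       # saturate at five paths
    data = 1.0 if f.sensitive_data else 0.0
    context = 0.5 * asset + 0.25 * data + 0.25 * exposure
    exploited = 1.0 if f.exploited_in_wild else 0.0
    return round(10.0 * (0.40 * severity + 0.35 * context + 0.25 * exploited), 1)


def risk_based_priority(findings):
    """Return (vuln_id, CVSS bucket, risk score) sorted by organisational risk."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.vuln_id, cvss_bucket(f.cvss), risk_score(f)) for f in ranked]


# Constructed inventory mirroring the two cases in the text: a "critical"
# flaw on an isolated, data-free box and a "medium" Heartbleed-like flaw
# on a patient-records server that is being actively exploited.
FINDINGS = [
    Finding("VULN-A", "lab-test-vm", 9.8, 1, False, 0, False),
    Finding("VULN-B", "patient-records-web", 5.0, 5, True, 2, True),
    Finding("VULN-C", "internal-wiki", 7.5, 4, False, 0, False),
]

if __name__ == "__main__":
    print("CVSS-only queue:", cvss_only_priority(FINDINGS))
    for vuln_id, bucket, risk in risk_based_priority(FINDINGS):
        print(f"{vuln_id:8} cvss={bucket:8} risk={risk}")
```

The CVSS-only queue picks VULN-A and VULN-C and never reaches the medium-rated VULN-B, while the risk-based ranking puts VULN-B first and the isolated "critical" VULN-A last.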

Real-time discovery. In RBVM, vulnerability scans are often conducted in real time rather than on a recurring schedule. Additionally, RBVM solutions can monitor a broader array of assets: whereas traditional vulnerability scanners are usually limited to known assets directly connected to the network, RBVM tools can typically scan on-premises and remote mobile devices, cloud assets, third-party apps, and other resources.

Automated reassessment. In an RBVM process, reassessment can be automated by continuous vulnerability scanning. In traditional vulnerability management, reassessment may require an intentional network scan or penetration test.

Vulnerability management is closely related to attack surface management (ASM). ASM is the continuous discovery, analysis, remediation, and monitoring of the vulnerabilities and potential attack vectors that make up an organization’s attack surface. The core difference between ASM and vulnerability management is one of scope. While both processes monitor and resolve vulnerabilities in an organization’s assets, ASM takes a more holistic approach to network security.

ASM solutions include asset discovery capabilities that identify and monitor all known, unknown, third-party, subsidiary, and malicious assets connected to the network. ASM also extends beyond IT assets to identify vulnerabilities in an organization’s physical and social engineering attack surfaces. It then analyzes these assets and vulnerabilities from a hacker’s perspective to understand how cybercriminals might use them to infiltrate the network.

With the rise of risk-based vulnerability management (RBVM), lines between vulnerability management and ASM have become increasingly blurred. Organizations often deploy ASM platforms as part of their RBVM solution, because ASM provides a more comprehensive view of the attack surface than vulnerability management alone.

COMMENTS

  1. Vulnerability management in organizations

    The continuous increase of cyber-attacks taking advantage of unpatched vulnerabilities, pushes the organizations to implement a vulnerability management framework to stay protected. This thesis addresses the issue of a correct vulnerability management, studying the problematic in different phases of the vulnerability lifecycle and providing best practices to reduce vulnerabilities in each of them.

  2. PDF Vulnerability Management in Organizations

    applied in a real case study, through an internship performed in the vulnerability management of systems of the Space Operations department of SES. The main contributions of this thesis are: • An overview of the main issues and key practices of vulnerability management.

  3. PDF When should an organisation start vulnerability management?

    The goal for the thesis is to give organisations a better understanding about vulnerabilities, the maturity of an organisation's cyber security and offer an easily adoptable vulnerability management model. The thesis is restricted to only technical vulnerabilities, which can be found with a vulnerability scanner.

  4. Cybersecurity vulnerability management: A conceptual ontology and cyber

    Effective vulnerability management requires the integration of vulnerability information available on multiple sources, including social media. The information could be used to inform common users about impending vulnerabilities and countermeasures. First, we present the Cybersecurity Vulnerability Ontology (CVO), a conceptual model for formal ...

  5. PDF Vulnerability Scoring Systems, Remediation Strategies and Taxonomies

    thesis, Vulnerability Scoring and Remediation, addresses these concerns. ... 70-80% of their time focused on the information security risk management phase of testing. This type of work increases exponentially in time and complexity as the size and costs of a system are increased. Srivasta and Kumar describe this security remediation process ...

  6. PDF DISI

    derlying our main thesis: vulnerability risk is influenced by the attacker's rationality, and the underground markets are credible sources of risk that provide technically proficient attack tools, are mature and sound from an economic perspective. We then put this in practice and evaluate the effec-

  7. PhD Thesis

    Specifically, this thesis proposes data-driven cybersecurity indicators to bridge vulnerability management gaps induced by ad-hoc and subjective auditing processes as well as to increase the level ...

  8. PDF Effective Vulnerability Management for Small Scale Organisations ...

    of vulnerability management while doing so in a cost-effective manner. The implications of targeted cybersecurity patch management for the local ISP and their client-base is also addressed by this thesis research. Keywords: Vulnerability management, patch management, small-scale

  9. Vulnerability Management Expert System

    Risk is the likelihood that vulnerability will be exploited. The probability that a threat will use the vulnerability to cause harm creates a risk. When a threat does use the vulnerability to inflict harm, it has an impact, and, in the context of information security, the impact is a loss of availability, integrity, and confidentiality.

  10. Development of process and tools for vulnerability management

    The primary objective of this thesis was to improve vulnerability management within cybersecurity domain by defining an unambiguous process to handle findings causing ... The study showed that proper asset management is in a key role to execute the vulnerability management process successfully. Also, the study discovered that the process could ...

  11. PDF Improving internal vulnerability scanning and

    This thesis also presents an analysis of the Host Discovery Scan and Basic Network Scan results, alongside a security analysis of the Basic Network Scan. ... Vulnerability scanning is an essential component of the overall Vulnerability Management Process, which is designed to identify, evaluate, and treat security vulnerabilities in systems ...

  12. PDF The Use of Vulnerability Assessments: a Survey

    This thesis will investigate vulnerability assessments and the security of data in small organizations. Although the literature on information systems security is immense, little seems to exist on the security weaknesses of small organizations and the safeguards that vulnerability assessments can provide. This thesis

  13. Dissertation: Vulnerability Analysis for Critical Infrastructures

    This research contributes data-driven vulnerability analysis approaches that bridge the knowledge gaps among different security functions, such as vulnerability management through related reports analysis. This thesis also correlates vulnerability analysis findings to coordinate mitigation responses in complex CIs.

  14. PDF Implementing Vulnerability Assessment Tool as an On-Premises

    Purpose & Goals of this thesis project. The purpose of this thesis is split into two goals. The first objective is to find possible options based on the requirements set by the client. The second objective is to test and assess the chosen vulnerability management services on a virtual test platform.

  15. PDF Automated Vulnerability Management

    Automated Vulnerability Management. Yuhan Ma. Master's Programme, Communication Systems, 120 credits. Date: June 8, 2023. Supervisors: PeterSvenssonZ, Ruize Wang

  16. The Many Faces of Vulnerability

    Behavioural dimensions of vulnerability management techniques have been highlighted as having important implications for questions of 'difference'; ... (Reference Fineman and Grear 2013: 2) make the case that the vulnerability thesis offers a powerful alternative to the 'mythical autonomous liberal subject of neoliberal rhetoric ...

  17. Cybersecurity Hazards and Financial System Vulnerability: A ...

    In this paper, we synthesize relevant articles and policy documents on cyber-security risk, focusing on the dimensions detrimental to the banking system's vulnerability. Finally, we propose five new research avenues for consideration that may enhance our knowledge of cyber-security risk and help practitioners develop a better cyber risk ...

  18. What Is Vulnerability Management?

    Vulnerability management is a continuous, proactive, and often automated process that keeps your computer systems, networks, and enterprise applications safe from cyberattacks and data breaches. As such, it is an important part of an overall security program. By identifying, assessing, and addressing potential security weaknesses, organizations ...

  19. What is Vulnerability Management?

    Vulnerability management, a subdomain of IT risk management, is the continuous discovery, prioritization and resolution of security vulnerabilities in an organization's IT infrastructure and software. A security vulnerability is any flaw or weakness in the structure, functionality or implementation of a network or networked asset that hackers ...

  20. What is Vulnerability Management?

    What is Vulnerability Management? Vulnerability management is the ongoing, regular process of identifying, assessing, reporting on, managing and remediating cyber vulnerabilities across endpoints, workloads, and systems. Typically, a security team will leverage a vulnerability management tool to detect vulnerabilities and utilize different ...

  21. A methodology for flood susceptibility and vulnerability analysis in

    Introduction. In recent years, strategies for the mitigation and prevention of flood disasters have shifted from a 'flood defence' approach, aimed at controlling the hazard by means of structural measures, to a 'flood management' approach, based on comprehensive risk assessment studies and costs and benefits analyses (Messner and Meyer, 2006; Merz et al., 2010; Fuchs et al., 2011).

  22. PDF Vulnerability Theory and the Role of Government

    Provision and the Vulnerability Thesis: From the UK to the Global Market 126, in id. (applying 2014] Yale Journal of Law and Feminism explain the basis for broad social welfare policies, but also because it suggests that vulnerability can replace group identity (e.g., race, gender, poverty) as a basis for targeting social policy. ...

  23. Community flood vulnerability and risk assessment: An empirical

    Journal of Flood Risk Management provides an international platform for knowledge sharing in all areas related to flood risk - from academic papers to applied content. Abstract Effective assessment of flood vulnerability and risk is essential for communities to manage flood hazards. This paper presents an empirical modeling methodology to ...