Finding and Fixing Vulnerabilities in Information Systems : The Vulnerability Assessment and Mitigation Methodology.
Title:
Finding and Fixing Vulnerabilities in Information Systems : The Vulnerability Assessment and Mitigation Methodology.
Author:
Anton, Philip S.
ISBN:
9780833035998
Physical Description:
1 online resource (145 pages)
Contents:
Cover -- PREFACE -- CONTENTS -- FIGURES -- TABLES -- SUMMARY -- ACKNOWLEDGMENTS -- ACRONYMS
Chapter One INTRODUCTION -- WHO SHOULD USE THE VAM METHODOLOGY? -- PREVIOUS RESEARCH -- STRUCTURE OF THIS REPORT
Chapter Two CONCEPTS AND DEFINITIONS -- SECURITY -- INFORMATION SYSTEMS -- SYSTEM OBJECT TYPES -- On the Use of the "Object" Concept -- ATTRIBUTES AS SOURCES OF VULNERABILITIES -- Security Techniques
Chapter Three VAM METHODOLOGY AND OTHER DoD PRACTICES IN RISK ASSESSMENT -- OVERVIEW OF THE VAM METHODOLOGY -- Step 1. Identify Essential Information Functions -- Step 2. Identify Essential Information Systems -- Step 3. Identify System Vulnerabilities -- Step 4. Identify Pertinent Security Techniques from Candidates Given by the VAM Methodology -- Step 5. Select and Apply Security Techniques -- Step 6. Test for Robustness Under Threat -- OTHER DoD VULNERABILITY ASSESSMENT METHODOLOGIES -- OCTAVE -- ISO/IEC 15408: Common Criteria -- ISO/IEC 17799: Code of Practice for Information Security Management -- Operations Security -- Operational Risk Management -- Integrated Vulnerability Assessments -- The VAM Methodology Techniques Fill Critical Needs in Other Methodologies
Chapter Four VULNERABILITY ATTRIBUTES OF SYSTEM OBJECTS -- VULNERABILITY ATTRIBUTE CATEGORIES -- A VULNERABILITY CHECKLIST AND EXAMPLE -- Insider Threat -- Inability to Handle Distributed Denial-of-Service Attacks -- IP Spoofing -- Inability to Detect Changes to IP Net, Making IP Masking Possible -- Centralized Network Operations Centers -- Common Commercial Software and Hardware Are Well Known and Predictable -- Standardized Software -- Weaknesses in Router or Desktop Applications Software -- Electronic Environmental Tolerances -- DESCRIPTION OF VULNERABILITY ATTRIBUTES -- Design and Architecture Attributes -- Behavioral Attributes -- General Attributes -- HOW VULNERABILITY PROPERTIES COMBINE IN COMMON THREATS
Chapter Five DIRECT AND INDIRECT SECURITY TECHNIQUES -- SECURITY TECHNIQUE CATEGORIES AND EXAMPLES -- Resilience and Robustness -- Intelligence, Surveillance, Reconnaissance, and Self-Awareness -- Counterintelligence -- Denial of ISR and Target Acquisition -- Deterrence and Punishment -- HOW SECURITY TECHNIQUES COMBINE IN COMMON SECURITY APPROACHES
Chapter Six GENERATING SECURITY OPTIONS FOR VULNERABILITIES -- MAPPING VULNERABILITIES TO SECURITY TECHNIQUES -- Security Techniques That Address Vulnerabilities -- Security Techniques That Incur Vulnerabilities -- Vulnerability Properties Can Sometimes Facilitate Security Techniques -- Striking a Balance -- Design and Usage Considerations -- REFINING THE SECURITY SUGGESTIONS -- Evaluator Job Roles -- Intel, Surveillance, & Reconnaissance (ISR) and Self-Awareness Counter-Intelligence / Denial of ISR & Target Acquisition Offense and Retribution Attack Components -- Attack Stage Relevance by Evaluator Job Role -- EXAMPLE SECURITY OPTIONS ARISING FROM THE USE OF THE METHODOLOGY -- Insider Threat -- Inability to Handle Distributed Denial-of-Service Attacks -- IP Spoofing -- Inability to Detect Changes to IP Net, Making IP Masking Possible -- Centralized Network Operations Centers -- Common Commercial Software and Hardware Are Well Known and Predictable -- Standardized Software -- Weaknesses in Router or Desktop Applications Software -- Electronic Environmental Tolerances
Chapter Seven AUTOMATING AND EXECUTING THE METHODOLOGY: A SPREADSHEET TOOL -- INITIAL STEPS PERFORMED MANUALLY -- VULNERABILITIES GUIDED BY AND RECORDED ON A FORM -- THE RISK ASSESSMENT AND MITIGATION SELECTION SPREADSHEET -- Specifying the User Type and Vulnerability to Be Analyzed -- Evaluating the Risks for Each Attack Component -- Considering and Selecting Mitigations -- Rating Costs and the Mitigated Risks
Chapter Eight NEXT STEPS AND DISCUSSION -- FUTURE CHALLENGES AND OPPORTUNITIES -- Guiding the Evaluation of Critical Functions and Systems -- Additional Guidance and Automation: Spreadsheet and Web-Based Implementations -- Prioritizing Security Options -- Quantitative Assessments of Threats, Risks, and Mitigations -- Integrating VAM Functions into Other Assessment Methodologies -- Using VAM to Guide Information Attacks -- Applications of VAM Beyond Information Systems -- WHAT VULNERABILITY WILL FAIL OR BE ATTACKED NEXT? -- USABILITY ISSUES -- WHY PERFORM SECURITY ASSESSMENTS?
Chapter Nine SUMMARY AND CONCLUSIONS
Appendix VULNERABILITY TO MITIGATION MAP VALUES
BIBLIOGRAPHY.
Abstract:
Understanding an organization's reliance on information systems and how to mitigate the vulnerabilities of these systems can be an intimidating challenge, especially when considering less well-known weaknesses or even unknown vulnerabilities that have not yet been exploited. The authors introduce the Vulnerability Assessment and Mitigation methodology, a six-step process that uses a top-down approach to protect against future threats and system failures while mitigating current and past threats and weaknesses.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.