Which statement accurately describes vulnerability analysis?

• A. It solely focuses on qualitative assessments
• B. It is unrelated to risk management
• C. It is the same as incident response planning
• D. It involves identifying and quantifying vulnerabilities

Answer: (D)

Vulnerability analysis is about uncovering weaknesses in physical security measures and measuring how serious they are. It combines information about what you’re protecting, the threats you face, existing controls, and how likely it is that those weaknesses could be exploited, to produce a risk-based view of where gaps are most significant. This helps prioritize which vulnerabilities to fix first and supports resource allocation for strengthening protection. It’s a proactive part of risk management, not a reactive incident plan. Incident response focuses on what to do during and after a security event, whereas vulnerability analysis aims to prevent events by identifying and quantifying weaknesses.