ABSTRACT

Vulnerability management (VM) is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. Risk management seeks to identify the conditions or events under which a loss may occur and then to find the means to address that risk. VM typically focuses attention on technical vulnerabilities in software and system configuration. There are also vulnerabilities related to corporate strategy, economics, and the environment whose detection cannot be automated; they require the attention of a risk manager. These vulnerabilities exist in areas such as business processes, strategies, and supply chains. The security industry has focused on selling products and services that require upgrades and maintenance. Most security problems result from a failure to code, patch, configure, or design in a secure manner. This is the military equivalent of a lack of training of the troops, a lack of oversight by commanders, and a failure to provide adequate equipment.