Threat & Vulnerability Assessment
Proof is a sobering point
The purpose of the threat & vulnerability assessment is to investigate open source threats and vulnerabilities, including intentional and unintentional events caused by human error, system design weakness, patches, environmental threats, and generic threat information (e.g., inadequately trained employees, dishonest employees).
CNA Corporation identifies appropriate cost-effective countermeasures to mitigate risk. This assessment should be applied at various decision points in a system's life cycle to identify new risks.
This assessment is often referred to as an initial risk assessment because it is a review of anticipated risk, based on a proposed system or proposed environment, or conducted prior to validation of countermeasures during a security test & evaluation (ST&E).
During this assessment, we identify known system-specific and generic information technology threats in all areas of security (e.g., communications, computer/network, emanations, personnel, physical). The assessment is based on the impact related to the lack of system availability, loss of integrity, information compromise (e.g., loss of confidentiality), or loss of accountability.