Lesson 7.1: TVRA (Threat Vulnerability Risk Assessment)
1. Learning Objectives
By the end of this lesson, you will be able to:
- Define the core security equation: Risk = Threat x Vulnerability x Impact.
- Distinguish between a Threat (external force) and a Vulnerability (internal weakness).
- Use a 5×5 Risk Matrix to score risks and prioritize spending.
- Apply the four Risk Treatment strategies: Avoid, Mitigate, Transfer, Accept.
2. The Security Equation
You cannot eliminate all risks. You must calculate which ones matter.
Risk = Threat x Vulnerability x Impact
- Threat: Anything that can cause harm (e.g., Earthquake, Thief, Hacker, Power Outage).
- Vulnerability: A weakness in your defense that allows the threat to succeed (e.g., No generator, Broken door lock, Unpatched server).
- Impact: The cost if the bad thing happens (e.g., $1M in lost revenue, loss of reputation, injury).
The Goal: We usually cannot change the Threat (we can’t stop the rain). We can reduce the Vulnerability (fix the roof) to lower the Risk.

3. The TVRA Methodology
A TVRA is a formal document created before a data center is built, and updated annually.
Step 1: Asset Identification
What are we protecting?
- Primary: The Data (Customer Information).
- Secondary: The Hardware (Servers, Generators).
- Tertiary: The People (Staff).
Step 2: Threat Assessment
What could hurt us?
- Natural: Flood, Fire, Earthquake, Lightning.
- Criminal: Theft, Vandalism, Terrorism, Industrial Espionage.
- Operational: Power failure, Cooling failure, Human error.
Step 3: Vulnerability Assessment
Where are we weak?
- Example: “The threat is a Truck Bomb. The vulnerability is that our building is only 5 meters from the road.”
4. Scoring: The Risk Matrix
We score every risk on a 1–5 scale to visualize them.
- Probability (Likelihood): 1 (Rare) to 5 (Almost Certain).
- Severity (Impact): 1 (Minor) to 5 (Catastrophic).
The Calculation:
- Scenario A (Meteor Strike): Probability (1) x Severity (5) = Risk Score 5 (Low).
- Scenario B (Hard Drive Theft): Probability (4) x Severity (4) = Risk Score 16 (High).
The Result: You spend your budget fixing Scenario B, not Scenario A.
5. Risk Treatment Strategies
Once you have a score, you have four choices (The 4 Ts):
- Terminate (Avoid): Stop the activity that causes the risk.
  - Example: Risk of flooding is too high. Solution: Do not build the data center in that city.
- Treat (Mitigate): Add security controls to lower the score.
  - Example: Risk of truck bomb. Solution: Install K12 Bollards (Mitigation). Now the risk is lower.
- Transfer (Share): Shift the financial burden to someone else.
  - Example: Fire risk. Solution: Buy Insurance. If it burns down, the insurance company pays.
- Tolerate (Accept): The cost of fixing it is higher than the cost of the damage.
  - Example: The risk of a meteor hitting the roof. Solution: Do nothing. It’s too expensive to build a meteor-proof roof for such a rare event.
6. Practical Application: Running a TVRA
Scenario: A Data Center in a tropical city.
- Threat: Hurricane (High Probability: 4).
- Vulnerability: The generator fuel tank is located in the basement (flood prone).
- Impact: If it floods, generators fail -> Total outage (Catastrophic: 5).
- Initial Risk Score: 4 x 5 = 20 (Critical).
Proposed Treatment (Mitigate):
- Move the fuel tank to the roof.
- New Vulnerability Score: Low (1).
- New Risk Score: 4 x 1 = 4 (Acceptable).
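The scoring in sections 4 and 6 can be kept as a small risk register. The sketch below is an added example, not part of the original lesson: it scores the lesson's three scenarios, carries the hurricane treatment through to a residual score, and lists what still needs treatment. The band cut-offs, the tolerance of 5 and the name `treated_factor` are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed band floors, chosen to match the lesson's labels (5 Low, 16 High,
# 20 Critical); the lesson itself does not define the cut-offs.
BANDS = [(20, "Critical"), (13, "High"), (6, "Medium"), (1, "Low")]

@dataclass
class Risk:
    scenario: str
    probability: int                      # 1 (Rare) .. 5 (Almost Certain)
    severity: int                         # 1 (Minor) .. 5 (Catastrophic)
    treated_factor: Optional[int] = None  # second factor after mitigation

    def __post_init__(self):
        # Reject anything outside the lesson's 1-5 scale.
        for name in ("probability", "severity", "treated_factor"):
            value = getattr(self, name)
            if value is None and name == "treated_factor":
                continue
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1-5, got {value!r}")

    @property
    def score(self):
        return self.probability * self.severity

    @property
    def residual(self):
        # As in section 6: probability is unchanged, the second factor drops.
        factor = self.severity if self.treated_factor is None else self.treated_factor
        return self.probability * factor

def band(score):
    return next(label for floor, label in BANDS if score >= floor)

def prioritize(register, tolerance=5):
    """Risks whose residual score exceeds tolerance (assumed 5), highest first."""
    return sorted((r for r in register if r.residual > tolerance),
                  key=lambda r: r.residual, reverse=True)

# The lesson's three scenarios.
REGISTER = [
    Risk("Meteor strike", 1, 5),
    Risk("Hard drive theft", 4, 4),
    Risk("Hurricane floods basement fuel tank", 4, 5, treated_factor=1),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(r.scenario, r.residual, band(r.residual))
```

With the hurricane risk already treated, only the hard drive theft remains above the tolerance, which matches the lesson's conclusion about where the budget goes.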