***** Vulnerability Assessment of Physical Protection Systems. By Mary Lynn Garcia; published by Elsevier Butterworth-Heinemann; available from ASIS International, Item #1674, 703/519-6200 (phone), www.asisonline.org (Web); 382 pages; $50 (ASIS members), $55 (nonmembers).

Mary Lynn Garcia’s book Design and Evaluation of Physical Protection Systems (Butterworth-Heinemann, 2001), is considered by many to be the standard reference for physical protection systems. Garcia’s follow-up, Vulnerability Assessment of Physical Protection Systems, picks up where the former title left off by providing a thorough analysis of the vulnerability assessment (VA) process.

This new book is just as focused, comprehensive, and readable as its predecessor, and the information in the two books dovetails so elegantly that it is difficult to discuss one without the other. Yet Vulnerability Assessment is a self-contained book that stands firmly on its own merit.

Garcia begins with an overview of VA project management, paying close attention to the delegation of tasks among various subject-matter experts who are involved in the VA process. With this overview, project managers can assign each aspect of the VA to the person best suited to the task.

More than half the book is devoted to giving details the data-collection processes for subsystems of various physical protection systems, such as ID badges for access control and video displays of alarm systems. Many types of problems, related to both design and technology, are discussed in depth with the aid of copious flow charts and illustrations.

A section on analysis lays out various attack scenarios using what are called “adversary sequence diagrams,” or ASDs. In Garcia’s words, these diagrams illustrate “the paths that adversaries can follow to accomplish sabotage or theft goals.” ASDs are vital to the success of vulnerability assessments and are thus examined in close detail.

Even the best VA has limited value if its results can’t be effectively conveyed. Thus, one section focuses on reporting VA findings, giving step-by-step instructions on presenting findings to clients clearly and concisely, without sacrificing technical detail.

No security professional involved at any level in the VA process for physical protection systems can afford to operate without this field manual. It combines theory with technical data to create a usable tool. Students will also find this book to be an immensely important resource for understanding VA processes in depth. Topping it off is a handy section of appendices including all of the checklists, worksheets, and briefing templates necessary for any VA project.

Reviewer: Dan Bergevin is the principal of Catfield International, an intelligence and security firm based in the Salt Lake City, Utah, area.