Mitigating Attacks on Houses of Worship Part 3: Conducting a Comprehensive Vulnerability Assessment

by | Leadership, Security

In the second part of this series we introduced the idea of the holistic approach to church safety, which looks at not just the physical building, but at the church’s data, finances, and members, to ensure every important aspect of the church is addressed when assessing potential threats. This week we look at what may be the most crucial part in preventing or minimizing damage from attacks on your church – conducting a thorough and comprehensive vulnerability assessment.

According to the Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA), the process of determining how your church is vulnerable is just as important as what your assessment finds. In conducting your assessment you should look at various types of vulnerability, but also various kind of attack, including: Active shooters, vehicle rammings, improvised explosive devices (IED), vehicle-borne IEDs, arson, edged weapons, and cyberattacks, among others. While that may sound grim or far-fetched, keep in mind, all of those types of attacks have taken place at other churches in the past decade.

Most churches have schools

A church is more than just a house of worship. This is particularly true of large churches, but even small churches have additional roles as diverse as community center, entertainment venue, and day care center. One of the most common features in a church is a school, which presents another disturbing aspect of risk assessment, because as we have been reminded once again, schools are frequently the targets or sites of attacks.

Begin by assigning roles

Conducting a vulnerability assessment begins with deciding who will lead the process. Your church’s size, location, and available resources are all factors in decisions about who assumes this role. Ideally, you will choose a Security Coordinator to lead this process with support from the Security Planning Team. Sharing decision-making responsibilities will help ensure the results of the assessment represent a consensus view and that any changes resulting from the assessment are also done as part of a consensus of your entire organization.

If the security challenges seem relatively straightforward—such as for a small, rural church—the vulnerability assessment can likely be performed in-house. However, assessments involving more complex security environments—such as a megachurch, a dense urban area, or a church that is particularly prominent— might consider reaching out to a CISA PSA to help design a tailored process that can be carried out by a team of volunteers.

PSAs (Protective Security Advisors) are subject matter experts specially trained in vulnerability mitigation and critical infrastructure protection. PSAs facilitate local CISA field activities in coordination with other Department of Homeland
Security (DHS) offices. They also advise and assist state, local, and private sector officials, as well as critical infrastructure facility owners and operators. As part of their normal roles, PSAs frequently conduct vulnerability assessments for houses of worship and schools. For more information on PSAs and how to enlist their aid in your vulnerability assessment, go to

Determine the scope of the assessment

After assigning roles, you’ll want to tailor the vulnerability assessment to your church’s specific interests and needs. To determine the scope and complexity of an assessment, consider some of the following questions:
• Why are you conducting this assessment now?
• Have you previously conducted any similar assessments? If so, how did you use the findings and recommendations?
• Have you already identified specific threats or vulnerabilities? Has your organization experienced threats or incidents of violence in the past?
• How does the location and size of your church affect your security concerns?
• Is your local community facing safety and security concerns that could affect your community?
• Do you have a budget for security measures? If not, will there be budget opportunities for security in the future?

The answers to these questions will help you develop a process that accounts for all aspects of your organization’s
security. Ideally, this will lead to clear evidence-based decision-making about priorities, wants versus needs, short- and long-term goals, budget considerations, and feasibility. In many cases, this process will result in action items that are relatively easy to implement.

Be systematic in your assessment

A systematic approach is essential to producing a high-quality, useful assessment. This method of vulnerability assessment examines an organization’s functional areas to generate findings that can be evaluated in the context of feasibility, complexity, expected benefits, cost, and resource availability. The assessment typically involves collecting data and information through talking with key personnel, performing on-site inspections and observations, reviewing records and materials such as existing security and training plans, and examining public records such as local crime statistics. Important: Document your process and findings so the process itself can be replicated and the data can be used to develop a security strategy.

To facilitate the assessment process, CISA has developed a HOUSE OF WORSHIP SECURITY SELF-ASSESSMENT tool with a series of questions designed to uncover vulnerabilities and areas for improvement. This tool can serve as a template that can be tailored to align with your church’s specific needs.

Key points to consider

To have an effective vulnerability assessment and develop a good action plan, consider multiple aspects in detail. For your facility and the surrounding property:

• Identify each of the buildings on your property, such as the main building, chapel, rectory, school, playground, community center, and parking
• Describe the number, physical design, and construction of buildings, including year and type of construction, and geographic footprint
• Define the type and number of services held, as well as the schedule and number of congregants that might use each building at any given time.

Break down your facility and the surrounding property in terms of inner, outer, and middle perimeters.

• Outer perimeter generally includes the parking facility and lots, exterior grounds, walkways, playgrounds, and the physical façade of the buildings
• Middle perimeter is a fluid area that generally refers to anything that is “on campus” but outside of the main buildings, including exterior features such as walkways, doors, and walls
• Inner perimeter is any interior space, such as the vestibule, worship area(s), administrative offices, community room, auditorium, and classrooms
When you have determined what these areas are, create a list of all outer, middle, and inner perimeter elements.

Next, identify any valuables that require protection and the potential cost of replacing them.
• Determine asset values, costs to protect assets, cost to replace assets, and costs to your organization if assets are lost
• Identify valuables, such as artwork and sacred artifacts
• Assign a relative cost for valuables, which can be evaluated as simply “high,” “moderate,” or “low”
• Make informed decisions about investing in protection for each asset.

Review protocols

Next, review your day-to-day operations and relevant administrative procedures.

  • What are your practices around visitor access?
  • Do you have emergency action or security plans in place? Do they cover a variety of scenarios, such as for active shooter, emergency preparedness, emergency evacuation, threat assessment, and school security scenarios?
  • Are your administrative policies and procedures reexamined and refreshed on a routine basis?
  • Who oversees financial operations, including offerings and collections? Do you use accounting software? Is there a system for conducting audits an oversight?

Finally, assess how likely it is that a threat would occur. Consider a range of possible scenarios and outcomes. For each risk, estimate the probability of the threat and weigh it against the potential cost and impact. Risks with a high probability of occurrence and associated costs should be ranked as high priority in the overall security strategy.

In the final chapter of this series, we’ll examine building community readiness and resilience.

Sign Up for Connections, the Worship Facility Newsletter!


9 Diseases of the Church Facility

Just as our bodies contract diseases that can lead to problems and cause pain and discomfort, many diseases can infect church facilities so that the church can experience functional problems and great discomfort. Rarely are these merely cosmetic, but are often outward...

South Korean Church Provides Inclusive Worship Experience

The Catholic Church in Gwanpyeong-dong, Daejeon, South Korea was built in November 2018. Its exterior mirrors the deck of a ship, like Noah’s Ark sailing toward the sky. Its minimalist interior has tall stained-glass windows and is 91-feet long and 55-feet wide, with...

Building a New Synagogue for Brooklyn’s Kosev Congregation

The Project Brooklyn-based Kosev Congregation contracted commercial and worship architecture firm IMC Architecture to design a prominent Jewish cultural institution in Brooklyn. Specifically, they wanted to build a new synagogue to accommodate: 300+ visitors a series...

DPA Microphones Announces New 2012 and 2015 Pencil Mics

DPA Microphones, the leading manufacturer of high-quality microphone solutions, unveils its new compact 2012 Cardioid and 2015 Wide Cardioid Microphones. Featuring a durable, reinforced construction to withstand the rigors of touring, the new mics join the brand’s...