Skip to content

Vulnerability Decomposition

Prime #
1269
Origin domain
Governance Policy
Subdomain
risk decomposition → Governance Policy

Core Idea

A system's vulnerability to a named stressor factors into three terms — exposure (how much the system meets the stressor), sensitivity (harm per unit of exposure), and adaptive capacity (its ability to bound or reverse harm) — typically combined as Vulnerability = Exposure × Sensitivity / Adaptive Capacity, with each factor admitting its own intervention family.

How would you explain it like I'm…

Bumped, Hurt, or Healed

How much something gets hurt depends on three things: how often the bad thing reaches it, how much each touch hurts it, and how well it can patch itself up afterward. A turtle in its shell barely gets hurt even if it's bumped a lot, because the shell stops the touch from doing damage. So 'getting bumped a lot' is not the same as 'getting badly hurt.'

The Three Parts of Harm

When you ask how badly some specific danger can hurt a system, you can split the answer into three parts. Exposure is how much the danger actually reaches it — how close, how often, how long. Sensitivity is how much damage each bit of contact does. Adaptive capacity is how well the system protects itself, bounces back, or fixes the harm. The trick is that these are separate: a house in a flood zone (high exposure) can still be safe if it's built on tall stilts (low sensitivity). So when someone says something is 'vulnerable,' you should ask which of the three parts they mean.

Exposure, Sensitivity, Coping

Vulnerability decomposition says that a system's vulnerability to a named stressor factors into three separable terms instead of being one fuzzy score. Exposure is how much the system meets the stressor (intensity, duration, overlap); sensitivity is the harm produced per unit of exposure (how efficiently contact turns into damage); adaptive capacity is the system's ability to bound or reverse the realized harm with its own resources. A common convention combines them as Vulnerability = Exposure × Sensitivity / Adaptive Capacity, though that convention is itself a real choice. The power of splitting it this way is that each factor has its own lever: you can cut exposure, harden against per-unit damage, or strengthen the response. It also stops two common mistakes — treating high exposure as if it were high vulnerability, and forgetting that the sensitivity term often does the most work.

 

Vulnerability decomposition is the structural pattern in which a system's vulnerability to a named stressor factors into three combined terms. Exposure is the degree to which the system meets the stressor — contact intensity, duration, geographic overlap. Sensitivity is the per-unit-exposure harm, the transduction efficiency from contact to damage. Adaptive capacity (sometimes coping capacity, or its inverse, resilience) is the ability to bound or reverse realized harm through the system's own resources, structures, and responses. The pattern makes four commitments: a specified stressor without which the decomposition is ill-defined; a factorisation into the three terms with a combination convention, typically multiplicative or ratio-shaped (Vulnerability = Exposure × Sensitivity / Adaptive Capacity), the convention being a substantive choice; a clean intervention map in which each factor admits its own intervention family; and a diagnostic discipline requiring any vulnerability claim to specify which factor it concerns. That discipline prevents the routine conflation of high exposure with high vulnerability and the chronic under-attribution to the sensitivity term. It is the substrate-neutral recipe instantiated by the IPCC climate-vulnerability formula, UNDRR's disaster-risk triangle, public-health vulnerability analyses, cybersecurity's exposure-vulnerability-impact triple, and Basel-III fragility factors.

Broad Use

  • Climate adaptation: vulnerability to warming or sea-level rise factors into exposure, per-unit sensitivity, and adaptive capacity (IPCC AR4 onward).
  • Disaster risk reduction: UNDRR Sendai decomposes disaster risk into hazard, exposure, and a vulnerability split into sensitivity and adaptive capacity.
  • Public health: a population's vulnerability to a pathogen factors into contact patterns, per-contact severity, and immunity plus treatment access.
  • Cybersecurity: organisational vulnerability factors into attack-surface exposure, compromise damage, and detection-and-recovery capacity.
  • Financial systemic risk: an institution's fragility factors into the same three terms in regulatory vocabulary (Basel-III).
  • Agriculture: drought vulnerability factors into water exposure, crop sensitivity, and irrigation-and-reserve capacity.

Clarity

Dissolves two errors — conflating exposure with vulnerability (high exposure plus low sensitivity and high capacity yields low vulnerability) and conflating vulnerability with risk (which additionally needs the hazard's probability).

Manages Complexity

Turns "reduce vulnerability" into a worklist — name the stressor, quantify each factor, map candidate interventions to factors, and steer spend to the binding term by marginal return.

Abstract Reasoning

Licenses the counterfactual "hold two factors fixed, vary the third," and a sharp negative test: an intervention touching none of the three factors does not reduce vulnerability.

Knowledge Transfer

  • Climate to public health: a "reduce exposure" planner can borrow social-distancing protocols, since exposure is the same factor relabelled.
  • Cyber to finance: an "increase adaptive capacity" designer can borrow financial stress-test methodology.
  • Coastal city to hospital: the same factoring procedure that maps a flood-vulnerability budget maps a hospital's pandemic vulnerability.

Example

A coastal city told 40% of its population lives in the surge zone has stopped at exposure; factoring further reveals the binding intersection of highly sensitive pre-1980 housing and low evacuation capacity, redirecting spend for several-fold better marginal return.

Relationships to Other Primes

One-hop neighborhood: parents above, mutual partners to the right, children below.VulnerabilityDecompositionsubsumption: DecompositionDecompositioncomposition: RiskRisk

Parents (2) — more general patterns this builds on

  • Vulnerability Decomposition is a kind of Decomposition — A multiplicative factorisation V = Exposure × Sensitivity / Adaptive-Capacity of a system-stressor pair, each factor with its own intervention family — a specialization of decomposition applied to a vulnerability scalar.
  • Vulnerability Decomposition presupposes Risk — The file: this is the recipe for the VULNERABILITY FACTOR ONLY of Risk = Hazard × Vulnerability; presupposes risk and feeds the risk equation (probability multiplied back at the risk level).

Path to root: Vulnerability DecompositionDecomposition

Not to Be Confused With

  • Vulnerability Decomposition is not Risk because risk is the full product Hazard × Vulnerability needing the hazard's probability, whereas this is the recipe for the vulnerability factor alone, bracketing probability.
  • Vulnerability Decomposition is not Stressor-Induced Adaptation because that is a dynamic process of how a system changes under stress, whereas this is a static factorisation of how much harm a stressor produces now.
  • Vulnerability Decomposition is not FMEA because FMEA enumerates and ranks many failure modes, whereas this depth-first factors one system-stressor pair into three multiplicative terms.