Developed by the military for assessing risk in the field, the CARVER Matrix is a security tool that assesses and ranks threats based on six factors: criticality, accessibility, recoverability, vulnerability, effect, and recognizability.
Because CARVER was created by the military, private business security SMEs are often interested in using it to assess risk at their own sites. However, CARVER isn’t always appropriate for risk assessment in non-military settings. This article digs deeper into what CARVER is, its limitations as a risk assessment tool, and when it should be used to assess risk.
What is CARVER?
CARVER has its roots in World War II, when it was developed by the OSS as a system for target selection in the field. During the Vietnam War, the U.S. Army Special Forces adopted and further developed CARVER as a system of target acquisition capable of ranking potential targets according to a scale.
As you probably know by this point, CARVER is an acronym:
C - Criticality: How critical is the asset or site?
A - Accessibility: How easy would it be to access the site?
R - Recoverability: How easy would it be for the site to recover from an attack?
V - Vulnerability: How vulnerable is the target to an attack?
E - Effect: What effect would a compromised site have on the organization?
R - Recognizability: Do adversaries easily recognize a site or asset to be valuable?
The matrix assigns a point value to each of the factors above, on a 1-10 or 1-5 scale, creating a simple way to make a decision about attacking or defending a site. An example from a retired U.S. Army Special Operations Field Guide looks like this:
Disrupting Bulk Electric Power Supply

Potential Targets | C | A | R | V | E | R | Total
---|---|---|---|---|---|---|---
Fuel Tanks | 8 | 9 | 3 | 8 | 5 | 6 | 41
Fuel Pumps | 8 | 6 | 2 | 10 | 5 | 3 | 34
Boilers | 6 | 2 | 10 | 4 | 5 | 4 | 31
Turbines | 8 | 6 | 10 | 7 | 5 | 9 | 45
Generators | 4 | 6 | 10 | 7 | 5 | 9 | 41
Condensers | 8 | 8 | 5 | 2 | 5 | 4 | 34
Feed Pumps | 3 | 8 | 5 | 8 | 5 | 6 | 33
Cir. Water Pumps | 3 | 8 | 5 | 8 | 5 | 4 | 33
Generator Step Up Transformer | 10 | 10 | 10 | 9 | 5 | 9 | 53
Because the generator step-up transformer has the highest total score, it is ranked the most vulnerable target.
CARVER has since been adopted by other branches of the military and by government agencies, for both attack and defense purposes, and it has even been applied to management decisions. However, the wide application of CARVER doesn’t mean it’s right for your risk assessment.
The weaknesses of CARVER
Because CARVER was developed for the military, it’s meant to be a quick, actionable assessment of inherent risk. It’s not a comprehensive assessment of all the threats your site might foreseeably face. It’s an overview, not an in-depth analysis. Unlike a military team, you aren’t pressed for time; you have the ability to do a careful, thorough assessment encompassing many scenarios.
Additionally, if you use a system like CARVER, you’re opening yourself up to a subjective interpretation of risk. I once attended a government-sanctioned training course where three teams had to evaluate a water treatment facility using CARVER. Each team came up with a completely different score after assessing the facility.
For the next two hours, each team deliberated on who was right and why. The instructor praised the class and stated, “This is how risk analysis should be done. It will never be consistent and the score will always be different.” This is incorrect for risk analysis. As a litmus test, if you have two assessors using the same tool at the same site and they get different reports or scores, the tool is not an effective risk tool. A vulnerability should be consistent, but the countermeasure to accept or improve that risk might be different.
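To make the scoring concrete, here is an added Python example (not from the article or the field guide) that builds the matrix from the field-guide scores quoted above, ranks assets by total so the highest-scoring asset is protected first, recomputes each printed total from its factor scores as an arithmetic check on a hand-filled matrix, and applies the litmus test just described to two assessors scoring the same site. The three-asset site and both teams' scores are constructed for the example.

```python
from typing import Dict, List, Sequence, Tuple

Scores = Tuple[int, int, int, int, int, int]  # C, A, R, V, E, R, in that order

# Factor scores copied from the field-guide table quoted above; the second
# element of each value is the total as printed in that table.
FIELD_GUIDE: Dict[str, Tuple[Scores, int]] = {
    "Fuel Tanks":                    ((8, 9, 3, 8, 5, 6), 41),
    "Fuel Pumps":                    ((8, 6, 2, 10, 5, 3), 34),
    "Boilers":                       ((6, 2, 10, 4, 5, 4), 31),
    "Turbines":                      ((8, 6, 10, 7, 5, 9), 45),
    "Generators":                    ((4, 6, 10, 7, 5, 9), 41),
    "Condensers":                    ((8, 8, 5, 2, 5, 4), 34),
    "Feed Pumps":                    ((3, 8, 5, 8, 5, 6), 33),
    "Cir. Water Pumps":              ((3, 8, 5, 8, 5, 4), 33),
    "Generator Step Up Transformer": ((10, 10, 10, 9, 5, 9), 53),
}

def carver_total(scores: Sequence[int], scale_max: int = 10) -> int:
    """Sum the six factor scores; reject anything outside the 1..scale_max range."""
    if len(scores) != 6 or any(not 1 <= s <= scale_max for s in scores):
        raise ValueError("CARVER needs six factor scores within 1..%d" % scale_max)
    return sum(scores)

def rank_assets(matrix: Dict[str, Sequence[int]]) -> List[str]:
    """Highest total first (the asset to protect first); ties broken by name."""
    return sorted(matrix, key=lambda a: (-carver_total(matrix[a]), a))

def mismatched_totals(table: Dict[str, Tuple[Scores, int]]) -> List[str]:
    """Rows whose printed total differs from the sum of their own factor scores."""
    return sorted(a for a, (s, printed) in table.items() if carver_total(s) != printed)

def assessor_gaps(a: Dict[str, Scores], b: Dict[str, Scores]) -> Dict[str, int]:
    """Largest per-factor disagreement between two assessors, for each shared asset."""
    return {k: max(abs(x - y) for x, y in zip(a[k], b[k])) for k in a if k in b}

def consistent(a: Dict[str, Scores], b: Dict[str, Scores], tolerance: int = 0) -> bool:
    """The litmus test: same site, same tool, so same ranking and (near-)same scores."""
    same_order = rank_assets(a) == rank_assets(b)
    return same_order and max(assessor_gaps(a, b).values(), default=0) <= tolerance

# Constructed scores (hypothetical site) from two independent assessment teams.
TEAM_1 = {"Server Room": (7, 6, 4, 8, 6, 5), "Loading Dock": (9, 4, 3, 6, 8, 4), "Main Lobby": (6, 7, 5, 5, 6, 6)}
TEAM_2 = {"Server Room": (5, 7, 4, 9, 6, 7), "Loading Dock": (9, 3, 2, 6, 7, 4), "Main Lobby": (8, 7, 5, 4, 6, 6)}
```

Running `consistent(TEAM_1, TEAM_2)` returns False even though both teams rank the assets in the same order, because individual factor scores differ by up to 2 points; that gap is exactly the subjectivity the article warns about.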
When can you use CARVER in the vulnerability assessment process?
Because CARVER is a rudimentary risk assessment tool, the right place for it, if you’re committed to using CARVER at all, is as the very first baseline assessment tool you use to measure the inherent risk of your site.
We recommend using a baseline assessment at the start of the assessment process, specifically a baseline self-assessment, performed by someone who is already onsite. This individual assesses their own site and sends the assessment back to the corporate security department. The assessment itself doesn’t have to be in-depth, so this is the point when CARVER can be used.
After this step, however, the assessments should be much more detailed, and experts should be sent to evaluate the highest priority sites. In addition, experts should work through scenario-based assessments, evaluating the risk of each foreseeable threat. By creating comprehensive plans around scenarios, your sites will be better protected than if you had just used a baseline assessment.
To learn more about how Circadian Risk can help you create self-assessments, contact us now for a demo.