
What is CARVER and When Should You Use it?

By Daniel Young | May 13, 2025 | 8 min read

When it comes to security, we’re always faced with one big question: Where should we focus our efforts first? Businesses face a legion of threats, from physical crime to cyber threats to weather-related risk.

One tool that’s been traditionally used to manage that risk is the CARVER Matrix, a security framework with military roots that has since been adopted by the private sector. CARVER assesses and ranks threats based on six factors:

  • Criticality
  • Accessibility
  • Recoverability
  • Vulnerability
  • Effect
  • Recognizability


Due to its widespread use, business and security professionals are often interested in using CARVER to assess risk at their own sites. The reasoning is that if it was developed by the military, CARVER must be the best system for assessing risk.

That’s not always the case. CARVER isn’t appropriate for risk assessment in every non-military setting. This article will dig deeper into what CARVER is, its limitations as a risk assessment tool, and when it should be used to assess risk.

What is CARVER?

CARVER has its roots in World War II, when it was developed by the OSS as a system for target selection in the field. During the Vietnam War, the U.S. Army Special Forces adopted and further developed CARVER as a system of target acquisition capable of ranking potential targets according to a scale.

CARVER is an acronym:

C - Criticality: How critical is the asset or site?

A - Accessibility: How easy would it be to access the site?

R - Recoverability: How easy would it be for the site to recover from an attack?

V - Vulnerability: How vulnerable is the target to an attack?

E - Effect: What effect would a compromised site have on the organization?

R - Recognizability: Do adversaries easily recognize a site or asset to be valuable?

The matrix assigns a point value to each of the factors above, on a 1-10 or 1-5 scale, creating a simple way to make a decision about attacking or defending a site. An example from a retired U.S. Army Special Operations Field Guide looks like this:


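Disrupting Bulk Electric Power Supply

| Potential Targets | C | A | R | V | E | R | Total |
|---|---|---|---|---|---|---|---|
| Fuel Tanks | 8 | 9 | 3 | 8 | 5 | 6 | 41 |
| Fuel Pumps | 8 | 6 | 2 | 10 | 5 | 3 | 34 |
| Boilers | 6 | 2 | 10 | 4 | 5 | 4 | 31 |
| Turbines | 8 | 6 | 10 | 7 | 5 | 9 | 45 |
| Generators | 4 | 6 | 10 | 7 | 5 | 9 | 41 |
| Condensers | 8 | 8 | 5 | 2 | 5 | 4 | 34 |
| Feed Pumps | 3 | 8 | 5 | 8 | 5 | 6 | 33 |
| Cir. Water Pumps | 3 | 8 | 5 | 8 | 5 | 4 | 33 |
| Generator Step Up Transformer | 10 | 10 | 10 | 9 | 5 | 9 | 53 |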


Because the score for the transformers is highest, the transformers are most vulnerable.
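
An added example, not part of the original article or the field guide: a short Python check that re-adds each row of the matrix above and shows how the priority order shifts when a printed total does not match its six factor scores. The function names are illustrative; the scores and totals are the ones printed in the table.

```python
# Rows copied from the table above: (asset, C-A-R-V-E-R scores, total as printed).
MATRIX = [
    ("Fuel Tanks", (8, 9, 3, 8, 5, 6), 41),
    ("Fuel Pumps", (8, 6, 2, 10, 5, 3), 34),
    ("Boilers", (6, 2, 10, 4, 5, 4), 31),
    ("Turbines", (8, 6, 10, 7, 5, 9), 45),
    ("Generators", (4, 6, 10, 7, 5, 9), 41),
    ("Condensers", (8, 8, 5, 2, 5, 4), 34),
    ("Feed Pumps", (3, 8, 5, 8, 5, 6), 33),
    ("Cir. Water Pumps", (3, 8, 5, 8, 5, 4), 33),
    ("Generator Step Up Transformer", (10, 10, 10, 9, 5, 9), 53),
]

def audit(matrix, scale_max=10):
    """Return {asset: (printed_total, recomputed_total)} for rows that do not add up."""
    mismatches = {}
    for asset, scores, printed in matrix:
        # Reject malformed rows before trusting any total derived from them.
        if len(scores) != 6 or not all(1 <= s <= scale_max for s in scores):
            raise ValueError(f"{asset}: need six scores in 1..{scale_max}")
        if sum(scores) != printed:
            mismatches[asset] = (printed, sum(scores))
    return mismatches

def priority_order(matrix, use_printed_total=False):
    """Assets from highest to lowest total; ties are broken by asset name."""
    keyed = [(printed if use_printed_total else sum(scores), asset)
             for asset, scores, printed in matrix]
    return [asset for _, asset in sorted(keyed, key=lambda t: (-t[0], t[1]))]

def moved(matrix):
    """Assets whose position differs between printed and recomputed totals."""
    before, after = priority_order(matrix, True), priority_order(matrix)
    return [a for a in after if before.index(a) != after.index(a)]

if __name__ == "__main__":
    for asset, (printed, actual) in audit(MATRIX).items():
        print(f"{asset}: printed total {printed}, factors sum to {actual}")
    print("Order by recomputed totals:", priority_order(MATRIX))
    print("Positions changed for:", moved(MATRIX))
```

The top two rows are unaffected, but the middle of the list reorders once totals are recomputed, which is why a defender should verify the arithmetic before spending a protection budget by rank.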

CARVER has since been used by other branches of the military and government and has been used for both attack and defense purposes. It has even been used for management. However, the wide application of CARVER doesn’t always mean it’s right for your organization.

CARVER: when shouldn’t you use it?

Because CARVER was developed for the military, it’s meant to be a quick, actionable assessment of inherent risk.

It’s not a comprehensive assessment of all the threats your site might foreseeably face. It’s an overview, not an in-depth analysis. Unlike a military team, you aren’t pressed for time; you have the ability to do a careful, thorough assessment encompassing many scenarios.

Additionally, if you use a system like CARVER, you’re opening yourself up to a subjective interpretation of risk. I once attended a government-sanctioned training course where three teams had to evaluate a water treatment facility using CARVER. Each team came up with a completely different score after assessing the facility.

For the next two hours each team deliberated on who was right and why. The instructor praised the class and stated, “This is how risk analysis should be done. It will never be consistent and the score will always be different.”

This is incorrect for risk analysis. As a litmus test, if you have two assessors using the same tool at the same site and they get different reports or scores, the tool is not an effective risk tool.

When should you use CARVER in the vulnerability assessment process?

Because CARVER is a rudimentary risk assessment tool, it can be used as the very first baseline assessment tool you use to measure the inherent risk of your site.

We recommend using a baseline assessment at the start of the assessment process, specifically a baseline self-assessment, performed by someone who is already onsite. This individual assesses their own site and sends the assessment back to the corporate security department. The assessment itself doesn’t have to be in-depth, so this is the point when CARVER can be used.

After this step, however, the assessments should be much more detailed, and experts should be sent to evaluate the highest priority sites.

What’s the best system for assessing risk?

CARVER isn’t the only risk assessment framework. There are several systems for calculating risk, and all of them have their own strengths and weaknesses.

Whichever you use, the most important thing you can do is to properly assess your physical security on a regular basis. Security risk assessment software, like Circadian Risk, allows you to collect risk data from all your sites using whichever assessment tool you choose, including CARVER. Our platform can be customized for any question set, and once an assessment is complete, it collects all your risk assessment data from all your sites into a single dashboard. This means that no matter what framework you’re using, you’ll be able to see all your risk in one screen and easily prioritize and track your remediation efforts.


To learn more about how Circadian Risk can help you create self-assessments, schedule your personalized demo today.


The weaknesses of CARVER

Because CARVER was developed for the military, it’s meant to be a quick, actionable assessment of inherent risk. It’s not a comprehensive assessment of all the threats your site might foreseeably face. It’s an overview, not an in-depth analysis. Unlike a military team, you aren’t pressed for time; you have the ability to do a careful, thorough assessment encompassing many scenarios.

Additionally, if you use a system like CARVER, you’re opening yourself up to a subjective interpretation of risk. I once attended a government-sanctioned training course where three teams had to evaluate a water treatment facility using CARVER. Each team came up with a completely different score after assessing the facility.

For the next two hours each team deliberated on who was right and why. The instructor praised the class and stated, “This is how risk analysis should be done. It will never be consistent and the score will always be different.” This is incorrect for risk analysis. As a litmus test, if you have two assessors using the same tool at the same site and they get different reports or scores, the tool is not an effective risk tool. A vulnerability should be consistent, but the countermeasure to accept or improve that risk might be different.
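
The litmus test described above (also stated in the earlier section on when not to use CARVER), as an added Python example that is not from the original article: it compares several teams' scores for the same sites, lists the sites where they disagree, and shows which factors drive the gap. The team names, site names and scores are constructed sample data.

```python
FACTORS = ("Criticality", "Accessibility", "Recoverability",
           "Vulnerability", "Effect", "Recognizability")

# Constructed sample data (not from the article): three teams score the same
# three sites on a 1-10 scale, in the factor order above.
ASSESSMENTS = {
    "Team 1": {"Site A": (8, 6, 7, 5, 8, 3), "Site B": (6, 7, 5, 6, 6, 6),
               "Site C": (4, 5, 4, 6, 5, 4)},
    "Team 2": {"Site A": (8, 4, 7, 8, 8, 7), "Site B": (6, 7, 5, 6, 6, 6),
               "Site C": (4, 5, 4, 6, 5, 4)},
    "Team 3": {"Site A": (8, 5, 7, 3, 8, 2), "Site B": (6, 7, 5, 6, 6, 6),
               "Site C": (4, 5, 4, 6, 5, 4)},
}

def failing_sites(assessments):
    """Sites where any factor score differs between teams (litmus test fails).

    Comparing the full score tuples, not just totals, also catches
    disagreements that happen to cancel out in the sum.
    """
    sites = next(iter(assessments.values())).keys()
    return sorted(s for s in sites
                  if len({team[s] for team in assessments.values()}) > 1)

def factor_spread(assessments, site):
    """Max minus min score per factor across teams; 0 means the teams agree."""
    rows = [scores[site] for scores in assessments.values()]
    return {f: max(col) - min(col) for f, col in zip(FACTORS, zip(*rows))}

def top_priority(assessments):
    """The site each team's totals would flag for expert follow-up first."""
    return {team: max(scores, key=lambda s: sum(scores[s]))
            for team, scores in assessments.items()}

if __name__ == "__main__":
    for site in failing_sites(ASSESSMENTS):
        drivers = {f: d for f, d in factor_spread(ASSESSMENTS, site).items() if d}
        print(f"{site} fails the litmus test; spread by factor: {drivers}")
    print("Top-priority site per team:", top_priority(ASSESSMENTS))
```

In this sample the teams agree on Criticality, Recoverability and Effect and diverge on Accessibility, Vulnerability and Recognizability, which is enough to send Team 3's follow-up visit to a different site.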

When can you use CARVER in the vulnerability assessment process?

Because CARVER is a rudimentary risk assessment tool, it can be used as the very first baseline assessment tool you use to measure the inherent risk of your site - if you’re committed to using CARVER.

We recommend using a baseline assessment at the start of the assessment process, specifically a baseline self-assessment, performed by someone who is already onsite. This individual assesses their own site and sends the assessment back to the corporate security department. The assessment itself doesn’t have to be in-depth, so this is the point when CARVER can be used.

After this step, however, the assessments should be much more detailed, and experts should be sent to evaluate the highest priority sites. In addition, experts should work through scenario-based assessments, evaluating the risk of each foreseeable threat. By creating comprehensive plans around scenarios, your sites will be better protected than if you had just used a baseline assessment.

To learn more about how Circadian Risk can help you create self-assessments, contact us now for a demo.
