C.A.R.V.E.R a system for Threat Assessment

The CARVER framework, originally developed during World War II, was designed to help analysts determine where bomber pilots could most effectively target enemy resources. Over time, this methodology has evolved into a versatile tool for assessing risks and opportunities in various fields. CARVER can be employed both offensively, to identify competitors' vulnerabilities, and defensively, to evaluate and protect critical internal assets. It is widely regarded as a leading assessment tool, endorsed by experts and even recommended by the U.S. Department of Homeland Security for safeguarding vital infrastructure.

The CARVER Framework

CARVER is an acronym representing six critical assessment criteria:

  • Criticality: How essential is an asset or system to your organization’s operations?
  • Accessibility: How easy would it be for an adversary to access or attack the asset?
  • Recoverability: How quickly could the asset or system recover if compromised?
  • Vulnerability: How susceptible is the asset to potential threats or attacks, given its current safeguards?
  • Effect: What would be the impact on the organization if the asset were compromised?
  • Recognizability: How likely is it that an adversary would identify the asset as a valuable target?

To use CARVER, organizations assign scores from 1 to 5 for each of the six criteria, where higher scores indicate greater risk or opportunity. By summing these scores, decision-makers can prioritize resources, mitigate risks, or capitalize on opportunities more effectively. The scoring system is flexible, allowing organizations to adapt it to their specific needs and contexts.

Example CARVER Scales

Criticality:

  • 1: Non-essential to daily operations.
  • 2: Used but easily worked around if unavailable.
  • 3: Necessary, but downtime would cause manageable disruptions.
  • 4: Loss would lead to serious financial or reputational harm.
  • 5: Loss would halt operations entirely.

Accessibility:

  • 1: Completely inaccessible to anyone, including potential attackers.
  • 2: Limited on-site access only.
  • 3: Accessible within a private network.
  • 4: Publicly accessible to limited audiences.
  • 5: Fully public and easily accessible.

Recoverability:

  • 1: Downtime would be negligible, and recovery automatic.
  • 2: Minor functionality loss; recovery is automated.
  • 3: Recovery involves moderate downtime with automatic processes.
  • 4: Manual intervention is required for recovery.
  • 5: Irreparable; recovery is impossible.

Vulnerability:

  • 1: Access requires manual intervention, such as physical activation.
  • 2: Restricted to a small group with two-factor authentication (TFA).
  • 3: Restricted to a small group with basic authentication measures.
  • 4: Accessible to a defined group with minimal safeguards.
  • 5: Poorly secured, such as a single admin account.

Effect:

  • 1: No significant impact on roles or operations.
  • 2: Minimal impact on some roles, occasionally.
  • 3: Some roles are disrupted, or many roles experience occasional issues.
  • 4: Many roles face consistent disruptions.
  • 5: All roles are unable to function.

Recognizability:

  • 1: Used internally in a unique and proprietary manner, unlikely to be recognized.
  • 2: Recognizable to a small group of former employees or external stakeholders.
  • 3: Somewhat recognizable with moderate value perception.
  • 4: Widely recognizable but not always perceived as critical.
  • 5: Universally recognizable as providing significant value or advantage.

Tailoring CARVER to Your Needs

The specific scores assigned to each criterion will depend on the organization’s domain, priorities, and unique circumstances. While the examples provided offer a starting point, it’s crucial to customize the framework to reflect your organization’s context accurately. By doing so, CARVER ensures consistent, objective assessments, enabling leaders to measure and address risks effectively. This clarity facilitates smarter decision-making and resource allocation, empowering organizations to navigate both challenges and opportunities with confidence.
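The scoring procedure above (1 to 5 per criterion, summed, highest total first) and the tailoring advice in this section, as an added example that is not part of the original article: a small Python scorer over a constructed asset inventory. It goes one step beyond the plain sum by accepting optional per-criterion weights, which is one way to "customize the framework" without leaving the 1 to 5 scale; the asset names and scores are constructed for illustration.

```python
from dataclasses import dataclass

# The six CARVER criteria from the article, each scored 1..5 (higher = more risk).
CRITERIA = ("criticality", "accessibility", "recoverability",
            "vulnerability", "effect", "recognizability")

@dataclass(frozen=True)
class CarverScore:
    asset: str
    criticality: int
    accessibility: int
    recoverability: int
    vulnerability: int
    effect: int
    recognizability: int

    def __post_init__(self):
        # Enforce the 1..5 scale so a typo (0, 6, 50) cannot silently skew the ranking.
        for name in CRITERIA:
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{self.asset}: {name}={value!r} is outside 1..5")

    def total(self, weights=None):
        """Plain CARVER sum (6..30); optional per-criterion weights tailor it,
        e.g. {"criticality": 2} doubles that criterion's influence."""
        weights = weights or {}
        return sum(getattr(self, n) * weights.get(n, 1) for n in CRITERIA)

def rank_assets(scores, weights=None):
    """[(asset, total), ...] highest first; ties broken on Criticality, then Effect."""
    ordered = sorted(scores,
                     key=lambda s: (s.total(weights), s.criticality, s.effect),
                     reverse=True)
    return [(s.asset, s.total(weights)) for s in ordered]

# Constructed inventory, scored against the article's example scales.
INVENTORY = [
    CarverScore("public marketing site", 2, 5, 2, 3, 2, 5),
    CarverScore("identity provider (SSO)", 5, 4, 4, 2, 5, 4),
    CarverScore("payroll batch job", 4, 2, 3, 4, 3, 2),
    CarverScore("CI code-signing server", 4, 3, 4, 3, 4, 3),
]

if __name__ == "__main__":
    for asset, score in rank_assets(INVENTORY):
        print(f"{score:2d}  {asset}")
    # Tailored view: Criticality and Effect count double; payroll overtakes the public site.
    print(rank_assets(INVENTORY, {"criticality": 2, "effect": 2}))
```

With the plain sum the public marketing site outranks the payroll job on Accessibility and Recognizability alone; doubling Criticality and Effect reverses that, which is the kind of shift the article's "customize the framework" advice is meant to surface.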

More articles by David Strickland