Fentress Blog

The Importance of the CARVER Method in Security Assessments

Written by Morgan Sears | Feb 9, 2024

As a security assessor, I continue to seek ways to improve my ability to provide clients with the best information about their concerns. I strive to seek training on new and improved methods of identifying security gaps and issues within the facility I am assessing.

My continued desire for improvement has led me to become a Certified CARVER Assessment Professional and to be able to apply the CARVER method toward future Threat, Risk, and Vulnerability Assessments.

So, what is the CARVER method, and why is it essential to determine facility vulnerabilities? 

What is the CARVER Method?

The CARVER method is an analytical tool used within a security vulnerability assessment to understand threats, weaknesses, and attack probability that can impact a facility. CARVER is an acronym, and this tool assesses and ranks threat areas based on the six factors found within its name. By using the acronym while assessing a facility, you are asking:

  • Criticality - Where are the facility’s critical systems, single points of failure or choke points?
  • Accessibility - How accessible are the facility’s critical systems, operations, or assets?
  • Recoverability - How much recovery time is needed after an adverse event?
  • Vulnerability - How effective is the security system against an adversary’s ability to access the facility?
  • Effect - What lasting effect would an attack have on the facility and surrounding area?
  • Recognizability - Is this site known, or could it be known as vulnerable to an attacker?

A matrix would be created during a security assessment, and a point system would be assigned to different facility areas. For example, vulnerable assets at a school building being assessed could include the vestibule/front door area, access through secondary exterior doors, and any access points to a building’s HVAC system.

Based on the questions from the CARVER acronym, each factor would then be scored on a 1-5 scale. The higher the number, the greater the risk and attack probability. A score of 5 for a CARVER factor would suggest that a specific area is most vulnerable or most likely to be attacked; a score of 1 would indicate that a particular location is least vulnerable or least likely to be attacked.

An example of what a CARVER matrix would look like when assessing a facility:

Facility Example

C

A

R

V

E

R

TOTAL

Exterior Doors

4

4

3

4

4

4

23

HVAC System

5

3

3

4

5

4

24

Parking Lot

3

5

4

2

3

2

19

Property Entrance

4

5

4

2

4

2

21

Dumpster/Recycle Containers

3

3

2

3

3

3

17

Building Generator

4

3

4

3

4

4


22

Based on the matrix above, the CARVER method shows that the HVAC system of the example facility would be the most vulnerable asset.

How the CARVER Method Benefits a Security Assessment

For decades, the CARVER process has been used in multiple Security Vulnerability Assessments, including those for United States military bases, treatment, manufacturing and packaging facilities, and sports arenas.

Using CARVER within smaller-scale assessments, such as local government buildings or school jurisdictions, security gaps can be identified within the facility, and countermeasures can be recommended after the findings to minimize the associated risks.

Utilizing the CARVER method and inserting values within the matrix provides the assessor with critical information by identifying high-risk areas, prioritizing facility assets, and assessing vulnerabilities and subsequent consequences if the facility or occupants came under attack.

Bringing CARVER into the Future

I recently worked with a team that performed a comprehensive Threat, Risk, and Vulnerability Assessment on multiple government buildings in a local jurisdiction. The employees had previously dealt with issues related to a First Amendment Auditor and sought ideas to improve safety and security measures in targeted buildings.

Our assessment team implemented a version of the CARVER method to prioritize the criticality of risk management for the assessed facilities. This allowed us to provide the most critical and cost-effective recommendations as the top priority to the client.

I hope local jurisdictions continue to see the importance of Threat, Risk, and Vulnerability assessments. CARVER is an established method that can help identify vulnerabilities and prioritize recommendations.