As a security assessor, I continue to seek ways to improve my ability to provide clients with the best information about their concerns. I strive to seek training on new and improved methods of identifying security gaps and issues within the facility I am assessing.
My continued desire for improvement has led me to become a Certified CARVER Assessment Professional and to be able to apply the CARVER method toward future Threat, Risk, and Vulnerability Assessments.
So, what is the CARVER method, and why is it essential to determine facility vulnerabilities?
The CARVER method is an analytical tool used within a security vulnerability assessment to understand threats, weaknesses, and attack probability that can impact a facility. CARVER is an acronym, and this tool assesses and ranks threat areas based on the six factors found within its name. By using the acronym while assessing a facility, you are asking:
A matrix would be created during a security assessment, and a point system would be assigned to different facility areas. For example, vulnerable assets at a school building being assessed could include the vestibule/front door area, access through secondary exterior doors, and any access points to a building’s HVAC system.
Based on the questions from the CARVER acronym, each factor would then be scored on a 1-5 scale. The higher the number, the greater the risk and attack probability. A score of 5 for a CARVER factor would suggest that a specific area is most vulnerable or most likely to be attacked; a score of 1 would indicate that a particular location is least vulnerable or least likely to be attacked.
An example of what a CARVER matrix would look like when assessing a facility:
|
Facility Example |
C |
A |
R |
V |
E |
R |
TOTAL |
|
Exterior Doors |
4 |
4 |
3 |
4 |
4 |
4 |
23 |
|
HVAC System |
5 |
3 |
3 |
4 |
5 |
4 |
24 |
|
Parking Lot |
3 |
5 |
4 |
2 |
3 |
2 |
19 |
|
Property Entrance |
4 |
5 |
4 |
2 |
4 |
2 |
21 |
|
Dumpster/Recycle Containers |
3 |
3 |
2 |
3 |
3 |
3 |
17 |
|
Building Generator |
4 |
3 |
4 |
3 |
4 |
4 |
22 |
Based on the matrix above, the CARVER method shows that the HVAC system of the example facility would be the most vulnerable asset.
For decades, the CARVER process has been used in multiple Security Vulnerability Assessments, including those for United States military bases, treatment, manufacturing and packaging facilities, and sports arenas.
Using CARVER within smaller-scale assessments, such as local government buildings or school jurisdictions, security gaps can be identified within the facility, and countermeasures can be recommended after the findings to minimize the associated risks.
Utilizing the CARVER method and inserting values within the matrix provides the assessor with critical information by identifying high-risk areas, prioritizing facility assets, and assessing vulnerabilities and subsequent consequences if the facility or occupants came under attack.
I recently worked with a team that performed a comprehensive Threat, Risk, and Vulnerability Assessment on multiple government buildings in a local jurisdiction. The employees had previously dealt with issues related to a First Amendment Auditor and sought ideas to improve safety and security measures in targeted buildings.
Our assessment team implemented a version of the CARVER method to prioritize the criticality of risk management for the assessed facilities. This allowed us to provide the most critical and cost-effective recommendations as the top priority to the client.
I hope local jurisdictions continue to see the importance of Threat, Risk, and Vulnerability assessments. CARVER is an established method that can help identify vulnerabilities and prioritize recommendations.