CARVER matrix

Last updated October 22, 2022

The CARVER matrix was developed by the United States Army Special Forces during the Vietnam War. CARVER is an acronym that stands for Criticality, Accessibility, Recuperability, Vulnerability, Effect and Recognizability and is a system to identify and rank specific targets so that attack resources can be efficiently used. CARVER was developed in World War II by the OSS for the French field agents as a simple, uniformly and somewhat quantifiable means of selecting targets for possible interdiction. CARVER can be used from an offensive (what to attack) or defensive (what to protect) perspective.

History

During the Vietnam war the US Army Special Forces required a system of target acquisition that would rank potential targets according to a scale. During the war the CARVER matrix system was developed to fulfil those needs.^[1] It has been recently used in targeting terrorist groups like Jemaah Islamiyah.^[2]

Using the system

This system has been developed in order to aid Special Operations Forces (SOF) and more recently Department of Energy (DOE), Department of State (DOS), Department of Homeland Security (DHS) and various private and commercial security assets, in target selection and Risk/Vulnerability assessments by calculating the value of a given potential target and the ease with which such a target could be neutralized. Or in other words, it's a logical way of looking at what one might want to do and whether or not it is possible, based on the resources one has to work with. These factors are also the acronym of the system name CARVER: Criticality, Accessibility, Recuperability, Vulnerability, Effect and Recognizability.^[3]^[4]^[5] In the offensive, employing the Carver matrix can help identify targets that are vulnerable to attack and for defensive purposes the Carver matrix can indicate "High Risk" targets that require additional security assets allotted to them to prevent the degradation of said assets via enemy assault or terrorist action .^[4] In the below table is an example of such a matrix that uses the CARVER system for striking a Water sanitation center:

Target	C	A	R	V	E	R	Total
Water intake	1	1	3	4	2	1	12
Sanitation processors	3	2	1	5	5	2	18
Power center	2	3	1	2	2	1	11

Looking at the table, the target with the highest score is the Sanitation processors which have a score total of 18. Thus, using the system, more attack resources (time, money, tools, personnel etc.) should be assigned to hit the Sanitation processors.^[5]^[6]

Other uses

While designed for the military the CARVER matrix can be used for a variety of other purposes including management and setting goals. As long as you have a clear set goal in mind you can apply the system to anything. For example, a manager of a gym wants to increase his sales and membership numbers thus using the Matrix system:^[7]

Potential projects	C	A	R	V	E	R	Total
Start website	5	8	4	6	5	7	35
Referral campaign	9	9	7	8	6	9	48
Flier distribution	7	8	4	10	4	10	43

So again looking at the score we can see that starting an aggressive members referral plan would be the best option according to the matrix.

In the book Unleash the Warrior Within, Richard Machowicz identified that for most situations in life, simply grading one's choices by Criticality & Effect-on-goal/happiness is enough: one needn't do the entire matrix, as these 2 elements are the most significant.

The CARVER matrix has also formed the basis of other risk and vulnerability assessment systems including the SCALE system.

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security, cybersecurity, or information technology security is the protection of computer systems and networks from information disclosure, theft of, or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.

Risk management is the identification, evaluation, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.

Security is protection from, or resilience against, potential harm caused by others, by restraining the freedom of others to act. Beneficiaries of security may be of persons and social groups, objects and institutions, ecosystems or any other entity or phenomenon vulnerable to unwanted change.

<span class="mw-page-title-main">Vulnerability (computing)</span> Exploitable weakness in a computer system

Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerabilities are also known as the attack surface.

A penetration test, colloquially known as a pen test or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system; this is not to be confused with a vulnerability assessment. The test is performed to identify weaknesses, including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths, enabling a full risk assessment to be completed.

Critical infrastructure protection (CIP) is a concept that relates to the preparedness and response to serious incidents that involve the critical infrastructure of a region or nation.

Information technology risk, IT risk, IT-related risk, or cyber risk is any risk related to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.

In United States military doctrine, unconventional warfare is one of the core activities of irregular warfare. Unconventional warfare is essentially support provided by the military to a foreign insurgency or resistance. The legal definition of UW is:

Unconventional Warfare consists of activities conducted to enable a resistance movement or insurgency to coerce, disrupt or overthrow an occupying power or government by operating through or with an underground, auxiliary or guerrilla force in a denied area.

Water security is the basic goal of water policy and water management. A society with a high level of water security makes the most of water's benefits for humans and ecosystems and limits the risk of destructive impacts associated with water. These include too much water (flood), too little water or poor quality (polluted) water. A widely accepted definition of water security is: "Water security is the reliable availability of an acceptable quantity and quality of water for health, livelihoods and production, coupled with an acceptable level of water-related risks". Water security is framed as a situation where water-related risks are managed and water-related opportunities are captured but it is difficult to provide a set of indicators to quantify this.

Cloud computing security or, more simply, cloud security refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.

In computer security, a threat is a potential negative action or event facilitated by a vulnerability that results in an unwanted impact to a computer system or application.

Factor Analysis of Information Risk (FAIR) is a taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of data loss events. It is not a methodology for performing an enterprise risk assessment.

Climate change and poverty are deeply intertwined because climate change disproportionally affects poor people in low-income communities and developing countries around the world. Those in poverty have a higher chance of experiencing the ill-effects of climate change due to the increased exposure and vulnerability. Vulnerability represents the degree to which a system is susceptible to, or unable to cope with, adverse effects of climate change including climate variability and extremes.

IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:

WASH is an acronym that stands for "water, sanitation and hygiene". It is used widely by non-governmental organizations and aid agencies in developing countries. The purposes of providing access to WASH services include achieving public health gains, improving human dignity in the case of sanitation, implementing the human right to water and sanitation, reducing the burden of collecting drinking water for women, reducing risks of violence against women, improving education and health outcomes at schools and health facilities, and reducing water pollution. Access to WASH services is also an important component of water security. Universal, affordable and sustainable access to WASH is a key issue within international development and is the focus of the first two targets of Sustainable Development Goal 6. Targets 6.1 and 6.2 aim at equitable and accessible water and sanitation for all. In 2017 it was estimated that 2.3 billion people live without basic sanitation facilities and 844 million people live without access to safe and clean drinking water.

A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, or personal computer devices. An attacker is a person or process that attempts to access data, functions, or other restricted areas of the system without authorization, potentially with malicious intent. Depending on the context, cyberattacks can be part of cyber warfare or cyberterrorism. A cyberattack can be employed by sovereign states, individuals, groups, society or organisations and it may originate from an anonymous source. A product that facilitates a cyberattack is sometimes called a cyber weapon.

Counter-IED efforts are done primarily by military and law enforcement with the assistance of the diplomatic and financial communities. It involves a comprehensive approach of countering the threat networks that employ improvised explosive devices (IEDs), defeating the devices themselves, and training others. Counter-IED, or C-IED, is usually part of a broader counter-terrorism, counter-insurgency, or law enforcement effort. Because IEDs are a subset of a number of forms of asymmetric warfare used by insurgents and terrorists, C-IED activities are principally against adversaries and not only against IEDs. C-IED treats the IED as a systemic problem and aims to defeat the IED threat networks themselves.

Food defense is the protection of food products from intentional contamination or adulteration by biological, chemical, physical, or radiological agents introduced for the purpose of causing harm. It addresses additional concerns including physical, personnel and operational security.

NIST Cybersecurity Framework is a set of guidelines for mitigating organizational cybersecurity risks, published by the US National Institute of Standards and Technology (NIST) based on existing standards, guidelines, and practices. The framework "provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes", in addition to guidance on the protection of privacy and civil liberties in a cybersecurity context. It has been translated to many languages, and is used by several governments and a wide range of businesses and organizations.

Offshore installation security is the protection of maritime installations from intentional harm. As part of general maritime security, offshore installation security is defined as the installation's ability to combat unauthorized acts designed to cause intentional harm to the installation. The security of offshore installations is vital as not only may a threat result in personal, economic, and financial losses, but it also concerns the strategic aspects of the petroleum market and geopolitics.

References

↑ Bennett 2007 , p. 244
↑ Sullivan 2007 , p. 58
↑ Michaelis 2000
1 2 Fay 2007 , p. 500
1 2 FAS (2010). "Appendix D Target Analysis Process". FM 34-36. Federation of American Scientists . Retrieved March 23, 2010.
↑ Gaijinass (March 11, 2010). "CARVER Matrix: Tactical Target analysis". gaijinass. Retrieved March 23, 2010.
↑ Gaijinass (September 7, 2009). "Use the CARVER Matrix for Management". gaijinass. Retrieved March 23, 2010.

Bibliography

Bennett, Brian T. (2007). Understanding, assessing, and responding to terrorism: protecting critical infrastructure and personnel (2007 ed.). John Wiley & Sons. ISBN 0-471-77152-X.- Total pages: 466
Fay, John (2007). Encyclopedia of security management (2007 ed.). Butterworth-Heinemann. ISBN 0-12-370860-5.- Total pages: 649
Michaelis, Dean (2000). The Complete .50-Caliber Sniper Course: Hard-Target Interdiction (2000 ed.). Paladin Press. ISBN 1-58160-068-2.- Total pages: 576
Sullivan, Michael P. (December 2007). "How to win and know it: an effects-based approach to irregular warfare" (PDF). United States Navy . Naval Postgraduate School. Archived from the original (PDF) on June 23, 2010. Retrieved March 23, 2010.
Martel, Mike (August 2012). "How Does a SF A-Team Take Down a National Level Target?" (web). Retrieved August 4, 2013.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[Bennett_p._244-1] Bennett 2007 , p. 244

[Sullivan_p._58-2] Sullivan 2007 , p. 58

[Michaelis_p.-3] Michaelis 2000

[Fay_p._500-4] 1 2 Fay 2007 , p. 500

[FM.34-36-5] 1 2 FAS (2010). "Appendix D Target Analysis Process". FM 34-36. Federation of American Scientists . Retrieved March 23, 2010.

[gaijinass.1-6] Gaijinass (March 11, 2010). "CARVER Matrix: Tactical Target analysis". gaijinass. Retrieved March 23, 2010.

[gaijinass.2-7] Gaijinass (September 7, 2009). "Use the CARVER Matrix for Management". gaijinass. Retrieved March 23, 2010.

[1]

[2]

[3]

[4]

[5]

[6]

[7]