conduct a vulnerability assessment and/or do not contain necessary specific
evaluation techniques (e.g., checklists, ranking scales, matrix categorization,
or quantifiable equations). There are also assessment tools, which can be used
to support vulnerability assessments, but that are not, in and of themselves,
assessment methodologies. These would include software platforms and formats
that can store and manipulate data or predict impact severity.
Simple Rating
Many vulnerability assessment methodologies prioritize asset vulnerabilities for
potential corrective action by defining a set of measurable criteria, rating each
asset (and the associated vulnerability) on each criterion, and qualitatively or
quantitatively combining the individual ratings. An example of a simple, broadly
applicable rating approach is a target analysis process developed and practiced
by special operations forces. This process, called CARVER analysis, has been
adapted and used as part of numerous vulnerability assessment methodologies.
CARVER is an acronym that stands for criticality, accessibility, recoverability,
vulnerability, effect, and recognizability. Each factor in the acronym typically
has an associated scale (e.g., a 5-point scale), and individual assets (i.e.,
potential targets) are numerically rated on each factor. A rank-order of critical
assets is established on the basis of the overall CARVER score (determined by
summing the points assigned to the individual factors). Other “rating and
weighting” schemes also are used to provide a logical and consistent basis for
prioritizing vulnerabilities for importance or potential corrective actions.
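
The scoring and rank-ordering described above, as an added example that is not from the source text. The asset names, their ratings, the optional `weights` parameter, and the convention that a higher rating means higher protection priority are assumptions made for illustration.

```python
from dataclasses import dataclass

FACTORS = ("criticality", "accessibility", "recoverability",
           "vulnerability", "effect", "recognizability")
SCALE = range(1, 6)  # 5-point scale, the example scale given in the text


@dataclass(frozen=True)
class Rated:
    asset: str
    score: float
    rank: int


def carver_score(ratings, weights=None):
    """Sum the six factor ratings; weights (an assumption) give a 'rating and weighting' variant."""
    missing = set(FACTORS) - set(ratings)
    extra = set(ratings) - set(FACTORS)
    if missing or extra:
        raise ValueError(f"missing={sorted(missing)} unexpected={sorted(extra)}")
    for factor, value in ratings.items():
        if value not in SCALE:
            raise ValueError(f"{factor}={value!r} is outside the 1-5 scale")
    weights = weights or {}
    return sum(ratings[f] * weights.get(f, 1) for f in FACTORS)


def rank_assets(assets, weights=None):
    """Rank-order assets by total score, highest first; tied scores share a rank."""
    scored = sorted(((carver_score(r, weights), name) for name, r in assets.items()),
                    key=lambda t: (-t[0], t[1]))
    ranked, prev_score, prev_rank = [], None, 0
    for position, (score, name) in enumerate(scored, start=1):
        rank = prev_rank if score == prev_score else position
        ranked.append(Rated(name, score, rank))
        prev_score, prev_rank = score, rank
    return ranked


# Constructed sample ratings for a hypothetical water utility (not from the source).
SAMPLE = {
    "treatment plant": dict(zip(FACTORS, (5, 2, 4, 3, 5, 4))),
    "pump station":    dict(zip(FACTORS, (4, 4, 3, 4, 3, 2))),
    "storage tank":    dict(zip(FACTORS, (3, 5, 2, 4, 3, 3))),
    "admin office":    dict(zip(FACTORS, (1, 4, 1, 3, 1, 2))),
}

if __name__ == "__main__":
    for r in rank_assets(SAMPLE):
        print(f"{r.rank}. {r.asset:<16} {r.score}")
```

With equal weights the pump station and storage tank tie and share a rank, which a plain sum cannot resolve; doubling the weight on criticality separates them.
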
Risk Matrix
A risk matrix is often used to focus vulnerability assessment results and help
categorize the assets, sites, and/or systems assessed into discrete levels of
risk so that appropriate protection and mitigation measures can be applied.
Figure 8.2 shows a typical risk matrix, which conveys the notion that risk is a
function of event severity (i.e., the severity of consequences) and the
likelihood of its occurrence. Likelihood is often determined by considering the
attractiveness of the targeted assets, the degree of threat, and the degree of
vulnerability.
As depicted in Figure 8.2, asset vulnerabilities that have the highest likelihood
of being successfully exploited (i.e., frequent) and that result in the highest
severity (i.e., catastrophic) have the highest priority for vulnerability
reduction actions and protective measures to mitigate the risks. Similarly, asset
vulnerabilities with the lowest likelihood of being exploited (i.e., unlikely)
and that result in the lowest severity (i.e., negligible) have the lowest
priority for mitigation. Many variations of this basic approach are used, with
different numbers of severity and likelihood levels, as well as different
definitions for those levels, to assist in focusing on the highest priority
risks.