Skip Navigation

News Home
Defence
Security
Public Safety
Law Enforcement
Transport
Sign up for Jane's News Briefs

Non-Subscriber Extract

Jane’s Facility Security Handbook: Risk Analysis

25 September 2006

Jane’s Facility Security Handbook: Risk Analysis

Red Teaming and CARVER

Red-team exercises take their name form the military planning and war gaming where the colour red is identified with enemy or adversarial/opposing forces (with the colour blue denoting friendly forces). Red-team exercises therefore shift the assessor’s perspective from that of a facility security professional to that of an adversary, enabling current security assumptions to be effectively challenged. Conducted under controlled but realistic conditions, with a well defined ‘opposing force mission’ the adversarial perspective can reveal valuable insights into a facilities physical (facility and asset-specific), informational (IT) and operational vulnerabilities. Red teaming can take many forms, from paper exercises, complex table-top exercises, IT infrastructure penetration testing (ethical hacking) as well as ‘real-life’ mock attack exercises.

A good way for a ‘red team’ to develop an opposing force mission is to consider how an adversary selects an attack venue, known as target analysis. An adversary’s analysis may take into consideration the value of the asset to the facility or owner/operator or as part of a larger concern; the adversary’s own capabilities, resources, objectives, and tactics, techniques, and procedures (TTPs).

One of the better-known target analysis tools is the U.S. Department of Defense (DoD) CARVER method. This approach is used by US military forces to analyse potential targets for military attack. It also has broad applicability in civilian security and risk management as a tool for identifying facilities and assets that may be targeted by terrorists, saboteurs, or other malevolent actors. The term ‘CARVER’ is an acronym for the tool’s six target evaluation criteria, which can be described in a civilian context as:

  • Criticality, the extent to which a successful attack would impair the target organisation’s operations;
  • Accessibility, the ease of gaining proximity to, or ingress to and egress from, an asset in order to carry out an attack;
  • Recuperability, the target’s ability to regain its pre-incident value through redundancy or repair and reconstitution of impacted assets;
  • Vulnerability, the susceptibility of an asset to attack using the means available to the adversary;
  • Effect, the attainment of the adversary’s objective as well as any unintended consequences such as collateral damage;
  • Recognisability, the ability of an adversary to locate and identify the targeted asset under attack conditions.
While the U.S. military methodology calls for assigning a value of 1 to 5 to each of the CARVER criteria for a given potential target, civilian planners can simplify or elaborate on this ranking scale to meet their needs. Additionally, the CARVER method can be applied at three different planning levels:
  • Strategic, to analyse the potential attractiveness of a given organisation (i.e. a corporation or a government agency) as a target relative to other comparable organisations;
  • Operational, to examine the potential for targeting a particular facility (i.e. a manufacturing plant or an administrative headquarters) compared with other facilities in an organisation;
  • Tactical, to compare the target value of the various assets (i.e. buildings, people) that comprise a given facility.
© 2006 Jane's Information Group

The second edition of Jane’s Facility Security Handbook has just been published. Please click here if you are interested in ordering a copy of this title.

End of non-subscriber extract