USA: +1(669)289-8683 
Sign in
Instructions: Please choose a known critical infrastructure (e.g., the Golden Gate Bridge, the Port of Miami, etc.,) and then go through and complete the attached Carver and Multi-Criteria Risk Assessment Spreadsheets for that chosen Critical Infrastructure. For the Multi-Criteria Risk Assessment Spreadsheet, at least five (5) Assets/Attack Mode(s) are required. The attached instructions are self-explanatory. Please use information found online or good faith estimates in completing the spreadsheets.
CARVER_1_.xlsx
Worksheet
CARVER
Asset Name:
GW Bridge
Address:
City:
NYC
Time needed to replace asset, if possible
Additional CI sectors affected by loss of asset
State:
Zip:
Select Value:
County:
Owner:
Sector:
Susceptibility of asset to damage or destruction
Impact of loss of asset
Select Value:
Users Affected:
Economic Loss and Rebuild Cost ($):
Is the asset an “icon” representing more than a physical structure
Potential Deaths from Attack:
Select Value:
Ease of entry into the asset to cause its damage or destruction
Percentage of “back-up” capacity to offset the loss of this asset
Select Value:
Select Value:
SCORE:
122
5
CRITICALITY
ACCESSIBILITY
RECOVERABILITY
VULNERABILITY
ESPYABILITY
REDUNDANCY
Food & Agriculture
Banking & Finance
Chemical
Commercial Facilities
Communications
Critical Manufacturing
Dams
Defense Industrial Base
Emergency Services
Energy
INTERDEPENDENCY
Government Facilities
Healthcare & Public Health
Information Technology
National Monuments & Icons
Nuclear Reactors, Materials & Waste
Postal & Shipping
Transportation Systems
Water
Menu Items
SECTOR
VALUE
CRITICALITY
VALUE
VALUE
VALUE
Food & Agriculture
1
Less than 1000 people
1
Less than $10 million
1
N/A
1
Banking & Finance
2
More than 1000 people
2
Less than $25 million
2
10
2
Chemical
3
More than 10,000 people
3
Less than $50 million
3
50
3
Commercial Facilities
4
More than 25,000 people
4
Less than $100 million
4
100
4
Communications
5
More than 50,000 people
5
Less than $250 million
5
250
5
Critical Manufacturing
6
More than 100,000 people
6
Less than $500 million
6
500
6
Dams
7
More than 500,000 people
7
Less than $750 million
7
1000
7
Defense Industrial Base
8
More than 1 million people
8
Less than $1 billion
8
5000
8
Emergency Services
9
More than 2.5 million people
9
Less than $25 billion
9
10000
9
Energy
10
More than 5 million people
10
Less than $50 billion
10
50000
10
Government Facilities
11
100,000+
11
Healthcare & Public Health
12
Information Technology
13
National Monuments & Icons
14
Nuclear Reactors, Materials & Waste
15
Postal & Shipping
16
Transpostation Systems
17
ACCESSIBILITY
VALUE
RECOVERABILITY
VALUE
VULNERABILITY
VALUE
Water
18
Patrolled
1
Less than 1 month
1
Special Hardening
1
Perimeter Fencing
2
More than 1 month
2
Massive
2
Armed Security
3
More than 3 months
3
Building Purpose Unknown to Public
3
Unarmed Security
4
More than 6 months
4
Operations Structurally Dispersed
4
Access Control
5
More than 1 year
5
Concrete/Stone
5
Alarm System
6
More than 2 years
6
Structural Steel
6
Locked Area
7
More than 3 years
7
Flammable/Explosive
7
Open to Public
8
More than 4 years
8
Minor Metal Frame
8
No Control
9
More than 5 years
9
Wood Design
9
Irreplacable
10
No Security Design
10
ESPYABILITY
VALUE
REDUNDANCY
VALUE
Locally significant, non-government
1
100%
1
Locally significant, government
2
90%
2
State icon only
3
80%
3
State icon + function
4
70%
4
Regional icon only
5
60%
5
Regional icon + function
6
50%
6
National icon only
7
40%
7
National icon + function
8
30%
8
World icon only
9
20%
9
World icon + function
10
10%
10
0%
11
Results
Asset Name:
GW Bridge
Address:
0
City:
NYC
State:
0
Zip:
0
County:
0
Owner:
0
Sector:
17
Criticality
Users affected
6
25
Economic loss
9
125
Potential deaths
5
10
Total
160
Accessibility
Value
7
0.98
Recoverability
Value
5
15
Vulnerability
Value
9
0.99
Espyability
Value
8
0.955
Redundancy
Value
6
0.75
SCORE:
121.60850625
Food & Agriculture
TRUE
1
Banking & Finance
FALSE
0
Chemical
0
Commercial Facilities
FALSE
0
Communications
TRUE
1
Critical Manufacturing
0
Dams
0
Defense Industrial Base
TRUE
1
Emergency Services
TRUE
1
Energy
FALSE
0
Government Facilities
0
Healthcare & Public Health
0
Information Technology
0
National Monuments & Icons
0
Nuclear Reactors, Materials & Waste
0
Postal & Shipping
TRUE
1
Transpostation Systems
FALSE
0
Water
0
INTERDEPENDENCY
5
Tables
CRITICALITY
VALUE
SCORE
VALUE
SCORE
VALUE
SCORE
Less than 1000 people
1
1
Less than $10 million
1
1
N/A
1
0
More than 1000 people
2
3
Less than $25 million
2
3
10
2
1
More than 10,000 people
3
5
Less than $50 million
3
5
50
3
3
More than 25,000 people
4
10
Less than $100 million
4
10
100
4
5
More than 50,000 people
5
15
Less than $250 million
5
15
250
5
10
More than 100,000 people
6
25
Less than $500 million
6
25
500
6
15
More than 500,000 people
7
40
Less than $750 million
7
40
1000
7
25
More than 1 million people
8
75
Less than $1 billion
8
75
5000
8
40
More than 2.5 million people
9
125
Less than $25 billion
9
125
10000
9
75
More than 5 million people
10
200
Less than $50 billion
10
200
50000
10
125
100,000+
11
200
ACCESSIBILITY
VALUE
SCORE
RECOVERABILITY
VALUE
SCORE
VULNERABILITY
VALUE
SCORE
Patrolled
1
0.99
Less than 1 month
1
1
Special Hardening
1
0.9
Perimeter Fencing
2
0.98
More than 1 month
2
3
Massive
2
0.9
Armed Security
3
0.9
More than 3 months
3
5
Building Purpose Unknown to Public
3
0.95
Unarmed Security
4
0.95
More than 6 months
4
10
Operations Structurally Dispersed
4
0.95
Access Control
5
0.95
More than 1 year
5
15
Concrete/Stone
5
0.96
Alarm System
6
0.9
More than 2 years
6
25
Structural Steel
6
0.96
Locked Area
7
0.98
More than 3 years
7
40
Flamable/Explosive
7
0.97
Open to Public
8
0.99
More than 4 years
8
75
Minor Metal Frame
8
0.98
No Control
9
0.999
More than 5 years
9
125
Wood Design
9
0.99
1
Irreplacable
10
200
No Security Design
10
0.999
ESPYABILITY
VALUE
SCORE
REDUNDANCY
VALUE
SCORE
Locally significant, non-government
1
0.9
100%
1
0.001
Locally significant, government
2
0.9
90%
2
0.5
State icon only
3
0.92
80%
3
0.6
State icon + function
4
0.925
70%
4
0.65
Regional icon only
5
0.93
60%
5
0.7
Regional icon + function
6
0.935
50%
6
0.75
National icon only
7
0.95
40%
7
0.8
National icon + function
8
0.955
30%
8
0.85
World icon only
9
0.99
20%
9
0.9
World icon + function
10
0.995
10%
10
0.95
0%
11
1
image1
Multi-Criterion_Workshop_1_.xlsx
Sheet1
ASSET
ATTACK MODE
THREAT
VULNERABILITY
CONSEQUENCE
TOTAL
Intent
Capability
Score
Achievability
Target Hardness
Score
Death/Injury
Economic Loss
Environmental
National Security
Symbolic
Score
GW Bridge
Water B device by X
100%
100%
100%
10%
5%
1%
100
$5,000
$500
$6,150
$30.75
0%
0%
$0
$0.00
0%
0%
$0
$0.00
0%
0%
$0
$0.00
0%
0%
$0
$0.00
0%
0%
$0
$0.00
0%
0%
$0
$0.00
0%
0%
$0
$0.00
0%
0%
$0
$0.00
0%
0%
$0
$0.00
0%
0%
$0
$0.00
0%
0%
$0
$0.00
0%
0%
$0
$0.00
0%
0%
$0
$0.00
0%
0%
$0
$0.00
0%
0%
$0
$0.00
0%
0%
$0
$0.00
0%
0%
$0
$0.00
0%
0%
$0
$0.00
0%
0%
$0
$0.00
0%
0%
$0
$0.00
0%
0%
$0
$0.00
0%
0%
$0
$0.00
0%
0%
$0
$0.00
0%
0%
$0
$0.00
0%
0%
$0
$0.00
0%
0%
$0
$0.00
DEFINITIONS
$M
Intent
Probability that a person or gorup would want to do this
Value per statistical life (VSL)
6.5
Capability
Probability that a person or group would be able to do this
Achievability
Probability of successful attack assuming no security measures
Target hardness
Probability that the target cannot withstand the attack (lower = harder)
Death/Injury
Number of deaths or injuries as a result of attack
Economic loss
Estimated dollar value of loss due to attack
Environmental
Estimated dollar value of environmental impact
National security
Estimated dollar value of impact on national security
Symbolic
Estimated dollar value of impact due to symbolic value of target
CARVER_tools_1_
CARVER
CARVER
is
a
methodology
first
used
by
the
Department
of
Defense
Special
Forces
to
rank
targets
so
that
their
resources
could
be
used
efficiently.
The
user
would
estimate
Criticality,
Accessibility,
Recuperability,
Vulnerability,
Effect,
and
Recognizability
as
nominal
scores
that
were
added
and
then
ranked.
The
methodology
was
later
adapted
for
Homeland
Security.
The
CARVER
tool
that
was
used
by
practitioners
had
proprietary
data
tables
behind
it
to
weigh
user
inputs
appropriately.
This
tool
makes
those
tables
available
so
that
the
user
can
experiment
with
weighting
and
modeling
if
desired.
Using
the
Tool
For
this
simple
tool,
only
one
asset
can
be
evaluated
for
each
spreadsheet.
To
evaluate
a
set
of
assets,
we
recommend
making
a
number
of
copies
of
the
Excel
file
with
one
evaluation
for
each
file.
All
data
is
input
into
the
Worksheet
tab
while
all
the
tables
are
on
the
Tables
tab.
The
Menu
Items
and
Results
tabs
are
used
to
store
values
temporarily
and
are
it
is
not
recommended
that
users
modify
these.
To
begin,
input
enough
data
to
uniquely
identify
the
asset
to
be
evaluated.
This
is
not
used
in
any
calculation
so
not
all
is
required,
but
at
a
minimum,
a
unique
name
is
helpful.
You
may
also
place
this
asset
into
a
specific
sector.
Criticality
assesses
the
impact
of
the
loss
of
this
asset.
Note
that
CARVER
is
not
threat
mode
specific
so
you
are
to
consider
any
threat
possible.
• Users
Affected
is
not
casualties,
but
rather
people
impacted
by
the
loss
of
this
asset.
If
it
is
a
bridge
and
100,000
people
will
not
be
able
to
get
to
work,
then
these
people
are
affected.
• Economic
Loss
and
Rebuild
Cost
is
and
estimate
of
the
financial
damage
associated
with
the
loss
of
this
asset.
Economic
loss
and
rebuild
cost
are
summed
together
in
this
estimate,
so
be
sure
that
if
you
include
economic
loss
for
one
asset,
you
include
it
throughout
your
assessment.
• Potential
Deaths
form
Attack
is
an
estimate
of
casualties
associated
with
an
attack
on
this
asset.
Again,
CARVER
is
not
threat
specific
so
assume
worst
case
scenario.
Accessibility
allows
you
to
indicate
what
security
may
be
in
place
to
limit
access
to
this
asset.
You
may
choose
from
Patrolled,
Perimeter
Fencing,
Armed
Security,
Unarmed
Security,
Access
Control,
Alarm
System,
Locked
Area,
Open
to
the
Public,
and
No
Control.
Recoverability
is
the
time
needed
to
replace
or
repair
this
asset,
if
possible.
Choose
an
estimate
from
the
menu.
Vulnerability
is
the
susceptibility
of
this
asset
to
damage
or
destruction.
Ignore
anything
related
to
access
(we
covered
that
under
Accessibility)
and
focus
instead
on
features
of
the
asset
that
will
help
it
to
withstand
or
survive
an
attack.
• Massive
refers
to
the
size
of
the
structure.
A
massive
structure,
like
a
major
bridge,
has
low
vulnerability
due
to
its
size.
• Building
Purpose
Unknown
to
Public
would
be
like
a
water
pumping
station
that
looks
like
a
non-‐descript
house
in
a
neighborhood.
• Operations
Structurally
Dispersed
would
be
a
facility
that
has
a
back-‐up
location
or
can
otherwise
function
without
all
of
its
parts
operating
at
the
same
time.
• Concrete/Stone
refers
to
the
structural
material
used
in
the
asset.
• Structural
Steel
also
refers
to
the
structural
material
used
in
the
asset.
• Flammable/Explosive
should
be
selected
if
either
the
asset
itself
burns
easily
or
if
it
contains
materials
that
burn
easily
or
are
potentially
explosive.
• Minor
Metal
Frame
again
refers
to
the
structural
material
used
in
the
asset.
• Wood
Design
refers
to
the
structural
material
used
in
the
asset.
• No
Security
Design
means
that
there
is
nothing
special
in
the
design
of
this
asset
to
reduce
vulnerability.
Espyability
refers
to
whether
or
not
the
asset
is
merely
functional
or
if
it
has
iconic
status
at
the
Local,
State,
Regional,
National,
or
World
level.
Choose
from:
• Locally
significant,
non-‐government
• Locally
significant,
government
• State
icon
only
• State
icon
+
function
• Regional
icon
only
• Regional
icon
+
function
• National
icon
only
• National
icon
+
function
• World
icon
only
• World
icon
+
function
Redundancy
is
an
estimate
of
the
percentage
overlap
or
back-‐up
capacity
there
is
to
offset
the
loss
of
this
asset.
Interdependency
is
a
list
of
sectors
that
might
be
interdependent
with
this
asset.
For
example,
if
this
is
a
power
station,
it
might
be
interdependent
with
the
water
sector,
commercial
facilities,
defense
industrial
base,
etc.
Interdependency
is
not
calculated
into
the
CARVER
score
but
is
represented
by
the
smaller
number
in
the
score.
A
CARVER
score
of
122-‐5
means
that
this
asset
has
a
score
of
122
with
5
interdependencies.
CARVER
scores
are
calculated
but
are
dimensionless.
The
score
does
not
represent
Risk,
Resilience,
Vulnerability,
or
anything
else.
The
higher
the
score,
the
more
likely
that
asset
may
require
resourcing.
But
you
cannot
say
that
an
asset
with
a
score
of
100
is
half
as
important
as
an
asset
with
a
score
of
200.
Modifications
The
best
place
to
experiment
with
CARVER
is
in
the
Tables
tab.
Here
you
will
see
all
of
the
categories
we
just
described
here
with
all
of
the
items
in
the
menus
that
you
can
select.
Notice
that
for
each
menu
selection,
there
is
an
associated
Score.
Do
not
change
the
Value
column.
That
is
there
as
an
identifier
for
that
menu
selection.
But
do
experiment
with
changing
the
Scores.
Should
a
criticality
that
impacts
500,000
people
(score
of
40)
be
only
four
times
higher
than
that
for
25,000
people
(score
of
10)?
Maybe
it
should
be
higher.
Experiment
with
changing
scores.
Test
your
configurations
with
a
set
of
assets
to
make
sure
that
it
makes
sense.
Does
the
overall
CARVER
score
go
up
when
you
expect
it
to?
Does
it
decrease
when
you
expect
it
to?
By
default,
the
data
tables
we
provide
are
all
independent
but
they
don’t
have
to
be.
You
could
experiment
by
having
a
score
linked
to
another
value.
For
example,
what
if
you
wanted
the
Criticality
score
to
be
higher
if
the
Recoverability
time
was
longer?
How
would
you
do
that?
Multicriterion_documentation_1_
Multi-‐Criteria
Assessment
Methodology
This
multi-‐criteria
tool
is
an
example
of
a
simple
risk-‐based
model
that
assesses
assets
independently
but
with
multiple
measures.
For
this
example,
we
used
a
subset
of
the
MSRAM
model,
at
least
in
the
way
MSRAM
models
risk
and
its
components.
Description
Asset
is
a
unique
name
of
the
asset
to
be
evaluated.
Attack
Mode
is
a
description
of
the
type
of
attack
being
considered.
Multiple
attack
modes
can
be
considered
for
any
asset.
We
consider
Asset
+
Attack
Mode
as
the
key
data
pair
that
uniquely
identifies
one
assessment.
An
electrical
switching
station
could
be
paired
with
an
explosive
device,
a
SCADA
attack,
or
other
mode,
each
of
which
would
be
considered
separately.
We
use
the
standard
equation
for
Risk
R
=
T
*
V
*
C
where
T
is
Threat,
V
is
Vulnerability,
and
C
is
Consequence.
The
components
of
each
is
described
below.
Threat
is
the
percentage
product
of
Intent
and
Capability.
• Intent
is
the
probability
that
a
person
or
group
would
want
to
damage
or
destroy
this
asset.
High
intent
would
imply
knowledge
of
an
impending
attack
or
a
credible
threat.
• Capability
is
the
probability
that
a
person
or
group
would
have
the
capability
to
execute
this
attack.
Note
that
this
requires
an
attack
mode.
The
capability
of
a
group
to
obtain
small
explosives
is
likely
to
be
higher
than
their
capability
to
obtain
radioactive
material.
Vulnerability
is
the
percentage
product
of
Achievability
and
Target
Hardness.
• Achievability
is
the
probability
of
successful
attack
assuming
no
security
measures.
Do
not
consider
existing
security
features
such
as
fencing,
key
card
control,
CCTV,
etc.
Assume
that
this
person
or
group
gains
access
to
this
asset
with
a
small
explosive
device
(for
example).
What
is
the
likelihood
that
it
would
successfully
disable
the
asset?
• Target
Hardness
is
the
probability
that
the
target
cannot
withstand
the
attack.
Note
this
implies
that
a
lower
value
means
a
harder
target.
An
asset
with
stand-‐off
barriers
and
physical
patrols
would
have
a
lower
target
hardness
value
than
one
with
only
light
fencing.
Consequence
is
the
sum
of
all
consequence
category
estimates.
All
categories
must
be
translated
to
a
single
unit
(e.g.
dollars,
millions
of
dollars,
lives).
• Death/Injury
is
the
number
of
casualties
that
would
be
expected
as
a
result
of
this
attack
on
this
asset.
We
use
a
value
per
statistical
life
(VSL)
of
$6.5M
but
this
can
be
adjusted.
• Economic
Loss
is
the
estimated
value
of
loss
due
to
attack.
This
should
include
the
damage
to
the
asset
itself
but
could
also
include
“downstream”
economic
damages.
For
example,
if
a
bridge
is
disabled,
the
cost
to
repair
the
bridge
could
be
added
to
the
estimated
loss
of
commerce
over
the
time
it
takes
to
repair
the
bridge
to
estimate
this
value.
It
is
important
to
be
consistent
throughout
all
entries
in
this
column.
• Environmental
is
the
estimated
value
of
the
environmental
impact
of
this
attack
on
this
asset.
If
there
is
no
environmental
impact,
then
this
can
be
zero.
In
cases
where
a
post-‐event
clean
up
must
be
performed,
as
would
be
the
case
in
a
radiological,
chemical,
or
biological
attack,
this
could
be
very
high.
• National
Security
is
the
estimated
value
of
the
impact
of
this
attack
on
this
asset
on
national
security.
An
attack
on
a
port
facility,
for
example,
might
have
a
large
impact
national
security,
whereas
an
attack
on
a
water
treatment
plant
may
have
a
smaller
estimated
value.
• Symbolic
is
the
estimated
value
of
impact
due
to
the
symbolic
value
of
this
target.
Damage
to
an
iconic
bridge
would
be
estimated
higher
than
a
generic
bridge.
Damage
to
a
national
monument
would
have
value
here
where
it
may
not
have
value
elsewhere.
Total
is
the
Risk
calculation
for
this
Asset-‐Attack
Mode
pair.
It
is
computed,
not
input
by
the
user.
Assuming
that
consequence
values
were
given
in
dollars,
then
the
Risk
calculation
is
also
in
dollars.
You
may
use
the
Sort
function
in
Excel
to
sort
the
table
on
Total
in
order
to
quickly
identify
the
Asset-‐Attack
Mode
pairs
with
the
highest
calculated
Risk.
Modifications
This
simple
tool
was
built
with
the
intention
that
it
would
be
modified
to
meet
specific
uses.
1. If
the
components
of
T,
C,
or
C
are
not
desired,
then
the
user
may
directly
input
percentage
values
(0-‐100)
in
columns
E
or
H.
For
consequence,
a
C
can
be
directly
input
into
column
N
or
any
of
the
columns
I
through
M
may
be
discarded
if
not
needed.
The
tool
will
sum
what
values
are
given.
2. If
you
wish
to
add
another
component
to
Threat
or
Vulnerability,
you
may
do
so
by
adding
a
new
column
under
that
category,
in
either
the
red
or
yellow
regions.
Make
sure
that
you
adjust
the
Score
column
to
include
the
new
column.
Also
make
sure
that
the
new
component
is
a
percentage
value
so
that
it
can
be
multiplied
without
affecting
the
other
components.
3. You
may
also
add
components
to
Consequence
easily.
Add
a
column
into
the
blue
region,
and
make
sure
that
the
Score
column
in
blue
includes
the
new
column(s)
in
the
sum.
It
should
do
that
by
default.
