completing the spreadsheets
DrAwesome
FINAL_14.zipFINAL_14/CARVER_1_.xlsx
Worksheet
| CARVER | ||||||
| Asset Name: | GW Bridge | |||||
| Address: | ||||||
| City: | NYC | Time needed to replace asset, if possible | Additional CI sectors affected by loss of asset | |||
| State: | ||||||
| Zip: | Select Value: | |||||
| County: | ||||||
| Owner: | ||||||
| Sector: | ||||||
| Susceptibility of asset to damage or destruction | ||||||
| Impact of loss of asset | Select Value: | |||||
| Users Affected: | ||||||
| Economic Loss and Rebuild Cost ($): | Is the asset an "icon" representing more than a physical structure | |||||
| Potential Deaths from Attack: | Select Value: | |||||
| Ease of entry into the asset to cause its damage or destruction | Percentage of "back-up" capacity to offset the loss of this asset | |||||
| Select Value: | Select Value: | |||||
| SCORE: | 122 | 5 |
CRITICALITY
ACCESSIBILITY
RECOVERABILITY
VULNERABILITY
ESPYABILITY
REDUNDANCY
Food & Agriculture
Banking & Finance
Chemical
Commercial Facilities
Communications
Critical Manufacturing
Dams
Defense Industrial Base
Emergency Services
Energy
INTERDEPENDENCY
Government Facilities
Healthcare & Public Health
Information Technology
National Monuments & Icons
Nuclear Reactors, Materials & Waste
Postal & Shipping
Transportation Systems
Water
Menu Items
| SECTOR | VALUE | CRITICALITY | VALUE | VALUE | VALUE | ||
| Food & Agriculture | 1 | Less than 1000 people | 1 | Less than $10 million | 1 | N/A | 1 |
| Banking & Finance | 2 | More than 1000 people | 2 | Less than $25 million | 2 | 10 | 2 |
| Chemical | 3 | More than 10,000 people | 3 | Less than $50 million | 3 | 50 | 3 |
| Commercial Facilities | 4 | More than 25,000 people | 4 | Less than $100 million | 4 | 100 | 4 |
| Communications | 5 | More than 50,000 people | 5 | Less than $250 million | 5 | 250 | 5 |
| Critical Manufacturing | 6 | More than 100,000 people | 6 | Less than $500 million | 6 | 500 | 6 |
| Dams | 7 | More than 500,000 people | 7 | Less than $750 million | 7 | 1000 | 7 |
| Defense Industrial Base | 8 | More than 1 million people | 8 | Less than $1 billion | 8 | 5000 | 8 |
| Emergency Services | 9 | More than 2.5 million people | 9 | Less than $25 billion | 9 | 10000 | 9 |
| Energy | 10 | More than 5 million people | 10 | Less than $50 billion | 10 | 50000 | 10 |
| Government Facilities | 11 | 100,000+ | 11 | ||||
| Healthcare & Public Health | 12 | ||||||
| Information Technology | 13 | ||||||
| National Monuments & Icons | 14 | ||||||
| Nuclear Reactors, Materials & Waste | 15 | ||||||
| Postal & Shipping | 16 | ||||||
| Transpostation Systems | 17 | ACCESSIBILITY | VALUE | RECOVERABILITY | VALUE | VULNERABILITY | VALUE |
| Water | 18 | Patrolled | 1 | Less than 1 month | 1 | Special Hardening | 1 |
| Perimeter Fencing | 2 | More than 1 month | 2 | Massive | 2 | ||
| Armed Security | 3 | More than 3 months | 3 | Building Purpose Unknown to Public | 3 | ||
| Unarmed Security | 4 | More than 6 months | 4 | Operations Structurally Dispersed | 4 | ||
| Access Control | 5 | More than 1 year | 5 | Concrete/Stone | 5 | ||
| Alarm System | 6 | More than 2 years | 6 | Structural Steel | 6 | ||
| Locked Area | 7 | More than 3 years | 7 | Flammable/Explosive | 7 | ||
| Open to Public | 8 | More than 4 years | 8 | Minor Metal Frame | 8 | ||
| No Control | 9 | More than 5 years | 9 | Wood Design | 9 | ||
| Irreplacable | 10 | No Security Design | 10 | ||||
| ESPYABILITY | VALUE | REDUNDANCY | VALUE | ||||
| Locally significant, non-government | 1 | 100% | 1 | ||||
| Locally significant, government | 2 | 90% | 2 | ||||
| State icon only | 3 | 80% | 3 | ||||
| State icon + function | 4 | 70% | 4 | ||||
| Regional icon only | 5 | 60% | 5 | ||||
| Regional icon + function | 6 | 50% | 6 | ||||
| National icon only | 7 | 40% | 7 | ||||
| National icon + function | 8 | 30% | 8 | ||||
| World icon only | 9 | 20% | 9 | ||||
| World icon + function | 10 | 10% | 10 | ||||
| 0% | 11 |
Results
| Asset Name: | GW Bridge | ||
| Address: | 0 | ||
| City: | NYC | ||
| State: | 0 | ||
| Zip: | 0 | ||
| County: | 0 | ||
| Owner: | 0 | ||
| Sector: | 17 | ||
| Criticality | |||
| Users affected | 6 | 25 | |
| Economic loss | 9 | 125 | |
| Potential deaths | 5 | 10 | |
| Total | 160 | ||
| Accessibility | |||
| Value | 7 | 0.98 | |
| Recoverability | |||
| Value | 5 | 15 | |
| Vulnerability | |||
| Value | 9 | 0.99 | |
| Espyability | |||
| Value | 8 | 0.955 | |
| Redundancy | |||
| Value | 6 | 0.75 | |
| SCORE: | 121.60850625 | ||
| Food & Agriculture | TRUE | 1 | |
| Banking & Finance | FALSE | 0 | |
| Chemical | 0 | ||
| Commercial Facilities | FALSE | 0 | |
| Communications | TRUE | 1 | |
| Critical Manufacturing | 0 | ||
| Dams | 0 | ||
| Defense Industrial Base | TRUE | 1 | |
| Emergency Services | TRUE | 1 | |
| Energy | FALSE | 0 | |
| Government Facilities | 0 | ||
| Healthcare & Public Health | 0 | ||
| Information Technology | 0 | ||
| National Monuments & Icons | 0 | ||
| Nuclear Reactors, Materials & Waste | 0 | ||
| Postal & Shipping | TRUE | 1 | |
| Transpostation Systems | FALSE | 0 | |
| Water | 0 | ||
| INTERDEPENDENCY | 5 |
Tables
| CRITICALITY | VALUE | SCORE | VALUE | SCORE | VALUE | SCORE | |||
| Less than 1000 people | 1 | 1 | Less than $10 million | 1 | 1 | N/A | 1 | 0 | |
| More than 1000 people | 2 | 3 | Less than $25 million | 2 | 3 | 10 | 2 | 1 | |
| More than 10,000 people | 3 | 5 | Less than $50 million | 3 | 5 | 50 | 3 | 3 | |
| More than 25,000 people | 4 | 10 | Less than $100 million | 4 | 10 | 100 | 4 | 5 | |
| More than 50,000 people | 5 | 15 | Less than $250 million | 5 | 15 | 250 | 5 | 10 | |
| More than 100,000 people | 6 | 25 | Less than $500 million | 6 | 25 | 500 | 6 | 15 | |
| More than 500,000 people | 7 | 40 | Less than $750 million | 7 | 40 | 1000 | 7 | 25 | |
| More than 1 million people | 8 | 75 | Less than $1 billion | 8 | 75 | 5000 | 8 | 40 | |
| More than 2.5 million people | 9 | 125 | Less than $25 billion | 9 | 125 | 10000 | 9 | 75 | |
| More than 5 million people | 10 | 200 | Less than $50 billion | 10 | 200 | 50000 | 10 | 125 | |
| 100,000+ | 11 | 200 | |||||||
| ACCESSIBILITY | VALUE | SCORE | RECOVERABILITY | VALUE | SCORE | VULNERABILITY | VALUE | SCORE | |
| Patrolled | 1 | 0.99 | Less than 1 month | 1 | 1 | Special Hardening | 1 | 0.9 | |
| Perimeter Fencing | 2 | 0.98 | More than 1 month | 2 | 3 | Massive | 2 | 0.9 | |
| Armed Security | 3 | 0.9 | More than 3 months | 3 | 5 | Building Purpose Unknown to Public | 3 | 0.95 | |
| Unarmed Security | 4 | 0.95 | More than 6 months | 4 | 10 | Operations Structurally Dispersed | 4 | 0.95 | |
| Access Control | 5 | 0.95 | More than 1 year | 5 | 15 | Concrete/Stone | 5 | 0.96 | |
| Alarm System | 6 | 0.9 | More than 2 years | 6 | 25 | Structural Steel | 6 | 0.96 | |
| Locked Area | 7 | 0.98 | More than 3 years | 7 | 40 | Flamable/Explosive | 7 | 0.97 | |
| Open to Public | 8 | 0.99 | More than 4 years | 8 | 75 | Minor Metal Frame | 8 | 0.98 | |
| No Control | 9 | 0.999 | More than 5 years | 9 | 125 | Wood Design | 9 | 0.99 | |
| 1 | Irreplacable | 10 | 200 | No Security Design | 10 | 0.999 | |||
| ESPYABILITY | VALUE | SCORE | REDUNDANCY | VALUE | SCORE | ||||
| Locally significant, non-government | 1 | 0.9 | 100% | 1 | 0.001 | ||||
| Locally significant, government | 2 | 0.9 | 90% | 2 | 0.5 | ||||
| State icon only | 3 | 0.92 | 80% | 3 | 0.6 | ||||
| State icon + function | 4 | 0.925 | 70% | 4 | 0.65 | ||||
| Regional icon only | 5 | 0.93 | 60% | 5 | 0.7 | ||||
| Regional icon + function | 6 | 0.935 | 50% | 6 | 0.75 | ||||
| National icon only | 7 | 0.95 | 40% | 7 | 0.8 | ||||
| National icon + function | 8 | 0.955 | 30% | 8 | 0.85 | ||||
| World icon only | 9 | 0.99 | 20% | 9 | 0.9 | ||||
| World icon + function | 10 | 0.995 | 10% | 10 | 0.95 | ||||
| 0% | 11 | 1 |
FINAL_14/CARVER_tools_1_.pdf
CARVER CARVER is a methodology first used by the Department of Defense Special Forces to rank targets so that their resources could be used efficiently. The user would estimate Criticality, Accessibility, Recuperability, Vulnerability, Effect, and Recognizability as nominal scores that were added and then ranked. The methodology was later adapted for Homeland Security. The CARVER tool that was used by practitioners had proprietary data tables behind it to weigh user inputs appropriately. This tool makes those tables available so that the user can experiment with weighting and modeling if desired.
Using the Tool For this simple tool, only one asset can be evaluated for each spreadsheet. To evaluate a set of assets, we recommend making a number of copies of the Excel file with one evaluation for each file. All data is input into the Worksheet tab while all the tables are on the Tables tab. The Menu Items and Results tabs are used to store values temporarily and are it is not recommended that users modify these. To begin, input enough data to uniquely identify the asset to be evaluated. This is not used in any calculation so not all is required, but at a minimum, a unique name is helpful. You may also place this asset into a specific sector. Criticality assesses the impact of the loss of this asset. Note that CARVER is not threat mode specific so you are to consider any threat possible.
• Users Affected is not casualties, but rather people impacted by the loss of this asset. If it is a bridge and 100,000 people will not be able to get to work, then these people are affected.
• Economic Loss and Rebuild Cost is and estimate of the financial damage associated with the loss of this asset. Economic loss and rebuild cost are summed together in this estimate, so be sure that if you include economic loss for one asset, you include it throughout your assessment.
• Potential Deaths form Attack is an estimate of casualties associated with an attack on this asset. Again, CARVER is not threat specific so assume worst case scenario.
Accessibility allows you to indicate what security may be in place to limit access to this asset. You may choose from Patrolled, Perimeter Fencing, Armed Security, Unarmed Security, Access Control, Alarm System, Locked Area, Open to the Public, and No Control. Recoverability is the time needed to replace or repair this asset, if possible. Choose an estimate from the menu.
Vulnerability is the susceptibility of this asset to damage or destruction. Ignore anything related to access (we covered that under Accessibility) and focus instead on features of the asset that will help it to withstand or survive an attack.
• Massive refers to the size of the structure. A massive structure, like a major bridge, has low vulnerability due to its size.
• Building Purpose Unknown to Public would be like a water pumping station that looks like a non-‐descript house in a neighborhood.
• Operations Structurally Dispersed would be a facility that has a back-‐up location or can otherwise function without all of its parts operating at the same time.
• Concrete/Stone refers to the structural material used in the asset. • Structural Steel also refers to the structural material used in the asset. • Flammable/Explosive should be selected if either the asset itself burns easily
or if it contains materials that burn easily or are potentially explosive. • Minor Metal Frame again refers to the structural material used in the asset. • Wood Design refers to the structural material used in the asset. • No Security Design means that there is nothing special in the design of this
asset to reduce vulnerability. Espyability refers to whether or not the asset is merely functional or if it has iconic status at the Local, State, Regional, National, or World level. Choose from:
• Locally significant, non-‐government • Locally significant, government • State icon only • State icon + function • Regional icon only • Regional icon + function • National icon only • National icon + function • World icon only • World icon + function
Redundancy is an estimate of the percentage overlap or back-‐up capacity there is to offset the loss of this asset. Interdependency is a list of sectors that might be interdependent with this asset. For example, if this is a power station, it might be interdependent with the water sector, commercial facilities, defense industrial base, etc. Interdependency is not calculated into the CARVER score but is represented by the smaller number in the score. A CARVER score of 122-‐5 means that this asset has a score of 122 with 5 interdependencies. CARVER scores are calculated but are dimensionless. The score does not represent Risk, Resilience, Vulnerability, or anything else. The higher the score, the more likely
that asset may require resourcing. But you cannot say that an asset with a score of 100 is half as important as an asset with a score of 200.
Modifications The best place to experiment with CARVER is in the Tables tab. Here you will see all of the categories we just described here with all of the items in the menus that you can select. Notice that for each menu selection, there is an associated Score. Do not change the Value column. That is there as an identifier for that menu selection. But do experiment with changing the Scores. Should a criticality that impacts 500,000 people (score of 40) be only four times higher than that for 25,000 people (score of 10)? Maybe it should be higher. Experiment with changing scores. Test your configurations with a set of assets to make sure that it makes sense. Does the overall CARVER score go up when you expect it to? Does it decrease when you expect it to? By default, the data tables we provide are all independent but they don’t have to be. You could experiment by having a score linked to another value. For example, what if you wanted the Criticality score to be higher if the Recoverability time was longer? How would you do that?
FINAL_14/Multicriterion_documentation_1_.pdf
Multi-‐Criteria Assessment Methodology This multi-‐criteria tool is an example of a simple risk-‐based model that assesses assets independently but with multiple measures. For this example, we used a subset of the MSRAM model, at least in the way MSRAM models risk and its components.
Description Asset is a unique name of the asset to be evaluated. Attack Mode is a description of the type of attack being considered. Multiple attack modes can be considered for any asset.
We consider Asset + Attack Mode as the key data pair that uniquely identifies one assessment. An electrical switching station could be paired with an explosive device, a SCADA attack, or other mode, each of which would be considered separately.
We use the standard equation for Risk
R = T * V * C where T is Threat, V is Vulnerability, and C is Consequence. The components of each is described below. Threat is the percentage product of Intent and Capability.
• Intent is the probability that a person or group would want to damage or destroy this asset. High intent would imply knowledge of an impending attack or a credible threat.
• Capability is the probability that a person or group would have the capability to execute this attack. Note that this requires an attack mode. The capability of a group to obtain small explosives is likely to be higher than their capability to obtain radioactive material.
Vulnerability is the percentage product of Achievability and Target Hardness. • Achievability is the probability of successful attack assuming no security
measures. Do not consider existing security features such as fencing, key card control, CCTV, etc. Assume that this person or group gains access to this asset with a small explosive device (for example). What is the likelihood that it would successfully disable the asset?
• Target Hardness is the probability that the target cannot withstand the attack. Note this implies that a lower value means a harder target. An asset with stand-‐off barriers and physical patrols would have a lower target hardness value than one with only light fencing.
Consequence is the sum of all consequence category estimates. All categories must be translated to a single unit (e.g. dollars, millions of dollars, lives).
• Death/Injury is the number of casualties that would be expected as a result of this attack on this asset. We use a value per statistical life (VSL) of $6.5M but this can be adjusted.
• Economic Loss is the estimated value of loss due to attack. This should include the damage to the asset itself but could also include “downstream” economic damages. For example, if a bridge is disabled, the cost to repair the bridge could be added to the estimated loss of commerce over the time it takes to repair the bridge to estimate this value. It is important to be consistent throughout all entries in this column.
• Environmental is the estimated value of the environmental impact of this attack on this asset. If there is no environmental impact, then this can be zero. In cases where a post-‐event clean up must be performed, as would be the case in a radiological, chemical, or biological attack, this could be very high.
• National Security is the estimated value of the impact of this attack on this asset on national security. An attack on a port facility, for example, might have a large impact national security, whereas an attack on a water treatment plant may have a smaller estimated value.
• Symbolic is the estimated value of impact due to the symbolic value of this target. Damage to an iconic bridge would be estimated higher than a generic bridge. Damage to a national monument would have value here where it may not have value elsewhere.
Total is the Risk calculation for this Asset-‐Attack Mode pair. It is computed, not input by the user. Assuming that consequence values were given in dollars, then the Risk calculation is also in dollars. You may use the Sort function in Excel to sort the table on Total in order to quickly identify the Asset-‐Attack Mode pairs with the highest calculated Risk.
Modifications This simple tool was built with the intention that it would be modified to meet specific uses. 1. If the components of T, C, or C are not desired, then the user may directly input
percentage values (0-‐100) in columns E or H. For consequence, a C can be directly input into column N or any of the columns I through M may be discarded if not needed. The tool will sum what values are given.
2. If you wish to add another component to Threat or Vulnerability, you may do so by adding a new column under that category, in either the red or yellow regions. Make sure that you adjust the Score column to include the new column. Also make sure that the new component is a percentage value so that it can be multiplied without affecting the other components.
3. You may also add components to Consequence easily. Add a column into the blue region, and make sure that the Score column in blue includes the new column(s) in the sum. It should do that by default.
FINAL_14/Multi-Criterion_Workshop_1_.xlsx
Sheet1
| ASSET | ATTACK MODE | THREAT | VULNERABILITY | CONSEQUENCE | TOTAL | |||||||||
| Intent | Capability | Score | Achievability | Target Hardness | Score | Death/Injury | Economic Loss | Environmental | National Security | Symbolic | Score | |||
| GW Bridge | Water B device by X | 100% | 100% | 100% | 10% | 5% | 1% | 100 | $5,000 | $500 | $6,150 | $30.75 | ||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| 0% | 0% | $0 | $0.00 | |||||||||||
| DEFINITIONS | $M | |||||||||||||
| Intent | Probability that a person or gorup would want to do this | Value per statistical life (VSL) | 6.5 | |||||||||||
| Capability | Probability that a person or group would be able to do this | |||||||||||||
| Achievability | Probability of successful attack assuming no security measures | |||||||||||||
| Target hardness | Probability that the target cannot withstand the attack (lower = harder) | |||||||||||||
| Death/Injury | Number of deaths or injuries as a result of attack | |||||||||||||
| Economic loss | Estimated dollar value of loss due to attack | |||||||||||||
| Environmental | Estimated dollar value of environmental impact | |||||||||||||
| National security | Estimated dollar value of impact on national security | |||||||||||||
| Symbolic | Estimated dollar value of impact due to symbolic value of target |
