A Vulnerability Analysis Framework

Updated: Oct 13

Vulnerability Analysis


A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.


Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply systems, transportation systems, and communication systems.


Vulnerability analysis is related to Business Impact Analysis (BIA) but takes a particular focus, that of identifying specific weaknesses.


The vulnerability analysis framework in the diagram below is from the Security Risk Management Body of knowledge.

Figure 1: SRMBOK Vulnerability Analysis Model


There are many vulnerability analysis models and tools but CARVER and OCTAVE are two other examples.


CARVER¹ is an example of a vulnerability analysis tool and stands for:

  1. Criticality - a measure of the public health and economic impacts of an attack

  2. Accessibility - the ability to physically access and egress from a target

  3. Recuperability - the ability of system to recover from an attack

  4. Vulnerability - the ease of accomplishing an attack

  5. Effect - the consequences or amount of direct loss from an attack as measured by loss in production

  6. Recognizability - ease of identifying a target

OCTAVE² can also be useful in determining vulnerability and stands for:

Operationally Critical Threat, Asset, and Vulnerability Evaluation



¹ Nutrition, Center for Food Safety and Applied.‘CARVER +Shock Primer’. FDA, 19 March 2019. http://www.fda.gov/food/food-defense-programs/carver-shock-primer.

² Caralli, Richard A., James F. Stevens, Lisa R. Young, and William R. Wilson.‘Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process’: Fort B

Recent Posts

See All

Other Security Frameworks

Security Frameworks The following is a partial list of sources for security-related frameworks. Their presence here is not an endorsement, just a resource if you are looking for more references. I hav

©2019 by Julian Talbot