Updated: Oct 13
A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.
Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply systems, transportation systems, and communication systems.
Vulnerability analysis is related to Business Impact Analysis (BIA) but takes a particular focus, that of identifying specific weaknesses.
The vulnerability analysis framework in the diagram below is from the Security Risk Management Body of knowledge.
Figure 1: SRMBOK Vulnerability Analysis Model
There are many vulnerability analysis models and tools; CARVER and OCTAVE are two other widely used examples.
CARVER¹ is an example of a vulnerability analysis tool and stands for:
Criticality - a measure of the public health and economic impacts of an attack
Accessibility - the ability to physically access a target and egress from it
Recuperability - the ability of the system to recover from an attack
Vulnerability - the ease of accomplishing an attack
Effect - the consequences or amount of direct loss from an attack as measured by loss in production
Recognizability - ease of identifying a target
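The definition above (identify, quantify, prioritize) and the CARVER factor list describe a ranking method without showing one. The following is an added example, not code from the page or from the FDA primer it cites: it scores each asset on the six CARVER factors, validates the ratings, and ranks assets so that the highest-scoring (most attractive to an attacker) get mitigation attention first. The 1-to-10 scale, the unweighted sum, the asset names and their ratings are all assumptions constructed for illustration.

```python
"""CARVER-style asset ranking (added example; scale and sample assets are assumed)."""
from dataclasses import dataclass

# The six CARVER factors named on the page, in acronym order.
CARVER_FACTORS = ("criticality", "accessibility", "recuperability",
                  "vulnerability", "effect", "recognizability")

# Assumed scoring scale: 1 = least attractive to an attacker, 10 = most attractive.
# Real programmes publish their own per-factor rating tables.
SCALE_MIN, SCALE_MAX = 1, 10


@dataclass
class Asset:
    name: str
    scores: dict  # factor name -> integer rating on the assumed scale


def is_valid(scores):
    """True only if every CARVER factor is present, nothing else is, and all
    ratings are integers inside the scale; a bad sheet must not skew ranking."""
    if set(scores) != set(CARVER_FACTORS):
        return False
    return all(isinstance(v, int) and SCALE_MIN <= v <= SCALE_MAX
               for v in scores.values())


def carver_score(asset):
    """Total CARVER score: the unweighted sum of the six factor ratings."""
    if not is_valid(asset.scores):
        raise ValueError(f"invalid CARVER ratings for {asset.name!r}: {asset.scores}")
    return sum(asset.scores[f] for f in CARVER_FACTORS)


def rank_assets(assets):
    """(name, score) pairs from highest to lowest; ties keep input order (stable sort)."""
    scored = [(a.name, carver_score(a)) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample assets: ratings are illustrative, not from any real assessment.
SAMPLE_ASSETS = [
    Asset("Internet-facing customer portal",
          {"criticality": 8, "accessibility": 9, "recuperability": 4,
           "vulnerability": 7, "effect": 6, "recognizability": 9}),
    Asset("Plant SCADA historian",
          {"criticality": 9, "accessibility": 3, "recuperability": 8,
           "vulnerability": 5, "effect": 9, "recognizability": 4}),
    Asset("HR file share",
          {"criticality": 4, "accessibility": 6, "recuperability": 3,
           "vulnerability": 3, "effect": 5, "recognizability": 6}),
]

if __name__ == "__main__":
    for name, score in rank_assets(SAMPLE_ASSETS):
        print(f"{score:3d}  {name}")
```

The ranking is only as good as the ratings: the validation step rejects sheets with a missing factor or a value outside the scale rather than silently ranking them, and the sort is stable so equal totals keep the order the assessor entered them in.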
OCTAVE² can also be useful in determining vulnerability and stands for:
Operationally Critical Threat, Asset, and Vulnerability Evaluation
¹ Center for Food Safety and Applied Nutrition. ‘CARVER + Shock Primer’. FDA, 19 March 2019. http://www.fda.gov/food/food-defense-programs/carver-shock-primer.
² Caralli, Richard A., James F. Stevens, Lisa R. Young, and William R. Wilson. ‘Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process’: Fort B