A Vulnerability Analysis Framework

Updated: Oct 13, 2020

Vulnerability Analysis

A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.

Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply systems, transportation systems, and communication systems.

Vulnerability analysis is related to Business Impact Analysis (BIA) but has a narrower focus: identifying specific weaknesses.

The vulnerability analysis framework in the diagram below is from the Security Risk Management Body of Knowledge (SRMBOK).

Figure 1: SRMBOK Vulnerability Analysis Model

There are many vulnerability analysis models and tools; CARVER and OCTAVE are two other examples.

CARVER¹ is an example of a vulnerability analysis tool and stands for:

  1. Criticality - a measure of the public health and economic impacts of an attack

  2. Accessibility - the ability to physically access and egress from a target

  3. Recuperability - the ability of a system to recover from an attack

  4. Vulnerability - the ease of accomplishing an attack

  5. Effect - the consequences or amount of direct loss from an attack as measured by loss in production

  6. Recognizability - ease of identifying a target
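CARVER is normally applied as a scoring matrix: each asset is rated on the six criteria and the totals order the list so that defensive effort goes to the highest-scoring assets first. The Python below is an added worked example, not code from the original post, from SRMBOK or from the FDA primer. It assumes a 1 (low) to 10 (high) scale per criterion and a simple additive total; the asset names and scores are constructed placeholders.

```python
"""CARVER scoring matrix (added example; not from the original post).

Each asset is scored 1 (low) to 10 (high) on the six CARVER criteria and the
per-asset total orders the list, highest first, so the assets most in need of
mitigation attention surface at the top. Scale, weighting (plain sum) and the
sample inventory are assumptions for illustration.
"""
from dataclasses import dataclass

# Criterion names in CARVER order; each starts with its letter of the acronym.
CRITERIA = ("criticality", "accessibility", "recuperability",
            "vulnerability", "effect", "recognizability")
MIN_SCORE, MAX_SCORE = 1, 10  # assumed scale, as in many CARVER worksheets


@dataclass
class Asset:
    name: str
    scores: dict  # criterion name -> int within [MIN_SCORE, MAX_SCORE]

    def validate(self) -> None:
        """Reject incomplete, unknown or out-of-range scores before ranking."""
        missing = set(CRITERIA) - set(self.scores)
        if missing:
            raise ValueError(f"{self.name}: missing criteria {sorted(missing)}")
        for crit, val in self.scores.items():
            if crit not in CRITERIA:
                raise ValueError(f"{self.name}: unknown criterion {crit!r}")
            if not MIN_SCORE <= val <= MAX_SCORE:
                raise ValueError(
                    f"{self.name}: {crit} score {val} outside {MIN_SCORE}-{MAX_SCORE}")

    def total(self) -> int:
        """Additive CARVER total for this asset."""
        self.validate()
        return sum(self.scores[c] for c in CRITERIA)


def rank_assets(assets):
    """Return (name, total) pairs from highest to lowest CARVER total.

    Ties are broken alphabetically so the ranking is deterministic.
    """
    return sorted(((a.name, a.total()) for a in assets),
                  key=lambda pair: (-pair[1], pair[0]))


def render_matrix(assets) -> str:
    """Plain-text CARVER matrix, one row per asset, highest total first."""
    by_name = {a.name: a for a in assets}
    header = f"{'Asset':<22}" + "".join(f"{c[0].upper():>4}" for c in CRITERIA) + f"{'TOTAL':>7}"
    rows = [header]
    for name, total in rank_assets(assets):
        a = by_name[name]
        rows.append(f"{name:<22}" + "".join(f"{a.scores[c]:>4}" for c in CRITERIA) + f"{total:>7}")
    return "\n".join(rows)


def _scores(c, a, r, v, e, rg):
    return dict(zip(CRITERIA, (c, a, r, v, e, rg)))


# Constructed sample inventory: placeholder names and scores, not real data.
SAMPLE_ASSETS = [
    Asset("Customer database", _scores(9, 4, 6, 5, 8, 7)),   # total 39
    Asset("Public website", _scores(5, 9, 3, 6, 4, 9)),      # total 36
    Asset("Backup tape archive", _scores(7, 2, 8, 3, 7, 3)), # total 30
    Asset("Office printer", _scores(2, 8, 2, 7, 1, 6)),      # total 26
]

if __name__ == "__main__":
    print(render_matrix(SAMPLE_ASSETS))
```

A plain sum treats every criterion as equally important; teams that weight, say, Criticality and Effect more heavily than Recognizability can replace `total()` with a weighted sum without touching the ranking or validation code.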

OCTAVE² can also be useful in determining vulnerability; it stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation.


¹ Center for Food Safety and Applied Nutrition. 'CARVER + Shock Primer'. FDA, 19 March 2019.

² Caralli, Richard A., James F. Stevens, Lisa R. Young, and William R. Wilson. 'Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process': Fort B
