Applying the CARVER Methodology to All-Hazards Security Risk Management for SOCI-Regulated Critical Infrastructure


by Maksym Szewczuk CPP PSP

In an era of increasingly complex threat environments, large and interconnected critical infrastructure assets face a diverse range of physical, cyber, supply chain, and operational hazards. For entities regulated under Australia’s Security of Critical Infrastructure Act 2018 (SOCI Act), adopting a systematic and defensible method for identifying and prioritising security risks is essential.

While ISO 31000 provides the overarching framework for risk management, the U.S.-originated CARVER methodology—originally designed for military target analysis—provides a structured, quantitative lens for assessing vulnerabilities across multi-hazard scenarios. When adapted to an all-hazards context, CARVER strengthens decision-making by helping asset owners assess where threats can cause the greatest impact and where mitigations generate the highest value.

CARVER, an acronym for Criticality, Accessibility, Recoverability, Vulnerability, Effect, and Recognisability, enables a comparative assessment of risks across diverse assets, systems, or functions. Its strength lies in prioritisation: not all vulnerabilities are equal, and CARVER offers a repeatable scoring mechanism to determine where protective security resources should be focused. This aligns well with SOCI obligations, including risk assessments, hazard identification, critical asset protection, and mandatory risk mitigation plans.

In an all-hazards environment—one that considers security threats (malicious acts), safety hazards, natural disasters, system failures, and cascading impacts—CARVER supports multi-disciplinary risk evaluation.

For example, Criticality assesses the importance of a system or asset to national resilience, safety, economic continuity, or essential service provision. A data centre supporting energy or transport operations may score highly due to cascading interdependencies. Accessibility examines how easily an adversary, hazard, or disruption can reach or affect the asset (physically or digitally), while Vulnerability measures the ease with which protection can be bypassed or overwhelmed. Combined, these elements help SOCI entities identify exploitable weak points that may require uplift through physical, cyber, operational, or design-based controls.

Recoverability and Effect align strongly with SOCI’s focus on consequence management and critical infrastructure resilience. Recoverability considers how quickly and effectively a service can be restored after an incident—an essential aspect for meeting government expectations around continuity of critical services. The Effect criterion evaluates the scope of consequences should the asset or system be compromised, including community harm, economic loss, national security impacts, or damage to public trust—core considerations for SOCI-regulated sectors.

Recognisability, often overlooked, assesses how easily a target can be identified by a threat actor or how predictable a hazard impact pathway may be, guiding organisations to consider concealment, complexity, and redundancy in system design.
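The scoring and prioritisation mechanism described above, as an added worked example that is not part of the original article: a constructed all-hazards CARVER matrix is validated, rolled up to each asset's worst-case hazard scenario, and ranked. The 1-5 scale, asset names, hazards and scores are assumptions made for the illustration.

```python
# Six CARVER criteria, scored on an assumed 1-5 ordinal scale where a higher
# value means greater concern (e.g. easier access, slower recovery).
CRITERIA = ("criticality", "accessibility", "recoverability",
            "vulnerability", "effect", "recognisability")
MIN_SCORE, MAX_SCORE = 1, 5


def carver_total(scores: dict) -> int:
    """Validate one asset/hazard scoring and return its CARVER total."""
    missing = set(CRITERIA) - set(scores)
    if missing:
        raise ValueError(f"missing criteria: {sorted(missing)}")
    for name in CRITERIA:
        value = scores[name]
        if not isinstance(value, int) or not MIN_SCORE <= value <= MAX_SCORE:
            raise ValueError(f"{name}: expected integer {MIN_SCORE}-{MAX_SCORE}, got {value!r}")
    return sum(scores[name] for name in CRITERIA)


def prioritise(matrix: dict) -> list:
    """All-hazards roll-up: rank assets by their worst-case hazard scenario.
    matrix maps asset -> hazard -> {criterion: score}. Each row returned is
    (asset, worst hazard, CARVER total, dominant criterion); the dominant
    criterion (highest score, first in CARVER order on ties) points at the
    control family most likely to bring the score down."""
    rows = []
    for asset, hazards in matrix.items():
        worst = max(hazards, key=lambda h: carver_total(hazards[h]))
        worst_scores = hazards[worst]
        dominant = max(CRITERIA, key=lambda c: worst_scores[c])
        rows.append((asset, worst, carver_total(worst_scores), dominant))
    return sorted(rows, key=lambda row: (-row[2], row[0]))


# Constructed sample matrix: asset names, hazards and scores are illustrative.
EXAMPLE_MATRIX = {
    "data centre": {
        "cyber intrusion": dict(zip(CRITERIA, (5, 3, 4, 3, 5, 4))),
        "flood": dict(zip(CRITERIA, (5, 2, 3, 2, 4, 2))),
    },
    "substation": {
        "unauthorised physical access": dict(zip(CRITERIA, (4, 5, 3, 3, 4, 3))),
        "bushfire": dict(zip(CRITERIA, (4, 3, 2, 3, 4, 2))),
    },
    "admin office": {"cyber intrusion": dict(zip(CRITERIA, (2, 3, 1, 2, 2, 3)))},
}

if __name__ == "__main__":
    for asset, hazard, total, dominant in prioritise(EXAMPLE_MATRIX):
        print(f"{total:>2}  {asset:<12} worst case: {hazard} (driver: {dominant})")
```

Ranking by the worst-case scenario per asset keeps a single catastrophic pathway from being averaged away by benign ones, and the dominant criterion tells the assessor whether uplift should target access control, recovery capability, or another control family.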

When combined with ISO 31000, SOCI obligations, and modern security risk management principles such as Security by Design, CARVER offers a complementary analytical tool to deepen risk prioritisation. It can be applied during planning, design, operations, change management, or assurance activities. For maximum benefit, infrastructure operators should integrate CARVER scoring into enterprise risk assessments, security uplift programs, resilience planning exercises, and interdependency analysis, ensuring outputs inform investment and risk acceptance decisions.

Ultimately, in a regulatory environment demanding proactive and evidence-based risk reduction, CARVER provides a disciplined, transparent, and justifiable methodology. It enhances clarity on where to allocate limited resources, ensuring the highest-impact vulnerabilities are addressed first—supporting stronger resilience and compliance for Australia’s most critical assets.

Maksym Szewczuk CPP PSP holds a Master’s Degree in Security Studies and is a Security and Design Lead with Bechtel Australia. He was awarded the 2024 OSPA Outstanding Security Manager in Australia.
