CARVER stands for Criticality, Accessibility, Recoverability, Vulnerability, Effect and Recognizability. It’s a system used by Special Forces to assess targets and decide which one needs to be addressed first. Let me write down what each component means in terms of information security:
Criticality: The target value. How vital is this to the overall organization? A target is critical when its compromise or destruction (failure to provide any of the CIA triad components) has a highly significant impact on the overall organization.
Accessibility: How easily can I reach the target? What are the defenses? Do I need an insider? Is the target computer off the internet?
Recoverability: How long will it take for the organization to replace, repair, or bypass the destruction or damage caused to the target?
Vulnerability: What degree of knowledge is needed to exploit the target? Can I use known exploits, or should I invest in new, possibly zero-day, exploits?
Effect: What’s the impact of the attack on the organization? Similar to the first point (Criticality), this point should also analyze possible reactions from the organization.
Recognizability: Can I identify the target as such? How easy is it to recognize that a specific system / network / device is the target and not a security countermeasure? Is it visible to customers?
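As an added illustration (not code from the original post), here is a small Python scoring matrix that applies the six criteria to a constructed asset inventory and ranks the results so a defender can see which assets deserve hardening and recovery planning first. It assumes a 1-5 scale per criterion, which the post does not specify; the asset names and scores are hypothetical.

```python
# Added example, not from the original post: a CARVER scoring matrix used from
# the defender's side to rank which assets to protect first.
# Assumption: each criterion is scored 1-5 (the post gives no scale); a higher
# value means the asset is more attractive or more damaging if compromised.

CRITERIA = ("criticality", "accessibility", "recoverability",
            "vulnerability", "effect", "recognizability")
SCALE_MIN, SCALE_MAX = 1, 5


def carver_score(scores, weights=None):
    """Return the total CARVER score for one asset.

    scores:  dict mapping every criterion name to an integer on the scale.
    weights: optional per-criterion multipliers (default 1.0), e.g. to stress
             Criticality when ranking defensive work.
    Raises ValueError on a missing criterion or an out-of-range value.
    """
    weights = weights or {}
    total = 0.0
    for name in CRITERIA:
        if name not in scores:
            raise ValueError(f"missing criterion: {name}")
        value = scores[name]
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{name}={value} outside {SCALE_MIN}-{SCALE_MAX}")
        total += value * weights.get(name, 1.0)
    return total


def rank_assets(assets, weights=None):
    """Rank assets (name -> criterion scores), highest CARVER total first.

    The top entries are the ones an adversary would favour, so their defenses
    and recovery plans are the ones to review first.
    """
    ranked = [(name, carver_score(s, weights)) for name, s in assets.items()]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


# Constructed sample inventory: hypothetical assets with hypothetical scores.
SAMPLE_ASSETS = {
    "customer-db": {"criticality": 5, "accessibility": 2, "recoverability": 4,
                    "vulnerability": 3, "effect": 5, "recognizability": 4},
    "marketing-site": {"criticality": 2, "accessibility": 5, "recoverability": 1,
                       "vulnerability": 3, "effect": 2, "recognizability": 5},
    "build-server": {"criticality": 4, "accessibility": 3, "recoverability": 3,
                     "vulnerability": 4, "effect": 4, "recognizability": 2},
}

if __name__ == "__main__":
    for name, score in rank_assets(SAMPLE_ASSETS):
        print(f"{score:5.1f}  {name}")
```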