CARVER + Shock software5 might look
like Figure 3. Although the steps have
slightly different names than those used
in the HACCP flow diagram due to the
structure of the software, the process
used to identify the production process
for a vulnerability assessment is identical
to the HACCP process.
The CARVER process was originally
developed by the Department of Defense as a target development and vulnerability tool. It was an offensive
methodology adapted to defensive purposes and applied to the Nation’s food
infrastructure and industries following
CARVER is an acronym that relates
six attributes that help define the risk of
a food processing component to attack.
The attributes are the following:
• Criticality - measure of public health
and economic impacts of an attack
• Accessibility - ability to physically ac-
cess and egress from target
• Recuperability - ability of system to re-
cover from an attack
• Vulnerability - ease of accomplishing
• Effect - amount of direct loss from an
attack as measured by loss in produc-
• Recognizability - ease of identifying
“Shock” has been added to the origi-
nal six attributes to assess the combined
health, economic and psychological im-
pacts of an attack within the food indus-
Using the process requires the business to identify the key steps in the production process. The process steps are
then grouped into rooms, buildings and
facilities in accordance with the layout
of the facility. A series of questions are
posed within the software that explores
each component’s overall vulnerability
to intentional contamination based on
the above attributes.
Figure 4: CARVER Software Ranking of
The vulnerability assessment, when
completed, ranks the steps in the production process from most to least risky.
Each attribute is scored from a 1 (low) to
a 10 (high), and the attribute scores are
summed to obtain a total score. Hypothetical scores for the example are shown
in Figure 4. Note that steps 2 and 5 in
the HACCP plan received the highest
scores, identifying them as critical defense points (CDPs).
Assessment for Small
Business and HACCDP
Although the CARVER software is an
extremely useful vulnerability assessment
tool, it is not likely to be as useful for
small businesses as it may be for larger
ones. An alternative method for small
businesses that is compatible with and
builds on HACCP is proposed here by
the authors. It begins with the HACCP
flow diagram and requires someone familiar with that process to assess the vulnerability, accessibility and consequence
of contamination at each step of the
HACCP process. This simplified assessment is conducted for each step in the
HACCP flow diagram. The elements of
the assessment are described below.
Example ratings follow. It is not so
important to use these definitions as it is
to establish definitions that are meaningful for your establishment. Any rating
system used should be documented in
writing. These definitions simply suggest
the kinds of things one may think about
regarding each of the three attributes.
Is this step in your process accessible?
Could a person intent on contamination
or adulteration of your product gain access to the location, station, equipment
or process step depicted in the diagram?
Rate their access as high, moderate, low
High = Easily Accessible (e.g., target
is outside the building and there is no
perimeter fence; limited physical or
human barriers or observation; attacker
has relatively unlimited access to the tar-
get; attack can be carried out using
medium or large volumes of contami-
nant without undue concern of detec-
tion; multiple sources of information
concerning the facility and the target are
Is this step in your process vulnerable? If a person gained access to this
process step, could they successfully
complete an attack? How easy would it
be for an attacker to introduce a chemical, pathogen or other attack agent in
sufficient quantities to achieve their goal
once the target has been reached? Rate
the vulnerability as high, moderate, low
High = Target characteristics allow
for easy introduction of sufficient agents
to achieve aim.
Moderate = Target characteristics
allow reasonably high probability that
sufficient agents can be added to achieve
Low = Target characteristics allow low
probability (e.g., < 10%) that sufficient
agents can be added to achieve aim.
None = There is no possibility of introducing sufficient agents at this location even if it is accessed.
Would the consequences of a successful contamination at this step be severe?