Visualizing cyber security risks with bow-tie diagrams

Category
Journal publication
Abstract
Safety and security risks are usually analyzed independently, by different people using different tools. Consequently, the system analyst may fail to realize cyber attacks as a contributing factor to safety impacts or, on the contrary, design overly secure systems that will compromise the performance of critical operations. This paper presents a methodology for visualizing and assessing security risks by means of bow-tie diagrams, which are commonly used within safety assessments. We outline how malicious activities, random failures, security countermeasures and safety barriers can be visualized using a common graphical notation and propose a method for quantifying risks based on threat likelihood and consequence severity. The methodology is demonstrated using a case study from maritime communication. Our main conclusion is that adding security concepts to the bow-ties is a promising approach, since this is a notation that high-risk industries are already familiar with. However, their advantage as easy-to-grasp visual models should be maintained, hence complexity needs to be kept low.
Client
  • Norges forskningsråd / 256508
Language
English
Affiliation
  • SINTEF Digital / Software Engineering, Safety and Security
  • Norwegian University of Science and Technology
  • SINTEF Ocean / Energi og transport
Year
2018
Published in
Lecture Notes in Computer Science (LNCS)
ISSN
0302-9743
Volume
10744
Page(s)
38 - 56