Visualizing Cyber Security Risks with Bow-Tie Diagrams
Journal article, Peer reviewed
Accepted version
View/ Open
Date
2018-01-19Metadata
Show full item recordCollections
- Publikasjoner fra CRIStin - SINTEF Ocean [1412]
- SINTEF Digital [2550]
- SINTEF Ocean [1489]
Abstract
Safety and security risks are usually analyzed independently, by different people using different tools. Consequently, the system analyst may fail to realize cyber attacks as a contributing factor to safety impacts or, on the contrary, design overly secure systems that will compromise the performance of critical operations. This paper presents a methodology for visualizing and assessing security risks by means of bow-tie diagrams, which are commonly used within safety assessments. We outline how malicious activities, random failures, security countermeasures and safety barriers can be visualized using a common graphical notation and propose a method for quantifying risks based on threat likelihood and consequence severity. The methodology is demonstrated using a case study from maritime communication. Our main conclusion is that adding security concepts to the bow-ties is a promising approach, since this is a notation that high-risk industries are already familiar with. However, their advantage as easy-to-grasp visual models should be maintained, hence complexity needs to be kept low.