Visualizing Cyber Security Risks with Bow-Tie Diagrams
Journal article, Peer reviewed
Accepted version
Permanent lenke
http://hdl.handle.net/11250/2490014Utgivelsesdato
2018Metadata
Vis full innførselSamlinger
- Publikasjoner fra CRIStin - SINTEF AS [5911]
- SINTEF Digital [2550]
Sammendrag
Safety and security risks are usually analyzed independently, by different people using different tools. Consequently, the system analyst may fail to realize cyber attacks as a contributing factor to safety impacts or, on the contrary, design overly secure systems that will compromise the performance of critical operations. This paper presents a methodology for visualizing and assessing security risks by means of bow-tie diagrams, which are commonly used within safety assessments. We outline how malicious activities, random failures, security countermeasures and safety barriers can be visualized using a common graphical notation and propose a method for quantifying risks based on threat likelihood and consequence severity. The methodology is demonstrated using a case study from maritime communication. Our main conclusion is that adding security concepts to the bow-ties is a promising approach, since this is a notation that high-risk industries are already familiar with. However, their advantage as easy-to-grasp visual models should be maintained, hence complexity needs to be kept low.