ID: I202602091617
Status: idea
Tags: Diagrams, Cybersecurity
bow-tie diagram
A "bowtie" is a diagram that visualizes the risk you are dealing with in one easy-to-understand picture. The diagram is shaped like a bow-tie, creating a clear differentiation between proactive risk management (the left side, before control is lost) and reactive risk management (the right side, after it). The power of a bowtie diagram is that it gives you an overview of multiple plausible scenarios in a single picture. In short, it provides a simple, visual explanation of a risk that would be much harder to explain otherwise.
Components
Hazard
The start of any bowtie diagram is the hazard. A hazard is something in, around or part of the organization which has the potential to cause damage. Working with hazardous substances, driving a car or storing sensitive data are, for instance, hazardous aspects of an organization, while reading this article on your computer is not. The idea of a hazard is to find the things that are part of your organization and could have a negative impact if control over that aspect is lost. Examples:
- Explosive Material in the facility
- Working at height
- Driving a car
- Standalone PCs and Laptops
Top Event
Once the hazard is chosen, the next step is to define the top event: the moment when control over the hazard is lost. There is no damage or negative impact yet, but it is imminent, so the top event is placed just before events start causing actual damage. Exactly which moment counts as losing control is, to a large extent, a subjective and pragmatic choice, and the top event is often reformulated after the rest of the bowtie is finished. Don't worry too much about the formulation at the beginning: start with a generic "loss of control" and revisit it a couple of times during the bowtie process to sharpen it.
Examples:
| Hazard | Top event |
|---|---|
| Explosive Material in the facility | Explosive Material is ignited |
| Working at height | Person falls from height |
| Driving a car | Losing control over the car |
| Standalone PCs and Laptops | Unauthorized Access |
In general, you do not want the top event to happen: it is the point after which the scenario starts causing actual damage.
Threats
"Threats" are whatever will cause your top event; there can be multiple threats. Try to avoid generic formulations like "human error", "equipment failure" or "weather conditions". What does a person actually do to cause the top event? Which piece of equipment fails? What kind of weather, and what does the weather affect? You can be too specific as well, but people generally tend to be too generic. Taking the "Driving a car" hazard with the "Losing control over the car" top event, we can think of these threats:
- Intoxicated driving
- Driver loses attention because of his smartphone
- A tire blowout
- Slippery road conditions
There are more you can come up with in this situation, such as the driver falling asleep; they are left out here because this article only explains the concept.
Consequences
"Consequences" are the results of the top event; there can be more than one consequence for every top event. As with threats, people tend to focus on generic categories instead of describing specific events. Try not to write injury/fatality, asset damage, environmental damage, reputation damage or financial damage: those are broad categories of damage rather than specific consequence events. Describe events like "car roll over", "oil spill into sea" or "toxic cloud forms". Besides carrying more specific information, this helps you think more concretely when coming up with barriers: compare how you would prevent "environmental damage" with how you would prevent an "oil spill into sea". The second is an actual scenario, which makes it much easier to come up with specific barriers.
Barriers
Now that we have identified and drawn out the unwanted scenarios, it's time to look at how to control these scenarios as an organization. This is done using "barriers".
Control and Recovery Barriers
Barriers in the bowtie appear on both sides of the top event. Barriers on the left (control) side interrupt the scenario so that a threat does not occur or, if it does, does not lead to loss of control (the top event). Barriers on the right (recovery) side make sure that, once the top event has happened, the scenario does not escalate into an actual impact (the consequences), or they mitigate that impact.
There are different types of barriers, mainly combinations of human behavior and/or hardware/technology. Once the barriers are identified, you have a basic understanding of how the risk is managed. You can build on this basic barrier structure to deepen your understanding of where the strengths and weaknesses are:
- Beside barrier type, barriers can be classified and assessed on, for instance, barrier effectiveness: how well a barrier performs, or is expected to perform, based on available data and/or expert judgment.
- The activities you have specified to implement and maintain your barriers can be attached to them. This essentially means mapping your Safety Management System (SMS) onto the barriers.
- You can determine who is responsible for a barrier and assess its criticality in the context of all other related information.
Ultimately, linking and visualizing all this information on a barrier gives you a holistic overview of your safety measures, with the relevant metadata, in the context of your risk scenarios.
Escalation factors & Escalation factor barriers
Barriers are never perfect; even the best hardware barrier can fail. Given this, what you need to know is why a barrier will fail. This is captured in an "escalation factor": anything that will make a barrier fail can be described as one. For instance, a door that opens and closes automatically using an electrical mechanism might fail if there is a power failure.
Warning: be careful with escalation factors. Do not describe every potential failure mode; only describe the real weaknesses of your control framework and how you want to manage them.
The logical next step to manage escalation factors is to create barriers for your escalation factors, aptly named "escalation factor barriers". In this case, it could be a backup generator.
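To make the structure above concrete, here is the "Driving a car" bowtie from this note as a small Python model. This is an added example, not code from the original note or from BowTieXP. The hazard, top event, four threats and the "car roll over" consequence come from the text; the barriers, the escalation factors and the second consequence are constructed for illustration. `audit()` reports the weaknesses you would look for after drawing the diagram (a threat or consequence line with no barrier at all, and an escalation factor with no escalation factor barrier), and `to_dot()` emits Graphviz DOT so the same data can be rendered as a picture.

```python
from dataclasses import dataclass, field


@dataclass
class Barrier:
    name: str
    # escalation factor -> escalation factor barriers managing it (empty list = unmanaged)
    escalation_factors: dict[str, list[str]] = field(default_factory=dict)


@dataclass
class Node:
    """A threat (left of the top event) or a consequence (right of it) with its barriers."""
    name: str
    barriers: list[Barrier] = field(default_factory=list)


@dataclass
class Bowtie:
    hazard: str
    top_event: str
    threats: list[Node] = field(default_factory=list)
    consequences: list[Node] = field(default_factory=list)


def audit(bt: Bowtie) -> list[str]:
    """Report scenario lines with no barrier and escalation factors nothing manages."""
    findings = []
    for side, nodes in (("threat", bt.threats), ("consequence", bt.consequences)):
        for node in nodes:
            if not node.barriers:
                findings.append(f"{side} '{node.name}' has no barrier")
            for b in node.barriers:
                for factor, ef_barriers in b.escalation_factors.items():
                    if not ef_barriers:
                        findings.append(
                            f"barrier '{b.name}' ({side} '{node.name}'): "
                            f"escalation factor '{factor}' has no escalation factor barrier"
                        )
    return findings


def to_dot(bt: Bowtie) -> str:
    """Graphviz DOT, left to right: threat -> control barriers -> top event -> recovery barriers -> consequence."""
    out = [
        "digraph bowtie {",
        "  rankdir=LR;",
        f'  hazard [label="Hazard: {bt.hazard}", shape=box];',
        f'  top [label="{bt.top_event}", shape=circle];',
        "  hazard -> top [style=dotted];",
    ]
    counter = 0

    def chain(start: str, barriers: list[Barrier], end: str) -> None:
        nonlocal counter
        prev = start
        for b in barriers:
            counter += 1
            bid = f"b{counter}"
            out.append(f'  {bid} [label="{b.name}", shape=box, style=filled];')
            for factor in b.escalation_factors:  # dashed edge: what can defeat this barrier
                counter += 1
                out.append(f'  e{counter} [label="{factor}", shape=note];')
                out.append(f"  e{counter} -> {bid} [style=dashed];")
            out.append(f"  {prev} -> {bid};")
            prev = bid
        out.append(f"  {prev} -> {end};")  # unbarriered lines connect directly

    for i, t in enumerate(bt.threats):
        out.append(f'  t{i} [label="{t.name}", shape=ellipse];')
        chain(f"t{i}", t.barriers, "top")
    for i, c in enumerate(bt.consequences):
        out.append(f'  c{i} [label="{c.name}", shape=ellipse];')
        chain("top", c.barriers, f"c{i}")
    out.append("}")
    return "\n".join(out)


def car_bowtie() -> Bowtie:
    """Bowtie from the text; barriers, escalation factors and 2nd consequence are constructed."""
    return Bowtie(
        hazard="Driving a car",
        top_event="Losing control over the car",
        threats=[
            Node("Intoxicated driving",
                 [Barrier("Alcohol interlock", {"Interlock started by a sober passenger": []})]),
            Node("Driver loses attention because of his smartphone",
                 [Barrier("Phone in do-not-disturb-while-driving mode")]),
            Node("A tire blowout",
                 [Barrier("Tire pressure monitoring", {"Sensor battery dead": ["Annual sensor check"]})]),
            Node("Slippery road conditions"),  # no control barrier yet: audit() flags it
        ],
        consequences=[
            Node("Car roll over", [Barrier("Electronic stability control"), Barrier("Seat belts worn")]),
            Node("Collision with oncoming traffic"),  # no recovery barrier yet: audit() flags it
        ],
    )


if __name__ == "__main__":
    bt = car_bowtie()
    for finding in audit(bt):
        print("FINDING:", finding)
    print(to_dot(bt))  # pipe into: dot -Tpng -o car-bowtie.png
```

The audit deliberately only flags the two structural gaps the text warns about (a scenario line with nothing on it, and an escalation factor you wrote down but never managed); it says nothing about barrier effectiveness, which needs data or expert judgment rather than a graph check.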
Applications
BowTieXP
BowTieXP is the most used application to create a bowtie diagram, but it cannot be run natively on Linux; you would have to use Wine or a VM.