Visualizing Cyber Security Risks with Bow-Tie Diagrams

  • Karin Bernsmed
  • Christian Frøystad
  • Per Håkon MelandEmail author
  • Dag Atle Nesheim
  • Ørnulf Jan Rødseth
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10744)


Safety and security risks are usually analyzed independently, by different people using different tools. Consequently, the system analyst may fail to realize cyber attacks as a contributing factor to safety impacts or, on the contrary, design overly secure systems that will compromise the performance of critical operations. This paper presents a methodology for visualizing and assessing security risks by means of bow-tie diagrams, which are commonly used within safety assessments. We outline how malicious activities, random failures, security countermeasures and safety barriers can be visualized using a common graphical notation and propose a method for quantifying risks based on threat likelihood and consequence severity. The methodology is demonstrated using a case study from maritime communication. Our main conclusion is that adding security concepts to the bow-ties is a promising approach, since this is a notation that high-risk industries are already familiar with. However, their advantage as easy-to-grasp visual models should be maintained, hence complexity needs to be kept low.


Security Safety Risk assessment Bow-tie diagrams Maritime communication 



The research leading to these results has been performed as a part of the Cyber Security in Merchant Shipping (CySiMS) project, which received funding from the Research Council of Norway under Grant No. 256508, and the SafeCOP-project, which received funding from the ECSEL Joint Undertaking under Grant No. 692529. We appreciate all the feedback and comments from Professor Guttorm Sindre at NTNU and anonymous reviewers that helped us improve this paper.


  1. 1.
    ISO/IEC 27005 Information technology - Security techniques - Information security risk management. Technical rep. (2008).
  2. 2.
    Digitale Sarbarheter Maritim Sektor: Technical rep. (2015).
  3. 3.
    Andrews, J.D., Moss, T.R.: Reliability and Risk Assessment. Wiley-Blackwell, Hoboken (2002)Google Scholar
  4. 4.
    Banerjee, A., Venkatasubramanian, K.K., Mukherjee, T., Gupta, S.K.S.: Ensuring safety, security, and sustainability of mission-critical cyber-physical systems. Proc. IEEE 100(1), 283–299 (2012)CrossRefGoogle Scholar
  5. 5.
    Bau, J., Mitchell, J.C.: Security modeling and analysis. IEEE Secur. Priv. 9(3), 18–25 (2011)CrossRefGoogle Scholar
  6. 6.
    Bhatti, J., Humphreys, T.: Hostile control of ships via false GPS signals: demonstration and detection. Navigation 64(1), 51–66 (2016)CrossRefGoogle Scholar
  7. 7.
    Bieber, P., Brunel, J.: From safety models to security models: preliminary lessons learnt. In: Bondavalli, A., Ceccarelli, A., Ortmeier, F. (eds.) SAFECOMP 2014. LNCS, vol. 8696, pp. 269–281. Springer, Cham (2014). Google Scholar
  8. 8.
    Byers, D., Ardi, S., Shahmehri, N., Duma, C.: Modeling software vulnerabilities with vulnerability cause graphs. In: Proceedings of the International Conference on Software Maintenance (ICSM 2006), pp. 411–422 (2006)Google Scholar
  9. 9.
    Casey, T.: Threat agent library helps identify information security risks (2007).
  10. 10.
    CGE Risk Management Solutions: Using bowties for it security (2017).
  11. 11.
    Chevreau, F.R., Wybo, J.L., Cauchois, D.: Organizing learning processes on risks by using the bow-tie representation. J. Hazard. Mater. 130(3), 276–283 (2006)CrossRefGoogle Scholar
  12. 12.
    Chockalingam, S., Hadziosmanovic, D., Pieters, W., Teixeira, A., van Gelder, P.: Integrated safety and security risk assessment methods: a survey of key characteristics and applications. arXiv preprint arXiv:1707.02140 (2017)
  13. 13.
    Cimpean, D., Meire, J., Bouckaert, V., Vande Casteele, S., Pelle, A., Hellebooge, L.: Analysis of cyber security aspects in the maritime sector. ENISA, 19 December (2011).
  14. 14.
    Cockshott, J.: Probability bow-ties: a transparent risk management tool. Process Saf. Environ. Prot. 83(4), 307–316 (2005)CrossRefGoogle Scholar
  15. 15.
    De Dianous, V., Fiévez, C.: Aramis project: a more explicit demonstration of risk control through the use of bow-tie diagrams and the evaluation of safety barrier performance. J. Hazard. Mater. 130(3), 220–233 (2006)CrossRefGoogle Scholar
  16. 16.
    DNV-GL AS: Recommended practice. Cyber security resilience management for ships and mobile offshore units in operation (2016). DNVGL-RP-0496Google Scholar
  17. 17.
    Ferdous, R., Khan, F., Sadiq, R., Amyotte, P., Veitch, B.: Analyzing system safety and risks under uncertainty using a bow-tie diagram: an innovative approach. Process Saf. Environ. Prot. 91(1), 1–18 (2013)CrossRefGoogle Scholar
  18. 18.
    Garvey, P.R., Lansdowne, Z.F.: Risk matrix: an approach for identifying, assessing, and ranking program risks. Air Force J. Logistics 22(1), 18–21 (1998)Google Scholar
  19. 19.
    Goldkuhl, G.: Pragmatism vs interpretivism in qualitative information systems research. Eur. J. Inf. Syst. 21(2), 135–146 (2012)CrossRefGoogle Scholar
  20. 20.
    Hall, P., Heath, C., Coles-Kemp, L.: Critical visualization: a case for rethinking how we visualize risk and security. J. Cybersecurity 1(1), 93–108 (2015)Google Scholar
  21. 21.
    Hevner, A.R., March, S.T., Park, J., Ram, S.: Design science in information systems research. MIS Q. 28(1), 75–105 (2004).
  22. 22.
    Paul, H.: Security: Bow Tie for Cyber Security (0x01): Ho... — PI Square (2016).
  23. 23.
    IMO: Revised guidelines for Formal Safety Assessment (FSA) for use in the IMO rule-making process (2013)Google Scholar
  24. 24.
    Jürjens, J.: UMLsec: extending UML for secure systems development. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 412–425. Springer, Heidelberg (2002). CrossRefGoogle Scholar
  25. 25.
    Khakzad, N., Khan, F., Amyotte, P.: Dynamic risk analysis using bow-tie approach. Reliab. Eng. Syst. Saf. 104, 36–44 (2012)CrossRefGoogle Scholar
  26. 26.
    Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Foundations of attack–defense trees. In: Degano, P., Etalle, S., Guttman, J. (eds.) FAST 2010. LNCS, vol. 6561, pp. 80–95. Springer, Heidelberg (2011). CrossRefGoogle Scholar
  27. 27.
    Kriaa, S., Pietre-Cambacedes, L., Bouissou, M., Halgand, Y.: A survey of approaches combining safety and security for industrial control systems. Reliab. Eng. Syst. Saf. 139, 156–178 (2015)CrossRefGoogle Scholar
  28. 28.
    Kumar, R., Stoelinga, M.: Quantitative security and safety analysis with attack-fault trees. In: 2017 IEEE 18th International Symposium on High Assurance Systems Engineering (HASE), pp. 25–32. IEEE (2017)Google Scholar
  29. 29.
    Lee, W.S., Grosh, D.L., Tillman, F.A., Lie, C.H.: Fault tree analysis, methods, and applications; a review. IEEE Trans. Reliab. 34(3), 194–203 (1985)CrossRefzbMATHGoogle Scholar
  30. 30.
    Lund, M.S., Solhaug, B., Stølen, K.: Model-Driven Risk Analysis: The CORAS Approach. Springer, Heidelberg (2010). zbMATHGoogle Scholar
  31. 31.
    Mauw, S., Oostdijk, M.: Foundations of attack trees. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 186–198. Springer, Heidelberg (2006). CrossRefGoogle Scholar
  32. 32.
    Meland, P.H., Gjære, E.A.: Representing threats in BPMN 2.0. In: 2012 Seventh International Conference on Availability, Reliability and Security (ARES), pp. 542–550. IEEE (2012)Google Scholar
  33. 33.
    Meland, P.H., Tøndel, I.A., Jensen, J.: Idea: reusability of threat models – two approaches with an experimental evaluation. In: Massacci, F., Wallach, D., Zannone, N. (eds.) ESSoS 2010. LNCS, vol. 5965, pp. 114–122. Springer, Heidelberg (2010). CrossRefGoogle Scholar
  34. 34.
    Michel, C.D., Thomas, P.F., Tucci, A.E.: Cyber Risks in the Marine Transportation System. The U.S. Coast Guard ApproachGoogle Scholar
  35. 35.
    Mohr, R.: Evaluating cyber risk in engineering environments: a proposed framework and methodology. SANS Institute (2016).
  36. 36.
    Nesheim, D., Rødseth, Ø., Bernsmed, K., Frøystad, C., Meland, P.: Risk model and analysis. Technical rep., CySIMS (2017)Google Scholar
  37. 37.
    NevilleClarke: Taking-off with BowTie (2013).
  38. 38.
    Ni, H., Chen, A., Chen, N.: Some extensions on risk matrix approach. Saf. Sci. 48(10), 1269–1278 (2010)CrossRefGoogle Scholar
  39. 39.
    Nielsen, D.S.: The cause/consequence diagram method as a basis for quantitative accident analysis. Technical rep., Danish Atomic Energy Commission (1971)Google Scholar
  40. 40.
    Phillips, C., Swiler, L.P.: A graph-based system for network-vulnerability analysis. In: Proceedings of the 1998 Workshop on New Security Paradigms, pp. 71–79. ACM (1998)Google Scholar
  41. 41.
    Piètre-Cambacédès, L., Bouissou, M.: Cross-fertilization between safety and security engineering. Reliab. Eng. Syst. Saf. 110, 110–126 (2013)CrossRefGoogle Scholar
  42. 42.
    Raspotnig, C., Karpati, P., Katta, V.: A combined process for elicitation and analysis of safety and security requirements. In: Bider, I., Halpin, T., Krogstie, J., Nurcan, S., Proper, E., Schmidt, R., Soffer, P., Wrycza, S. (eds.) BPMDS/EMMSAD -2012. LNBIP, vol. 113, pp. 347–361. Springer, Heidelberg (2012). CrossRefGoogle Scholar
  43. 43.
    Ruijters, E., Stoelinga, M.: Fault tree analysis: a survey of the state-of-the-art in modeling, analysis and tools. Comput. Sci. Rev. 15, 29–62 (2015)MathSciNetCrossRefzbMATHGoogle Scholar
  44. 44.
    Santamarta, R.: A wake-up call for satcom security. Technical White Paper (2014)Google Scholar
  45. 45.
    Schneier, B.: Attack trees. Dr. Dobbs J. 24(12), 21–29 (1999)Google Scholar
  46. 46.
    Sha, L., Gopalakrishnan, S., Liu, X., Wang, Q.: Cyber-physical systems: a new frontier. In: IEEE International Conference on Sensor Networks, Ubiquitous and Trustworthy Computing, SUTC 2008, pp. 1–9. IEEE (2008)Google Scholar
  47. 47.
    Shostack, A.: Threat Modeling: Designing for Security. Wiley (2014)Google Scholar
  48. 48.
    Simon, H.A.: The Sciences of the Artificial. MIT Press, Cambridge (1996)Google Scholar
  49. 49.
    Sindre, G., Opdahl, A.L.: Eliciting security requirements with misuse cases. Requirements Eng. 10(1), 34–44 (2005)CrossRefGoogle Scholar
  50. 50.
    Sun, M., Mohan, S., Sha, L., Gunter, C.: Addressing safety and security contradictions in cyber-physical systems. In: Proceedings of the 1st Workshop on Future Directions in Cyber-Physical Systems Security (CPSSW 2009) (2009)Google Scholar
  51. 51.
    Viscusi, W.K., Aldy, J.E.: The value of a statistical life: a critical review of market estimates throughout the world. J. Risk Uncertainty 27(1), 5–76 (2003)CrossRefzbMATHGoogle Scholar
  52. 52.
    Winther, R., Johnsen, O.-A., Gran, B.A.: Security assessments of safety critical systems using HAZOPs. In: Voges, U. (ed.) SAFECOMP 2001. LNCS, vol. 2187, pp. 14–24. Springer, Heidelberg (2001). CrossRefGoogle Scholar
  53. 53.
    Zalewski, J., Drager, S., McKeever, W., Kornecki, A.J.: Towards experimental assessment of security threats in protecting the critical infrastructure. In: Proceedings of the 7th International Conference on Evaluation of Novel Approaches to Software Engineering, ENASE 2012, Wroclaw, Poland (2012)Google Scholar

Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  • Karin Bernsmed
    • 1
  • Christian Frøystad
    • 1
  • Per Håkon Meland
    • 1
    • 3
    Email author
  • Dag Atle Nesheim
    • 2
  • Ørnulf Jan Rødseth
    • 2
  1. 1.SINTEF DigitalTrondheimNorway
  2. 2.SINTEF OceanTrondheimNorway
  3. 3.Norwegian University of Science and TechnologyTrondheimNorway

Personalised recommendations