A quantitative bow-tie cyber risk classification and assessment framework

Figures & data

Table 1. Brief description of IT-based risk/threat/maturity models, their advantage and disadvantages, and their relation to our proposed QBowtie model.

Framework	Brief Description	Pros.	Cons.	Relation to QBowtie
CVSS (Common Vulnerability Scoring System)	A standard for assessing the severity of the cyber vulnerabilities in the scale of 1 to 10	Comprehensive scoring system for vulnerabilities with an overall look for different aspects of a cyber vulnerability	It is not designed to score/classify risks. Risk is a more general concept which arises from threats to assets with vulnerabilities.	QBowtie can utilise the knowledge base of CVSS in scoring threats and escalators.
FAIR (Factor Analysis of Information Risk)	FAIR is a methodology to quantify factors relating to its risk.	It presents a structure to the taxonomy of risk factors with a methodology to quantify them.	It is not a risk assessment method.	Qbowtie can take advantage of FAIR in quantifying threats and controls.
NIST SP800 (National Institute of Standards and Technology, Special Publication)	NIST is a cybersecurity risk framework. NIST SP800 is a comprehensive countermeasure/control list for cyber threats.	It can assist companies to define adequate controls regarding their cyber vulnerabilities.	The catalogue does not provide a way to quantify the effect of controls.	QBowtie looks at the risk problem itself. Quantifying countermeasures is a part of QBowtie.
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)	A comprehensive risk assessment and evaluation procedure with four phases, from risk measurement criteria selection to identifying mitigation approaches	All the processes of IT risk assessment and evaluation are considered in OCTAVE.	Not presenting details of each step in each phase can become a problem in different areas of the IT industry.	QBowtie can be used as a risk quantification tool within OCTAVE.
CMMI (Capability Maturity Model Integration)	A 5 level maturity model that guides organisations through best case studies for continuous improvement of production methods, especially in software development.	It is a comprehensive process that sees everything regarding production maturity.	The risk management is considered as a step in the third maturity level, but no obligations are considered for the chosen method.	QBowtie can be used in maturity level 3 of CMMI as a part of the risk management phase.
TARA (Threat Agent Risk Assessment)	A threat identification/ranking and filtering methodology that prioritises mitigations regarding the importance of the threats.	It is well-structured with knowledge libraries for threat and exposure identification.	It is not designed for risk classification.	It can be used in the bow-tie analysis of QBowtie to identify threats.
CORAS	A security risk analysis framework with programming language and tools based on Unified Modelling Language (UML)	It has step by step processes from threat and risk identifications to treatments.	It does not go through details on how to find threats. This method’s utilities and documents have not been updated since 2014.	Advantage of QBowtie is that it utilises a bow-tie framework to identify every component related to risks.
IoTMM (Internet of Things Maturity Model)	A maturity model for the Internet of Things in 5 levels	Concentration on IoT design and implementation	(1) No precise methodology for risk assessment (2) Reliable quality of service is mentioned in level 3 maturity.	QBowtie can take advantage of IoTMM when identifying threats and barriers in IoT systems
OWASP (Open Web Application Security Project)	Documents, checklists, and recommendations in the field of web application security	A comprehensive look at all the threats/vulnerabilities of web platform productions.	The concentration is both on web and threats, not the risks/events.	QBowtie can take advantage of OWASP when identifying threats and barriers in web applications.

Figure 1. Outline of QBowtie method for risk classification.

Table 2. Additional Industry Loadings. (AIG and Claims Intelligence Series 2016).

Industry Rank	Sector	% of Claims	Likelihood Rating (L)
1	Financial Services	23%	(STL + 23%)
2	Communications & Technology	18%	(STL + 18%)
3	Retail	17%	(STL + 17%)
4	Business Services	9%	(STL + 9%)
5	Manufacturing/Healthcare/Other	8%	(STL + 8%)

Table 3. Additional Severity Loading by Sector. Data Source: (Ponemon Institute 2020).

Industry Rank	Sector	Ind. Cost per Capita	Severity Rating (S)
1	Healthcare Financial Services	25%	(SIS + 25%)
2	Financial Services	20%	(SIS + 20%)
3	Business Services	15%	(SIS + 15%)
4	Education & Life Sciences	10%	(SIS +10%)
5	Retail/Communications/ Technology /Manufacturing/Other	5%	(SIS + 5%)

Figure 2. Experts median scores for threat barriers.

Figure 3. Experts median scores for threat escalators.

Figure 4. Experts median scores for consequence barriers.

Figure 5. Experts median scores for consequence escalators.

Figure 6. Left hand side of bow-tie diagram for top event Data Breach illustrating threats (rectangles), barriers (ovals) and escalators (hexagons).

Figure 7. Right hand side of Bowtie diagram for top event Data Breach illustrating consequences (rectangles), barriers (ovals) and escalators (hexagons).

Figure 8. Cyber risk Matrix. The Threat is on the vertical axis, while the severity is on the horizontal. The combined score is mapped to a quadrant, and the top right represents the riskiest company, while the bottom left represents the least risky company.

Ponemon Institute 2020. “Cost of Data Breach Study: Global Overview.” https://www.ibm.com/security/data-breach. [Online; accessed 15-May-2020].

 Google Scholar