Risk Analysis: Different Methods Produce Varying Insights to Address Potential Risk
The bow tie analysis method visually depicts the pathway from a risk event to its potential consequences (Hatch, 2018). This approach allows for quick communication of the relationship between risks, controls, and outcomes. By identifying the threat, preventative control, hazard, mitigative controls, and the consequence, the diagram quickly conveys all of the necessary information to understand the big picture. Optional color coding can convey more granular information to managers or stakeholders.
"Managing Cyber Security Risks using Bowties" provides an excellent example of a bow tie diagram for sensitive information data in use and for unauthorized access to online confidential data (Moar, 2017). This approach shows the problems that can occur, their consequences, and how to mitigate the risk on a visual diagram. The bow tie diagram provides value by conveying meaning regarding a particular hazard. This problem-solving approach would also be useful in responding to a business concern from management by visually laying out the problems to discuss an appropriate scenario and solution as a group. This allows groups to discuss complex issues in a productive and intuitive manner.
Alternatively, the Delphi method provides an iterative approach to risk analysis by anonymously asking for expert opinions through questionnaires, repeating the rounds until a consensus is reached (Chowdhury et al., 2022). This approach allows experts to identify and prioritize risk while avoiding influence from other experts or employees. The journal suggests an important difference between the Delphi method and the bow tie analysis method. The Delphi method provides speculation from expert feedback in an easy-to-understand academic format from multiple field experts where concrete data is lacking, whereas the bow tie method addresses quantified risks.
Because the visually presented bow tie method gives team members a general understanding of risks, causes, consequences, and preventative and mitigative controls, it is often used for detailed risk assessment and management to provide a starting place for discussion. The Delphi method lacks visuals and provides added expert support to analysis used for strategic decision-making on uncertain scenarios. Each approach provides a different perspective for analysis.
When looking at Delphi, the focus is to identify expert analysis to apply to a risk situation that lacks concrete data. When looking at Markov analysis, the focus is to prioritize risk based on the probability of harm in the future. The bow tie analysis method considers a risk scenario and analyzes the cause and effect. The fault tree analysis identifies the causes of system failures. The OCTAVE approach identifies the organization’s information security risks.
While many approaches provide insight into risk analysis, the methods vary in application. Some methods work better at different moments in the risk assessment process. For example, the bow tie analysis provides a starting place for discussion, whereas the Delphi method provides further insight into areas of the discussion that lack depth. These methods should be carefully studied to create a comprehensive toolbelt for addressing risk at any stage of the risk assessment.
References:
Chowdhury, N., Katsikas, S., & Gkioulos, V. (2022). Modeling effective cybersecurity training frameworks: A Delphi method-based study. Computers & Security, 113, 102551. https://doi.org/10.1016/j.cose.2021.102551
Hatch, D. (2018). Bowtie Analysis and Barrier-Based Risk Management. ISPE. https://ispe.org/pharmaceutical-engineering/january-february-2018/bowtie-analysis-and-barrier-based-risk-management
Moar, P. (2017, April 19). Managing Cyber Security Risks using Bowties. CGE Risk Management. https://www.wolterskluwer.com/en/expert-insights/managing-cyber-security-risks-using-bowties