Bow-tie diagrams are a simple and effective tool for communicating risk scenarios and assessment results to employees at all levels.
A bow-tie diagram shows, from left to right, the potential causes of a major incident, the preventive controls that stop those causes from triggering it, the incident itself at the centre of the bow-tie, the mitigative controls that limit its impact, and the resulting consequences. The general structure of a bow-tie diagram is represented in the diagram below.
For cyber risk scenarios, bow-tie diagrams can be integrated with quantitative analysis models such as FAIR.
Jack Jones, the original author of FAIR, says that quantifying cyber risk requires two models:
- A scenario model such as the bow-tie, to define clearly the risk scenario that is the object of the analysis
- A risk analysis model such as FAIR, to quantify the loss exposure that scenario creates.
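The following is an added example (not code from the page, the FAIR Institute or Jack Jones) of how the two models fit together: the bow-tie supplies the scenario (causes, controls on each side of the top event, consequences) and a FAIR-style rollup turns it into loss exposure. It collapses FAIR to its top-level factors (loss event frequency = threat event frequency x vulnerability; annualised loss = frequency x loss magnitude) and makes several assumptions of its own: preventive controls reduce the probability that a threat event becomes a loss event, mitigative controls reduce loss magnitude, controls fail independently, estimates are triangular (min, most likely, max) ranges, and event counts per year are Poisson. The scenario values are constructed for illustration and do not come from any real assessment.

```python
"""Bow-tie scenario mapped onto FAIR's top-level factors, with a Monte Carlo
estimate of annualised loss exposure. Added illustration, not FAIR Institute
code. Control mapping (preventive -> vulnerability, mitigative -> loss
magnitude) and independence of controls are assumptions."""
from dataclasses import dataclass, replace
import math
import random
import statistics


@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: float  # fraction of events (preventive) or loss (mitigative) removed, 0..1


@dataclass(frozen=True)
class Cause:
    """Left side of the bow-tie: a threat event that can lead to the top event."""
    name: str
    tef_per_year: tuple  # (min, most likely, max) threat event frequency
    preventive: tuple    # Controls sitting between this cause and the top event


@dataclass(frozen=True)
class Consequence:
    """Right side of the bow-tie: a loss outcome, in currency units per event."""
    name: str
    loss: tuple          # (min, most likely, max)
    mitigative: tuple    # Controls sitting between the top event and this outcome


@dataclass(frozen=True)
class BowTie:
    top_event: str
    causes: tuple
    consequences: tuple


def residual(controls):
    """Fraction of events or loss that survives a set of controls (assumes independence)."""
    out = 1.0
    for c in controls:
        out *= 1.0 - c.effectiveness
    return out


def point_estimate(bt):
    """Most-likely-value rollup: LEF = TEF x vulnerability, ALE = LEF x LM."""
    lef = sum(c.tef_per_year[1] * residual(c.preventive) for c in bt.causes)
    lm = sum(q.loss[1] * residual(q.mitigative) for q in bt.consequences)
    return {"lef": lef, "lm": lm, "ale": lef * lm}


def strip_controls(bt):
    """The same scenario with every control removed, i.e. inherent risk."""
    return BowTie(bt.top_event,
                  tuple(replace(c, preventive=()) for c in bt.causes),
                  tuple(replace(q, mitigative=()) for q in bt.consequences))


def _poisson(lam, rng):
    """Knuth's algorithm; adequate for the small per-year rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def _tri(rng, bounds):
    lo, ml, hi = bounds
    return rng.triangular(lo, hi, ml)  # random.triangular takes (low, high, mode)


def simulate(bt, runs=10_000, seed=1):
    """Annual loss for each simulated year: per cause, draw a loss event frequency,
    a Poisson event count at that rate, then a loss magnitude for every event."""
    rng = random.Random(seed)
    years = []
    for _ in range(runs):
        total = 0.0
        for cause in bt.causes:
            lef = _tri(rng, cause.tef_per_year) * residual(cause.preventive)
            for _ in range(_poisson(lef, rng)):
                total += sum(_tri(rng, q.loss) * residual(q.mitigative)
                             for q in bt.consequences)
        years.append(total)
    return years


def summarize(losses):
    s = sorted(losses)
    return {"mean": statistics.fmean(s),
            "median": s[len(s) // 2],
            "p90": s[int(0.9 * (len(s) - 1))]}


# Constructed scenario: values are illustrative, not from any real assessment.
SCENARIO = BowTie(
    top_event="Ransomware encrypts the file servers",
    causes=(
        Cause("Phishing leads to credential theft", (2, 6, 12),
              (Control("MFA on remote access", 0.8), Control("Mail filtering", 0.5))),
    ),
    consequences=(
        Consequence("Business interruption", (100_000, 500_000, 2_000_000),
                    (Control("Tested offline backups", 0.7),)),
        Consequence("Response and recovery", (50_000, 150_000, 400_000), ()),
    ),
)

if __name__ == "__main__":
    for label, bt in (("inherent", strip_controls(SCENARIO)), ("residual", SCENARIO)):
        print(label, point_estimate(bt), summarize(simulate(bt)))
```

Running it prints the inherent (no controls) and residual rollups side by side, which is the comparison a bow-tie is meant to support: the left-hand controls cut loss event frequency from about 6 to 0.6 per year and the right-hand control cuts the most likely per-event loss from 650,000 to 300,000, so the point estimate falls from 3.9M to 180,000 per year, while the Monte Carlo percentiles show how much of the exposure sits in the tail. A real FAIR analysis calibrates those ranges with structured estimation and uses PERT rather than triangular distributions, and decomposes frequency and magnitude further than this sketch does.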
In the award-winning book he co-authored with Jack Freund, Measuring and Managing Information Risk: A FAIR Approach, Jack Jones proposes a simpler, linear representation of the bow-tie in the form of the following diagram.