Bow-Tie Diagram From Threats


Overview

This page displays the Bow-tie diagram from specific Threats. 

In Riskion, we refer to threats, causes, hazards, and sources interchangeably.  While they may have slightly different nuances depending on the context in which they are used, they serve the same purpose -- they are all threats/sources of risk (for Risk Events) or sources of opportunity (for Opportunity Events). In our sample model, we are using the terminology "Source(s)".

The bow-tie diagram for the analysis of the Event "Failed Integration with Failure Monitoring System Network" from source "Public Relations" is displayed below.

The selected Event is displayed at the center of the diagram (circle). Its background color varies based on the event's %risk. 

The Sources of the selected event are displayed on the left side of the diagram (green boxes). 

The Objectives of the selected Event are at the right (blue boxes).

The specific Source ("Human Factor") from which the event is being analyzed is selected from the Likelihood Hierarchy at the left.

You can also define and analyze controls in a bow-tie diagram with controls.

You can view and analyze the following information: 

  • L - Likelihood of Sources 
  • V - Vulnerabilities of events to sources
  • C - Consequences of Events on Objectives
  • P - Priority of Events on Objectives

Focusing on the first source and objective on the diagram:

  1. The Likelihood (L) of the Source "Inadequately Trained Staff" given the source "Human Factor" is 10.47%
  2. The Vulnerability (V) of the Event "Failed Integration with Future Monitoring System Network" from source "Inadequately Trained Staff" is 6.64% 
  3. The Consequence  (C) of the Event "Failed Integration with Future Monitoring System Network" on the Objective "Loss of Company Reputation" is 46.70
  4. The Priority (P) of Objective "Loss of Company Reputation" is 4.28%   (overall or global impact)

The Likelihood of the event to a given source (L*V), and the Impact of the event (C*P) on a given objective are shown on the connecting lines to the source/objective boxes:

  • The Likelihood of the Event  "Failed Integration with Future Monitoring System Network" to the source "Inadequately Trained Staff" given "Human Factor" is 0.69%
  • The Impact of the Event "Failed Integration with Future Monitoring System Network"  on the Objective "Loss of Company Reputation" is 2.0% 

The sum of the event's likelihoods from each source (∑ L*V) is the Likelihood of the Event, and the sum of the event's impacts on each objective (∑ C*P) is the Impact of the Event, both given the selected source.

The event "Failed Integration with Future Monitoring System Network" has a Likelihood and an Impact due to source "Human Factor" of 7.56% and 6.25%, respectively.

The Event's risk is then computed by Likelihood * Impact:

4.51% * 6.25% = 0.28% (as shown at the top of the Event)

You can select another Event to analyze from the Events list pulldown at the top:

and you can select another source by clicking a node from the Likelihood Hierarchy at the left:

Select Participant or Group

The bow-tie for the "All Participants" group is displayed by default. By selecting from the "Participants and Groups" dropdown, you can display the bow-tie analysis for another participant or group:

Define Event Color (Region) 

Default colors are already provided for the events on the diagram based on the event's %risk. 

You can change this by clicking

Here you can specify the limits Rh (risk high) and Rl (risk low), for both percentage and monetary values.

Given the limits, you can specify the 3 regions/colors: 

  • High Risk
  • Mid (in-between) Risk
  • Low Risk

Export Bow-tie to Excel or Image Format

Click to export the bowtie into a .xlsx file. 

Click  link to download the diagram as an image file (.jpeg)

Show Monetary Values

You can show the Monetary Values for Impacts and Risks.

Clicking  will open a modal where you can specify the monetary values. 

Simulated vs Computed Event Likelihoods, Impacts, and Risks (Flaw of Averages)

The risk of an event is the product of the event's likelihood and impact. However, the computed likelihood of an event may depend on the event being caused by more than one threat. If these threats are not mutually exclusive, then the computed likelihood, based on the occurrence of the event from several threats, can exceed the actual likelihood. If in the real world an event takes place due to one threat, it is irrelevant that it would have also occurred due to another threat had the first one not caused the event. This 'if' condition is a non-linearity in computation. To arrive at the actual likelihood of an event, we can use simulations that avoid the 'double counting'.

Similarly, an objective that suffers consequences from one event may also suffer consequences from other events. The consequences can be cumulative, but they cannot exceed the entire value of the objective, so this is another non-linearity that can be addressed with simulation.

Riskion has an option to show computed and simulated results.

Calculated results are displayed by default; checking the Simulated checkbox displays the simulated results.

If all events have at most one threat, or all threats are mutually exclusive,  then the computed and simulated event likelihoods will be the same --  but this is rarely the case.

If each objective has losses due to only one event, then the computed and simulated impacts will be the same -- but this is rarely the case.
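
The difference between computed and simulated results can be reproduced with a small Monte Carlo model. This is an added example, not Riskion's own simulation algorithm: the sample numbers are constructed, and it assumes that sources (and events) occur independently of each other and that consequences are fractions of an objective's value.

```python
import random

# Constructed sample data (not from the Riskion sample model).
# Each source maps to (likelihood L, vulnerability V of the event to it).
SOURCES = {"Source A": (0.60, 0.50), "Source B": (0.50, 0.40), "Source C": (0.30, 0.70)}
# Each event maps to (likelihood, consequence on one objective as a fraction).
EVENTS = {"Event 1": (0.40, 0.70), "Event 2": (0.30, 0.50)}

def computed_likelihood(sources):
    """Sum of L*V over all sources, as shown on the bow-tie connecting lines."""
    return sum(l * v for l, v in sources.values())

def exact_likelihood(sources):
    """P(at least one source causes the event), assuming independent sources."""
    p_none = 1.0
    for l, v in sources.values():
        p_none *= 1.0 - l * v
    return 1.0 - p_none

def simulated_likelihood(sources, trials=100_000, seed=1):
    rng = random.Random(seed)  # fixed seed, so reruns give the same result
    hits = 0
    for _ in range(trials):
        # The event counts once per trial, however many sources would cause it.
        if any(rng.random() < l and rng.random() < v for l, v in sources.values()):
            hits += 1
    return hits / trials

def computed_loss(events):
    """Sum of likelihood * consequence over events, with no cap applied."""
    return sum(p * c for p, c in events.values())

def simulated_loss(events, trials=100_000, seed=1):
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        loss = sum(c for p, c in events.values() if rng.random() < p)
        total += min(loss, 1.0)  # cannot lose more than the whole objective
    return total / trials

if __name__ == "__main__":
    print(f"likelihood: computed {computed_likelihood(SOURCES):.4f}, "
          f"exact {exact_likelihood(SOURCES):.4f}, "
          f"simulated {simulated_likelihood(SOURCES):.4f}")
    print(f"loss:       computed {computed_loss(EVENTS):.4f}, "
          f"simulated {simulated_loss(EVENTS):.4f}")
```

With a single source or a single event in the inputs, the computed and simulated figures converge, which matches the two special cases described above.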

Preferences

Click the button to open the display and simulation settings modal. 

  • Events Numbers - select from ID, Index, or Rank
  • Display Settings
    • Consequences simulation mode: Diluted or Undiluted 
    • WRT calculation (applicable only when a lower node is selected) 
    • Show Total Risk - show or hide the Total Risk below the grid for Diluted
    • Decimals 
    • Show cents of Monetary Values 
  • Simulation Settings
    • Number of trials
    • Seed
    • Keep Seed
    • User Source Groups
    • User Event Groups