A quantitative bow-tie cyber risk classification and assessment framework

Research output: Contribution to journal › Article › peer-review

Abstract

Cyber-attacks pose a growing threat to global commerce that is increasingly reliant on digital technology to conduct business. Traditional risk assessment and underwriting practices face serious shortcomings when confronted with cyber threats. Conventional assessment frameworks rate risk based on the historical frequency and severity of losses incurred. This method is effective for known risks; however, due to the absence of historical data, it proves ineffective for assessing cyber risk. This paper proposes a conceptual cyber risk classification and assessment framework, designed to demonstrate the significance of proactive and reactive barriers in reducing companies’ exposure to cyber risk and to quantify the risk. This method combines a bow-tie model with a risk matrix to produce a rating based on the likelihood of a cyber-threat occurring and the potential severity of the resulting consequences. The model can accommodate historical data, expert opinion and previously known frameworks to score the Threats, Barriers and Escalators for the framework. The resultant framework is applied to a large city hospital in Europe. The results highlighted both cyber weaknesses and actions that should be taken to bolster cyber defences. The results provide a quick visual guide that is accessible to both experts and management. The framework also provides a practical tool that allows insurers to assess risks, visualise areas of concern and record the effectiveness of implementing control barriers.

Original language: English
Pages (from-to): 1619-1638
Number of pages: 20
Journal: Journal of Risk Research
Volume: 24
Issue number: 12
Publication status: Published - 2021
Externally published: Yes

Keywords

  • Bow-tie analysis
  • Cyber risk
  • Cybersecurity
  • Insurance
  • Risk classification
