Cyber-attacks pose a growing threat to global commerce, which is increasingly reliant on digital technology to conduct business. Traditional risk assessment and underwriting practices face serious shortcomings when confronted with cyber threats. Conventional assessment frameworks rate risk based on the historical frequency and severity of losses incurred; this method is effective for known risks but, due to the absence of historical data, proves ineffective for assessing cyber risk. This paper proposes a conceptual cyber risk classification and assessment framework, designed to demonstrate the significance of proactive and reactive barriers in reducing companies' exposure to cyber risk and to quantify that risk. The method combines a bow-tie model with a risk matrix to produce a rating based on the likelihood of a cyber-threat occurring and the potential severity of the resulting consequences. The model can accommodate historical data, expert opinion and previously known frameworks to score the Threats, Barriers and Escalators of the framework. The resulting framework is applied to a large city hospital in Europe. The results highlighted both cyber weaknesses and actions that should be taken to bolster cyber defences. They provide a quick visual guide that is accessible to both experts and management, and a practical framework that allows insurers to assess risks, visualise areas of concern and record the effectiveness of implementing control barriers.
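As an added illustration, not the paper's own scoring method or code: a small Python model of the bow-tie-plus-risk-matrix idea described above, in which proactive barriers lower threat likelihood, reactive barriers lower consequence severity, escalators erode barrier effectiveness, and the residual pair is placed on a risk matrix. The 1-5 scales, the multiplicative barrier/escalator arithmetic and the matrix bands are assumptions, and the hospital scenario with its scores is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Barrier:
    """A control on the bow-tie: proactive (threat side) or reactive (consequence side)."""
    name: str
    effectiveness: float                 # fraction of risk removed when fully working (0..1)
    escalators: list = field(default_factory=list)  # (name, degradation 0..1) pairs

    def effective(self) -> float:
        # Each escalator erodes the barrier multiplicatively (assumed model).
        e = self.effectiveness
        for _name, degradation in self.escalators:
            e *= 1.0 - degradation
        return e

def residual(score: float, barriers: list) -> float:
    """Reduce a 1..5 score: barriers act on the part above the floor of 1 (assumed)."""
    remaining = score - 1.0
    for b in barriers:
        remaining *= 1.0 - b.effective()
    return 1.0 + remaining

def matrix_rating(likelihood: float, severity: float) -> str:
    """5x5 risk matrix: bands on rounded likelihood x severity (assumed thresholds)."""
    product = round(likelihood) * round(severity)
    if product >= 15:
        return "high"
    if product >= 8:
        return "medium"
    return "low"

def assess(threat_likelihood, consequence_severity, proactive, reactive):
    """Return (residual likelihood, residual severity, matrix rating)."""
    lik = residual(threat_likelihood, proactive)
    sev = residual(consequence_severity, reactive)
    return lik, sev, matrix_rating(lik, sev)

def hospital_example():
    """Constructed scenario: phishing-delivered ransomware, scored 5/5 before controls."""
    proactive = [
        Barrier("email filtering", 0.6),
        Barrier("staff awareness training", 0.4, [("high agency-staff turnover", 0.5)]),
    ]
    reactive = [
        Barrier("offline backups", 0.7, [("restores never tested", 0.5)]),
        Barrier("incident response plan", 0.3),
    ]
    return assess(5, 5, proactive, reactive)
```

Calling `assess(5, 5, [], [])` gives the uncontrolled "high" cell, while `hospital_example()` shows the same threat landing in a "low" cell, and re-running it with the escalators removed shows how much of the residual risk is due to barriers that are present but degraded.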