An experimental evaluation of bow-tie analysis for security

Purpose: Within critical-infrastructure industries, bow-tie analysis is an established way of eliciting requirements for safety and reliability concerns. Because of the ever-increasing digitalisation and coupling between the cyber and physical world, security has become an additional concern in these industries. The purpose of this paper is to evaluate how well bow-tie analysis performs in the context of security, and the study’s hypothesis is that the bow-tie notation has a suitable expressiveness for security and safety. Design/methodology/approach: This study uses a formal, controlled quasi-experiment on two sample populations – security experts and security graduate students – working on the same case. As a basis for comparison, the authors used a similar experiment with misuse case analysis, a well-known technique for graphical security modelling. Findings: The results show that the collective group of graduate students, inexperienced in security modelling, perform similarly as security experts in a well-defined scope and familiar target system/situation. The students showed great creativity, covering most of the same threats and consequences as the experts identified and discovering additional ones. One notable difference was that these naïve professionals tend to focus on preventive barriers, leading to requirements for risk mitigation or avoidance, while experienced professionals seem to balance this more with reactive barriers and requirements for incident management. Originality/value: Our results are useful in areas where we need to evaluate safety and security concerns together, especially for domains that have experience in health, safety and environmental hazards, but now need to expand this with cybersecurity as well. © 2019, Per Håkon Meland, Karin Bernsmed, Christian Frøystad, Jingyue Li and Guttorm Sindre.