Bow Ties and Attack Trees for Risk

by Tony Badsey-Ellis

I talk a lot about attack trees when it comes to risk assessment. I’ve been using them for over a decade now, and I think they’re better than some ‘traditional’ methods for understanding risk. There is also a strong case for using bow ties and attack trees for smarter risk assessment.

We implemented bowtie analytics in RiskTree a couple of years ago, after looking at bow tie analysis for a few years. RiskTree users can now build bow tie diagrams from their existing trees.


Firstly, what’s a Bow Tie Diagram?

Bowtie Diagram
Bowtie Diagram


This diagram shows the components of a bow tie diagram. The bad outcome you’re trying to mitigate is the core element. The yellow box above, which is optional, shows the hazard that is the cause of the bad outcome.

On the left, you’ll see the risks that might lead to a bad outcome, and the countermeasures you’ve put in place (or plan to put in place). On the right are the consequences of a bad outcome happening, and this is what a bowtie gives you that risk assessment doesn’t.

The risk side of the diagram contains elements that already exist in attack trees, so we can use them to jumpstart the bow ties.


Attack Trees

Here’s a simple attack tree:

Example RiskTree
Simple attack tree


Combining Attack Trees and Bowtie Analysis

This tree has four risks of data loss. Three from a database of customer information and one financial. If we have a particular concern about the loss of customer identity information, we can model this as a bowtie. The three relevant risks (Steal database ×2 and Copy records) will be on the left of our bad outcome, together with their countermeasures (in green):




What are the consequences of losing customer identity information?

The Information Commissioner’s Office (ICO) will be very interested and will probably levy a fine. People will be less willing to transact with us, and our sales will fall. These can be added to the right-hand side as consequences.


bow tree example



Consequences can have mitigations applied to them, in other words actions that we have done or could do to reduce the impact. In this example, demonstrating to the ICO that we have followed the principles of GDPR might reduce the fine, as it will show that we have not been negligent in our data handling. And, we could have an advertising campaign that could be brought forward to offset a drop in sales. If required, we could pay for targeted PR to help address damage to our brand reputation. Like the countermeasures, the mitigations are placed on the pathway to each consequence:


Bowtie example



So, we now have a reasonably sophisticated bow tie diagram modelling customer ID theft, built around data from our original attack tree augmented with additional knowledge. RiskTree lets us take the analysis on to another level though. Since we have assessed each of our risks, we know how bad they could be. We can also perform an assessment of each consequence, by thinking about its impact dimensions.

What types of impact might a consequence have? The ICO fine will have a financial and legal impact, and the sales fall will impact us financially, operationally and reputationally. We can score these impacts on a High/Medium/Low scale.

For example, the ICO fine could be 4% of global turnover, so we rate this as High. The legal impact will depend on how much effort is absorbed in dealing with the ICO and whether we challenge the fine; for the purposes of this example, we rate it as Medium.

ICO fine

The mitigations affect these values in a similar way to countermeasures affecting risk values. Following GDPR might reduce the fine, but not necessarily significantly. So we could assess this mitigation as having a moderate financial impact.


The benefits of attack trees and bowties

RiskTree can now analyse the data from both sides of the bow tie and come up with an overall assessment for the bad outcome. Since we know which countermeasures and mitigations are in existence and which are planned, we can create the usual intrinsic / residual / target views.


bowtie example


This example only used a single bad outcome on a small tree. With a larger tree, more typical of those we see with our clients, you can build up several bow ties and assess them all. You’ll then see which outcomes matter most, and which mitigations are most crucial.



Bow ties can be used to analyse factors that reduce countermeasure effectiveness. As well as embed numeric information into quantitative risk analysis using Monte Carlo methods. Look out for future posts to explain RiskTree’s support for these functions.



Learn more about RiskTree here.