A company called Armexa, new to me in the cybersecurity ecosystem, sent a release about an analysis they made regarding the thoroughness of risk assessments. They advocate a “bow-tie” method, detailed below. This is not my area of expertise, so I pass it along as a tool for your belt.
The Blind Spots in Most Risk Assessments
Many cybersecurity assessments fall short because they only focus on one or two parts of the puzzle instead of the full picture. Here’s what often gets missed:
- Only looking at external threats: Some assessments zero in on external threats like malware, phishing or hackers accessing the OT environment from the enterprise/business networks but overlook internal threats such as maintenance laptops, accidental misconfiguration errors, and unauthorized wireless access points that can bypass perimeter security controls.
- Assuming compliance equals security: Publishing policies and following standards is important, but just because an organization has them in place doesn’t mean they’re properly applied – or that they actually reduce risk.
- Overlooking “double jeopardy” scenarios: Traditional risk models plan for one thing to go wrong at a time. But cyber incidents are intentional. Attackers can, and often do, take down multiple systems at once.
- Focusing on vulnerabilities: Many assessments focus on discovery of vulnerabilities, such as outdated operating systems, known vulnerabilities (i.e., CVEs), and weak passwords. Listing vulnerabilities is helpful, but without asking what would happen if the vulnerability were exploited, you’re not actually assessing risk.
If you’re not linking security gaps to real operational and financial consequences, it’s almost impossible to know what really matters – or what to fix first.
The Three Elements Every Risk Assessment Should Cover
A truly effective risk assessment goes beyond simple gap analysis. It looks at the full picture by connecting three key elements:
- Threats – What could cause a cyber incident?
  - Malware, phishing, ransomware
  - Human errors or insider threats
  - Unknown or unauthorized devices on your network
- Vulnerabilities – Where are the weak spots?
  - Networks without proper separation
  - Devices that connect both IT and OT networks
  - Policies that are weak – or not followed at all
- Consequences – What happens if something slips through?
  - Loss of control over key operations
  - Production downtime and financial losses
  - Safety hazards, regulatory fines, and environmental impact

Check out the web page for a discussion of the weaknesses. Here they offer their better way to connect the dots—Bow Tie Analysis.
Bow Tie Analysis is a visual method that shows, in a clear, structured way, how threats, vulnerabilities and consequences are connected. It helps teams:
- See how one issue can trigger a chain of events
- Pinpoint which controls matter most, and whether they’re working
- Understand what’s still at risk, even with protection in place
- Meet regulatory expectations with a clear, easy-to-explain model
By mapping out risks in a straightforward, visual way, Bow Tie Analysis helps security teams and senior leadership understand where to focus – and where to take action first.
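To make the connection between the three elements concrete, here is a small model of a bow tie as data: initiating threats on the left, consequences on the right, and barriers (controls) on each side. This is an added illustration written for this post, not Armexa's method or any tool of theirs, and every site, barrier, likelihood, impact and effectiveness value in it is constructed. It demonstrates three of the points above: a policy that exists only on paper is scored as if it were absent (the compliance-equals-security blind spot), a "double jeopardy" mode where one deliberate action defeats several barriers at once, and a ranking of threat-to-consequence paths by expected loss rather than by vulnerability count.

```python
"""Toy bow-tie risk model: threats on the left, consequences on the right,
barriers between them. Added illustration, not Armexa's method or product;
every name, likelihood, impact and effectiveness value is constructed."""
from dataclasses import dataclass, replace
from math import prod


@dataclass(frozen=True)
class Barrier:
    name: str
    effectiveness: float   # probability the barrier stops the path when it works
    verified: bool = True  # audited as actually applied, not merely written down

    def stop_probability(self) -> float:
        # A control that exists only on paper contributes nothing to risk reduction.
        return self.effectiveness if self.verified else 0.0


@dataclass(frozen=True)
class Threat:
    name: str
    annual_likelihood: float  # expected initiating events per year
    barriers: tuple           # preventive barriers (left side of the bow tie)


@dataclass(frozen=True)
class Consequence:
    name: str
    impact: float     # loss in currency units if the consequence materialises
    barriers: tuple   # mitigative barriers (right side of the bow tie)


def pass_probability(barriers, correlated: bool = False) -> float:
    """Probability an event gets past every barrier in the sequence.

    independent: barriers fail independently, pass = product of (1 - p_i).
    correlated ("double jeopardy"): one deliberate action defeats several
    barriers at once, so the chain is only as good as its single best
    barrier, pass = 1 - max(p_i).
    """
    stops = [b.stop_probability() for b in barriers]
    if not stops:
        return 1.0
    if correlated:
        return 1.0 - max(stops)
    return prod(1.0 - p for p in stops)


def expected_annual_loss(threat, consequence, correlated: bool = False) -> float:
    """Annualised loss for one threat -> top event -> consequence path."""
    return (threat.annual_likelihood
            * pass_probability(threat.barriers, correlated)
            * pass_probability(consequence.barriers, correlated)
            * consequence.impact)


def rank_paths(threats, consequences, correlated: bool = False):
    """Every left/right pairing as (loss, threat, consequence), worst first."""
    paths = [(expected_annual_loss(t, c, correlated), t.name, c.name)
             for t in threats for c in consequences]
    return sorted(paths, reverse=True)


def barrier_value(threats, consequences, barrier_name, correlated: bool = False):
    """Risk reduction one barrier buys: total loss without it minus total with it."""
    def total(ts, cs):
        return sum(expected_annual_loss(t, c, correlated) for t in ts for c in cs)

    def disable(item):  # copy of a threat/consequence with the named barrier zeroed
        return replace(item, barriers=tuple(
            replace(b, effectiveness=0.0) if b.name == barrier_name else b
            for b in item.barriers))

    return (total([disable(t) for t in threats], [disable(c) for c in consequences])
            - total(threats, consequences))


def build_example():
    """Constructed bow tie for a hypothetical small OT site."""
    firewall = Barrier("IT/OT firewall, deny by default", 0.9)
    jump_mfa = Barrier("MFA on remote-access jump host", 0.8)
    laptop_policy = Barrier("Maintenance laptop scanning policy", 0.7, verified=False)
    backups = Barrier("Tested offline backups", 0.6)
    sis = Barrier("Safety instrumented system", 0.95)
    threats = [
        Threat("Ransomware from enterprise network", 2.0, (firewall, jump_mfa)),
        Threat("Infected maintenance laptop", 0.5, (laptop_policy,)),
    ]
    consequences = [
        Consequence("Production downtime", 500_000, (backups,)),
        Consequence("Safety incident", 5_000_000, (sis,)),
    ]
    return threats, consequences


if __name__ == "__main__":
    threats, consequences = build_example()
    for mode in (False, True):
        print("correlated barrier failures" if mode else "independent barrier failures")
        for loss, t, c in rank_paths(threats, consequences, mode):
            print(f"  {loss:>12,.0f}  {t} -> {c}")
    for name in ("IT/OT firewall, deny by default", "Maintenance laptop scanning policy"):
        print(f"annual risk reduction from '{name}': {barrier_value(threats, consequences, name):,.0f}")
```

With the constructed numbers the unverified laptop policy scores a risk reduction of zero, and the maintenance-laptop paths, which carry no CVE at all, outrank the ransomware paths that sit behind two working barriers. Switching to the correlated mode raises the ransomware losses fivefold because the two preventive barriers are then credited only for the stronger of the pair, which is the "double jeopardy" adjustment the release argues for.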
Is It Time to Rethink Your Approach?
If your risk assessment doesn’t connect threats, vulnerabilities and consequences, there’s a good chance some critical gaps are being overlooked. Cyber risk isn’t just an IT issue – it affects operations, finances and most importantly, safety.