A statistical method that uses probability to update the likelihood of an event based on new evidence. Bayes nets (Bayesian networks) are graphical models that represent probabilistic relationships between variables. In cyber, this helps refine risk probabilities as more data or intelligence becomes available.

• A cybersecurity team initially assesses the probability of a successful phishing attack at 20%. After receiving new threat intelligence about a highly sophisticated phishing campaign targeting their industry, they use Bayesian statistics to update the probability to 45%. A Bayes net could model the dependencies between user training, email filtering, and attack success.

A visual representation of risk that combines elements of both fault tree analysis (causes of an event) and event tree analysis (consequences of an event). It shows the pathways from causes to an event and from the event to its consequences, with barriers (controls) to prevent or mitigate them.

• A "knot" in the bow tie is a data breach. On the left side, causes could be "unpatched software" or "phishing attack." Barriers on the left are "patch management program" or "security awareness training." On the right side, consequences could be "data loss" or "reputational damage." Barriers on the right are "incident response plan" or "data encryption."

Qualitative techniques for gathering information. Brainstorming involves a group generating ideas freely. Structured interviews follow a rigid set of questions, while semi-structured interviews allow for some flexibility and follow-up questions. Used to identify potential risks, vulnerabilities, and impacts from diverse perspectives.

• Brainstorming: A security team holds a session to identify all possible ways a new cloud application could be compromised. Semi-structured Interview: Interviewing IT staff and business unit leaders about their perceived cyber risks, allowing for deeper dives into specific concerns raised.

A systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster or disruption. It identifies time-sensitive functions and resources, determining Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).

• An organization determines that its e-commerce website generates $10,000 per hour in revenue. A BIA identifies that if the website is down for more than 4 hours, the financial impact becomes severe, and the RTO for the website is set at 2 hours.

A structured technique to identify the potential causes of an undesirable event and the potential consequences that could arise from it. It's often used to understand complex risk scenarios.

• Cause: An employee clicks on a malicious link in an email. Event: Malware infects a workstation. Consequences: Data exfiltration, network spread, system downtime, reputational damage.

A diagramming technique used to identify the root causes of a problem or undesired effect. It categorizes potential causes into main branches (e.g., people, process, technology, environment) to facilitate thorough analysis.

• For the "Effect" of "Frequent Security Incidents," branches could be "People" (lack of training), "Process" (no clear incident response plan), "Technology" (outdated antivirus), and "Environment" (unsecured public Wi-Fi).

A simple and effective tool for risk identification and control verification. Pre-defined lists of questions or items are used to ensure that specific steps are followed, or certain conditions are met.

• A checklist used before deploying a new server: "Is the operating system patched to the latest version?", "Are default passwords changed?", "Are unnecessary ports closed?", "Is antivirus installed and updated?".

A structured communication technique that aims to obtain expert consensus on a particular topic. It involves iterative rounds of questionnaires and feedback, with anonymous responses, to reduce bias and encourage independent thought.

• A cybersecurity firm uses the Delphi method to estimate the likelihood of a zero-day exploit targeting a specific software vulnerability in the next year. Experts provide individual estimates, receive aggregated feedback, and revise their estimates over several rounds until a consensus or narrow range is reached.

A visual tool that maps out possible decisions and their potential outcomes, including associated probabilities and costs/benefits. It helps in making optimal decisions under uncertainty.

• A security team needs to decide whether to invest in a new advanced threat detection system. The decision tree branches would include "Invest" or "Don't Invest," with subsequent branches for potential outcomes like "Threat Detected," "Threat Missed," "Cost of System," and "Cost of Breach," each with probabilities.

While traditionally associated with ecological impact, in cybersecurity, this can refer to assessing risks arising from the operating environment of IT systems, including physical security, external dependencies (e.g., cloud providers), and regulatory landscapes.

• Assessing the risks associated with hosting critical data in a data center located in a region prone to natural disasters (physical environmental risk) or the legal and compliance risks of storing customer data across different geopolitical boundaries (regulatory environment).

A top-down, deductive analytical technique used to determine the combinations of basic events that could lead to a specific undesirable "top event." It's represented as a logic diagram using gates (AND, OR).

• Top Event: "Critical Business System Downtime." Branches could be "Database Failure" (AND Gate: "Hardware Failure" AND "No Backup") or "Network Outage" (OR Gate: "Router Failure" OR "ISP Disruption").

Originally from food safety, this systematic preventive approach can be adapted to identify "critical control points" in a cybersecurity process where specific controls are essential to prevent or mitigate a significant cyber "hazard."

• Hazard: "Unauthorized data access." Critical Control Point: The access control mechanism on a critical database. The organization would then monitor and verify the effectiveness of this control point (e.g., strong authentication, regular access reviews).

A structured and systematic examination of a planned or existing process or operation to identify and evaluate problems that may represent risks to personnel, equipment, or the environment. Uses "guide words" (e.g., "no," "more of," "less of," "reverse") with process parameters.

• Applying HAZOP to a new network configuration: Guide Word: "No" Parameter: "Data Flow." Deviation: "No Data Flow." Consequence: System outage. Cause: Misconfigured firewall. Action: Review firewall rules.

A systematic method for assessing the contribution of human error to system failures or accidents. It identifies potential human errors and their consequences, and designs interventions to reduce their likelihood.

• Analyzing the process of patching a critical server to identify potential human errors like skipping a step, applying the wrong patch, or failing to verify the update, and then implementing double-check procedures or automated scripts.

A semi-quantitative method used to assess the adequacy of independent protection layers (IPLs) for preventing an undesired event or mitigating its consequences. Each IPL reduces the likelihood of the event.

• To prevent a successful ransomware attack, IPLs could include: 1. Email filtering (reduces initial infection). 2. Endpoint detection and response (EDR) (detects and blocks malware). 3. Network segmentation (limits spread). 4. Offline backups (enables recovery even if encrypted). Each layer reduces the overall risk.

A mathematical technique used to model systems that transition between different states over time, where the future state depends only on the current state (memoryless property). Useful for modeling system reliability and availability over time.

• Modeling the availability of a critical server, which can be in states like "fully operational," "degraded performance," or "failed." Markov analysis can calculate the long-term probability of the server being in each state, considering transition probabilities between states (e.g., probability of failure, probability of recovery).

A computational technique that uses random sampling to model the probability of different outcomes in a process that cannot easily be predicted due to the intervention of random variables. It's used to quantify uncertainty and risk.

• Simulating the financial impact of a data breach. Instead of a single estimate, Monte Carlo runs thousands of simulations, each with randomly varied inputs for breach size, recovery time, legal fees, and reputational damage, to generate a distribution of possible financial losses and their probabilities.

A qualitative risk assessment technique typically performed early in the design phase of a system or process. It identifies potential hazards, hazardous situations, and initial high-level risks, as well as potential controls.

• When designing a new cloud-based banking application, a PHA would identify potential hazards like "unauthorized access to customer data," "system downtime," or "fraudulent transactions," and suggest initial security measures to address them before detailed design begins.

A systematic process to determine the most effective maintenance strategy for an asset. In cyber, it can be adapted to optimize the "maintenance" (patching, configuration management, vulnerability scanning) of critical IT assets based on their criticality and failure modes.

• Applying RCM principles to a critical firewall: instead of simply patching on a schedule, RCM would analyze its failure modes (e.g., misconfiguration, software bug, hardware failure) and determine the optimal frequency and type of maintenance activities (e.g., automated configuration audits, regular performance monitoring, specific patch testing procedures) to ensure its continuous reliability.

A problem-solving method used to identify the underlying causes of a problem or incident, rather than just addressing the symptoms. A "pre-mortem" is a specific type of RCA done before a project or deployment, where the team imagines the project has failed and works backward to identify potential causes of failure.

• RCA: After a significant outage, the team uses RCA to discover that the root cause was not just a server crash, but an unpatched vulnerability exploited due to a lack of a clear patch management policy. Pre-mortem: Before launching a new customer portal, the team conducts a pre-mortem, assuming the launch failed, and identifies potential causes like "insufficient load testing" or "inadequate security testing" as potential root causes of failure.

A technique that involves developing plausible future scenarios (e.g., best-case, worst-case, most likely-case) to explore potential risks and opportunities. It helps organizations prepare for different future states.

• A cybersecurity team develops a "worst-case scenario" involving a sophisticated nation-state attack that bypasses all current defenses, leading to complete data exfiltration and system paralysis. They then analyze the potential impact and identify gaps in their current response plan.

A specialized technique used primarily in electrical and electronic systems to identify unintended operations or conditions that can occur due to subtle design flaws or component interactions, leading to unexpected behavior. While less common directly in abstract cyber risk, the concept of unintended interactions can apply.

• While not a direct fit for typical cyber risk, the concept could be applied metaphorically to software or network design: identifying how a seemingly innocuous combination of user permissions and system configurations could inadvertently create an unauthorized access path, or how two seemingly unrelated software modules interact in an unintended way to create a vulnerability. (e.g., a "feature" becomes a "bug" when combined with another feature).

A systematic, team-based qualitative risk assessment technique that involves asking "what if" questions about a system or process to identify potential deviations, hazards, and consequences. It's less rigid than HAZOP but still structured.

• Reviewing a new secure file transfer process: "What if the encryption key is lost?" "What if the recipient's system is compromised?" "What if the transfer is interrupted mid-way?" Each "what if" leads to a discussion of potential consequences and existing or required controls.