Review of Risk Assessment Methodologies (IEC 31010)
Advanced Risk Management
0.0 Shifting from technical execution to strategic risk management.
1. Introduction to ISO/IEC 27005 and information security risk management
2. Information Security Risk Identification, Assessment, and Treatment (ISO/IEC 27005)
3 - Risk Acceptance, Communication, Monitoring and Review
4 - Risk Assessment Methodologies
05 - ISO 27005 Risk Assessment Using FMEA
Security risk management represents an intersection of engineering, computational mathematics, behavioural psychology, and strategic policy. Historically, risk management operated in distinct silos: industrial safety engineers focused on random mechanical failures in physical infrastructure, while information security professionals addressed logical vulnerabilities in digital networks. However, the advent of cyber-physical systems, ubiquitous connectivity, and advanced persistent threats has catalysed a necessary convergence of these disciplines. An intrusion into a digital network can now manifest as a catastrophic physical explosion, rendering traditional, isolated safety paradigms inadequate.
1. Expert Elicitation in High-Uncertainty Environments
When historical data is unreliable (e.g., predicting zero-day exploits), risk identification relies on expert judgment.
Brainstorming: Common but flawed for security. It is highly vulnerable to cognitive biases, groupthink, and hierarchical dominance, often resulting in a subjective list of operational issues rather than true vulnerabilities.
The Delphi Technique: A structured, asynchronous alternative. Experts submit independent, anonymous estimates over several rounds, receiving only the aggregated results of the previous round as feedback, so the group converges on a consensus without the social pressures that distort a live discussion. It is well suited to forecasting novel threats, though resource-intensive.
2. Systemic Risk Identification
HAZOP (Hazard and Operability Studies): A bottom-up method that applies guidewords (no, more, less, reverse, etc.) to each process node and examines every deviation from design intent. Traditional HAZOP fails in cybersecurity because it assumes failures are random and independent: its "double jeopardy" convention excludes scenarios that require two unrelated failures at once, which is precisely how coordinated, multi-node sabotage presents. It must be adapted into a security-informed HAZOP in which a deliberate attacker is treated as a common cause that can trigger several deviations simultaneously.
SWIFT (Structured What-If Technique): A top-down, checklist-driven alternative. It is efficient but strictly limited by the scope of its preparatory checklists, leaving it blind to unprecedented vectors such as novel supply chain attacks.
3. Causality, Control, and Visualisation
FMEA/FMECA: Foundational for reliability engineering, prioritising failure modes via a Risk Priority Number (severity × occurrence × detectability) and, in FMECA, a separate criticality analysis. However, it is designed for predictable hardware wear and tear, so its occurrence and detectability ratings have no sound basis for software logic, human factors, or malicious intent, where an adversary deliberately seeks out the failure mode and evades detection.
Bow-Tie Analysis: Visually bridges deep engineering and executive communication by mapping proactive prevention (left side) and reactive mitigation (right side) around a central "Top Event."
The Cyber Constraint: The Bow-Tie's visual simplicity masks interdependencies. It implies barriers are independent, whereas a single cyber event (e.g., compromised Active Directory) can simultaneously bypass multiple physical and digital barriers.
4. Probabilistic Logic Models
To quantify system failures mathematically, risk analysts use logical modelling.
FTA (Fault Tree Analysis) & ETA (Event Tree Analysis): FTA deductively maps root causes top-down from an undesired top event through AND/OR gates; ETA inductively maps the chains of consequences that follow an initiating event. In safety engineering, both assume random, accidental and mutually independent failures.
Attack Trees: The critical evolution for cybersecurity. Where FTA combines independent failure probabilities into the total probability of the top event, an attack tree models a rational, intelligent adversary who chooses among alternatives: at an OR node the attacker takes whichever branch is cheapest or most likely to succeed, and at an AND node the costs of the required steps are summed (or their success probabilities multiplied). The result is not an aggregate likelihood but the path of least resistance, which is the path the defender must close first.
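The contrast between the two gate semantics, as an added example that is not part of the original course notes. The tree, the step names and the cost and probability figures are constructed for illustration only; the same structure is evaluated once as a fault tree (independent random events, total probability) and once as an attack tree (adversary picks the cheapest or most likely branch).

```python
import math
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass
class Leaf:
    """A basic event. Read as a fault tree, `prob` is an independent failure
    probability. Read as an attack tree, `prob` is the attacker's chance of
    succeeding at the step and `cost` the effort to attempt it (arbitrary units)."""
    name: str
    prob: float
    cost: float


@dataclass
class Gate:
    kind: str                 # "AND" (all children required) or "OR" (any one suffices)
    children: List["Node"]
    name: str = ""


Node = Union[Leaf, Gate]


def fault_tree_probability(node: Node) -> float:
    """Safety-style FTA: every leaf is an independent random event, and the
    gate algebra yields the total probability that the top event occurs."""
    if isinstance(node, Leaf):
        return node.prob
    probs = [fault_tree_probability(c) for c in node.children]
    if node.kind == "AND":
        return math.prod(probs)                        # all must fail together
    return 1.0 - math.prod(1.0 - p for p in probs)     # at least one fails


def cheapest_attack(node: Node) -> Tuple[float, List[str]]:
    """Attack-tree semantics on cost: OR takes the cheapest alternative,
    AND sums the steps. Returns (total cost, ordered list of steps)."""
    if isinstance(node, Leaf):
        return node.cost, [node.name]
    results = [cheapest_attack(c) for c in node.children]
    if node.kind == "AND":
        return sum(c for c, _ in results), [s for _, steps in results for s in steps]
    return min(results, key=lambda r: r[0])


def most_likely_attack(node: Node) -> Tuple[float, List[str]]:
    """Attack-tree semantics on success probability: OR takes the most likely
    alternative, AND multiplies the steps. Returns (probability, steps)."""
    if isinstance(node, Leaf):
        return node.prob, [node.name]
    results = [most_likely_attack(c) for c in node.children]
    if node.kind == "AND":
        return math.prod(p for p, _ in results), [s for _, steps in results for s in steps]
    return max(results, key=lambda r: r[0])


# Constructed example tree; every figure below is hypothetical.
dump_db = Leaf("dump customer database", prob=0.9, cost=1)
EXFIL_TREE = Gate("OR", name="exfiltrate customer database", children=[
    Gate("AND", [Leaf("phish a DBA for credentials", 0.3, 2), dump_db]),
    Gate("AND", [Leaf("exploit web app RCE", 0.2, 5),
                 Leaf("escalate to DB host", 0.5, 3), dump_db]),
    Leaf("steal off-site backup tape", 0.6, 8),
])


if __name__ == "__main__":
    print("FTA total probability :", round(fault_tree_probability(EXFIL_TREE), 5))
    print("Cheapest attack       :", cheapest_attack(EXFIL_TREE))
    print("Most likely attack    :", most_likely_attack(EXFIL_TREE))
```

Note that the cheapest path (phish, then dump) and the most likely path (steal the tape) differ: an attack tree gives the defender two distinct "least resistance" answers depending on the adversary's constraint, whereas the fault-tree reading collapses the same structure into a single aggregate number that says nothing about which branch to close.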
5. Advanced Quantification and Financial Exposure
Monte Carlo Simulations: Replaces subjective heat maps with repeated random sampling. Each trial draws a loss event frequency and a loss magnitude per event from calibrated probability distributions (the factors decomposed by the FAIR framework) and sums them into one simulated year; thousands of trials yield a full distribution of annual loss from which an Annualised Loss Expectancy (ALE) and tail percentiles can be read and presented to the board. However, it suffers from a "garbage in, garbage out" dependency on the threat intelligence used to calibrate the inputs, and it cannot produce a loss scenario that was never encoded in them, such as an unprecedented zero-day.
Cyber Value at Risk (VaR): Translates cyber risk into executive financial metrics, quantifying the maximum potential loss over a specific timeframe at a given confidence level (e.g., 95%).
The "Fat Tail" Pathology: Traditional VaR assumes a normal (Gaussian) distribution, which systematically underestimates extreme outlier events ("Black Swans"). Cyber losses do not follow a bell curve; they are right-skewed with fat tails, so a Gaussian fitted to the mean and standard deviation badly understates the 99.9th percentile. A VaR figure also states only the threshold that is exceeded with the given probability, not how large the losses beyond it can be, so relying on it alone leaves an organisation exposed to the very 5% tail it was supposed to bound. Extreme Value Theory and advanced stress testing are needed to characterise that tail.
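A FAIR-style Monte Carlo simulation that produces the figures discussed in this section (ALE, Cyber VaR at several confidence levels, and the mean loss beyond VaR), and sets the empirical tail beside the VaR a Gaussian assumption would give. This is an added example and not part of the original course notes; the frequency and magnitude parameters are constructed for illustration and do not come from any real loss dataset.

```python
import math
import random
import statistics

# Constructed FAIR-style inputs (hypothetical, not from any real loss dataset):
#   loss event frequency ~ Poisson(LAMBDA) events per year
#   loss magnitude per event ~ LogNormal(MU, SIGMA) in currency units
LAMBDA = 2.0
MU = math.log(50_000)   # median single-event loss of 50,000
SIGMA = 1.5             # heavy right tail: occasional multi-million losses
Z_SCORES = {0.95: 1.645, 0.99: 2.326, 0.999: 3.090}   # one-sided Normal quantiles


def poisson(rng, lam):
    """Knuth's method for a Poisson sample with mean lam (adequate for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(trials=50_000, seed=1):
    """One trial is one simulated year: the sum of that year's event losses."""
    rng = random.Random(seed)                     # fixed seed for reproducibility
    losses = []
    for _ in range(trials):
        events = poisson(rng, LAMBDA)
        losses.append(sum(rng.lognormvariate(MU, SIGMA) for _ in range(events)))
    return losses


def percentile(sorted_losses, q):
    """Empirical q-quantile of an ascending list (nearest-rank, no interpolation)."""
    idx = min(len(sorted_losses) - 1, int(q * len(sorted_losses)))
    return sorted_losses[idx]


def expected_shortfall(sorted_losses, q):
    """Mean loss in the tail beyond the q-quantile, i.e. what VaR alone omits."""
    tail = sorted_losses[int(q * len(sorted_losses)):]
    return sum(tail) / len(tail)


def gaussian_var(losses, q):
    """VaR if annual loss were Normal with the sample's own mean and std dev."""
    return statistics.fmean(losses) + Z_SCORES[q] * statistics.pstdev(losses)


def risk_report(trials=50_000, seed=1):
    """ALE plus, per confidence level: empirical VaR, Gaussian-assumed VaR and
    expected shortfall. Keys look like 'VaR@0.999'."""
    losses = simulate_annual_losses(trials, seed)
    s = sorted(losses)
    report = {"ALE": statistics.fmean(losses)}
    for q in Z_SCORES:
        report[f"VaR@{q}"] = percentile(s, q)
        report[f"GaussVaR@{q}"] = gaussian_var(losses, q)
        report[f"ES@{q}"] = expected_shortfall(s, q)
    return report


if __name__ == "__main__":
    for key, value in risk_report().items():
        print(f"{key:>14}: {value:>14,.0f}")
```

With these inputs the Gaussian 99.9% VaR comes out far below the empirical 99.9th percentile, because a handful of multi-million single events dominate the far tail while barely moving the mean and standard deviation the Normal fit is built from. The expected-shortfall lines show the other half of the problem: the average loss once VaR is breached is several times the VaR threshold itself.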