Beau-TieExamples

Walkthrough — Cybersecurity data breach (Beau-Tie)

This article walks through the sample bow tie that ships with Beau-Tie. Open /editor in another tab and follow along — the diagram on screen is exactly the one we describe here. The example was chosen because it covers every mechanic of the editor (every control type, both control statuses, a meaningful residual-to-target gap) without being so large that the diagram becomes hard to read.

The risk event

Centre of the diagram, ink-coloured box:

Loss of sensitive customer data

Description: "Unauthorised access to or exfiltration of customer-identifying information." Notice the phrasing — noun-form, no embedded cause or impact. "Hackers steal data" would embed a cause; "Customers lose trust" would embed an impact. "Loss of sensitive customer data" is the event itself.

The four causes

Four pathways the event could occur through. Each is distinct enough that the controls on its line don't overlap with controls on another line:

1. Phishing of staff credentials

Three controls on this line:

  • Phishing awareness training — preventive, existing, partially effective. ("Quarterly simulated-phishing program for all staff.")
  • Email filtering — preventive, existing, effective. ("Cloud anti-spam and link-rewrite filtering at the gateway.")
  • MFA rollout — preventive, planned (0–3 months). ("Phishing-resistant MFA on all SSO-protected apps.") Renders as a dashed circle to flag that it's not yet running.

Reading the line: today, two preventive controls running with mixed effectiveness; one strong preventive control coming online within three months. The treatment story for this cause is "we know this is the weakest cause-side; we're about to materially improve it".

2. Unpatched software vulnerability

Three controls:

  • Patch management process — preventive, existing, partially effective. Monthly vendor patch rollout.
  • Vulnerability scanning — detective, existing, effective. Weekly automated scans.
  • Automated patching pipeline — preventive, planned (3–6 months). CI-driven rollout with canary stages.

Note the mix of preventive (P) and detective (D) on the same line. Detective controls don't stop the event but reduce the time-to-discovery, which feeds into the impact-side timeline.

3. Insider threat

Two controls on this line — fewer because insider threat is harder to control via mechanism, more by culture and policy. (You can see the full controls in-tool; for brevity we don't list every cause's controls here.)

4. Third-party supplier compromise

Three controls, including a planned vendor-security-assessment framework. Visible in-tool.

The two impacts

On the right side, two distinct consequence pathways. These are deliberately not paraphrases of each other — they trigger different recovery controls and drive different stakeholder conversations.

Regulatory fines and penalties

Two corrective / directive controls:

  • Breach notification protocol — corrective, existing, effective. Documented 72-hour regulator workflow.
  • Privacy compliance program — directive, existing, highly effective. Annual privacy review and DPIA for new initiatives.

These are "Di" (directive) and "C" (corrective) types — what you do before a breach to make sure the response is correct (Di) and what you do during / after a breach to limit the regulatory consequences (C).

Reputational damage

Three controls, including a planned external-PR retainer. Existing controls cover crisis communications and customer notification; the planned retainer adds external capacity for large-scale incidents.

The ratings

Three points plotted on the 5×5 matrix:

  • Residual: L4 × C4 = Extreme. Likely × Major. Today's posture, with current controls running and planned controls not yet live. The high rating reflects the partially-effective phishing training, the partially-effective patch management, and the meaningful insider-threat exposure.
  • Target: L2 × C3 = Moderate. Unlikely × Moderate. Where the rating lands once the four planned controls (MFA, automated patching, vendor assessment, PR retainer) come online over the next 3–6 months. The drop from Extreme to Moderate reflects that the planned controls materially reduce both likelihood (MFA, patching, vendor assessment all reduce trigger probability) and consequence (PR retainer reduces reputational damage severity).
  • Appetite — disabled in the sample. If enabled, would typically sit at L2 × C2 = Moderate or lower for a customer-data-breach risk at most regulated companies.

How this reads as a treatment plan

The bow tie isn't just a diagram — it's a plan. Reading it for the next 6 months:

  1. 0–3 months: ship the MFA rollout (closes the credentials-phishing pathway substantially) and the external- PR retainer (caps reputational tail risk).
  2. 3–6 months: deliver the automated patching pipeline (closes the unpatched-vulnerability pathway from partial to effective) and complete the vendor security assessment framework.
  3. Ongoing: operate existing controls; review effectiveness quarterly; revisit the bow tie if any control's effectiveness rating drops or a new cause emerges (e.g. AI-generated voice phishing in 2027).

Reach Moderate (the target) once the four planned controls land — that's the deliverable. If any planned control slips past 6 months, the residual stays at Extreme and the conversation with the risk committee needs to happen sooner.

What the export looks like

From /editor, hit Export ▾PDF report. The 6-page A4 landscape report covers:

  • Cover — Solid M + Wordmark, the risk name, owner, company, business unit, date, tags.
  • Risk statement — event statement and description, then the four causes (with descriptions) on the left half and the two impacts on the right half.
  • Bow tie diagram — full-page rasterised presentation slide. The layout and palette match what you see on screen.
  • Controls register — every one of the eleven controls as a row, grouped by cause / impact, with type, status, and effectiveness columns.
  • Risk matrix — full 5×5 matrix with the three plotted ratings (R / T) and the band labels.
  • Notes — only if the bow tie has notes. The sample doesn't.