Hagenberg Risk Management Process (Part 3): Operationalization, Probabilities, and Causal Analysis

Computer Science > Cryptography and Security [Submitted on 10 Apr 2026] Hagenberg Risk Management Process (Part 3): Operationalization, Probabilities, and Causal Analysis Eckehard Hermann, Harald Lampesberger For risks that cannot be accepted, sufficiently mitigated, or eliminated, continuous observation is a viable approach but requires a model that can be operationalized. The Hagenberg Risk Management Process bridges this gap between qualitative risk analysis, using contextualized polar heatmaps (triage), and realtime risk management by extending Bowtie diagrams into a formal probabilistic runtime model. We introduce Realtime Risk Studio, a domain-specific modeling tool that (i) transforms Bowtie structures (causes, top event, barriers, consequences) into a directed acyclic graph (DAG) suitable for Bayesian inference, (ii) adds explicit safe-state semantics, and (iii) designates Activation Nodes as intervention points. Bowtie models are qualitative; however, Bayesian inference requires actual probabilities. As a second contribution, we present Probability Capture, a tool that complements our Realtime Risk Studio by automatically generating questionnaires from a DAG model so experts can provide estimates. The tool analyzes disagreement and aggregates conditional-probability assessments using both descriptive dispersion analysis and prior-regularized methods. Causal analysis can then provide insights into the DAG model, for example, via d-separation, adjustment-set inspection, do-calculus for what-if analysis, local independence checks, evidence updating, and impact-oriented searches for effective interventions. This workflow is illustrated with an instant-payments gateway scenario, demonstrating (a) explicit safe-state semantics, (b) Bowtie-to-DAG operationalization, (c) probability capture with visible expert noise, and (d) causal what-if analysis on a transformed and enriched model. Rather than presenting a statistical validation, the paper contributes a method and prototype system that transforms partially mitigated risks into observable, probabilistic, and intervention-ready models. Comments: 18 pages, 4 figures Subjects: Cryptography and Security (cs.CR) Cite as: arXiv:2604.09153 [cs.CR]   (or arXiv:2604.09153v1 [cs.CR] for this version)   https://doi.org/10.48550/arXiv.2604.09153 Focus to learn more Submission history From: Harald Lampesberger [view email] [v1] Fri, 10 Apr 2026 09:40:07 UTC (1,456 KB) Access Paper: HTML (experimental) view license Current browse context: cs.CR < prev   |   next > new | recent | 2026-04 Change to browse by: cs References & Citations NASA ADS Google Scholar Semantic Scholar Export BibTeX Citation Bookmark Bibliographic Tools Bibliographic and Citation Tools Bibliographic Explorer Toggle Bibliographic Explorer (What is the Explorer?) Connected Papers Toggle Connected Papers (What is Connected Papers?) Litmaps Toggle Litmaps (What is Litmaps?) scite.ai Toggle scite Smart Citations (What are Smart Citations?) Code, Data, Media Demos Related Papers About arXivLabs Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)