German cybersecurity company admeritia has launched Cyber Decision Diagrams, a free community tool. Tailored for the industrial sector and critical infrastructure, the tool is designed to streamline and enhance decision-making processes. By democratizing technical knowledge, the tool empowers organizations to break down complex cybersecurity decisions, evaluate alternatives, and visualize outcomes through structured, engineering-grade diagrams.

Cyber Decision Diagrams provide a clear, five-step framework to help organizations clarify critical cybersecurity decisions by gaining a sharper understanding of priorities and challenges; grounding decisions in real-world contexts to ensure choices are practical and aligned with operational needs; and exploring alternatives effectively by systematically evaluating options to identify the best path forward. 

By offering a structured, visual approach to decision-making, the tool equips organizations with the clarity and confidence needed to tackle cybersecurity challenges head-on. The Cyber Decision Diagrams also help users understand technical systems, focus on real-world impacts, and make cybersecurity decisions, regardless of the complexity of the technology.


“The diagrams help to think through cybersecurity problems and make cybersecurity decisions – to literally get all information that matters for a certain decision on one page,” Sarah Fluchs, CTO of admeritia, told Industrial Cyber. “They can be used to get clarity on how critical functions work (getting the knowledge on paper that often is only in engineers’ heads), on what security requirements matter most to prevent a High Consequence Event, on the most realistic attack path, and to compare different implementation alternatives for a certain function.”

She added that the simple, five-step workflow can be followed, but many steps are optional. “There are some libraries and suggestions for each step so you never start from a blank page.”

New features can be added to the Cyber Decision Diagrams. “We’re constantly improving the diagrams and welcome your feedback. Use the feedback button in the application to share your suggestions.”

Fluchs said that the Cyber Decision Diagrams are a spin-off from research results out of admeritia’s three-year security-by-design research project, and from its commercial Security Engineering Tool (SET). “They have been developed especially for industrial/critical infrastructure environments (but I have seen people using the CDD for purely IT environments too – there’s no reason why that shouldn’t work).”

On how the OT cybersecurity community can access the Cyber Decision Diagrams, Fluchs pointed out that it is a web application that is free and open to the public. “It runs in your browser and saves all data only temporarily in your local browser cache. We don’t track anything the user is doing, it is saved nowhere. You can download your results as a PDF. If you don’t, they’re gone.”

She also said that the Cyber Decision Diagrams are built on some core concepts of the ISA/IEC 62443 risk assessment (and CIE) – to begin by assessing consequences and focusing on essential functions.

“They don’t explicitly reference requirements from any standard, but the user is free to use standard requirements when selecting his Top 5 measures as a last step in creating his CDD,” Fluchs added. 

She noted that extensive standard libraries wouldn’t work given the restriction that only browser cache is used to store data. Also, there are more extensive libraries in the SET. The tool has been designed to be a simple, efficient and low-barrier approach to creating a cyber decision diagram. “We carefully designed it so that you don’t need any previous knowledge of specific concepts, methods or tools, and you certainly don’t have to be a cybersecurity pro. The 5 workflow steps include guidance on what to do.”

Fluchs said that the Cyber Decision Diagrams have been validated in real-world OT environments. “They’ve been scientifically validated in three real-world case studies at a large international chemicals producer and a functional safety component manufacturer during our research.”

Users are free to use the Cyber Decision Diagrams in presentations, publications, social media, or internal documents. However, they must include a link, so others can benefit from the tool. The SET is a commercial product based on the Cyber Decision Diagrams. “If you believe the diagrams could enhance your organization’s cybersecurity risk management, consider exploring SET.”
