In our last two posts, we looked at three tools you already use to help provide a safely functioning system at the front end – HAZOP, HAZID, and FMECA – and recommended their use for CyberSecurity. In our most recent post, we looked specifically at utilizing HAZOPs for CyberSecurity. In this post, we’ll take a look at HAZIDs for the same purpose.
First, here is an overview of the HAZID methodology:

The HAZID can build on the HAZOP (if one was completed) or can be utilized on a standalone basis.
In order to accommodate CyberSecurity in our HAZID, we need to add the following elements:
- In the Preparatory Step:
  - Within Objectives, define:
    - System Network Topology including all access points
    - External Users including contractor access, application access, classes of users
    - Internal Users including application access, classes of users
  - Within Operations, define:
    - Access policies
    - User responsibilities
    - Management of Change Policy
  - In the Systems, include Data Collection:
    - Formats for operational access logs
    - Current activity logs for existing or “as like” assets
    - Typical network traffic
  - Within the Team, include at least one CyberSecurity subject matter expert (SME)
- In Hazard Identification, include:
  - Unauthorized access (malicious or accidental)
  - Misuse of information (or privilege) by an authorized user
  - Data leakage or unintentional exposure of information
  - Loss of data
  - Disruption of service or productivity
  - Other specific hazards based on regulatory environment, geographic region, asset characteristics
- In Scenario Definition, include:
  - Organizational Risk Management
  - User Provisioning
  - Administration
  - User Authentication
  - Infrastructure Data Protection
  - Data Center Physical & Environmental Security
  - Continuity of Operations
- In Cause and Frequency Analysis, understand the latest attacks and their regimes:
  - 3 billion Yahoo accounts were hacked in 2016, one of the biggest breaches ever. (Oath.com)
  - Uber reported in 2016 that hackers stole the information on over 57 million drivers and riders. (Uber)
  - 412 million subscriber accounts were stolen from Friendfinder’s sites in 2017. (LeakedSource)
  - 148 million consumers were impacted by the 2017 Equifax Breach. (Equifax)
  - According to recent statistics, there are over 130 targeted, large-scale breaches in the U.S. per year, a number that is growing by 27 percent annually. (Accenture)
  - Thirty-one percent of organizations have experienced cyber-attacks on operational technology infrastructure. (Cisco)
  - There are an estimated 24,000 malicious mobile apps blocked on a daily basis. (Symantec)
  - The average number of breached records by country was 24k in 2017. The country with the most breaches was India with over 33k records; the US had over 28k. (Ponemon Institute’s 2017 Cost of Data Breach Study)
- In Consequences Analysis, include:
  - Security breach or attack
  - Lose or compromise your customers’ data
  - Employees’ data at risk
  - DDoS (Distributed Denial of Service) attack
  - Monetary loss
  - Violation of laws, regulations
  - Intellectual property or trade secrets at risk
  - Hit with a virus/ransomware
  - Damaging downtime
  - Reputational damage
  - Physical data loss
- In Options to Decrease Frequencies, include:
  - Reduce the network target area
  - Modify network topology
- In Options to Mitigate Consequences, include:
  - Safe, virus-free backups
  - Isolated backup systems
  - Insurance
- In Cost Benefit Assessment, understand and translate these costs to your organization:
  - The global average cost of a data breach is $3.86 million.
  - The average cost, globally, for each lost or stolen record containing sensitive and confidential information is $148 per record.
  - The US leads in data breaches, with an average cost of $7.91 million.
  - Canada has a $4.74 million average cost for data breaches, and Germany is $4.67 million.
  - The countries with the smallest average cost were Brazil ($1.24 million) and India ($1.77 million).
  - The mean time companies took to identify their breaches was 197 days.
  - Companies that contained their breach within 30 days ended up saving over $1 million vs. those that took over 30 days to resolve the situation.
  - The average cost to deploy security automation is $2.88 million.
  - Without cybersecurity solutions, a company could risk up to $4.43 million in breach costs.
That’s it for recognizing CyberSecurity in your HAZID. Next, we’ll look at putting CyberSecurity into your FMECA.
