Summary of WEBINAR - Security risk assessment – A HAZOP for cyber-security (CyHAZOP)

Summary of the Webinar: "Security Risk Assessment – A HAZOP for Cyber-Security (CyHAZOP)"

Main Ideas and Concepts:

• Introduction to CyHAZOP:

  The webinar presents the CyHAZOP method developed by Ristech to address gaps in traditional cybersecurity risk assessments, adapting the well-known HAZOP methodology for cybersecurity contexts.

• Need for a New Methodology:

  Traditional cybersecurity risk management is often viewed as complex and expensive, leading to a lack of understanding within businesses. The CyHAZOP aims to simplify and clarify the process.

• Three-Stage Approach:
  • Pre-Workshop: Preparation involving gathering necessary documentation and defining the scope.
  • Workshop: Conducting the risk assessment with stakeholders.
  • Post-Workshop Reporting: Producing a comprehensive report summarizing findings and recommendations.
• Key Changes from Traditional HAZOP:
  • Node Definition: Nodes are defined using a "zone and conduit" approach, which considers both physical and logical groupings of assets.
  • Threat Environment: Identification of relevant threat vectors to focus the assessment.
  • Guide Words and Deviations: Custom guide words related to cybersecurity are introduced to better capture security risks.
  • Security Controls: Assessment of existing security measures and their effectiveness.
  • Risk Assessment Model: Adaptation of the DREAD model to include attack path enablement, allowing for a nuanced understanding of risk.
• Scalability and Customization:

  The CyHAZOP method is designed to be scalable across various standards and environments, making it adaptable to different organizational needs.

• Workshop Structure:

  The workshop is structured to encourage participation from various stakeholders, including IT personnel, to foster a collaborative approach to risk assessment.

• Final Reporting:

  The final report includes a summary of the workshop, identified risks, and recommendations for improvement.

Methodology/Instructions:

• Pre-Workshop Preparation:
  • Gather schematics, network diagrams, previous assessments, and relevant documentation.
  • Create a briefing pack for workshop participants.
• Workshop Execution:
  • Conduct the workshop with a facilitator and a scribe.
  • Discuss each node using defined guide words and deviations.
  • Document findings and actions in real-time.
• Post-Workshop Reporting:

  Compile a formal report including:

  • Design information summary
  • Workshop summary
  • Identified gaps and actions
  • Security recommendations

Speakers:

• Steve Lewis: Senior Director at Ristech, UK.
• Stephen French: Principal Consultant in Information and Cyber Security at Ristech, London.

This summary encapsulates the key themes and methodologies discussed in the webinar, providing a clear understanding of the CyHAZOP approach to cybersecurity risk assessment.

Notable Quotes

— 03:02 — « Dog treats are the greatest invention ever. »

— 03:10 — « Cyber security risk management is seen as an incredibly expensive and sometimes complicated and technical endeavor. »

Category

Educational

Video