Overall risk in a system
First Claim
1. A computer-implemented method for assessing a single value representative of an overall risk in at least part of an information technology system comprising:
(a) inputting into a risk assessment database a plurality of risks identified in the information technology system by utilizing at least one computer having a risk analysis program;
(b) associating the plurality of risks to at least one severity band in a risk echelon and storing said association in a memory storage device;
(c) assigning a value to each of the plurality of risks;
(d) for each assigned risk value, multiplying the assigned risk value by a corresponding coefficient factor determined according to the risk value, the associated severity band for the assigned risk value, and a rank of the risk within the at least one severity band, each coefficient factor having a decreasing magnitude from a coefficient factor corresponding to a highest risk value to a coefficient factor corresponding to a lowest risk value;
(e) adding the factored risk values to determine the overall risk by utilizing the risk analysis program;
(f) outputting an indication of the overall risk in a humanly readable form; and
(g) based on the overall risk, identifying a modification to the information technology system. (Dependent claims: 2, 3, 4, 5, 6)
Abstract
A computer-implemented method and system for assessing the overall risk in at least part of an information technology system includes inputting into a risk assessment database a plurality of identified risks in a system; associating the risks to at least one severity band in a risk echelon; assigning a value to each risk; multiplying each risk value by a coefficient factor; and summing the factored risk values to determine the overall risk. The method preferably includes modifying the security implementation of the information technology system and determining the modified overall risk. The system preferably includes an automated vulnerability detection scanner to gather risk information, which is stored on a database and used in calculating the overall risk.
27 Claims
7. A computer-implemented method for identifying an overall risk in at least part of an information technology system comprising:
(a) identifying a plurality of individual risks for an information technology system;
(b) associating each of the plurality of individual risks to a corresponding severity risk band in a risk echelon utilizing a risk analysis program; and
(c) determining an overall risk utilizing the risk analysis program according to adding an incremental risk value to a mean risk value of the highest severity risk band containing a risk for each of the plurality of individual risks, the incremental risk value being determined according to an associated risk band echelon for the individual risk and a rank for the individual risk in the risk echelon. (Dependent claims: 8, 9)
10. A computer-implemented method for assessing a risk in at least part of an information technology system comprising:
(a) inputting into a memory storage device an association of a plurality of risks identified in the information technology system to at least one corresponding severity band in a risk echelon by utilizing at least one computer having a risk analysis program;
(b) adding to an initial overall risk value a value of one half of the difference between an upper limit of the highest severity band and the initial overall risk value to determine an intermediate overall risk value by utilizing the risk analysis program, the initial overall risk value being a lower limit of the highest severity band containing a risk;
(c) for each additional risk in the highest severity band, adding successively one-half of the difference between the upper limit of the highest severity band and the most recent intermediate overall risk value to calculate the new most recent intermediate overall risk value by utilizing the risk analysis program;
(d) for each additional risk in bands of lesser severity, adding in series a proportioned value of one half of a difference between the upper limit of the highest severity band and the most recent intermediate overall risk value, where one-half of the difference is proportioned by a coefficient factor relative to the highest risk value, to calculate the new most recent intermediate overall risk value by utilizing the risk analysis program; and
(e) assigning the new most recent intermediate overall risk value determined for the last risk as the overall risk value for the system. (Dependent claims: 11, 12, 13, 14, 15)
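The aggregation in claim 10 (steps (a) through (e)) carried through in code, as an added example that is not part of the patent: the severity band limits, the per-band coefficient factors and the sample risk lists are constructed assumptions, and the coefficient for a lesser band is taken relative to the highest populated band. It also shows the property a practitioner should notice: each added risk consumes half of the remaining headroom, so the overall value climbs toward, but never crosses, the upper limit of the highest populated band.

```python
# Constructed severity bands as (lower, upper) limits on a 0-100 echelon.
# Values and coefficients are assumptions for illustration, not from the patent.
BANDS = {
    "Critical": (75.0, 100.0),
    "High": (50.0, 75.0),
    "Medium": (25.0, 50.0),
    "Low": (0.0, 25.0),
}
BAND_ORDER = ["Critical", "High", "Medium", "Low"]  # most to least severe
# Hypothetical coefficient factor per band, decreasing with severity.
COEFF = {"Critical": 1.0, "High": 0.5, "Medium": 0.25, "Low": 0.125}


def overall_risk(risks):
    """risks: list of band names, one entry per identified risk.

    Returns (overall_value, highest_populated_band) following claim 10:
    (a)/(b) start at the lower limit of the highest band that holds a risk and
    add half the gap to that band's upper limit; (c) repeat for every further
    risk in that band; (d) for risks in lesser bands add a coefficient-scaled
    share of half the gap; (e) the last intermediate value is the overall risk.
    """
    if not risks:
        return 0.0, None
    top = min(risks, key=BAND_ORDER.index)  # highest severity band containing a risk
    lower, upper = BANDS[top]
    value = lower  # initial overall risk value: lower limit of the top band
    in_top = [r for r in risks if r == top]
    # Lesser-band risks are processed in series, most severe first.
    others = sorted((r for r in risks if r != top), key=BAND_ORDER.index)
    for _ in in_top:  # steps (b) and (c)
        value += 0.5 * (upper - value)
    for band in others:  # step (d)
        factor = COEFF[band] / COEFF[top]  # coefficient relative to the top band
        value += factor * 0.5 * (upper - value)
    return value, top  # step (e)


def stays_in_band(risks):
    """True when the computed overall risk lies inside its highest populated band."""
    value, band = overall_risk(risks)
    if band is None:
        return True
    lower, upper = BANDS[band]
    return lower <= value < upper
```

Because the value converges on the band's upper limit, one High finding plus any number of Medium findings is still reported as High; a scoring pipeline that needs many moderate findings to escalate a system should use the weighted-sum form of claim 1 instead.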
16. A computer-implemented method for assessing the overall risk in an information technology system comprising:
utilizing at least one computer having a risk analysis program to enter into a memory device a plurality of risks in a system associated with a component, category or method of the system;
associating the risks with at least one severity band in a risk echelon and storing said associations in the memory device;
assigning a numerical value to each risk;
multiplying the assigned risk value by a corresponding coefficient factor determined according to the risk value, the associated severity band for the assigned risk value, and a rank of the risk within the at least one severity band, each coefficient factor having a decreasing magnitude from a coefficient factor corresponding to a highest risk value to a coefficient factor corresponding to a lowest risk value;
adding the factored risk values associated with said one of a component, category or method to determine the overall risk in the system for the said one of a component, category or method by utilizing the risk analysis program; and
outputting an indication of the overall risk for the said one of a component, category or method in a humanly readable form. (Dependent claims: 17, 18, 19, 20, 21, 22)
23. A system for conducting a risk assessment of a computer network system, the system comprising:
at least one risk assessment database for storing risk assessment information associated with the computer network system, the risk assessment information being recorded in the risk assessment database through user input;
at least one internet scanner database for storing risk assessment information associated with the computer network system and being generated by an automated vulnerability scanner, the at least one internet scanner database being configured to share computer network system risk information with the at least one risk assessment database for analysis of a vulnerability of the computer network system;
a processor for determining an overall risk value associated with at least one component associated with the computer network system according to information in the internet scanner database and the at least one risk assessment database and computer network information;
a user computer for inputting risk assessment information to and for receiving risk assessment information from said risk assessment database; and
an interface for displaying said overall risk value determined by said processor. (Dependent claims: 24, 25, 26, 27)