METHOD AND TOOL FOR INFORMATION SECURITY ASSESSMENT THAT INTEGRATES ENTERPRISE OBJECTIVES WITH VULNERABILITIES

US 20100333002A1
Filed: 06/29/2009
Published: 12/30/2010
Est. Priority Date: 06/29/2009
Status: Active Grant

First Claim

Patent Images

1. A method to assess information security vulnerability of an enterprise comprising:

storing enterprise objectives in a computer system;

storing enterprise resources determined using a value criterion, a rareness criterion, an inimitability criterion and a non-substitutability criterion in the computer system;

storing enterprise information assets in the computer system;

mapping the enterprise objectives with the enterprise resources;

mapping the enterprise information assets with the enterprise resources;

determining a threat analysis using an attack tree using the enterprise resources and the information assets; and

determining a risk value using the attack tree.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one aspect, a method to assess information security vulnerability of an enterprise includes storing enterprise objectives in a computer system, storing enterprise resources determined using a value criterion, a rareness criterion, an inimitability criterion and a non-substitutability criterion in the computer system and storing enterprise information assets in the computer system. The method also includes mapping the enterprise objectives with the enterprise resources and mapping the enterprise information assets with the enterprise resources. The method further includes determining a threat analysis using an attack tree using the enterprise resources and the information assets and determining a risk value using the attack tree.

28 Citations

View as Search Results

20 Claims

1. A method to assess information security vulnerability of an enterprise comprising:
- storing enterprise objectives in a computer system;
  
  storing enterprise resources determined using a value criterion, a rareness criterion, an inimitability criterion and a non-substitutability criterion in the computer system;
  
  storing enterprise information assets in the computer system;
  
  mapping the enterprise objectives with the enterprise resources;
  
  mapping the enterprise information assets with the enterprise resources;
  
  determining a threat analysis using an attack tree using the enterprise resources and the information assets; and
  
  determining a risk value using the attack tree.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising identifying the enterprise objectives using mission statements.
  - 3. The method of claim 1, further comprising identifying the enterprise objectives using enterprise goals.
  - 4. The method of claim 1, further comprising storing enterprise resources determined using criteria added to the computer system by a user through a graphical user interface.
  - 5. The method of claim 1 wherein storing enterprise resources comprises storing enterprise resources provided by a user through a graphical user interface.
  - 6. The method of claim 1 wherein storing enterprise information assets in the computer system comprises storing a data file comprising the information assets.
  - 7. The method of claim 1 wherein storing enterprise information assets in the computer system comprises storing enterprise information assets provided by a user through a graphical user interface.
  - 8. The method of claim 1 wherein the mapping of enterprise objectives with enterprise resources comprises mapping the enterprise objectives with enterprise resources provided by a user through a graphical user interface.
  - 9. The method of claim 1 wherein the mapping enterprise resources with enterprise information assets comprises mapping of enterprise resources with enterprise information assets provided by a user using a graphical user interface.
  - 10. The method of claim 1, wherein determining a threat analysis using an attack tree comprises forming the attack tree using a data file that embeds an attack tree model,
  - 11. The method of claim 1 wherein determining a threat analysis using an attack tree comprises using additional values and attributes for leaf node values of the attack tree that are defined and added by a user through a graphical user interface.

12. An article comprising:
- a machine-readable medium that stores executable instructions to assess information security vulnerability of an enterprise, the instructions causing a machine to;
  
  store enterprise objectives in a computer system;
  
  store enterprise resources determined using a value criterion, a rareness criterion, an inimitability criterion and a non-substitutability criterion in the computer system;
  
  store enterprise information assets in the computer system;
  
  map the enterprise objectives with the enterprise resources;
  
  map the enterprise information assets with the enterprise resources;
  
  determine a threat analysis using an attack tree using the enterprise resources and the information assets; and
  
  determine a risk value using the attack tree.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The article of claim 12, further comprising instructions causing a machine to identify the enterprise objectives using enterprise goals.
  - 14. The article of claim 12 wherein the identification of enterprise resources can be implemented using additional criteria added to the computer system by a user.
  - 15. The article of claim 12 wherein the identification of enterprise resources can be implemented using a graphical user interface.
  - 16. The article of claim 12 wherein storing enterprise information assets in the computer system comprises storing a data file comprising the information assets.

17. An apparatus to assess information security vulnerability of an enterprise, comprising:
- circuitry to;
  
  store enterprise objectives in a computer system;
  
  store enterprise resources determined using a value criterion, a rareness criterion, an inimitability criterion and a non-substitutability criterion in the computer system;
  
  store enterprise information assets in the computer system;
  
  map the enterprise objectives with the enterprise resources;
  
  map the enterprise information assets with the enterprise resources;
  
  determine a threat analysis using an attack tree using the enterprise resources and the information assets; and
  
  determine a risk value using the attack tree.
- View Dependent Claims (18, 19, 20)
- - 18. The apparatus of claim 17 wherein the circuitry comprises at least one of a processor, a memory, programmable logic or logic gates.
  - 19. The apparatus of claim 17 wherein the circuitry to map enterprise resources with enterprise information assets comprises circuitry to map enterprise resources with enterprise information assets provided by a user using a graphical user interface.
  - 20. The apparatus of claim 17, wherein the circuitry to determine a threat analysis using an attack tree comprises circuitry to form the attack tree using a data file that embeds an attack tree model,

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bugra Karabey, Nazife Baykal
Original Assignee
Bugra Karabey, Nazife Baykal
Inventors
Karabey, Bugra, Baykal, Nazife

Granted Patent

US 8,353,045 B2
Time in Patent Office

Days
Field of Search
US Class Current

715/764
CPC Class Codes

G06Q 10/10 Office automation; Time man...

G06Q 40/02 Banking, e.g. interest calc...

METHOD AND TOOL FOR INFORMATION SECURITY ASSESSMENT THAT INTEGRATES ENTERPRISE OBJECTIVES WITH VULNERABILITIES

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND TOOL FOR INFORMATION SECURITY ASSESSMENT THAT INTEGRATES ENTERPRISE OBJECTIVES WITH VULNERABILITIES

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links