ASSESSING SCENARIO-BASED RISKS

US 20130325545A1
Filed: 06/04/2012
Published: 12/05/2013
Est. Priority Date: 06/04/2012
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented method for managing risks of a business enterprise, the method comprising:

identifying, with a computer system, a threat to a business enterprise;

identifying, with the computer system, based on the threat, a plurality of business enterprise assets and associated impacts;

determining, with the computer system, a plurality of threat scenarios, each threat scenario comprising a minimum and a maximum qualitative probability and a minimum and a maximum qualitative impact;

converting, with the computer system, the minimum and the maximum qualitative probability and the minimum and the maximum qualitative impact of each of the plurality of scenarios to a minimum and a maximum quantitative probability and a minimum and a maximum quantitative impact based on a risk matrix;

determining, with the computer system, a quantitative probability and a quantitative impact by generating random numbers within intervals defined by the minimum and the maximum quantitative probability and the minimum and the maximum quantitative impact;

adjusting, with the computer system, one of the quantitative probability and the quantitative impact based on a threat occurrence;

determining, with the computer system, with a simulation model, a quantitative risk of the identified threat based on the quantitative probability and the quantitative impact; and

preparing, with the computer system, an output comprising the determined quantitative risk of the identified threat for display on a graphical user interface of a computing device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for managing risks of a business enterprise include identifying a threat to a business enterprise; identifying, based on the threat, a plurality of business enterprise assets and associated impacts; determining a plurality of threat scenarios, each threat scenario including a qualitative probability and a qualitative impact; assigning a quantitative probability and a quantitative impact to each of the plurality of scenarios based on an evaluation of the qualitative probability and the qualitative impact in a risk matrix; determining, with a simulation model, a quantitative risk of the identified threat based on the assigned quantitative probability and quantitative impact; and preparing an output including the determined quantitative risk of the identified threat for display.

Citations

24 Claims

1. A computer-implemented method for managing risks of a business enterprise, the method comprising:
- identifying, with a computer system, a threat to a business enterprise;
  
  identifying, with the computer system, based on the threat, a plurality of business enterprise assets and associated impacts;
  
  determining, with the computer system, a plurality of threat scenarios, each threat scenario comprising a minimum and a maximum qualitative probability and a minimum and a maximum qualitative impact;
  
  converting, with the computer system, the minimum and the maximum qualitative probability and the minimum and the maximum qualitative impact of each of the plurality of scenarios to a minimum and a maximum quantitative probability and a minimum and a maximum quantitative impact based on a risk matrix;
  
  determining, with the computer system, a quantitative probability and a quantitative impact by generating random numbers within intervals defined by the minimum and the maximum quantitative probability and the minimum and the maximum quantitative impact;
  
  adjusting, with the computer system, one of the quantitative probability and the quantitative impact based on a threat occurrence;
  
  determining, with the computer system, with a simulation model, a quantitative risk of the identified threat based on the quantitative probability and the quantitative impact; and
  
  preparing, with the computer system, an output comprising the determined quantitative risk of the identified threat for display on a graphical user interface of a computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the simulation model comprises a Monte Carlo simulation model, anddetermining, with a simulation model, a quantitative risk of the identified threat based on the assigned quantitative probability and quantitative impact comprises executing the Monte Carlo simulation model a specified plurality of simulations.
  - 3. The method of claim 2, further comprising receiving, from a user, one or more of:
    - the specified plurality of simulations for the Monte Carlo simulation model;
      
      a specified number of impact intervals for the quantitative risk;
      
      ora threat occurrence value.
  - 4. The method of claim 3, wherein the determined quantitative risk comprises one or more of a risk probability associated with a particular one of the impact intervals, a monetary impact associated with the particular one of the impact intervals, or a maximum quantitative risk value.
  - 5. The method of claim 1, wherein determining a plurality of threat scenarios comprises correlating one or more of the plurality of business enterprise assets with one or more of the associated impacts.
  - 6. The method of claim 1, further comprising identifying a plurality of asset protection measures, wherein the associated impacts are based, at least in part, on the identified plurality of business enterprise assets and protection measures.
  - 7. The method of claim 1, wherein identifying a threat to a business enterprise comprises receiving, through a form interface, the threat from a business enterprise risk manager, andidentifying, based on the threat, a plurality of business enterprise assets and associated impacts comprises receiving, through the form interface, the plurality of business enterprise assets and associated impacts from the business enterprise risk manager.
  - 8. The method of claim 1, further comprising:
    - receiving a modification of the assigned quantitative probability from a business enterprise risk manager; and
      
      determining, with the simulation model, a revised quantitative risk of the identified threat based on the modified quantitative probability and the assigned quantitative impact.

9. A non-transitory, tangible computer storage medium encoded with a computer program, the program comprising instructions that when executed by one or more computers cause the one or more computers to perform operations comprising:
- identifying a threat to a business enterprise;
  
  identifying, based on the threat, a plurality of business enterprise assets and associated impacts;
  
  determining a plurality of threat scenarios, each threat scenario comprising a minimum and a maximum qualitative probability and a minimum and a maximum qualitative impact;
  
  converting the minimum and the maximum qualitative probability and the minimum and the maximum qualitative impact of each of the plurality of scenarios to a minimum and a maximum quantitative probability and a minimum and a maximum quantitative impact based on a risk matrix;
  
  determining a quantitative probability and a quantitative impact by generating random numbers within intervals defined by the minimum and the maximum quantitative probability and the minimum and the maximum quantitative impact;
  
  adjusting one of the quantitative probability and the quantitative impact based on a threat occurrence;
  
  determining, with a simulation model, a quantitative risk of the identified threat based on the quantitative probability and the quantitative impact; and
  
  preparing an output comprising the determined quantitative risk of the identified threat for display on a graphical user interface of a computing device.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The non-transitory, tangible computer storage medium of claim 9, wherein the simulation model comprises a Monte Carlo simulation model, anddetermining, with a simulation model, a quantitative risk of the identified threat based on the assigned quantitative probability and quantitative impact comprises executing the Monte Carlo simulation model a specified plurality of simulations.
  - 11. The non-transitory, tangible computer storage medium of claim 10, wherein the operations further comprise receiving, from a user, one or more of:
    - the specified plurality of simulations for the Monte Carlo simulation model;
      
      a specified number of impact intervals for the quantitative risk;
      
      ora threat occurrence value.
  - 12. The non-transitory, tangible computer storage medium of claim 11, wherein the determined quantitative risk comprises one or more of a risk probability associated with a particular one of the impact intervals, a monetary impact associated with the particular one of the impact intervals, or a maximum quantitative risk value.
  - 13. The non-transitory, tangible computer storage medium of claim 9, wherein determining a plurality of threat scenarios comprises correlating one or more of the plurality of business enterprise assets with one or more of the associated impacts.
  - 14. The non-transitory, tangible computer storage medium of claim 9, wherein the operations further comprise:
    - identifying a plurality of asset protection measures, wherein the associated impacts are based, at least in part, on the identified plurality of business enterprise assets and protection measures.
  - 15. The non-transitory, tangible computer storage medium of claim 9, wherein identifying a threat to a business enterprise comprises receiving, through a form interface, the threat from a business enterprise risk manager, andidentifying, based on the threat, a plurality of business enterprise assets and associated impacts comprises receiving, through the form interface, the plurality of business enterprise assets and associated impacts from the business enterprise risk manager.
  - 16. The non-transitory, tangible computer storage medium of claim 9, wherein the operations further comprise:
    - receiving a modification of the assigned quantitative probability from a business enterprise risk manager; and
      
      determining, with the simulation model, a revised quantitative risk of the identified threat based on the modified quantitative probability and the assigned quantitative impact.

17. A system of one or more computers configured to perform operations comprising:
- identifying, with the system, a threat to a business enterprise;
  
  identifying, with the system, based on the threat, a plurality of business enterprise assets and associated impacts;
  
  determining, with the system, a plurality of threat scenarios, each threat scenario comprising a minimum and a maximum qualitative probability and a minimum and a maximum qualitative impact;
  
  converting, with the system, the minimum and the maximum qualitative probability and the minimum and the maximum qualitative impact of each of the plurality of scenarios to a minimum and a maximum quantitative probability and a minimum and a maximum quantitative impact based on a risk matrix;
  
  determining, with the system, a quantitative probability and a quantitative impact by generating random numbers within intervals defined by the minimum and the maximum quantitative probability and the minimum and the maximum quantitative impact;
  
  adjusting, with the system, one of the quantitative probability and the quantitative impact based on a threat occurrence;
  
  determining, with the system, with a simulation model, a quantitative risk of the identified threat based on the quantitative probability and the quantitative impact; and
  
  preparing, with the system, an output comprising the determined quantitative risk of the identified threat for display on a graphical user interface of a computing device.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The system of claim 17, wherein the simulation model comprises a Monte Carlo simulation model, anddetermining, with a simulation model, a quantitative risk of the identified threat based on the assigned quantitative probability and quantitative impact comprises executing the Monte Carlo simulation model a specified plurality of simulations.
  - 19. The system of claim 18, wherein the operations further comprise receiving, from a user, one or more of:
    - the specified plurality of simulations for the Monte Carlo simulation model;
      
      a specified number of impact intervals for the quantitative risk;
      
      ora threat occurrence value.
  - 20. The system of claim 19, wherein the determined quantitative risk comprises one or more of a risk probability associated with a particular one of the impact intervals, a monetary impact associated with the particular one of the impact intervals, or a maximum quantitative risk value.
  - 21. The system of claim 17, wherein determining a plurality of threat scenarios comprises correlating one or more of the plurality of business enterprise assets with one or more of the associated impacts.
  - 22. The system of claim 17, wherein the operations further comprise:
    - identifying a plurality of asset protection measures, wherein the associated impacts are based, at least in part, on the identified plurality of business enterprise assets and protection measures.
  - 23. The system of claim 17, wherein identifying a threat to a business enterprise comprises receiving, through a form interface, the threat from a business enterprise risk manager, andidentifying, based on the threat, a plurality of business enterprise assets and associated impacts comprises receiving, through the form interface, the plurality of business enterprise assets and associated impacts from the business enterprise risk manager.
  - 24. The system of claim 17, wherein the operations further comprise:
    - receiving a modification of the assigned quantitative probability from a business enterprise risk manager; and
      
      determining, with the simulation model, a revised quantitative risk of the identified threat based on the modified quantitative probability and the assigned quantitative impact.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP AG (SAP SE)
Inventors
Mordvinova, Olga, Gerashchenko, Maxym

Application Number

US13/487,373
Publication Number

US 20130325545A1
Time in Patent Office

Days
Field of Search
US Class Current

705/7.28
CPC Class Codes

G06Q 10/06 Resources, workflows, human...

ASSESSING SCENARIO-BASED RISKS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

ASSESSING SCENARIO-BASED RISKS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links