Overall risk in a system

US 6,895,383 B2
Filed: 03/29/2002
Issued: 05/17/2005
Est. Priority Date: 03/29/2001
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for assessing a single value representative of an overall risk in at least part of an information technology system comprising:

(a) assigning individual risks to bands of varying severity in a risk echelon;

(b) determining the current overall risk value by calculating a mean risk value of the highest severity risk band containing a risk by utilizing at least one computer having a risk analysis program;

(c) for each additional risk in said highest severity risk band, adding a first percentage of the space between the current overall risk value and the upper limit of the highest severity band by utilizing the risk analysis program;

(d) for each existing risk in bands below the band of highest severity risk, adding a second percentage of the space between the current overall risk value and the upper limit of the highest severity band multiplied by a coefficient factor relative to the proportionate level of risks in the respective bands by utilizing the risk analysis program;

(e) outputting an indication of the current overall risk in a humanly readable form; and

(f) based on the overall risk, identifying a modification to the information technology system.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method and system for assessing the overall risk in at least part of an information technology system includes inputting into a risk assessment database a plurality of identified risks in a system; associating the risks to at least one severity band in a risk echelon; assigning a value to each risk; multiplying each risk value by a coefficient factor; and summing the factored risk values to determine the overall risk. The method preferably includes modifying the security implementation of the information technology system and determining the modified overall risk. The system preferably includes an automated vulnerability detection scanner to gather risk information, which is stored on a database and used in calculating the overall risk.

167 Citations

13 Claims

1. A computer-implemented method for assessing a single value representative of an overall risk in at least part of an information technology system comprising:
- (a) assigning individual risks to bands of varying severity in a risk echelon;
  
  (b) determining the current overall risk value by calculating a mean risk value of the highest severity risk band containing a risk by utilizing at least one computer having a risk analysis program;
  
  (c) for each additional risk in said highest severity risk band, adding a first percentage of the space between the current overall risk value and the upper limit of the highest severity band by utilizing the risk analysis program;
  
  (d) for each existing risk in bands below the band of highest severity risk, adding a second percentage of the space between the current overall risk value and the upper limit of the highest severity band multiplied by a coefficient factor relative to the proportionate level of risks in the respective bands by utilizing the risk analysis program;
  
  (e) outputting an indication of the current overall risk in a humanly readable form; and
  
  (f) based on the overall risk, identifying a modification to the information technology system.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1 wherein the first and second percentages of space are between 10 and 60 percent.
  - 3. The method according to claim 1 wherein the first percentage of space is 50 percent.
  - 4. The method according to claim 1 further comprising modifying the security implementation of the information technology system, and determining the modified overall risk.
  - 5. The method according to claim 1 wherein the coefficient factor is the mean risk value of the band containing each existing risk divided by said mean risk value of the highest severity risk band.
  - 6. The method according to claim 1 where the first percentage is based on a number of risks.
  - 7. The method of claim 1, where the modification comprises at least one of system architecture, security protocol, security procedure, and organizational responsibility.

8. A computer-implemented method for assessing a single value representative of an overall risk in at least part of an information technology system comprising:
- (a) inputting into a memory storage device a plurality of risks identified in the information technology system by utilizing at least one computer having a risk analysis program;
  
  (b) associating the risks to at least one severity band in a risk echelon;
  
  (c) assigning the initial overall risk value to be the lower limit of the highest severity band containing a risk by utilizing the risk analysis program;
  
  (d) adding to the initial overall risk value a value of one half of the difference between the upper limit of said highest severity band and the initial overall risk value to determine an intermediate overall risk value by utilizing the risk analysis program;
  
  (e) for each additional risk in that same band, adding successively one-half of the difference between the upper limit of said highest severity band and the most recent intermediate overall risk value to calculate the new most recent intermediate overall risk value by utilizing the risk analysis program;
  
  (f) for each additional risk in bands of lesser severity, adding in series one half of the difference between the upper limit of said highest severity band and the most recent intermediate overall risk value wherein one-half of the difference is proportioned by a coefficient factor relative to the highest risk value to calculate the new most recent intermediate overall risk value by utilizing the risk analysis program;
  
  (g) taking the new most intermediate overall risk value determined for the last risk as the overall risk value for the system;
  
  (h) outputting an indication of the intermediate overall risk in a humanly readable form; and
  
  (i) based on the overall risk, identifying a modification to the information technology system.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The method according to claim 8 wherein the coefficient factor is proportional to a selected risk value of the band containing the risk to which the factor is applied divided by a selected risk value of said highest severity band.
  - 10. The method according to claim 9 wherein the selected risk value of the band containing the risk to which the factor is applied is the mean risk value of that band, and the selected risk value of said highest severity band is the mean value of said highest severity band.
  - 11. The method according to claim 8 wherein the step of identifying the risks includes performing network penetrations tests by utilizing the risk analysis program.
  - 12. The method of claim 8, where the modification comprises at least one of system architecture, security protocol, security procedure, and organizational responsibility.

13. A computer-implemented method for assessing the overall risk in at least part of an information technology system, the method comprising:
- assigning a plurality of risks to one of a plurality of severity bands in a risk echelon, wherein the plurality of risk bands includes a severity band to which a highest risk is assigned having an upper band limit r_i_maxand a lower band limit r_i_max_−
  
  1;
  
  calculating the overall risk value, R, by utilizing at least one computer having a risk analysis program programmed according to the equation;
  
  $R = r_{i_{\max} - 1} + \frac{r_{i_{\max}} - r_{i_{\max} - 1}}{r_{i_{\max}} + r_{i_{\max} - 1}} \times \sum_{k = 1}^{ R } [\frac{r_{i (m_{k}) - 1} + r_{i (m_{k})}}{2^{k}}]; and$ based on the overall risk value, R, identifying a modification to the information technology system, the modification including at least one of system architecture, security protocol, security procedure, and organizational responsibility.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Services Limited (Accenture PLC)
Original Assignee
Accenture SPA (Accenture PLC)
Inventors
Heinrich, Nicolas
Primary Examiner(s)
Hafiz, Tariq R.
Assistant Examiner(s)
Colón, Catherine M

Application Number

US10/113,202
Publication Number

US 20030046128A1
Time in Patent Office

1,145 Days
Field of Search

705/7
US Class Current

705/7.28
CPC Class Codes

G06Q 10/0635 Risk analysis of enterprise...

G06Q 40/08 Insurance

Overall risk in a system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

167 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Overall risk in a system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

167 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links