Overall risk in a system
Abstract
A computer-implemented method and system for assessing the overall risk in at least part of an information technology system includes inputting into a risk assessment database a plurality of identified risks in a system; associating the risks to at least one severity band in a risk echelon; assigning a value to each risk; multiplying each risk value by a coefficient factor; and summing the factored risk values to determine the overall risk. The method preferably includes modifying the security implementation of the information technology system and determining the modified overall risk. The system preferably includes an automated vulnerability detection scanner to gather risk information, which is stored on a database and used in calculating the overall risk.
13 Claims
1. A computer-implemented method for assessing a single value representative of an overall risk in at least part of an information technology system comprising:
(a) assigning individual risks to bands of varying severity in a risk echelon;
(b) determining the current overall risk value by calculating a mean risk value of the highest severity risk band containing a risk by utilizing at least one computer having a risk analysis program;
(c) for each additional risk in said highest severity risk band, adding a first percentage of the space between the current overall risk value and the upper limit of the highest severity band by utilizing the risk analysis program;
(d) for each existing risk in bands below the band of highest severity risk, adding a second percentage of the space between the current overall risk value and the upper limit of the highest severity band multiplied by a coefficient factor relative to the proportionate level of risks in the respective bands by utilizing the risk analysis program;
(e) outputting an indication of the current overall risk in a humanly readable form; and
(f) based on the overall risk, identifying a modification to the information technology system.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computer-implemented method for assessing a single value representative of an overall risk in at least part of an information technology system comprising:
(a) inputting into a memory storage device a plurality of risks identified in the information technology system by utilizing at least one computer having a risk analysis program;
(b) associating the risks to at least one severity band in a risk echelon;
(c) assigning the initial overall risk value to be the lower limit of the highest severity band containing a risk by utilizing the risk analysis program;
(d) adding to the initial overall risk value a value of one half of the difference between the upper limit of said highest severity band and the initial overall risk value to determine an intermediate overall risk value by utilizing the risk analysis program;
(e) for each additional risk in that same band, adding successively one-half of the difference between the upper limit of said highest severity band and the most recent intermediate overall risk value to calculate the new most recent intermediate overall risk value by utilizing the risk analysis program;
(f) for each additional risk in bands of lesser severity, adding in series one half of the difference between the upper limit of said highest severity band and the most recent intermediate overall risk value wherein one-half of the difference is proportioned by a coefficient factor relative to the highest risk value to calculate the new most recent intermediate overall risk value by utilizing the risk analysis program;
(g) taking the new most recent intermediate overall risk value determined for the last risk as the overall risk value for the system;
(h) outputting an indication of the intermediate overall risk in a humanly readable form; and
(i) based on the overall risk, identifying a modification to the information technology system.
Dependent claims: 9, 10, 11, 12.
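The aggregation in claims 1 and 8 is easier to reason about when carried through on numbers. The Python below is an added illustration, not code from the patent or its assignee: it walks the claim 8 steps (initial value at the lower limit of the highest occupied band, then half the remaining gap for each risk in that band, then a coefficient-scaled half gap for each risk in lower bands) and, via the `fraction` parameter, the "first percentage" form of claim 1. The 0 to 100 scale, the four band limits, the sample risk values, the coefficient definition (a lower band's upper limit divided by the highest occupied band's upper limit) and the highest-to-lowest processing order of lower bands are all assumptions the claims leave open; the `remediation_effect` helper is likewise an assumed illustration of the "modify and determine the modified overall risk" step in the abstract.

```python
"""Added example: risk-echelon aggregation in the style of claims 1 and 8.
Everything numeric here (scale, band limits, coefficient rule) is an
assumption chosen for illustration, not taken from the patent."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Band:
    name: str
    lower: float  # lower band limit
    upper: float  # upper band limit


# Constructed risk echelon: four severity bands on a 0..100 scale (assumption).
ECHELON = (
    Band("low", 0.0, 25.0),
    Band("medium", 25.0, 50.0),
    Band("high", 50.0, 75.0),
    Band("critical", 75.0, 100.0),
)


def band_for(risk_value, echelon=ECHELON):
    """Claim 1 step (a): assign one individual risk value to a severity band.
    A value on a boundary goes to the higher band; the top limit is inclusive."""
    for band in echelon:
        if band.lower <= risk_value < band.upper:
            return band
    if risk_value == echelon[-1].upper:
        return echelon[-1]
    raise ValueError(f"risk value {risk_value} lies outside the echelon")


def overall_risk(risk_values, echelon=ECHELON, fraction=0.5):
    """Claim 8 steps (c)..(g); fraction=0.5 is the 'one half' of claim 8,
    any other value is the 'first percentage' of claim 1 (assumed equal to
    the 'second percentage' used for lower bands)."""
    if not risk_values:
        return 0.0  # assumption: no identified risks means no overall risk
    by_band = {}
    for v in risk_values:
        by_band.setdefault(band_for(v, echelon), []).append(v)
    top = max(by_band, key=lambda b: b.upper)  # highest band holding a risk
    r = top.lower                                # (c) start at its lower limit
    r += fraction * (top.upper - r)              # (d) first risk: half the gap
    for _ in by_band[top][1:]:                   # (e) further risks, same band
        r += fraction * (top.upper - r)
    # (f) risks in lesser bands: same step, scaled by a coefficient.
    # Assumption: coefficient = band.upper / top.upper, bands taken highest first.
    for band in sorted(by_band, key=lambda b: b.upper, reverse=True):
        if band is top:
            continue
        coeff = band.upper / top.upper
        for _ in by_band[band]:
            r += coeff * fraction * (top.upper - r)
    # (g) the last intermediate value is the overall risk; because every step
    # adds a fraction of the remaining gap, r never exceeds top.upper.
    return r


def remediation_effect(risk_values, remediated, echelon=ECHELON):
    """Assumed illustration of step (i)/the abstract: recompute the overall
    risk after the listed risks have been remediated. Returns (before, after)."""
    remaining = list(risk_values)
    for v in remediated:
        remaining.remove(v)
    return overall_risk(risk_values, echelon), overall_risk(remaining, echelon)


if __name__ == "__main__":
    # Constructed sample: two critical, one high, one medium risk.
    sample = [80.0, 90.0, 60.0, 30.0]
    before, after = remediation_effect(sample, [80.0, 90.0])
    print(f"overall risk: {before:.2f}; after fixing both criticals: {after:.2f}")
```

Two properties worth checking against the claim text: a single risk in a band yields exactly that band's mean (claim 1 step (b) and claim 8 steps (c) and (d) agree), and adding any further risk, in any band, moves the value up but never past the upper limit of the highest occupied band, so the score stays interpretable as "somewhere inside the worst band present".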
13. A computer-implemented method for assessing the overall risk in at least part of an information technology system, the method comprising:
assigning a plurality of risks to one of a plurality of severity bands in a risk echelon, wherein the plurality of risk bands includes a severity band to which a highest risk is assigned having an upper band limit $r_{i_{\max}}$ and a lower band limit $r_{i_{\max}-1}$;
calculating the overall risk value, R, by utilizing at least one computer having a risk analysis program programmed according to the equation;
based on the overall risk value, R, identifying a modification to the information technology system, the modification including at least one of system architecture, security protocol, security procedure, and organizational responsibility.