Overall risk in a system

US 7,613,625 B2
Filed: 11/09/2004
Issued: 11/03/2009
Est. Priority Date: 03/29/2001
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for assessing a single value representative of an overall risk in at least part of an information technology system comprising:

inputting into a risk assessment database a plurality of risks for an information technology system by utilizing at least one computer having a risk analysis program, wherein each of the risks represent a security vulnerability for the information technology system;

associating the plurality of risks with at least one severity band in a risk echelon and storing said association in a memory storage device;

assigning a risk value to each of the plurality of risks that represents a value of danger associated with the risk;

for each of the plurality of risks, assigning a risk rank to the risk that indicates the magnitude of the risk value assigned to the risk;

determining, with the risk analysis program stored on the at least one computer, a band limit value for the at least one severity band, wherein the band limit value indicates a risk limit value for the risk values associated with the at least one severity band;

for each of the plurality of risks, determining, with the risk analysis program stored on the at least one computer, a corresponding coefficient factor based on the assigned risk rank and the band limit value for the at least one severity band associated with the risk, each coefficient factor having a decreasing magnitude from a coefficient factor corresponding to a highest risk value to a coefficient factor corresponding to a lowest risk value;

summing, with the risk analysis program stored on the at least one computer, each of the corresponding coefficient factors together to determine a coefficient factor summation;

multiplying, with the risk analysis program stored on the at least one computer, the coefficient factor summation with a risk multiplicand to determine a risk product, wherein the risk multiplicand is defined as

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method and system for assessing the overall risk in at least part of an information technology system includes inputting into a risk assessment database a plurality of identified risks in a system; associating the risks to at least one severity band in a risk echelon; assigning a value to each risk; multiplying each risk value by a coefficient factor; and summing the factored risk values to determine the overall risk. The method preferably includes modifying the security implementation of the information technology system and determining the modified overall risk. The system preferably includes an automated vulnerability detection scanner to gather risk information, which is stored on a database and used in calculating the overall risk.

65 Citations

View as Search Results

25 Claims

1. A computer-implemented method for assessing a single value representative of an overall risk in at least part of an information technology system comprising:
- inputting into a risk assessment database a plurality of risks for an information technology system by utilizing at least one computer having a risk analysis program, wherein each of the risks represent a security vulnerability for the information technology system;
  
  associating the plurality of risks with at least one severity band in a risk echelon and storing said association in a memory storage device;
  
  assigning a risk value to each of the plurality of risks that represents a value of danger associated with the risk;
  
  for each of the plurality of risks, assigning a risk rank to the risk that indicates the magnitude of the risk value assigned to the risk;
  
  determining, with the risk analysis program stored on the at least one computer, a band limit value for the at least one severity band, wherein the band limit value indicates a risk limit value for the risk values associated with the at least one severity band;
  
  for each of the plurality of risks, determining, with the risk analysis program stored on the at least one computer, a corresponding coefficient factor based on the assigned risk rank and the band limit value for the at least one severity band associated with the risk, each coefficient factor having a decreasing magnitude from a coefficient factor corresponding to a highest risk value to a coefficient factor corresponding to a lowest risk value;
  
  summing, with the risk analysis program stored on the at least one computer, each of the corresponding coefficient factors together to determine a coefficient factor summation;
  
  multiplying, with the risk analysis program stored on the at least one computer, the coefficient factor summation with a risk multiplicand to determine a risk product, wherein the risk multiplicand is defined as
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method according to claim 1 wherein the value assigned to each risk is the mean value of the at least one severity band in which the risk is assigned.
  - 3. The method according to claim 1 wherein the corresponding coefficient factor for each risk is smaller for risks in bands of lower severity.
  - 4. The method according to claim 3 wherein the corresponding coefficient factors are determined such that the overall risk value does not exceed the upper risk value of the highest severity band containing a risk.
  - 5. The method of claim 1, further comprising identifying a modification to the information technology system based on the overall risk.
  - 6. The method of claim 5, wherein the modification comprises at least one of system architecture, security protocol, security procedure, and organizational responsibility.

7. A computer-implemented method for identifying an overall risk in at least part of an information technology system comprising:
- (a) identifying a plurality of individual risks for an information technology system, wherein each of the risks represent a security vulnerability for the information technology system;
  
  (b) associating, with a risk analysis program stored on a computer, each of the plurality of individual risks with a corresponding severity risk band in a risk echelon; and
  
  (c) determining, with the risk analysis program stored on the computer, an overall risk according to;
  
  determining a mean risk value of the highest severity risk band containing a risk; and
  
  ,for each risk in the highest severity risk band, adding an incremental risk value to the mean risk value;
  
  wherein;
  
  the incremental risk value is determined according to an associated risk band for each of the individual risks of the risk echelon and a rank of each of the individual risks in the risk echelon.
- View Dependent Claims (8, 9)
- - 8. The method according to claim 7 further comprising identifying a modification to the information technology system according to the overall risk.
  - 9. The method of claim 8, wherein the modification comprises at least one of system architecture, security protocol, security procedure, and organizational responsibility.

10. A computer-implemented method for assessing a risk in at least part of an information technology system comprising:
- (a) inputting into a memory storage device an association of a plurality of risks identified in the information technology system to at least one corresponding severity band in a risk echelon by utilizing at least one computer having a risk analysis program, wherein each of the plurality of risks represent a security vulnerability for the information technology system;
  
  (b) adding to an initial overall risk value a value of one half of the difference between an upper limit of a highest severity band containing a risk and the initial overall risk value to determine, with the risk analysis program stored on the at least one computer, an intermediate overall risk value, the initial overall risk value being a lower limit of the highest severity band containing a risk;
  
  (c) for each additional risk in the highest severity band containing a risk, using the risk analysis program stored on the at least computer to add successively one-half of the difference between the upper limit of the highest severity band containing a risk and the intermediate overall risk value to re-determine the intermediate overall risk value, and assign a most recent risk from the highest severity band used to re-determine the intermediate overall risk value as a final risk;
  
  (d) for each additional risk in bands having a severity less than the severity of the highest severity band containing a risk, adding in series a proportioned value of one half of a difference between the upper limit of the highest severity band containing a risk and the intermediate overall risk value, wherein one-half of the difference is proportioned by a coefficient factor relative to the highest risk value, to re-determine the intermediate overall risk value with the risk analysis program and assigning the most recent risk from the bands having a severity less than the severity of the highest severity band containing a risk used to re-determine the intermediate overall risk value as the final risk; and
  
  (e) assigning the intermediate overall risk value determined for the final risk as the overall risk value for the system.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method according to claim 10 wherein the coefficient factor is proportional to a selected risk value of the band containing the risk to which the factor is applied divided by a selected risk value of the highest severity band.
  - 12. The method according to claim 11 wherein the selected risk value of the band containing the risk to which the factor is applied is the mean risk value of that band, and the selected risk value of the highest severity band is the mean risk value of said highest severity band.
  - 13. The method according to claim 10 further comprising identifying the plurality of risks according to network penetrations tests by utilizing the risk analysis program.
  - 14. The method of claim 10, further comprising identifying a modification to the information technology system according to the overall risk.
  - 15. The method of claim 14, wherein the modification comprises at least one of system architecture, security protocol, security procedure, and organizational responsibility.

16. A computer-implemented method for assessing the overall risk in an information technology system comprising:
- utilizing a risk analysis program stored on at least one computer to enter into a memory device a plurality of risks in a system, wherein each risk is associated with a component, category or method of the system;
  
  associating the risks with at least one severity band in a risk echelon and storing said associations in the memory device;
  
  assigning a numerical value to each risk utilizing the at least one computer having the risk analysis program;
  
  determining, with the risk analysis program stored on the least one computer, a band limit value for the at least one severity band that indicates a risk limit value for the numerical value assigned to each risk associated with the at least one severity band;
  
  determining, with the risk analysis program stored on the at least one computer, a coefficient factor for each of the risks, wherein the coefficient factor is determined based on the band limit value of the associated severity band for the assigned risk value and a rank of the risk within the at least one severity band, each coefficient factor having a decreasing magnitude from a coefficient factor corresponding to a highest numerical value to a coefficient factor corresponding to a lowest numerical value;
  
  summing, with the risk analysis program stored on the at least one computer, each of the coefficient factors associated with said one of a component, category or method together to determine a coefficient factor summation;
  
  multiplying, with the risk analysis program stored on the at least one computer, the coefficient factor summation with a risk multiplicand to determine a risk product, wherein the risk multiplicand is defined as
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method according to claim 16:
    - wherein the overall risk determined by the method of claim 16 is an overall risk in the system for a component; and
      
      further comprising;
      
      determining a component overall risk for each component in the system, wherein each component overall risk is an overall risk in the system for the component;
      
      multiplying each component overall risk by a participation factor to determine a plurality of factored component overall risks, wherein the participation factor represents the component participation of the component corresponding to the component overall risk;
      
      placing each of the plurality of factored overall risks into a risk echelon; and
      
      calculating an overall risk of the system based on the factored overall risks in the risk echelon.
  - 18. The method of claim 17 further comprising:
    - determining an overall average coverage for a category by, when given a plurality of methods for identifying risks and a plurality of weight factors, wherein each weight factor corresponds to a method of the plurality of methods;
      
      for each method, calculating a weighted coverage of the system in the category for the method by multiplying a coverage of the system in the category for the method with the weight factor corresponding to the method, wherein the weight factor represents an importance of the method for the category;
      
      calculating a weighted coverage summation numerator by adding each of the weighted coverages together;
      
      calculating weight summation denominator by adding each of the weight factors of the plurality of weight factors together; and
      
      dividing the weighted coverage summation numerator by the weight summation denominator.
  - 19. The method according to claim 18 further comprising:
    - determining an overall average coverage of the system by, for a plurality of categories, calculating a sum of all of the overall average coverages per category weighted with an importance coefficient factor of the category, and dividing the sum of the weighted coverages per category by a sum of the importance coefficient factors.
  - 20. The method of claim 16, further comprising:
    - identifying a modification to at least any one of the system architecture, security protocol, security procedure, and organizational responsibility.

21. A system for conducting a risk assessment of a computer network system, the system comprising:
- at least one risk assessment database for storing risk assessment information associated with the computer network system, the risk assessment information being recorded in the risk assessment database through user input;
  
  at least one internet scanner database for storing risk assessment information associated with the computer network system and being generated by an automated vulnerability scanner, the at least one internet scanner database being configured to share computer network system risk information with the at least one risk assessment database for analysis of a vulnerability of the computer network system;
  
  a processor for determining an overall risk value associated with at least one component associated with the computer network system according to information in the internet scanner database and the at least one risk assessment database and computer network information, wherein the overall risk value is determined according to;
- View Dependent Claims (22, 23, 24, 25)
- - 22. The system of claim 21 further comprising an automated vulnerability scanner tool in communication with said internet scanner database to populate said internet scanner database with risk assessment information.
  - 23. The system of claim 22, wherein said interface displays visual representation of individual risk values of vulnerabilities in the computer network system based on relative contribution to overall risk.
  - 24. The system of claim 21, wherein the risk assessment database includes information from at least one of a back office analysis, interviews with different actors of the computer network system and a physical walk through.
  - 25. The system of claim 21, wherein the at least one component is a server associated with the computer network system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Services Limited (Accenture PLC)
Original Assignee
Accenture SPA (Accenture PLC)
Inventors
Heinrich, Nicolas
Primary Examiner(s)
Boswell; Beth V
Assistant Examiner(s)
Kardos; Neil R

Application Number

US10/984,057
Publication Number

US 20050114186A1
Time in Patent Office

1,820 Days
Field of Search

705/7
US Class Current

705/7.28
CPC Class Codes

G06Q 10/0635 Risk analysis of enterprise...

G06Q 40/08 Insurance

Overall risk in a system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

65 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Overall risk in a system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links