Overall risk in a system
Abstract
A computer-implemented method and system for assessing the overall risk in at least part of an information technology system includes inputting into a risk assessment database a plurality of identified risks in a system; associating the risks to at least one severity band in a risk echelon; assigning a value to each risk; multiplying each risk value by a coefficient factor; and summing the factored risk values to determine the overall risk. The method preferably includes modifying the security implementation of the information technology system and determining the modified overall risk. The system preferably includes an automated vulnerability detection scanner to gather risk information, which is stored on a database and used in calculating the overall risk.
25 Claims
1. A computer-implemented method for assessing a single value representative of an overall risk in at least part of an information technology system comprising:
inputting into a risk assessment database a plurality of risks for an information technology system by utilizing at least one computer having a risk analysis program, wherein each of the risks represents a security vulnerability for the information technology system;
associating the plurality of risks with at least one severity band in a risk echelon and storing said association in a memory storage device;
assigning a risk value to each of the plurality of risks that represents a value of danger associated with the risk;
for each of the plurality of risks, assigning a risk rank to the risk that indicates the magnitude of the risk value assigned to the risk;
determining, with the risk analysis program stored on the at least one computer, a band limit value for the at least one severity band, wherein the band limit value indicates a risk limit value for the risk values associated with the at least one severity band;
for each of the plurality of risks, determining, with the risk analysis program stored on the at least one computer, a corresponding coefficient factor based on the assigned risk rank and the band limit value for the at least one severity band associated with the risk, each coefficient factor having a decreasing magnitude from a coefficient factor corresponding to a highest risk value to a coefficient factor corresponding to a lowest risk value;
summing, with the risk analysis program stored on the at least one computer, each of the corresponding coefficient factors together to determine a coefficient factor summation;
multiplying, with the risk analysis program stored on the at least one computer, the coefficient factor summation with a risk multiplicand to determine a risk product, wherein the risk multiplicand is defined as
Dependent claims: 2, 3, 4, 5, 6
7. A computer-implemented method for identifying an overall risk in at least part of an information technology system comprising:
(a) identifying a plurality of individual risks for an information technology system, wherein each of the risks represents a security vulnerability for the information technology system;
(b) associating, with a risk analysis program stored on a computer, each of the plurality of individual risks with a corresponding severity risk band in a risk echelon; and
(c) determining, with the risk analysis program stored on the computer, an overall risk according to: determining a mean risk value of the highest severity risk band containing a risk; and, for each risk in the highest severity risk band, adding an incremental risk value to the mean risk value; wherein the incremental risk value is determined according to an associated risk band for each of the individual risks of the risk echelon and a rank of each of the individual risks in the risk echelon.
Dependent claims: 8, 9
10. A computer-implemented method for assessing a risk in at least part of an information technology system comprising:
(a) inputting into a memory storage device an association of a plurality of risks identified in the information technology system to at least one corresponding severity band in a risk echelon by utilizing at least one computer having a risk analysis program, wherein each of the plurality of risks represents a security vulnerability for the information technology system;
(b) adding to an initial overall risk value a value of one half of the difference between an upper limit of a highest severity band containing a risk and the initial overall risk value to determine, with the risk analysis program stored on the at least one computer, an intermediate overall risk value, the initial overall risk value being a lower limit of the highest severity band containing a risk;
(c) for each additional risk in the highest severity band containing a risk, using the risk analysis program stored on the at least one computer to add successively one-half of the difference between the upper limit of the highest severity band containing a risk and the intermediate overall risk value to re-determine the intermediate overall risk value, and assigning the most recent risk from the highest severity band used to re-determine the intermediate overall risk value as a final risk;
(d) for each additional risk in bands having a severity less than the severity of the highest severity band containing a risk, adding in series a proportioned value of one half of a difference between the upper limit of the highest severity band containing a risk and the intermediate overall risk value, wherein one-half of the difference is proportioned by a coefficient factor relative to the highest risk value, to re-determine the intermediate overall risk value with the risk analysis program, and assigning the most recent risk from the bands having a severity less than the severity of the highest severity band containing a risk used to re-determine the intermediate overall risk value as the final risk; and
(e) assigning the intermediate overall risk value determined for the final risk as the overall risk value for the system.
Dependent claims: 11, 12, 13, 14, 15
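As an added worked example (not code from the patent or its assignee), the aggregation of claim 10 in Python; it is the same computation claim 7 states as a band mean plus per-risk increments. The four band limits and the coefficient factor (a lower band's upper limit divided by the top occupied band's upper limit) are constructed assumptions, since the claims fix neither.

```python
from dataclasses import dataclass
from typing import Callable, Sequence


@dataclass(frozen=True)
class Band:
    """One severity band of the risk echelon, covering risk values [lower, upper]."""
    name: str
    lower: float
    upper: float


# Constructed four-band echelon (assumption: the claims give no concrete limits).
ECHELON = (
    Band("low", 0.0, 25.0),
    Band("medium", 25.0, 50.0),
    Band("high", 50.0, 75.0),
    Band("critical", 75.0, 100.0),
)


def band_ratio_coefficient(band: Band, top: Band) -> float:
    """Assumed coefficient factor for a risk in a less severe band: that band's
    upper limit relative to the top occupied band's upper limit. The claim only
    says the factor is 'relative to the highest risk value'; this choice is ours."""
    return band.upper / top.upper


def overall_risk(risk_bands: Sequence[str], echelon: Sequence[Band] = ECHELON,
                 coefficient: Callable[[Band, Band], float] = band_ratio_coefficient) -> float:
    """Collapse a list of risks (each given by its severity band name) into one
    overall risk value following steps (b) to (e) of claim 10."""
    if not risk_bands:
        raise ValueError("no risks identified; nothing to aggregate")
    by_name = {b.name: b for b in echelon}
    rank = {b.name: i for i, b in enumerate(echelon)}
    # (a) the band association; the most severe band that actually holds a risk
    top = by_name[max(risk_bands, key=rank.__getitem__)]
    # (b) start at that band's lower limit and move half way to its upper limit
    value = top.lower + 0.5 * (top.upper - top.lower)
    # (c) every further risk in the top band closes half of the remaining gap
    for _ in range(risk_bands.count(top.name) - 1):
        value += 0.5 * (top.upper - value)
    # (d) risks in less severe bands close a proportioned share of the gap; most
    #     severe first (assumed order; with a per-band coefficient the order does
    #     not change the result, since each step scales the gap by 1 - c/2)
    lower_risks = sorted((n for n in risk_bands if n != top.name),
                         key=rank.__getitem__, reverse=True)
    for name in lower_risks:
        value += coefficient(by_name[name], top) * 0.5 * (top.upper - value)
    # (e) the last intermediate value is the overall risk; it never reaches top.upper
    return value
```

One property worth checking in any implementation: however many lower-band risks are added, the overall value stays inside the most severe band that contains a risk, so a pile of low findings cannot be reported as a critical system.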
16. A computer-implemented method for assessing the overall risk in an information technology system comprising:
utilizing a risk analysis program stored on at least one computer to enter into a memory device a plurality of risks in a system, wherein each risk is associated with a component, category or method of the system;
associating the risks with at least one severity band in a risk echelon and storing said associations in the memory device;
assigning a numerical value to each risk utilizing the at least one computer having the risk analysis program;
determining, with the risk analysis program stored on the at least one computer, a band limit value for the at least one severity band that indicates a risk limit value for the numerical value assigned to each risk associated with the at least one severity band;
determining, with the risk analysis program stored on the at least one computer, a coefficient factor for each of the risks, wherein the coefficient factor is determined based on the band limit value of the associated severity band for the assigned risk value and a rank of the risk within the at least one severity band, each coefficient factor having a decreasing magnitude from a coefficient factor corresponding to a highest numerical value to a coefficient factor corresponding to a lowest numerical value;
summing, with the risk analysis program stored on the at least one computer, each of the coefficient factors associated with said one of a component, category or method together to determine a coefficient factor summation;
multiplying, with the risk analysis program stored on the at least one computer, the coefficient factor summation with a risk multiplicand to determine a risk product, wherein the risk multiplicand is defined as
Dependent claims: 17, 18, 19, 20
21. A system for conducting a risk assessment of a computer network system, the system comprising:
at least one risk assessment database for storing risk assessment information associated with the computer network system, the risk assessment information being recorded in the risk assessment database through user input;
at least one internet scanner database for storing risk assessment information associated with the computer network system and being generated by an automated vulnerability scanner, the at least one internet scanner database being configured to share computer network system risk information with the at least one risk assessment database for analysis of a vulnerability of the computer network system;
a processor for determining an overall risk value associated with at least one component associated with the computer network system according to information in the internet scanner database and the at least one risk assessment database and computer network information, wherein the overall risk value is determined according to
Dependent claims: 22, 23, 24, 25