Apparatus and method for assessing financial loss from cyber threats capable of affecting at least one computer network

US 9,762,605 B2
Filed: 02/01/2016
Issued: 09/12/2017
Est. Priority Date: 12/22/2011
Status: Active Grant

First Claim

Patent Images

1. Apparatus for assessing financial loss from cyber threats capable of affecting at least one computer network, the threat including at least one electronic threat, the computer network comprising a plurality of IT systems and a plurality of business processes operating on the plurality of IT systems, the apparatus comprising at least one processor configured pursuant to programming code in a non-transitory computer readable memory coupled to the processor, the non-transitory computer memory storing instructions executable by the processor that cause the processor to:

predict future cyber threat activity using a Monte Carlo method based on stochastic modeling of actual past observed computer network cyber threat activity, to receive observed cyber threat data from a database, the list of observed cyber threats including information, for each threat, of identification of at least one computer system targeted, to extrapolate future event frequency, to produce a profile of predicted cyber threat activity, wherein for each actual observed cyber threat on the computer network, an identifier, a name, a description of the threat, a temporal profile specifying frequency of occurrence, a target (or targets) for the threat and a severity score for the (each target) are included in the cyber threat data within the database,output the predicted future threat activity to one or more firewalls to improve their accuracy in correctly identifying cyber threats actually observed on the one or more computer networks to improve the accuracy of the apparatus and stochastic modeling of assessing financial loss from cyber threats on an ongoing basis,determine expected downtime of each system of the plurality of IT systems in dependence upon said predicted threat activity including the severity scores and extrapolated future event frequency,determine loss for each of the plurality of business processes dependent on the downtimes of the IT systems, andadd losses for the plurality of business processes so as to obtain a combined financial loss arising from the cyber threat activity.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and method for assessing financial loss posed by cyber threats capable of affecting at least one computer network in which a plurality of systems operate based on statistical modelling of cyber threat events to determine predicted threat activity, to determine expected downtime of each system in dependence upon said predicted cyber threat activity, to determine financial loss for each of a plurality of operational processes dependent upon the downtimes of the systems, to add financial losses for the plurality of processes so as to obtain a combined financial loss arising from the cyber threat activity, to determine pricing of insurance, to determine cost benefit analysis of computer network security upgrades.

25 Citations

View as Search Results

15 Claims

1. Apparatus for assessing financial loss from cyber threats capable of affecting at least one computer network, the threat including at least one electronic threat, the computer network comprising a plurality of IT systems and a plurality of business processes operating on the plurality of IT systems, the apparatus comprising at least one processor configured pursuant to programming code in a non-transitory computer readable memory coupled to the processor, the non-transitory computer memory storing instructions executable by the processor that cause the processor to:
- predict future cyber threat activity using a Monte Carlo method based on stochastic modeling of actual past observed computer network cyber threat activity, to receive observed cyber threat data from a database, the list of observed cyber threats including information, for each threat, of identification of at least one computer system targeted, to extrapolate future event frequency, to produce a profile of predicted cyber threat activity, wherein for each actual observed cyber threat on the computer network, an identifier, a name, a description of the threat, a temporal profile specifying frequency of occurrence, a target (or targets) for the threat and a severity score for the (each target) are included in the cyber threat data within the database,output the predicted future threat activity to one or more firewalls to improve their accuracy in correctly identifying cyber threats actually observed on the one or more computer networks to improve the accuracy of the apparatus and stochastic modeling of assessing financial loss from cyber threats on an ongoing basis,determine expected downtime of each system of the plurality of IT systems in dependence upon said predicted threat activity including the severity scores and extrapolated future event frequency,determine loss for each of the plurality of business processes dependent on the downtimes of the IT systems, andadd losses for the plurality of business processes so as to obtain a combined financial loss arising from the cyber threat activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The apparatus according to claim 1, wherein the instructions comprise:
    - A first module configured to determine the predicted computer network cyber threat activity including, for the at least one computer network cyber threat, to receive actual observed computer network cyber threat cyber threat data from a database, to extrapolate future computer network cyber threat activity using a Monte Carlo method based on stochastic modeling of actual past observed computer network cyber threat activity, to receive observed computer network cyber threat data from a database, the list of observed computer network cyber threats including information, for each computer network cyber threat, of identification of at least one computer system targeted;
      
      output the predicted future computer network cyber threat activity to one or more firewalls to improve their accuracy in correctly identifying computer network cyber threats actually observed on the one or more computer networks, to improve the accuracy of the apparatus and stochastic modeling of assessing financial loss from computer network cyber threats on an ongoing basis,a second module configured to determine the expected downtime of each IT system of the plurality of IT systems in dependence upon said predicted computer network cyber threat activity including the severity scores and extrapolated future computer network cyber threat event frequency; and
      
      a third module configured to determine the loss for each of a plurality of business processes dependent on the downtimes of each of the plurality of IT systems and to add losses for the plurality of business processes so as to obtain a combined financial loss arising from the predicted future computer network cyber threat activity.
  - 3. The apparatus according to claim 1, wherein the apparatus is configured to model a set of past observed computer network cyber threat events so as to obtain at least one model parameter, wherein at least one model parameter includes at least one parameter indicating goodness of fit of the model, using regression, weighted regression, linear regression, exponential regression, at least two different models, and to obtain at least two different sets of model parameters.
  - 4. The apparatus according to claim 1, comprising a user interface which is configured to;
    - present at least one model parameter to a userpresent an outcome of stochastic modeling to a user, and todisplay at least one of the financial losses and the combined financial loss on a display device.
  - 5. The apparatus according to claim 1, wherein the apparatus is configured to:
    - predict future threat events using at least one model parameter anda stochastic model using said at least one model parameterrandomly draw at least one variable according to a predefined distribution and use said at least one variable in the stochastic modelpredict a distribution of future computer network cyber threat events using a Monte Carlo method by repeating a simulation, andallow for parameter uncertainty.
  - 6. The apparatus according to claim 1, wherein the apparatus is configured to store at least one of the financial losses and the combined financial loss in a storage device.
  - 7. The apparatus according to claim 1, wherein financial loss is expressed as:
    - expected loss, defined as estimated loss frequency multiplied by estimated loss severity, summed for all exposures;
      
      a priori minimum insurance risk premium value, and insurance loss reserve value.
  - 8. The apparatus according to claim 1, wherein the past list of observed computer network cyber threats includes, for each observed computer network cyber threat, information, identifying at least one IT system, and a temporal profile defined in terms of day, period of day and frequency of occurrence.
  - 9. The apparatus according to claim 1, wherein the frequency of occurrence of the past observed computer network cyber threat includes at least one period of time, and corresponding frequency of occurrence for the at least one period of time.
  - 10. The apparatus according to claim 1, wherein the one or more processors is configured pursuant to programming code to provide at least two modules includinga first module configured to predict future computer network cyber threat activity using a Monte Carlo method, andto output the predicted future computer network cyber threat activity to a second module.

11. A computer-implemented method, the method being performed by a computer system having one or more computer processors and a non-transitory computer readable memory in which programming code is stored, whereupon execution of the programming code by one or more computer processors the computer system performs operations comprising:
- predicting future cyber threat activity, for each of a plurality of computer network cyber threats, using a Monte Carlo method based on stochastic modeling of actual past observed computer network cyber threat activity, to receive observed cyber threat data from a database, the list of observed cyber threats including information, for each threat, of identification of at least one computer system targeted, to extrapolate future event frequency, to produce a profile of predicted cyber threat activity, wherein for each actual observed cyber threat on the computer network, an identifier, a name, a description of the threat, a temporal profile specifying frequency of occurrence, a target (or targets) for the threat and a severity score for the (each target) are included in the cyber threat data within the database, output the predicted future threat activity to one or more firewalls to improve their accuracy in correctly identifying cyber threats actually observed on the one or more computer networks to improve the accuracy of the apparatus and stochastic modeling of assessing financial loss from cyber threats on an ongoing basis,wherein for each given threat the method comprises;
  
  modeling a set of past observed computer network cyber threat events to obtain an estimate of at least one model parameter;
  
  performing a Monte Carlo simulation of the given computer network cyber threat by;
  
  predicting future computer network cyber threat events using the at least one model parameter and a stochastic model using a projection of at least one model parameter which is based on the estimate of at least one model parameter and on a randomly-drawn variable according to a predefined distribution and to use said at least one variable in the stochastic model andpredicting a distribution of future computer network cyber threat events by repeating the simulation using a plurality of variables,determining expected downtime of each IT system in dependence upon said predicted future computer network cyber threat activity,determining financial loss for each of a plurality of operational processes dependent on the downtimes of the IT systemsadding losses for the plurality of processes to obtain a combined financial loss arising from the future computer network cyber threat activity.
- View Dependent Claims (12, 14)
- - 12. The method according to claim 11, wherein the predicting computer network cyber threat activity based on stochastic modeling of past observed computer network cyber threat events includesmodeling a set of past observed computer network cyber threat events so as to obtain at least one model parameter, andpredicting future computer network cyber threat events using at least one model parameter and a stochastic model using said at least one model parameter.
  - 14. The method of claim 11, in which the computer system includes at least two modules, wherein the method further comprises:
    - using a first module to predict future computer network cyber threat activity and to output the predicted future computer network cyber threat activity to a second module.

13. A computer readable medium having a computer program thereon, which when executed by a computer system having one or more computer processors and a non-transitory computer readable memory, causes the computer system to perform steps comprising:
- to predict, for each of a plurality of computer network cyber threats, future cyber threat activity using a Monte Carlo method based on stochastic modeling of actual past observed computer network cyber threat activity, to receive observed cyber threat data from a database, the list of observed cyber threats including information, for each threat, of identification of at least one computer system targeted, to extrapolate future event frequency, to produce a profile of predicted cyber threat activity, wherein for each actual observed cyber threat on the computer network, an identifier, a name, a description of the threat, a temporal profile specifying frequency of occurrence, a target (or targets) for the threat and a severity score for the (each target) are included in the cyber threat data within the database, output the predicted future threat activity to one or more firewalls to improve their accuracy in correctly identifying cyber threats actually observed on the one or more computer networks to improve the accuracy of the apparatus and stochastic modeling of assessing financial loss from cyber threats on an ongoing basis;
  
  wherein execution of the computer program causes the computer system to perform, for each given threat, steps further comprising;
  
  modeling a set of past observed computer network cyber threat events to obtain an estimate of at least one model parameter;
  
  performing a Monte Carlo simulation of the given computer network cyber threat by;
  
  predicting future computer network cyber threat events using the at least one model parameter and a stochastic model using a projection of at least one model parameter which is based on the estimate of at least one model parameter and on a randomly-drawn variable according to a predefined distribution and to use said at least one variable in the stochastic model and predicting a distribution of future computer network cyber threat events by repeating the simulation using a plurality of variables.
- View Dependent Claims (15)
- - 15. The non-transitory computer readable memory of claim 13, wherein the computer program, when executed by the computer system, causes the computer system to include at least two modules including a first module configured to predict future computer network cyber threat activity and to output the predicted future computer network cyber threat activity to a second module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Phillip King-Wilson
Original Assignee
Phillip King-Wilson
Inventors
King-Wilson, Phillip
Primary Examiner(s)
Tolentino, Roderick

Application Number

US15/012,182
Publication Number

US 20160197953A1
Time in Patent Office

589 Days
Field of Search

726 26- 30
US Class Current
CPC Class Codes

G06Q 40/08 Insurance

H04L 63/1433 Vulnerability analysis

Apparatus and method for assessing financial loss from cyber threats capable of affecting at least one computer network

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

25 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for assessing financial loss from cyber threats capable of affecting at least one computer network

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links