Systems and methods for cyber security risk assessment

US 9,930,062 B1
Filed: 06/26/2017
Issued: 03/27/2018
Est. Priority Date: 06/26/2017
Status: Active Grant

First Claim

Patent Images

1. A method for evaluating cyber readiness of an organization, the method comprising:

presenting, by a computer, a plurality of objective questions to a user, wherein each of the objective questions has one or more predefined answers to be selected by said user;

receiving, by said computer, answers to said plurality of objective questions from said user;

correlating, by said computer, one or more of said objective questions to a plurality of elements of an organizational safeguard;

determining based on said answers, by said computer, a risk rating for a threat origin of a cyber-attack;

determining based on said answers, by said computer, a strength rating for said organizational safeguard against said threat origin, wherein said elements of said organizational safeguard collectively determine said strength rating of said organizational safeguard;

comparing, by said computer, said risk rating of said threat origin to said strength rating of said organizational safeguard;

determining based on said comparison, by said computer, a cyber readiness rating of said organizational safeguard from said cyber-attack by said threat origin; and

presenting, by said computer, the cyber readiness rating of said organizational safeguard,wherein determining of said strength rating of said organizational safeguard comprises;

determining, by said computer, a strength rating for a first element of said organizational safeguard based on at least one of said answers,determining, by said computer, a strength rating for a second element of said organizational safeguard based on at least one of said answers, anddetermining, by said computer, a strength rating for a third element of said organizational safeguard based on said strength rating of said first element and said strength rating of said second element.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed to methods, systems, and non-transitory computer readable mediums which can evaluate cyber readiness of an organization. The methods can include: presenting a plurality of objective questions to a user; receiving answers to said plurality of objective questions from said user; determining based on said answers a risk rating for a threat origin of a cyber-attack; determining based on said answers a strength rating for an organizational safeguard against said threat origin; comparing said risk rating of said threat origin to said strength rating of said organizational safeguard; determining based on said comparison a cyber readiness of said organizational safeguard from said cyber-attack by said threat origin; and presenting the cyber readiness of said organizational safeguard. Systems and non-transitory computer readable mediums operating in a similar fashion as such systems are disclosed herein.

Citations

27 Claims

1. A method for evaluating cyber readiness of an organization, the method comprising:
- presenting, by a computer, a plurality of objective questions to a user, wherein each of the objective questions has one or more predefined answers to be selected by said user;
  
  receiving, by said computer, answers to said plurality of objective questions from said user;
  
  correlating, by said computer, one or more of said objective questions to a plurality of elements of an organizational safeguard;
  
  determining based on said answers, by said computer, a risk rating for a threat origin of a cyber-attack;
  
  determining based on said answers, by said computer, a strength rating for said organizational safeguard against said threat origin, wherein said elements of said organizational safeguard collectively determine said strength rating of said organizational safeguard;
  
  comparing, by said computer, said risk rating of said threat origin to said strength rating of said organizational safeguard;
  
  determining based on said comparison, by said computer, a cyber readiness rating of said organizational safeguard from said cyber-attack by said threat origin; and
  
  presenting, by said computer, the cyber readiness rating of said organizational safeguard,wherein determining of said strength rating of said organizational safeguard comprises;
  
  determining, by said computer, a strength rating for a first element of said organizational safeguard based on at least one of said answers,determining, by said computer, a strength rating for a second element of said organizational safeguard based on at least one of said answers, anddetermining, by said computer, a strength rating for a third element of said organizational safeguard based on said strength rating of said first element and said strength rating of said second element.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein presenting the cyber readiness rating of said organization comprises:
    - presenting, by said computer, said threat origin and said risk rating of said threat origin; and
      
      presenting, by said computer, said organizational safeguard and said strength rating of said organization safeguard.
  - 3. The method of claim 2, additionally comprising:
    - identifying, by said computer, a relationship between said risk rating of said threat origin and said strength rating of said organizational safeguard.
  - 4. The method of claim 3, wherein said cyber readiness rating of said organizational safeguard from said cyber-attack by said threat origin comprises one of a plurality of levels, the levels being severe gap, possible concern, and okay.
  - 5. The method of claim 1, wherein said risk rating of said threat origin is determined independent from said strength rating of said organizational safeguard.
  - 6. The method of claim 1, wherein determining said risk rating of said threat origin comprises:
    - determining based on said answers, by said computer, a plurality of threat vectors, wherein the threat vectors correspond to the threat origin; and
      
      determining based on said answers, by said computer, a risk rating for each of said threat vectors.
  - 7. The method of claim 6, wherein determining said risk rating of said threat origin further comprises:
    - determining based on said risk rating for each of said threat vectors, by said computer, a cumulative risk rating of said threat origin.
  - 8. The method of claim 1 wherein determining said strength rating of said organizational safeguard additionally comprises:
    - determining, by said computer, a strength rating for a fourth element of said organizational safeguard based on at least one of said answers; and
      
      determining, by said computer, a strength rating for a fifth element of said organizational safeguard based on said strength rating of said third element and said strength rating of said fourth element.
  - 9. The method of claim 8, wherein said strength rating for said first element, said strength rating for said second element, said strength rating for said third element, said strength rating for said fourth element, and said strength rating for said fifth element are each determined using a look-up table.
  - 10. The method of claim 9, wherein the look-up table provides an outcome for each possible combination of answers to said objective question.
  - 11. The method of claim 1, additionally comprising:
    - determining based on said objective questions, by said computer, an inherent risk profile, wherein the inherent risk profile comprises a plurality of threat origins and a risk rating for each of the threat origins.
  - 12. The method of claim 1, additionally comprising:
    - determining based on said objective questions, by said computer, a preparedness profile, wherein said preparedness profile comprises a plurality of organizational safeguards and a strength rating for each of said organizational safeguards.
  - 13. The method of claim 1, wherein:
    - said strength rating of said first element is determined using a first look-up table, said strength rating of said second element is determined using a second look-up table, and said strength rating of said third element is determined using a third look-up table, andsaid third look-up table comprises each possible combination of outcomes from said first and second look-up tables.

14. A system for evaluating cyber readiness of an organization, the system comprising:
- a memory storage device; and
  
  a processor in communication with said memory storage device and configured to;
  
  present a plurality of objective questions to a user, wherein each of the objective questions has one or more predefined answers to be selected by said user;
  
  receive answers to said plurality of objective questions from said user;
  
  correlate one or more of said objective questions to a plurality of elements of an organizational safeguard;
  
  determine based on said answers a risk rating for a threat origin of a cyber-attack;
  
  determine based on said answers a strength rating for said organizational safeguard against said threat origin, wherein said elements of said organizational safeguard collectively determine said strength rating of said organizational safeguard;
  
  compare said risk rating of said threat origin to said strength rating of said organizational safeguard;
  
  determine based on said comparison the cyber readiness rating of said organizational safeguard from said cyber-attack by said threat origin; and
  
  present the cyber readiness rating of said organizational safeguard, wherein determining of said strength rating of said organizational safeguard comprises;
  
  determining a strength rating for a first element of said organizational safeguard based on at least one of said answers,determining a strength rating for a second element of said organizational safeguard based on at least one of said answers, anddetermining a strength rating for a third element of said organizational safeguard based on said strength rating of said first element and said strength rating of said second element.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 15. The system of claim 14, wherein presenting the cyber readiness rating of said organization comprises:
    - presenting said threat origin and said risk rating of said threat origin; and
      
      presenting said organizational safeguard and said strength rating of said organization safeguard.
  - 16. The system of claim 15, additionally comprising:
    - identifying a relationship between said risk rating of said threat origin and said strength rating of said organizational safeguard.
  - 17. The system of claim 16, wherein said cyber readiness rating of said organizational safeguard from said cyber-attack by said threat origin comprises one of a plurality of levels, the levels being severe gap, possible concern, and okay.
  - 18. The system of claim 14, wherein determining said risk rating of said threat origin comprises:
    - determining based on said answers a plurality of threat vectors, wherein the threat vectors correspond to the threat origin; and
      
      determining based on said answers a risk rating for each of said threat vectors.
  - 19. The system of claim 18, wherein determining said risk rating of said threat origin to cyber-attack further comprises:
    - determining based on said risk rating for each of said threat vectors a cumulative risk rating for said threat origin.
  - 20. The system of claim 14, wherein determining of said strength rating of said organizational safeguard additionally comprises:
    - determining a strength rating for a fourth element of said organizational safeguard based on at least one of said answers; and
      
      determining a strength rating for a fifth element of said organizational safeguard based on said strength rating of said third element and said strength rating of said fourth element.
  - 21. The system of claim 20, said strength rating for said first element, said strength rating for said second element, said strength rating for said third element, said strength rating for said fourth element, and said strength rating for said fifth element are each determined using a look-up table.
  - 22. The system of claim 21, wherein the look-up table provides an outcome for each possible combination of answers to said objective questions.
  - 23. The system of claim 14, wherein the processor is additionally configured to:
    - determine based on said objective questions an inherent risk profile, wherein the inherent risk profile comprises a plurality of threat origins and a risk rating for each of the threat origins.
  - 24. The system of claim 14, wherein the processor is additionally configured to:
    - determine based on said objective questions a preparedness profile, wherein said preparedness profile comprises a plurality of organizational safeguards and a strength rating for each of said organizational safeguards.
  - 25. The system of claim 14, wherein:
    - said strength rating of said first element is determined using a first look-up table, said strength rating of said second element is determined using a second look-up table, and said strength rating of said third element is determined using a third look-up table, andsaid third look-up table comprises each possible combination of outcomes from said first and second look-up tables.

26. A non-transitory computer-readable medium tangibly storing computer program instructions which when executed by a processor, causes the processor to:
- present a plurality of objective questions to a user, wherein each of the objective questions has one or more pre-defined answers to be selected by said user;
  
  receive answers to said plurality of objective questions from said user;
  
  correlate one or more of said objective questions to a plurality of elements of an organizational safeguard;
  
  determine based on said answers a risk rating for a threat origin of a cyber-attack;
  
  determine based on said answers a strength rating for said organizational safeguard against said threat origin, wherein said elements of said organizational safeguard collectively determine said strength rating of said organizational safeguard;
  
  compare the risk rating of said threat origin to said strength rating of said organizational safeguard;
  
  determine based on said comparison a cyber readiness rating of said organizational safeguard from said cyber-attack by said threat origin; and
  
  present the cyber readiness rating of the organizational safeguard,wherein determining of said strength rating of said organizational safeguard comprises;
  
  determining a strength rating for a first element of said organizational safeguard based on at least one of said answers,determining a strength rating for a second element of said organizational safeguard based on at least one of said answers, anddetermining a strength rating for a third element of said organizational safeguard based on said strength rating of said first element and said strength rating of said second element.
- View Dependent Claims (27)
- - 27. The non-transitory computer-readable medium of claim 26, wherein:
    - said strength rating of said first element is determined using a first look-up table, said strength rating of said second element is determined using a second look-up table, and said strength rating of said third element is determined using a third look-up table, andsaid third look-up table comprises each possible combination of outcomes from said first and second look-up tables.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Factory Mutual Insurance Company
Original Assignee
Factory Mutual Insurance Company
Inventors
Alkemper, Jens, Faria, Antonio
Primary Examiner(s)
Waliullah, Mohammed

Application Number

US15/633,242
Time in Patent Office

274 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

H04L 63/1433 Vulnerability analysis

Systems and methods for cyber security risk assessment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for cyber security risk assessment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links