US2018375890A1PendingUtilityA1

Systems and methods for cyber security risk assessment

37
Assignee: FACTORY MUTUAL INSURANCE COMPANYPriority: Jun 26, 2017Filed: Feb 13, 2018Published: Dec 27, 2018
Est. expiryJun 26, 2037(~11 yrs left)· nominal 20-yr term from priority
H04L 63/1433G06F 21/577
37
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

The present invention is directed to methods, systems, and non-transitory computer readable mediums which can evaluate cyber readiness of an organization. The methods can include: presenting a plurality of objective questions to a user; receiving answers to said plurality of objective questions from said user; determining based on said answers a risk rating for a threat origin of a cyber-attack; determining based on said answers a strength rating for an organizational safeguard against said threat origin; comparing said risk rating of said threat origin to said strength rating of said organizational safeguard; determining based on said comparison a cyber readiness of said organizational safeguard from said cyber-attack by said threat origin; and presenting the cyber readiness of said organizational safeguard. Systems and non-transitory computer readable mediums operating in a similar fashion as such systems are disclosed herein.

Claims

exact text as granted — not AI-modified
We claim: 
     
         1 . A method for evaluating cyber readiness of an organization, the method comprising:
 presenting, by a computer, a plurality of objective questions to a user, wherein each of the objective questions has one or more predefined answers to be selected by said user;   receiving, by said computer, answers to said plurality of objective questions from said user;   determining based on said answers, by said computer, a risk rating for a threat origin of a cyber-attack;   determining based on said answers, by said computer, a strength rating for an organizational safeguard against said threat origin;   comparing, by said computer, said risk rating of said threat origin to said strength rating of said organizational safeguard;   determining based on said comparison, by said computer, a cyber readiness rating of said organizational safeguard from said cyber-attack by said threat origin; and   presenting, by said computer, the cyber readiness rating of said organizational safeguard.   
     
     
         2 . The method of  claim 1 , wherein presenting the cyber readiness rating of said organization comprises:
 presenting, by said computer, said threat origin and said risk rating of said threat origin; and   presenting, by said computer, said organizational safeguard and said strength rating of said organization safeguard.   
     
     
         3 . The method of  claim 2 , additionally comprising:
 identifying, by said computer, a relationship between said risk rating of said threat origin and said strength rating of said organizational safeguard.   
     
     
         4 . The method of  claim 3 , wherein said cyber readiness rating of said organizational safeguard from said cyber-attack by said threat origin comprises one of a plurality of levels, the levels being severe gap, possible concern, and okay. 
     
     
         5 . The method of  claim 1 , wherein said risk rating of said threat origin is determined independent from said strength rating of said organizational safeguard. 
     
     
         6 . The method of  claim 1 , wherein determining said risk rating of said threat origin comprises:
 determining based on said answers, by said computer, a plurality of threat vectors, wherein the threat vectors correspond to the threat origin; and   determining based on said answers, by said computer, a risk rating for each of said threat vectors.   
     
     
         7 . The method of  claim 6 , wherein determining said risk rating of said threat origin further comprises:
 determining based on said risk rating for each of said threat vectors, by said computer, a cumulative risk rating of said threat origin.   
     
     
         8 . The method of  claim 1 , additionally comprising:
 correlating, by said computer, one or more of said objective questions to a plurality of elements of said organizational safeguard, wherein said elements collectively determine said strength rating of said organizational safeguard.   
     
     
         9 . The method of  claim 8 , wherein determining of said strength rating of said organizational safeguard comprises:
 determining, by said computer, a strength rating for a first element of said organizational safeguard based on at least one of said answers; and   determining, by said computer, a strength rating for a second element of said organizational safeguard based on at least one of said answers.   
     
     
         10 . The method of  claim 9 , wherein determining of said strength rating of said first element comprises:
 determining, by said computer, a strength rating for a third element of said organizational safeguard based on said strength rating of said first element and said strength rating of said second element.   
     
     
         11 . The method of  claim 10 , wherein determining said strength rating of said organizational safeguard additionally comprises:
 determining, by said computer, a strength rating for a fourth element of said organizational safeguard based on at least one of said answers; and   determining, by said computer, a strength rating for a fifth element of said organizational safeguard based on said strength rating of said third element and said strength rating of said fourth element.   
     
     
         12 . The method of  claim 11 , wherein said strength rating for said first element, said strength rating for said second element, said strength rating for said third element, said strength rating for said fourth element, and said strength rating for said fifth element are each determined using a look-up table. 
     
     
         13 . The method of  claim 12 , wherein the look-up table provides an outcome for each possible combination of answers to said objective question. 
     
     
         14 . The method of  claim 1 , additionally comprising:
 determining based on said objective questions, by said computer, an inherent risk profile, wherein the inherent risk profile comprises a plurality of threat origins and a risk rating for each of the threat origins.   
     
     
         15 . The method of  claim 1 , additionally comprising:
 determining based on said objective questions, by said computer, a preparedness profile, wherein said preparedness profile comprises a plurality of organizational safeguards and a strength rating for each of said organizational safeguards.   
     
     
         16 . A system for evaluating cyber readiness of an organization, the system comprising:
 a memory storage device; and   a processor in communication with said memory storage device and configured to:
 present a plurality of objective questions to a user, wherein each of the objective questions has one or more predefined answers to be selected by said user; 
 receive answers to said plurality of objective questions from said user; 
 determine based on said answers a risk rating for a threat origin of a cyber-attack; 
 determine based on said answers a strength rating for an organizational safeguard against said threat origin; 
 compare said risk rating of said threat origin to said strength rating of said organizational safeguard; 
 determine based on said comparison the cyber readiness rating of said organizational safeguard from said cyber-attack by said threat origin; and 
 present the cyber readiness rating of said organizational safeguard. 
   
     
     
         17 . The system of  claim 16 , wherein presenting the cyber readiness rating of said organization comprises:
 presenting said threat origin and said risk rating of said threat origin; and   presenting said organizational safeguard and said strength rating of said organization safeguard.   
     
     
         18 . The system of  claim 17 , additionally comprising:
 identifying a relationship between said risk rating of said threat origin and said strength rating of said organizational safeguard.   
     
     
         19 . The system of  claim 18 , wherein said cyber readiness rating of said organizational safeguard from said cyber-attack by said threat origin comprises one of a plurality of levels, the levels being severe gap, possible concern, and okay. 
     
     
         20 . The system of  claim 16 , wherein determining said risk rating of said threat origin comprises:
 determining based on said answers a plurality of threat vectors, wherein the threat vectors correspond to the threat origin; and   determining based on said answers a risk rating for each of said threat vectors.   
     
     
         21 . The system of  claim 20 , wherein determining said risk rating of said threat origin to cyber-attack further comprises:
 determining based on said risk rating for each of said threat vectors a cumulative risk rating for said threat origin.   
     
     
         22 . The system of  claim 16 , wherein the processor is additionally configured to:
 correlate one or more of said objective questions to a plurality of elements of said organizational safeguard, wherein said elements collectively determine said strength rating of said organizational safeguard.   
     
     
         23 . The system of  claim 22 , wherein determining of said strength rating of said organizational safeguard comprises:
 determining a strength rating for a first element of said organizational safeguard based on at least one of said answers; and   determining a strength rating for a second element of said organizational safeguard based on at least one of said answers.   
     
     
         24 . The system of  claim 23 , wherein determining of said strength rating of said first element comprises:
 determining a strength rating for a third element of said organizational safeguard based on said strength rating of said first element and said strength rating of said second element.   
     
     
         25 . The system of  claim 24 , wherein determining of said strength rating of said organizational safeguard additionally comprises:
 determining a strength rating for a fourth element of said organizational safeguard based on at least one of said answers; and   determining a strength rating for a fifth element of said organizational safeguard based on said strength rating of said third element and said strength rating of said fourth element.   
     
     
         26 . The system of  claim 25 , said strength rating for said first element, said strength rating for said second element, said strength rating for said third element, said strength rating for said fourth element, and said strength rating for said fifth element are each determined using a look-up table. 
     
     
         27 . The system of  claim 26 , wherein the look-up table provides an outcome for each possible combination of answers to said objective questions. 
     
     
         28 . The system of  claim 16 , wherein the processor is additionally configured to:
 determine based on said objective questions an inherent risk profile, wherein the inherent risk profile comprises a plurality of threat origins and a risk rating for each of the threat origins.   
     
     
         29 . The system of  claim 16 , wherein the processor is additionally configured to:
 determine based on said objective questions a preparedness profile, wherein said preparedness profile comprises a plurality of organizational safeguards and a strength rating for each of said organizational safeguards.   
     
     
         30 . A non-transitory computer-readable medium tangibly storing computer program instructions which when executed by a processor, causes the processor to:
 present a plurality of objective questions to a user, wherein each of the objective questions has one or more pre-defined answers to be selected by said user;   receive answers to said plurality of objective questions from said user;   determine based on said answers a risk rating for a threat origin of a cyber-attack;   determine based on said answers a strength rating for an organizational safeguard against said threat origin;   compare the risk rating of said threat origin to said strength rating of said organizational safeguard;   determine based on said comparison a cyber readiness rating of said organizational safeguard from said cyber-attack by said threat origin; and   present the cyber readiness rating of the organizational safeguard.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.