Methodology

A system, method, and apparatus for measuring, modeling, reducing, developing, addressing, and communicating cyber risk resilience strategy is one of several essential aspects in managing enterprise risk since every enterprise is directly or indirectly dependent on information technology. Cyber risk can cause financial impact due to data breach, business interruption, ransomware, and misappropriation of intellectual property, funds, and services. Hence, every enterprise needs to understand its current cyber risk posture to inform enterprise risk management decisions for business resiliency.

This document contains public information regarding Secure System Innovation Corporation’s (SSIC’s) X-Analytics proprietary system, method, and apparatus for measuring, modeling, reducing, developing, addressing, and communicating cyber resilience strategy This system, method, and apparatus is part of the X-Analytics trademark and X-Analytics product suite.

A system, method, and apparatus for measuring, modeling, reducing, developing, addressing, and communicating cyber resilience strategy, which may be used to identify cyber risk within an enterprise, prioritize cyber risk countermeasures within an enterprise, and trend an enterprise’s path to cyber risk resilience, and which improves the efficiency and accuracy of cyber risk measurement and modeling. This system performs risk modeling based on threat likelihood information, the potential business impacts of threats exploiting known enterprise information technology weaknesses, and data on the effectiveness of controls (countermeasures) implemented by the enterprise, which determine risk scores (to include, but not limited to residual risk scores, loss probability, loss impact, and total expected loss) for particular risk scenarios that the enterprise may face.

This system, method, and apparatus for measuring, modeling, reducing, and addressing cyber risk is a continuation of the following patents:

11,379,773

Method and system for risk measurement and modeling

Vescio, Robert

11,282,018

Method and system for risk measurement and modeling

Vescio, Robert

10,453,016

Method and system for risk measurement and modeling

Vescio, Robert

10,395,201

Method and system for risk measurement and modeling

Vescio, Robert

9,747,570

Method and system for risk measurement and modeling

Vescio, Robert

X-Analytics cannot anticipate all possible losses or all possible probabilities. Therefore, X-Analyics does have a set of limitation and assumptions related to the determination of cyber exposure, prioritized guidance, and all other downstream determinations.

Limitations

- X-Analytics is informed by historical data and cybersecurity intelligence data. Even though the X-Analytics research team attempts to limit bias by including disparate datasets, all datasets include bias and some bias will always exists within X-Analytics.
- X-Analytics is built and calibrated based on known elements and does not attempt to predict unknown elements. However, it does include an understanding of poorly documented details within the Everything Else threat category.
- X-Analytics is informed by customer inputs. If those inputs are incorrect, then X-Analytics does not have the ability to validate or override incorrect inputs.
- X-Analytics determines estimated cyber exposure by aggregating data breach, interruption, misappropriation, and ransomware loss probability and severity. It does not include cyber-physical, environmental, and other rare conditions that may lead to financial loss.
- For data breach, X-Analytics determines losses between 1,000 records and 10 billion records.
- For interruption, X-Analytics determines losses between 30 minutes and 336 hours.
- For misappropriation, X-Analytics determines losses between 0.25% of revenue to 100% of revenue.
- For ransomware, X-Analytics determines losses between 30 minutes to 720 hours.
- X-Analytics determines control effectiveness related to CIS CSC, NIST CSF, Foundational controls, and Technology controls inputs. For additional frameworks and concepts, X-Analytics has to convert those frameworks and concepts to CIS CSC or NIST CSF. CRI is always converted to NIST CSF for X-Analytics integration.
- For prioritized guidance and mitigation simulation, benefit is determined as an improvement to the annual cyber exposure value. Hence, it does not determine benefit beyond 12 months.

Assumptions

- X-Analytics designed the risk grid with 10 threat categories and 11 asset groups that are most represented in historical data and cybersecurity intelligence data. This creates 110 risk scenarios. Each risk scenario is the intersection of a threat category with an asset group.
- For threat, X-Analytics leverages the VERIS taxonomy, which is beneficial in categorizing threat varieties within each threat category.
- For impact, X-Analytics determines impact by combining confidentiality, integrity, and availability. Components of confidentiality are assumed, integrity is calculated by combining backend assumptions, confidentiality, and availability components, and availability is always provided by the customer.
- For asset availability, X-Analytics assumes that all customers have servers & applications, network, and people.
- For inherent risk, X-Analytics multiplies threat x impact for each of the 110 risk scenario.
- For control effectiveness, X-Analytics determines control effectiveness (or countermeasure benefit) by combining maximum benefit of each control and the customer's control implementation per each of the 110 risk scenarios.
- For residual risk, X-Analytics multiplies inherent risk by (1 - control effectiveness).
- For cyber exposure per loss category, X-Analytics combines the sum of all possible losses by the probability of that loss occurring.
- For cyber exposure severity, X-Analytics assumes "low" is the 10th percentile of loss, "medium" is the 50th percentile of loss, "high" is the 90th percentile of loss, and "worst-case" is the 97th percentile of loss.
- If selected by the customer, there are a variety of assumptions based on industry vertical. This includes threat profile, elements of impact profile, and elements of exposure profile.

This document generally relates to cyber risk measurement and modeling (also known as cyber risk factor analysis), and more specifically related to systems, methods, and apparatuses for improving accuracy in cyber risk assessment and prioritization of cyber risk countermeasures.

Additionally, we have integrated this system, method, and apparatus within a SaaS-based (cloud-based) application, which improves the efficiency and accuracy of cyber risk measurement and modeling. The SaaS-based applications includes integrity and validation checks, guarantees that identical inputs will determine identical results (within a specific software version), reduces human error associated with manual and offline modeling methods, and offers the full potential of computer processing capabilities to enhance efficiency from inputs to determined results.

The SaaS-based application supports the notion of parent and child enterprise objects, as well as third party and supply chain members. The parent/child structure allows for the plurality of cyber risk amongst business units (or profiles) with different cyber risk profiles.

The user or operators of each profiles will move through the process defined in the above figure. The user or operator for each supplier relationship will move through the process defined in in the above figure. The supplier results will aggregate into the profile view. The business unit and supplier results will aggregate into the overview.

A major aspect of risk management for enterprises is the question of how cyber security and other information system resources should be allocated. Many types of businesses and other institutions face markedly different cybersecurity threats and categorized losses, and enterprises must be able to prioritize their finite budgets and other finite enterprise resources based on what they anticipate being the most likely and severe losses. Improperly prioritizing resources toward fending off lower-priority threats risk wasting those resources and leaving inadequate resources available for dealing with higher priority threats.

With limited options, enterprises typical draw cybersecurity risk characterizations from highly subjective sources, such as compliance and maturity questionnaires, somewhat subjective risk algorithms, such as value at risk modeling, or objective data sources, such as log monitoring and end point protection products. Each of these solutions represents a portion of the complete cyber risk calculus, which means they can improperly inform an enterprise.

With the above subjective sources, subjective algorithms, and objective data sources, the qualification or quantification of risk is inconsistent and may only represent one or two of the three variables of the traditional risk formula, expressed as Risk = Threat x Vulnerability x Cost or the modified risk formula (as expressed in US patents 11,379,773, 11,282,018, 10,453,016, 10,395,201, and 9,747,570) expressed as Risk = Threat x Impact x (1 – Control Effectiveness).

As an example, an enterprise may use a subjective NIST Cyber Security Framework (CSF) assessment to determine the implementation posture of NIST CSF sub-categories (commonly known as controls) within the enterprise. The NIST CSF assessment may indicate a maturity score (0 to 5) or a percent implementation score (0 to 100%). In either case, the maturity score or implementation score only aligns with a subset of control effectiveness and does not provide any indication of threat or impact, hence representing an incomplete understanding of risk.

As a second example, an enterprise may use a subjective algorithm, such as a VaR simulator or Monte Carlo simulator, to determine the impact from a specific cyber scenario (such as ransomware). A Monte Carlo simulator will determine a loss magnitude and loss frequency. However, a Monte Carlo simulator requires historical data (which may or may not be available to the enterprise), a list of assumptions (which could be based on expert opinion or statistical analysis), and the definition of a cyber risk scenario (which may only be a small subset of all risks). Further, a Monte Carlo simulator assumes that all returns are independent and identically distributed, which is not true when analyzing empirical cyber impact data. In other words, a Monte Carlo simulator may contain extreme bias, may lack integrity, and may include a scope deficit. Even the financial services industry struggles with the use of Monte Carlo simulators, which is sometimes known as “nonsensical” VaR modeling.

As a third example, an enterprise may use an objective data source, such as a log monitoring product, to determine the volume of cyber events. The enterprise may use the volume of cyber events to better understand its threat profile. The enterprise may directly analyze the volume of each event or may use a deviation formula to easily determine if events volumes are increasing or decreasing based on a known baseline value. Even though this data provides objective threat analysis, it does not provide an understanding of impact or control effectiveness, hence representing an incomplete understanding of risk.

As a fourth example, an enterprise may decide not to measure and model cyber risk. An enterprise may not want to warrant the cost of such a solution and may not want to truly understand the realities of cyber risk. However, this lack of risk determination does not eliminate enterprise cyber risk, nor does it solve for the existence of enterprise cyber risk.

Embodiments of X-Analytics relate generally to systems, methods, and apparatuses for assessing cyber risk within an enterprise environment, more particularly to augmenting the modeling calibration by including additional data, such as historical data, cyber risk intelligence data, and enterprise-specific data, in the overall threat, impact, control, and incident data sets, by using a series of automated simulations to pinpoint and prioritize risk reduction, and by using trend analysis to address cyber risk within the context of the enterprise’s risk resilience journey.

In typical systems and methods to model cyber risk, operators may augment data in various ways to fit a particular outcome. Data manipulation erodes the quality and integrity of the overall system, method, and apparatus, which could misinform the allocation of an enterprise’s finite budget and other finite enterprise resources. This invention directly addresses this concern by using objective and representative data sets and a fixed data structure that are outside of the operator’s control or manipulation. Further, this invention provides a set of fixed operator inputs to ensure the results align with the profile of the enterprise.

Many cyber risk applications are based on compliance and regulatory standards that assume that all controls are equal, and that data breach is the primary loss category. Embodiments of this invention show that all controls are not equal, that each enterprise has a unique exposure profile, and that ransomware, business interruption, misappropriation of intellectual property, funds, and services are relevant loss categories in conjunction with data breach.

With a proper understand of cyber risk, and enterprise can effectively prioritize finite budget and other finite enterprise resources toward risk remediation and risk transfer mechanisms.

An enterprise may understand an improved system, method, and apparatus for risk measurement, modeling, reducing, and addressing cyber risk. According to an exemplary embodiment, such a system, method, and apparatus may be used to improve performance of one or more systems, applications, information-technology-based processes, or other enterprise profiles (such as a business unit) by improving the efficiency of finite resource allocation to address various threats to one or more systems, applications, information-technology-based processes, or other enterprise profiles (such as a business unit) and improving the quality of information used to manage threats.

The X-Analytics System, Method, and Apparatus.

X-Analytics represents such an improved system, method, and apparatus for risk measurement, modeling, reducing, and addressing cyber risk. The enterprise operator (or operators) provides input elements within the measurement section and reacts to outputs provided within the reducing and addressing sectors. The entire system, method, and apparatus, when built within a SaaS-based application, provides a means of automation that closely aligns with an ever-changing threat velocity, and provides an enterprise with a means to allocate finite budget and other finite enterprise resources during the entire risk resilience journey.

Additional embodiments, described herein, will expand upon each element defined within X-Analytics system.

As an example, additional embodiments described herein, will expand upon the measurement section.

1

Threat measurement will expand into operator inputs and use of historical data and cyber risk intelligence data.

2

Impact measurement will expand into operator inputs and use of historical data and cyber risk intelligence data.

3

Control effectiveness measurement will expand into operator inputs and use of historical data and cybers risk intelligence data.

4

Exposure measurement will expand into operator inputs and use of historical data and cybers risk intelligence data.

As a second example, additional embodiments described herein, will expand upon the modeling section.

1

Threat modeling will expand into sequential steps that combine operator inputs and historical data and cybers risk intelligence data.

2

Impact modeling will expand into sequential steps that combine operator inputs and historical data and cyber risk intelligence data.

3

Inherent risk modeling will expand into sequential steps that combine determined results from the threat model and impact model.

4

Control effectiveness modeling will expand into sequential steps that combine operator inputs and historical data and cyber risk intelligence data.

5

Residual risk modeling will expand into sequential steps that combine determined results from inherent risk model and control effectiveness model.

6

Loss probability modeling will expand into sequential steps that combine operator inputs and historical data and cyber risk intelligence data.

7

Loss severity modeling will expand into sequential steps that combine operator inputs and historical data and cyber risk intelligence data.

8

Expected loss modeling will expand into additional steps that combine that combine determined results from loss probability model and loss severity model.

9

All simulation models, such as control effectiveness simulation model, will expand into additional steps that combine pre-derived simulated operator inputs and determined results from associated models.

As a third example, additional embodiments described herein, will expand upon the reducing section.

1

Threat results will expand into a set of determined results within a defined structure and

2

ranked from most likely to least likely.

2

ranked from most likely to least likely.

3

Inherent risk results will expand into a set of determined results within a defined structure and

4

ranked from most risky to least risky.

4

ranked from most risky to least risky.

5

Control effectiveness results will expand into a set of determined results within a defined structure, and further defined within the context of a cybersecurity

framework (such as CIS Critical Security Controls, version 8), and

6

This is ranked from least implemented to most implemented.

6

This is ranked from least implemented to most implemented.

7

Residual risk results will expand into a set of determined results within a defined structure and

8

ranked from most risky to least risky.

8

ranked from most risky to least risky.

9

Expected loss results will expand into a set of determine results divided into loss categories (such as data breach or ransomware) and

10

ranked from most

expected loss to least expected loss.

10

ranked from most expected loss to least expected loss.

11

Loss lookup results will expand into a set of determined results within the context of the loss category and

12

ranked from highest to lowest.

12

ranked from highest to lowest.

13

Simulated results will expand into a set of determined results divided into loss categories and within the context of a cybersecurity framework and

14

ranked from most beneficial control to least beneficial control.

As a fourth example, additional embodiments described herein, will expand upon the addressing section.

1

Threat addressing will expand into trend analysis and options for specifically addressing threat.

2

Inherent risk addressing will expand into trend analysis and options for specifically addressing inherent risk.

3

Residual risk addressing will expand into trend analysis and options for specifically addressing residual risk.

4

Expected loss addressing will expand into trend analysis and options for specifically addressing expected loss by loss category.

5

Loss lookup or actual loss addressing will expand into options for specifically addressing actual loss.

Due to the dependent and sequential design of this system, method, and apparatus, even a slight modification in measuring section will have a direct association in altering the determine results observed into the reducing and addressing risk sections. Based on historical data and cyber risk intelligence data, there is constant change in threat, impact, control, and loss, which means there is constant change in inherent risk, residual risk, expected loss, and loss lookups. This system, method, and apparatus accounts for such changes.

As stated in the Background, each enterprise needs a proper understanding of cyber risk to effectively prioritize finite budget and other finite enterprise resources toward risk remediation and risk transfer mechanisms. This system, method, and apparatus contemplates how an enterprise makes such decisions and further compares those decisions across the collective models (as defined within X-Analytics system). As an example, an isolated decision from the threat model may misallocate finite budget, while a decision from the expected loss model refines such a decision and provides a better means of prioritization and use of finite budget.

The following description and related diagrams, tables, and screenshots disclose aspects of the X-Analytics system, directed to specific embodiments of the X-Analytics system. Without departing from the spirit or the scope of the X-Analytics system, we may devise alternate embodiments. Additionally, we have not described, in detail, well-known elements of exemplary embodiments of the X-Analytics system so as not to obscure the relevant details of the X-Analytics system. Further, to facilitate an understanding of the description discussion of several terms used herein follows.

As used herein, the word “exemplary” means “serving as an example, instance or illustration. The embodiments described herein are not limiting, but rather exemplary only. The reader of this document should not necessarily construe the described embodiments as preferred or advantageous over other embodiments.

Further, we describe herein many embodiments in terms of sequences of actions performed by, for example, elements of the X-Analytics SaaS-based application.

The following content expands upon the X-Analytics system, as described within the summary, and expands US Patents 11,379,773, 11,282,018, 10,453,016, 10,395,201, and 9,747,570.