A system, method, and apparatus for measuring, modeling, reducing, developing, addressing, and communicating cyber risk resilience strategy is one of several essential aspects in managing enterprise risk since every enterprise is directly or indirectly dependent on information technology. Cyber risk can cause financial impact due to data breach, business interruption, ransomware, and misappropriation of intellectual property, funds, and services. Hence, every enterprise needs to understand its current cyber risk posture to inform enterprise risk management decisions for business resiliency.
This document contains public information regarding Secure System Innovation Corporation’s (SSIC’s) X-Analytics proprietary system, method, and apparatus for measuring, modeling, reducing, developing, addressing, and communicating cyber resilience strategy This system, method, and apparatus is part of the X-Analytics trademark and X-Analytics product suite.
A system, method, and apparatus for measuring, modeling, reducing, developing, addressing, and communicating cyber resilience strategy, which may be used to identify cyber risk within an enterprise, prioritize cyber risk countermeasures within an enterprise, and trend an enterprise’s path to cyber risk resilience, and which improves the efficiency and accuracy of cyber risk measurement and modeling. This system performs risk modeling based on threat likelihood information, the potential business impacts of threats exploiting known enterprise information technology weaknesses, and data on the effectiveness of controls (countermeasures) implemented by the enterprise, which determine risk scores (to include, but not limited to residual risk scores, loss probability, loss impact, and total expected loss) for particular risk scenarios that the enterprise may face.
This system, method, and apparatus for measuring, modeling, reducing, and addressing cyber risk is a continuation of the following patents:
X-Analytics cannot anticipate all possible losses or all possible probabilities. Therefore, X-Analyics does have a set of limitation and assumptions related to the determination of cyber exposure, prioritized guidance, and all other downstream determinations.
This document generally relates to cyber risk measurement and modeling (also known as cyber risk factor analysis), and more specifically related to systems, methods, and apparatuses for improving accuracy in cyber risk assessment and prioritization of cyber risk countermeasures.
Additionally, we have integrated this system, method, and apparatus within a SaaS-based (cloud-based) application, which improves the efficiency and accuracy of cyber risk measurement and modeling. The SaaS-based applications includes integrity and validation checks, guarantees that identical inputs will determine identical results (within a specific software version), reduces human error associated with manual and offline modeling methods, and offers the full potential of computer processing capabilities to enhance efficiency from inputs to determined results.
The SaaS-based application supports the notion of parent and child enterprise objects, as well as third party and supply chain members. The parent/child structure allows for the plurality of cyber risk amongst business units (or profiles) with different cyber risk profiles.
The user or operators of each profiles will move through the process defined in the above figure. The user or operator for each supplier relationship will move through the process defined in in the above figure. The supplier results will aggregate into the profile view. The business unit and supplier results will aggregate into the overview.
A major aspect of risk management for enterprises is the question of how cyber security and other information system resources should be allocated. Many types of businesses and other institutions face markedly different cybersecurity threats and categorized losses, and enterprises must be able to prioritize their finite budgets and other finite enterprise resources based on what they anticipate being the most likely and severe losses. Improperly prioritizing resources toward fending off lower-priority threats risk wasting those resources and leaving inadequate resources available for dealing with higher priority threats.
With limited options, enterprises typical draw cybersecurity risk characterizations from highly subjective sources, such as compliance and maturity questionnaires, somewhat subjective risk algorithms, such as value at risk modeling, or objective data sources, such as log monitoring and end point protection products. Each of these solutions represents a portion of the complete cyber risk calculus, which means they can improperly inform an enterprise.
With the above subjective sources, subjective algorithms, and objective data sources, the qualification or quantification of risk is inconsistent and may only represent one or two of the three variables of the traditional risk formula, expressed as Risk = Threat x Vulnerability x Cost or the modified risk formula (as expressed in US patents 11,379,773, 11,282,018, 10,453,016, 10,395,201, and 9,747,570) expressed as Risk = Threat x Impact x (1 – Control Effectiveness).
As an example, an enterprise may use a subjective NIST Cyber Security Framework (CSF) assessment to determine the implementation posture of NIST CSF sub-categories (commonly known as controls) within the enterprise. The NIST CSF assessment may indicate a maturity score (0 to 5) or a percent implementation score (0 to 100%). In either case, the maturity score or implementation score only aligns with a subset of control effectiveness and does not provide any indication of threat or impact, hence representing an incomplete understanding of risk.
As a second example, an enterprise may use a subjective algorithm, such as a VaR simulator or Monte Carlo simulator, to determine the impact from a specific cyber scenario (such as ransomware). A Monte Carlo simulator will determine a loss magnitude and loss frequency. However, a Monte Carlo simulator requires historical data (which may or may not be available to the enterprise), a list of assumptions (which could be based on expert opinion or statistical analysis), and the definition of a cyber risk scenario (which may only be a small subset of all risks). Further, a Monte Carlo simulator assumes that all returns are independent and identically distributed, which is not true when analyzing empirical cyber impact data. In other words, a Monte Carlo simulator may contain extreme bias, may lack integrity, and may include a scope deficit. Even the financial services industry struggles with the use of Monte Carlo simulators, which is sometimes known as “nonsensical” VaR modeling.
As a third example, an enterprise may use an objective data source, such as a log monitoring product, to determine the volume of cyber events. The enterprise may use the volume of cyber events to better understand its threat profile. The enterprise may directly analyze the volume of each event or may use a deviation formula to easily determine if events volumes are increasing or decreasing based on a known baseline value. Even though this data provides objective threat analysis, it does not provide an understanding of impact or control effectiveness, hence representing an incomplete understanding of risk.
As a fourth example, an enterprise may decide not to measure and model cyber risk. An enterprise may not want to warrant the cost of such a solution and may not want to truly understand the realities of cyber risk. However, this lack of risk determination does not eliminate enterprise cyber risk, nor does it solve for the existence of enterprise cyber risk.
Embodiments of X-Analytics relate generally to systems, methods, and apparatuses for assessing cyber risk within an enterprise environment, more particularly to augmenting the modeling calibration by including additional data, such as historical data, cyber risk intelligence data, and enterprise-specific data, in the overall threat, impact, control, and incident data sets, by using a series of automated simulations to pinpoint and prioritize risk reduction, and by using trend analysis to address cyber risk within the context of the enterprise’s risk resilience journey.
In typical systems and methods to model cyber risk, operators may augment data in various ways to fit a particular outcome. Data manipulation erodes the quality and integrity of the overall system, method, and apparatus, which could misinform the allocation of an enterprise’s finite budget and other finite enterprise resources. This invention directly addresses this concern by using objective and representative data sets and a fixed data structure that are outside of the operator’s control or manipulation. Further, this invention provides a set of fixed operator inputs to ensure the results align with the profile of the enterprise.
Many cyber risk applications are based on compliance and regulatory standards that assume that all controls are equal, and that data breach is the primary loss category. Embodiments of this invention show that all controls are not equal, that each enterprise has a unique exposure profile, and that ransomware, business interruption, misappropriation of intellectual property, funds, and services are relevant loss categories in conjunction with data breach.
With a proper understand of cyber risk, and enterprise can effectively prioritize finite budget and other finite enterprise resources toward risk remediation and risk transfer mechanisms.
An enterprise may understand an improved system, method, and apparatus for risk measurement, modeling, reducing, and addressing cyber risk. According to an exemplary embodiment, such a system, method, and apparatus may be used to improve performance of one or more systems, applications, information-technology-based processes, or other enterprise profiles (such as a business unit) by improving the efficiency of finite resource allocation to address various threats to one or more systems, applications, information-technology-based processes, or other enterprise profiles (such as a business unit) and improving the quality of information used to manage threats.
X-Analytics represents such an improved system, method, and apparatus for risk measurement, modeling, reducing, and addressing cyber risk. The enterprise operator (or operators) provides input elements within the measurement section and reacts to outputs provided within the reducing and addressing sectors. The entire system, method, and apparatus, when built within a SaaS-based application, provides a means of automation that closely aligns with an ever-changing threat velocity, and provides an enterprise with a means to allocate finite budget and other finite enterprise resources during the entire risk resilience journey.
Additional embodiments, described herein, will expand upon each element defined within X-Analytics system.
Due to the dependent and sequential design of this system, method, and apparatus, even a slight modification in measuring section will have a direct association in altering the determine results observed into the reducing and addressing risk sections. Based on historical data and cyber risk intelligence data, there is constant change in threat, impact, control, and loss, which means there is constant change in inherent risk, residual risk, expected loss, and loss lookups. This system, method, and apparatus accounts for such changes.
As stated in the Background, each enterprise needs a proper understanding of cyber risk to effectively prioritize finite budget and other finite enterprise resources toward risk remediation and risk transfer mechanisms. This system, method, and apparatus contemplates how an enterprise makes such decisions and further compares those decisions across the collective models (as defined within X-Analytics system). As an example, an isolated decision from the threat model may misallocate finite budget, while a decision from the expected loss model refines such a decision and provides a better means of prioritization and use of finite budget.
The following description and related diagrams, tables, and screenshots disclose aspects of the X-Analytics system, directed to specific embodiments of the X-Analytics system. Without departing from the spirit or the scope of the X-Analytics system, we may devise alternate embodiments. Additionally, we have not described, in detail, well-known elements of exemplary embodiments of the X-Analytics system so as not to obscure the relevant details of the X-Analytics system. Further, to facilitate an understanding of the description discussion of several terms used herein follows.
As used herein, the word “exemplary” means “serving as an example, instance or illustration. The embodiments described herein are not limiting, but rather exemplary only. The reader of this document should not necessarily construe the described embodiments as preferred or advantageous over other embodiments.
Further, we describe herein many embodiments in terms of sequences of actions performed by, for example, elements of the X-Analytics SaaS-based application.
The following content expands upon the X-Analytics system, as described within the summary, and expands US Patents 11,379,773, 11,282,018, 10,453,016, 10,395,201, and 9,747,570.