	US 11,888,859 B2
	Associating a security risk persona with a phase of a cyber kill chain
Margaret Cunningham, Austin, TX (US); and Clifford Charles Wright, Oxfordshire (GB)
Assigned to Forcepoint LLC, Austin, TX (US)
Filed by Forcepoint, LLC, Austin, TX (US)
Filed on Dec. 11, 2020, as Appl. No. 17/119,803.
Application 17/119,803 is a continuation of application No. 16/557,560, filed on Aug. 30, 2019, granted, now 10,999,296.
Application 16/557,560 is a continuation in part of application No. 16/415,726, filed on May 17, 2019, granted, now 10,834,097, issued on Nov. 10, 2020.
Application 16/557,560 is a continuation in part of application No. 17/119,803.
Application 17/119,803 is a continuation in part of application No. 16/162,655, filed on Oct. 17, 2018, granted, now 10,530,786, issued on Jan. 7, 2020.
Application 16/162,655 is a continuation of application No. 15/963,729, filed on Apr. 26, 2018, granted, now 10,129,269, issued on Nov. 13, 2018.
Application 15/963,729 is a continuation in part of application No. 15/878,898, filed on Jan. 24, 2018, granted, now 10,063,568, issued on Aug. 28, 2018.
Application 15/878,898 is a continuation of application No. 15/720,788, filed on Sep. 29, 2017, granted, now 9,882,918, issued on Jan. 30, 2018.
Claims priority of provisional application 63/017,400, filed on Apr. 29, 2020.
Claims priority of provisional application 62/964,372, filed on Jan. 22, 2020.
Claims priority of provisional application 62/839,060, filed on Apr. 26, 2019.
Claims priority of provisional application 62/506,300, filed on May 15, 2017.
Prior Publication US 2022/0006818 A1, Jan. 6, 2022
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); H04L 9/00 (2022.01)

CPC H04L 63/14 (2013.01)

20 Claims

1. A computer-implementable method for performing a security operation, comprising:

monitoring an entity, the monitoring observing an electronically-observable data source;

deriving an observable based upon the monitoring of the electronically-observable data source;

identifying a security related activity, the security related activity being based upon the observable from the electronic data source;

analyzing the security related activity, the analyzing the security related activity using a security risk persona and a human-centric factor associated with the entity;

associating the security risk persona with a phase of a cyber kill chain; and,

performing a security operation on the security related activity via a security system, the security operation disrupting performance of the phase of the cyber kill chain, the security operation being performed by at least one of an endpoint device and a security analytics system, the endpoint device executing the security operation on a hardware processor associated with the endpoint device, the security analytics system executing the security operation on a hardware processor associated with the security analytics system; and wherein

the security risk persona is included within a human-centric risk modeling framework, the human-centric risk modeling framework enabling quantification of the human-centric factor associated with the entity, the human-centric factor comprising a motivation factor, a stressor factor and an organizational dynamics stressor factor, the human-centric factor having an associated effect on the entity, the motivation factor representing a user entity behavior that provides an indication of a motivation for enacting the user entity behavior, the stressor factor representing an issue influencing the user entity behavior, the organizational stressor factor representing an event occurring within an organization affecting the user entity behavior.