US 12,067,515 B2
Method and system for risk measurement and modeling
Robert Vescio, Reston, VA (US)
Assigned to SECURE SYSTEMS INNOVATION CORPORATION, Reston, VA (US)
Filed by Secure Systems Innovation Corporation, Reston, VA (US)
Filed on Feb. 10, 2022, as Appl. No. 17/668,585.
Application 17/668,585 is a continuation of application No. 16/658,535, filed on Oct. 21, 2019, granted, now 11,282,018.
Application 16/658,535 is a continuation of application No. 15/651,377, filed on Jul. 17, 2017, granted, now 10,453,016, issued on Oct. 22, 2019.
Application 15/651,377 is a continuation in part of application No. 15/259,084, filed on Sep. 8, 2016, granted, now 9,747,570, issued on Aug. 29, 2017.
Prior Publication US 2022/0270009 A1, Aug. 25, 2022
This patent is subject to a terminal disclaimer.
Int. Cl. G06Q 10/00 (2023.01); G06F 21/57 (2013.01); G06Q 10/0635 (2023.01); H04L 9/40 (2022.01); G06Q 10/063 (2023.01)
CPC G06Q 10/0635 (2013.01) [G06F 21/577 (2013.01); H04L 63/1425 (2013.01); G06Q 10/063 (2013.01); H04L 63/1433 (2013.01); H04L 63/145 (2013.01); H04L 63/1458 (2013.01)]
18 Claims
 
1. A computer-implemented method of identifying and mitigating information security implicit risks for at least one information system, the method comprising:
selecting a model for identifying a quantitative residual risk of a risk scenario, wherein the model comprises a plurality of inputs, the plurality of inputs comprising a threat likelihood of the risk scenario, a business impact of the risk scenario, and a control effectiveness of the risk scenario, the risk scenario comprising a threat type and a targetable system;
performing, with a processor, a plurality of assessment activities on the at least one information system based on the model and based on at least one anticipated vulnerability of the at least one information system;
determining, with the processor, from the plurality of assessment activities, the threat likelihood of the risk scenario, the business impact of the risk scenario, and the control effectiveness of the risk scenario;
determining, from the plurality of assessment activities, a plurality of results of the plurality of assessment activities, the plurality of results comprising a business profile assessment;
converting the plurality of results of the plurality of assessment activities into a plurality of confidentiality values, integrity values, and availability values;
converting at least one of the confidentiality values, the integrity values, and the availability values into a defined probability curve, the business impact of the risk scenario being generated from the confidentiality values, the integrity values, and the availability values;
generating, with the processor, from the model, the quantitative residual risk of the risk scenario;
receiving, from an operator of the at least one information system, via a user interface, an alteration to a set of implemented controls comprising at least one of adding a control or removing the control;
simulating a simulated effect of the control on an expected loss value;
comparing the simulated effect of the control on the expected loss value to a cost of generating the control;
outputting a simulation result to the operator based on the simulated effect of the control; and
modifying the at least one information system by making at least one adjustment to implement an unimplemented control.
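The loop claim 1 describes (a model with threat likelihood, business impact derived from confidentiality, integrity and availability values, and control effectiveness as inputs; a quantitative residual risk; then simulating the addition or removal of a control and comparing its effect on expected loss against its cost), as an added Python example that is not part of the patent. The claim names the inputs but not the arithmetic, so the triangular impact curve, the independent-control combination, the annualized expected-loss formula, and all names and sample figures are assumptions of this example.

```python
# Assumed combining formulas: the claim names the inputs, not the arithmetic.
from dataclasses import dataclass, field, replace

@dataclass
class Control:
    name: str
    effectiveness: float   # share of threat events the control stops, 0..1
    annual_cost: float     # cost of operating the control per year

@dataclass
class RiskScenario:
    threat_type: str
    targetable_system: str
    threat_likelihood: float   # expected threat events per year
    cia_losses: dict           # {"C": (low, likely, high), "I": ..., "A": ...}
    controls: list = field(default_factory=list)

    def control_effectiveness(self) -> float:
        # Assumption: controls fail independently, so survival odds multiply.
        survive = 1.0
        for c in self.controls:
            survive *= 1.0 - c.effectiveness
        return 1.0 - survive
    def business_impact(self) -> float:
        # Each C/I/A triple is read as a triangular probability curve over loss
        # magnitude, whose mean is (low + likely + high) / 3; the three are summed.
        return sum((lo + ml + hi) / 3.0 for lo, ml, hi in self.cia_losses.values())
    def residual_risk(self) -> float:
        # Quantitative residual risk expressed as annualized expected loss.
        return self.threat_likelihood * self.business_impact() * (1.0 - self.control_effectiveness())

def simulate_control_change(scenario: RiskScenario, control: Control, add: bool):
    """Simulate adding (add=True) or removing a control; return (before, after, net)."""
    before = scenario.residual_risk()
    if add:
        trial = replace(scenario, controls=scenario.controls + [control])
    else:
        trial = replace(scenario, controls=[c for c in scenario.controls if c.name != control.name])
    after = trial.residual_risk()
    loss_reduction = before - after                      # negative when removing
    cost_delta = control.annual_cost if add else -control.annual_cost
    net = loss_reduction - cost_delta                    # > 0: the change pays for itself
    return before, after, net

def build_example() -> RiskScenario:
    # Constructed sample: ransomware against a file server, offline backups already in place.
    return RiskScenario("ransomware", "file-server", threat_likelihood=0.5,
                        cia_losses={"C": (10000, 50000, 150000), "I": (5000, 20000, 50000),
                                    "A": (20000, 60000, 100000)},
                        controls=[Control("offline-backups", 0.4, 8000)])
```

With the sample figures, adding a hypothetical endpoint control of effectiveness 0.6 costing 15000 per year cuts expected loss from 46500 to 18600 (net 12900 in favour), while removing the backups would raise it to 77500 and lose 23000 net, so only the first change would be passed to the operator as worth implementing.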