“Digital Asset Based Cyber Risk Algorithmic Engine, Integrated Cyber Risk Methodology And Automated Cyber Risk Management System” in Patent Application Approval Process (USPTO 20200106801)

2020 APR 20 (NewsRx) -- By a News Reporter-Staff News Editor at Information Technology Business Daily -- A patent application by the inventor Evans, Maryellen (New York, NY), filed on September 27, 2019, was made available online on April 2, 2020, according to news reporting originating from Washington, D.C., by NewsRx correspondents.

This patent application is assigned to Cyber Innovative Technologies (New York, New York, United States).

The following quote was obtained by the news editors from the background information supplied by the inventors: “Embodiments of the present invention apply to the quantification of cyber risk exposures, cyber risk scoring, cyber risk amplification and cyber risk management, more specifically in terms of the risk of the digital assets across an enterprise. Digital assets are what is attacked by cybercriminals.

“Furthermore, the strategic aspects of the invention apply to cyber resiliency, cyber M&A, cyber insurance, cyber budgeting, cyber risk thresholds, cybersecurity tool return on investment (ROI), vendor cyber risk management and remediation prioritization.

“Cyber risk is now the largest business risk due.sup.1 to the increasing digitalization of a company’s business assets, the exponential growth of the internet, regulation and technology innovation. Over 85% of an organization’s assets are now in digital form.sup.2 This represents a 750% increase since 2001. Digital assets are systems, processes, data and technologies that have specific relationships. Any characteristic attributed to or derived from a digital asset will be inherited in a parent-child relationship to the other digital asset across the organization, rolled up to the business units, subsidiaries, parent company and holding company. The digital asset cyber risk can be associated to third-party vendors. See FIG. 1.

“The average cost of a data breach in the United States today is $3.6M.sup.3 and the annual cost of cybercrime will top $8.8T by 2022.sup.4. Cyber risk is an enterprise risk. There are several common denominators that influence the amount of cyber risk today, all that require a better understanding at the board/executive level. Boards and executives are the risk owners with the fiduciary duty to protect the business assets. Today, digital assets represent the majority of business assets. Exponential growth in cyber threats is first and foremost due to the growth of the attack surface which includes the use of the internet. There has been a 600% increase in internet usage from 0.5b users in 2001 to over 4.1b users in 2017.sup.5.

“Secondly, cybersecurity regulation is finally catching up to technology. As recently demonstrated with the Facebook and Cambridge Analytica data breach where a lack of knowledge and permissions impact on an individual’s privacy and are now a major concern.sup.6. Facebook was fined $5 billion by the Federal Trade Commission (FTC) in July of 2019. Couple that with the European Union General Data Protection Regulation (GDPR).sup.7 and we are looking at fines of 4% of annual revenue or 20 m whichever is higher for non-compliance in the case of a privacy breach or misuse of an EU citizen’s privacy data. Several states in the U.S. are now enacting privacy legislation as a result of the GDPR and increased high profile privacy breaches.

“Thirdly, everything is interconnected. Over the past several decades we have seen technology that connects devices, systems and other organizations allowing for businesses to accelerate their growth. Payments processes are a good example of this. A point of sale system uses a device (technology) to authorize payments for a good or service. This payment may be sent to a 3rd party data processor who sends the payment data to a bank. This chain of interconnected processes have been a part of our business infrastructures for decades. In many cases, Middleware software has been used to connect companies across the globe. Cyber risk is not just the risk to your organization; it also includes the risk you assume when you connect to others. Couple this with the innovation associated with the Internet of Things (TOT) that according to Gartner states that we have 8.4 billion connected things in use worldwide in 2017, up 31 percent from 2016, and will reach 20.4 billion IoT devices by 2027.sup.8. Most of these devices have no embedded cybersecurity controls considerably increasing the attack surface. Among many examples, in 2017, Xiongmai Technology, an IoT camera manufacturer from Hangzhou admitted its cameras had been exploited by the Mirai malware to form part of a botnet that launched a distributed denial-of-service (DDoS) attack targeting websites including Twitter, PayPal, and Spotify. The assault was one of the worst in US history.sup.9

“Lastly, the heavy use of cloud technologies and vendors are creating uncertainly as to what roles are played in cybersecurity. By 2018, the typical IT department will have the minority of their applications and platforms (40%) residing in on premise systems.sup.10. The majority (up to 63%) of reported cyber breaches are related to third-party vendors.sup.11 There is little clarity on what role and responsibility the organization plays, and the vendor plays in cybersecurity and risk management.

“Most importantly, as indicated earlier the board and senior executives have the fiduciary duty to protect the business assets. However, most boards and executives are mystified by cyber. Recently, Aon announced that cyber events now rank among the top three triggers for director and officers (D&O) derivative actions.sup.12. This is game changing information that drives home the need for boards and executives to understand cyber risk and its impacts on their business as a means to rebut these claims.

“’Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.: CF Disclosure Guidance: Topic No. 2, Cybersecurity Oct. 13, 2011’”

In addition to the background information obtained for this patent application, NewsRx journalists also obtained the inventor’s summary information for this patent application: “It is therefore an object of the present invention to fill the above-noted void.

“It is another object of the invention to use a graphical user defined interface as a cyber-risk engine to create digital asset cyber risk quantification algorithms that can be used to create multiple risk models based on a series of selection functions that enables risk modeling participants to model risk across the digital assets. The invention will allow for quantification of financial cyber risk exposures in terms of data exfiltration, business interruption and regulatory loss scenarios aligned to the organization’s digital assets. Data exfiltration, business interruption and regulatory loss are directly related to how cyber insurance companies pay claims. This approach applies both to 1st party organizational and 3rd party vendor cyber risk.

“Additional impacts that act as amplifiers of the financial risk exposures that can be derived from reputational, operational and legal data.

“In addition, ‘cyber risk scores’ based on digital asset data attributes from subjective questionnaires will show gaps in the effectiveness of the cybersecurity programs that demonstrate internal cyber risk.

“It is still another object of the invention to give the user ‘cyber risk scoring’ that includes inherent risk data that shows the cyber maturity of each digital asset comparatively, which allows for a clear line of sight into which digital assets are most important, thus allowing for continuous risk monitoring of ‘crown jewel’ assets based on digital asset cyber risk exposures and comparative inherent cyber risk scores that allow for differentiation of inherent digital asset values for further cyber risk analysis providing more thought leadership and critical thinking from this new level of transparency.

“It is also an object of the invention to give the user ‘cyber risk scoring’ from residual risk metrics in near real-time based on cyber findings from cybersecurity assessments (including but not limited to the NIST Cybersecurity Framework, ISO 27001, etc.), cybersecurity tools including but not limited to vulnerabilities and incidents from integration with cybersecurity tools like vulnerability management scanners (VMS) and security incident event management (SIEM) systems. The residual cyber risk metrics are calculated in relationship to the inherent risk metrics of the digital assets to measure cyber resiliency. If residual risk rises above the stated cyber risk tolerance, alerts can be sent to digital asset owners to provide immediate notification and recommended action to be taken if required. As such, the subject system enhances rather than supplants the value of cybersecurity tools to the cyber risk management process; ensuring the business perspective rather than limiting his perspective on vulnerabilities only. This point of view impacts the resilience through real-time visual indications of changing cyber conditions, the tactics cyber teams are using, and the level of risk reduction caused by these tactics.

“Together, the subject system’s combination of the digital risk engine information including quantification metrics, inherent and residual digital asset cyber risk scores and the integrated management platform offers organizations a ‘digital asset cyber risk’ approach to the automation of complex cyber risk management strategies.

“To achieve the above and other objects, the present invention is directed to a method for improving the process of cyber risk management by effectively visualizing the business impacts and cyber issues from a strategic perspective. The data provided via the algorithms and integration will allow the user near real-time information regarding the dynamic nature of cybersecurity. Preferred embodiments of the subject system overcome the limitations of vulnerability only based products and deep/dark web cyber scoring products by (1) enabling participants to have a business-based understanding of how cyber risk impacts their organization; (2) enabling users to monitor and take action regarding cyber impacts in near real time to reduce cyber risk; (3) quantifying the correct amount of cyber insurance to buy; (4) providing participants with useful metrics for cyber budgeting; (5) enabling users to resource efficiently to lower cyber risk to acceptable levels; (6) score vendor cyber risk based on the digital asset the vendor can compromise; (7) enabling digital asset risk quantification metrics for cyber M&A; (8) demonstrate the risk reduction benefit used to calculate the ROI of cybersecurity tools and; (9) provides users with an automated method for cyber risk management that reduces the cost of repetitive manual methods currently in use.

“In addition, it is important to note that while the preferred embodiments of the subject system described herein reference primary usage in larger organizations over 250 people and can be used in a range of industries. Companies with lower cybersecurity maturities (generally <250 people) can utilize the compliance related functionality until their maturity increases.

“The invention can be used also by cyber insurance companies to (1) quantify how much cyber insurance to sell based on an organizations cyber risk, (2) price polices derived from internal organizationally based cyber metrics, (3) manage third party risk thereby lowering first party risk, (4) analyze risk accumulation scenarios and (5) provide for good cyber steward discounts based upon the cybersecurity posture of the customer.”

The claims supplied by the inventors are:

“1. A method for quantifying a cyber risk associated with a digital asset, the method comprising: displaying a graphical user interface having data fields for entry of data representing parameters associated with the digital asset and with a plurality of cyber risk algorithms; receiving the data entered into the data fields representing the parameters associated with the digital asset and with the plurality of cyber risk algorithms; selecting at least one cyber risk algorithm of the plurality of cyber risk algorithms based on the data entered into the data fields representing the parameters associated with the digital asset and with the plurality of cyber risk algorithms; and executing the at least one cyber risk algorithm using the data entered into the data fields representing the parameters associated with the digital asset and with the plurality of cyber risk algorithms to generate the cyber risk associated with the digital asset.

“2. The method of claim 1, further comprising generating a webpage that specifies the cyber risk associated with the digital asset.

“3. The method of claim 1, further comprising executing multiple cyber risk algorithms of the plurality of cyber risk algorithms based on the parameters associated with the digital asset and with the plurality of cyber risk algorithms.

“4. The method of claim 3, further comprising determining the cyber risk associated with the digital asset based on outputs generated by the multiple cyber risk algorithms.

“5. The method of claim 1, further comprising determining a cyber resiliency associated with the digital asset.

“6. The method of claim 1, further comprising dynamically determining a cyber resiliency associated with the digital asset in near real time.

“7. The method of claim 1, further comprising determining a cyber insurance associated with the digital asset.

“8. The method of claim 1, further comprising comparing the cyber risk to a threshold value.

“9. The method of claim 8, further comprising determining the cyber risk fails to satisfy the threshold value.

“10. The method of claim 9, further comprising generating a notification in response to the cyber risk failing to satisfy the threshold value.

“11. The method of claim 1, further comprising determining a third party cyber risk associated with the digital asset.

“12. The method of claim 1, further comprising classifying the digital asset.

“13. The method of claim 1, wherein the receiving of the data entered into the data fields comprises receiving a data exfiltration exposure associated with the digital asset.

“14. The method of claim 13, further comprising receiving at least one of the parameters associated with the digital asset describing a number of electronic data records breached during a cyber security incident.

“15. The method of claim 14, further comprising calculating the data exfiltration exposure associated with the digital asset based on the number of the electronic data records breached during the cyber security incident and a cost per each one of the electronic data records.

“16. The method of claim 1, wherein the receiving of the data entered into the data fields comprises receiving a business interruption exposure associated with the digital asset.

“17. The method of claim 1, wherein the receiving of the data entered into the data fields comprises receiving a regulatory exposure associated with the digital asset.

“18. The method of claim 1, wherein the receiving of the data entered into the data fields comprises receiving a cyber risk exposure associated with the digital asset.

“19. A system, comprising: a hardware processor; and a memory device, the memory device storing instructions, the instructions when executed causing the hardware processor to perform operations, the operations comprising: receiving a request for a cyber security service from a client device; sending a webpage to the client device, the webpage generating a graphical user interface having data fields for entry of data representing parameters associated with a digital asset and with a plurality of cyber risk algorithms for providing the cyber security service; receiving the data from the client device, the data entered into the data fields, the data representing the parameters associated with the digital asset and with the plurality of cyber risk algorithms; receiving electronic cyber security answers from the client device, the electronic cyber security answers describing cyber security impacts associated with the digital asset, the electronic cyber security answers responsive to electronic prompts displayed by the graphical user interface generated by the webpage; calculating a data exfiltration exposure associated with the digital asset, the data exfiltration exposure based on the data representing the parameters associated with the digital asset and with the plurality of cyber risk algorithms; selecting a first cyber security algorithm of the plurality of cyber risk algorithms based on the data exfiltration exposure associated with the digital asset; calculating a business interruption exposure associated with the digital asset, the business interruption exposure based on the data representing the parameters associated with the digital asset and with the plurality of cyber risk algorithms; selecting a second cyber security algorithm of the plurality of cyber risk algorithms based on the business interruption exposure associated with the digital asset; calculating a regulatory exposure associated with the digital asset, the regulatory exposure based on the data representing the parameters associated with the digital asset and with the plurality of cyber risk algorithms; selecting a third cyber security algorithm of the plurality of cyber risk algorithms based on the regulatory exposure associated with the digital asset; determining a cyber risk score associated with the digital asset, the cyber risk score based on the electronic cyber security answers describing the cyber security impacts associated with the digital asset; determining a cyber exposure associated with the digital asset, the cyber exposure based on i) executing the first cyber security algorithm selected based on the data exfiltration exposure, ii) executing the second cyber security algorithm selected based on the business interruption exposure, iii) executing the third cyber security algorithm selected based on the regulatory exposure, and iv) the cyber risk score based on the electronic cyber security answers describing the cyber security impacts; and sending the cyber exposure associated with the digital asset to the client device in response to the request for the cyber security service.

“20. A memory device storing instructions that when executed cause a hardware processor to perform operations, the operations comprising: receiving a request for a cyber security service from a client device; in response to the request for the cyber security service, sending a webpage to the client device, the webpage generating a graphical user interface having data fields for entry of data representing parameters associated with a digital asset and with a plurality of cyber risk algorithms for providing the cyber security service; receiving the data from the client device, the data entered into the data fields, the data representing the parameters associated with the digital asset and with the plurality of cyber risk algorithms; receiving electronic cyber security answers from the client device, the electronic cyber security answers describing cyber security impacts associated with the digital asset, the electronic cyber security answers responsive to electronic prompts displayed by the graphical user interface generated by the webpage sent to the client device; calculating a data exfiltration exposure associated with the digital asset, the data exfiltration exposure based on the data representing the parameters associated with the digital asset and with the plurality of cyber risk algorithms; in response to the data exfiltration exposure associated with the digital asset, selecting a first cyber security algorithm of the plurality of cyber risk algorithms; calculating a business interruption exposure associated with the digital asset, the business interruption exposure based on the data representing the parameters associated with the digital asset and with the plurality of cyber risk algorithms; in response to the business interruption exposure associated with the digital asset, selecting a second cyber security algorithm of the plurality of cyber risk algorithms; calculating a regulatory exposure associated with the digital asset, the regulatory exposure based on the data representing the parameters associated with the digital asset and with the plurality of cyber risk algorithms; in response to the regulatory exposure associated with the digital asset, selecting a third cyber security algorithm of the plurality of cyber risk algorithms; determining a cyber risk score associated with the digital asset, the cyber risk score based on the electronic cyber security answers describing the cyber security impacts associated with the digital asset; determining a cyber exposure associated with the digital asset, the cyber exposure based on i) executing the first cyber security algorithm selected in response to the data exfiltration exposure, ii) executing the second cyber security algorithm selected in response to the business interruption exposure, iii) executing the third cyber security algorithm selected in response to the regulatory exposure, and iv) the cyber risk score based on the electronic cyber security answers describing the cyber security impacts; and sending another webpage to the client device, the another webpage specifying the cyber exposure associated with the digital asset as a result of the cyber security service.”

URL and more information on this patent application, see: Evans, Maryellen. Digital Asset Based Cyber Risk Algorithmic Engine, Integrated Cyber Risk Methodology And Automated Cyber Risk Management System. Filed September 27, 2019 and posted April 2, 2020. Patent URL: http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PG01&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.html&r=1&f=G&l=50&s1=%2220200106801%22.PGNR.&OS=DN/20200106801&RS=DN/20200106801

(Our reports deliver fact-based news of research and discoveries from around the world.)