Patent Application Titled “Method And System For Assessing Risk Within A Network” Published Online (USPTO 20220311796): Axion Partners LLC

2022 OCT 19 (NewsRx) -- By a News Reporter-Staff News Editor at Insurance Daily News -- According to news reporting originating from Washington, D.C., by NewsRx journalists, a patent application by the inventors DOYLE, Jonathan (Arlington, VA, US); JACKMAN, Damon (Silver Spring, MD, US), filed on March 24, 2022, was made available online on September 29, 2022.

The assignee for this patent application is Axion Partners LLC (Arlington, Virginia, United States).

Reporters obtained the following quote from the background information supplied by the inventors: “Determination of appropriate risk to assign to a computer network is tricky. With regard to the cybersecurity insurance space, the following problems exist because risk is hard to determine. Traditionally, insurers use massive amounts of historical claims data to assess risk. Such data does not exist for cybersecurity claims. Insurers, instead, rely on that applicants self-disclose to do such risk evaluations. Further, insurers have very little ability to ensure that policyholders effectively protect their networks, which results in an increased risk of breach. Insurers are not able to provide risk reduction or minimization of losses. The amount of data an attack causes is largely determined by how long it takes to respond, and insurers do not know what is happening in real time, nor data to confirm that an exclusion applies.

“The inability to assign or evaluate risk results in much confusion in the area of cybersecurity insurance. The area of cybersecurity insurance is growing. Cybersecurity insurance premiums currently are about $5,000,000,000 and growing about 25% annually. Businesses often buy insurance because they are required to do so as a part of a contract with a customer that wants to mitigate risk from third parties. Direct cost to businesses for breaches are significant. Regulated companies and those that handle personal information also want to mitigate risk. Moreover, businesses should accurately and adequately know where potential threats exist and how to reduce the risk of a cybersecurity breach or attack.”

In addition to obtaining background information on this patent application, NewsRx editors also obtained the inventors’ summary information for this patent application: “One aspect of the present disclosure relates to a system configured for assessing risk within a network having a specified configuration, wherein the network includes hardware components and software components. The system may include one or more hardware processors configured by machine-readable instructions. The processor(s) may be configured to identify a plurality of attack techniques to target the hardware components and the software components of the network. The processor(s) may be configured to perform a first set of technical assessments from inside within the network. Each technical assessment may evaluate at least one of the attack techniques as the technique internally applies to the specified configuration of the network. The processor(s) may be configured to perform a second set of technical assessments from outside the network. Each technical assessment may evaluate at least one of the attack techniques as the technique externally applies to the specified configuration of the network. The processor(s) may be configured to determine a plurality of risk evaluations. Each risk evaluation may evaluate a defined risk to the specified configuration of the network using a corresponding technical assessment. The processor(s) may be configured to determine a plurality of risk component scores. Each risk component scores may correspond to a component within the network using at least one risk evaluation of the plurality of risk evaluations. The processor(s) may be configured to determine an overall risk score using at least two risk component scores. Each of the risk component scores may be weighted according to the corresponding component.

“Another aspect of the present disclosure relates to a method for assessing risk within a network having a specified configuration, wherein the network includes hardware components and software components. The method may include identifying a plurality of attack techniques to target the hardware components and the software components of the network. The method may include performing a first set of technical assessments from inside within the network. Each technical assessment may evaluate at least one of the attack techniques as the technique internally applies to the specified configuration of the network. The method may include performing a second set of technical assessments from outside the network. Each technical assessment may evaluate at least one of the attack techniques as the technique externally applies to the specified configuration of the network. The method may include determining a plurality of risk evaluations. Each risk evaluation may evaluate a defined risk to the specified configuration of the network using a corresponding technical assessment. The method may include determining a plurality of risk component scores. Each risk component scores may correspond to a component within the network using at least one risk evaluation of the plurality of risk evaluations. The method may include determining an overall risk score using at least two risk component scores. Each of the risk component scores may be weighted according to the corresponding component.

“Yet another aspect of the present disclosure relates to a non-transient computer-readable storage medium having instructions embodied thereon, the instructions being executable by one or more processors to perform a method for assessing risk within a network having a specified configuration, wherein the network includes hardware components and software components. The method may include identifying a plurality of attack techniques to target the hardware components and the software components of the network. The method may include performing a first set of technical assessments from inside within the network. Each technical assessment may evaluate at least one of the attack techniques as the technique internally applies to the specified configuration of the network. The method may include performing a second set of technical assessments from outside the network. Each technical assessment may evaluate at least one of the attack techniques as the technique externally applies to the specified configuration of the network. The method may include determining a plurality of risk evaluations. Each risk evaluation may evaluate a defined risk to the specified configuration of the network using a corresponding technical assessment. The method may include determining a plurality of risk component scores. Each risk component scores may correspond to a component within the network using at least one risk evaluation of the plurality of risk evaluations. The method may include determining an overall risk score using at least two risk component scores. Each of the risk component scores may be weighted according to the corresponding component.

“These and other features, and characteristics of the present technology, as well as the methods of operation and functions of the related elements of structure and the combination of parts and economies of manufacture, will become more apparent upon consideration of the following description and the appended claims with reference to the accompanying drawings, all of which form a part of this specification, wherein like reference numerals designate corresponding parts in the various figures. It is to be expressly understood, however, that the drawings are for the purpose of illustration and description only and are not intended as a definition of the limits of the invention. As used in the specification and in the claims, the singular form of ‘a’, ‘an’, and ‘the’ include plural referents unless the context clearly dictates otherwise.”

The claims supplied by the inventors are:

“1. A system configured for assessing risk within a network having a specified configuration, wherein the network includes hardware components and software components, the system comprising: one or more hardware processors configured by machine-readable instructions to: identify a plurality of attack techniques to target the hardware components and the software components of the network; perform a first set of technical assessments from inside within the network, wherein each technical assessment evaluates at least one of the attack techniques as the technique internally applies to the specified configuration of the network; perform a second set of technical assessments from outside the network, wherein each technical assessment evaluates at least one of the attack techniques as the technique externally applies to the specified configuration of the network; determine a plurality of risk evaluations, wherein each risk evaluation evaluates a defined risk to the specified configuration of the network using a corresponding technical assessment; determine a plurality of risk component scores, wherein each risk component scores corresponds to a component within the network using at least one risk evaluation of the plurality of risk evaluations; and determine an overall risk score using at least two risk component scores, wherein each of the risk component scores is weighted according to the corresponding component.

“2. The system of claim 1, wherein the one or more hardware processors are further configured by machine-readable instructions to associate a known vulnerability within the specified configuration of the network with the attack technique.

“3. The system of claim 2, wherein the known vulnerability can be exploited from inside or outside the network.

“4. The system of claim 1, wherein the one or more hardware processors are further configured by machine-readable instructions to generate live data when performing the first or the second set of technical assessments, wherein the live data corresponds to the attack technique under evaluation.

“5. The system of claim 4, wherein the one or more hardware processors are further configured by machine-readable instructions to evaluate a vulnerability of the at least one attack technique inside the network to generate the live data for the first set of technical assessments.

“6. The system of claim 4, wherein the one or more hardware processors are further configured by machine-readable instructions to evaluate a vulnerability the at least one attack technique outside the network to generate the live data for the second set of technical assessments.

“7. The system of claim 1, wherein the each risk evaluation measures a risk of attack using the at least one attack technique evaluated by the technical assessment.

“8. The system of claim 7, wherein the risk corresponds to the risk of the at least one attack technique being successful against the specified configuration of the network.

“9. The system of claim 1, wherein the overall risk score corresponds to a total cyber security risk to the network.

“10. A method for assessing risk within a network having a specified configuration, wherein the network includes hardware components and software components, the method comprising: identifying a plurality of attack techniques to target the hardware components and the software components of the network; performing a first set of technical assessments from inside within the network, wherein each technical assessment evaluates at least one of the attack techniques as the technique internally applies to the specified configuration of the network; performing a second set of technical assessments from outside the network, wherein each technical assessment evaluates at least one of the attack techniques as the technique externally applies to the specified configuration of the network; determining a plurality of risk evaluations, wherein each risk evaluation evaluates a defined risk to the specified configuration of the network using a corresponding technical assessment; determining a plurality of risk component scores, wherein each risk component scores corresponds to a component within the network using at least one risk evaluation of the plurality of risk evaluations; and determining an overall risk score using at least two risk component scores, wherein each of the risk component scores is weighted according to the corresponding component.

“11. The method of claim 10, further comprising associating a known vulnerability within the specified configuration of the network with the attack technique.

“12. The method of claim 11, wherein the known vulnerability can be exploited from inside or outside the network.

“13. The method of claim 10, further comprising generating live data when performing the first or the second set of technical assessments, wherein the live data corresponds to the attack technique under evaluation.

“14. The method of claim 13, further comprising evaluating a vulnerability of the at least one attack technique inside the network to generate the live data for the first set of technical assessments.

“15. The method of claim 13, further comprising evaluating a vulnerability the at least one attack technique outside the network to generate the live data for the second set of technical assessments.

“16. The method of claim 10, wherein the each risk evaluation measures a risk of attack using the at least one attack technique evaluated by the technical assessment.

“17. The method of claim 16, wherein the risk corresponds to the risk of the at least one attack technique being successful against the specified configuration of the network.

“18. The method of claim 10, wherein the overall risk score corresponds to a total cyber security risk to the network.

“19. A non-transient computer-readable storage medium having instructions embodied thereon, the instructions being executable by one or more processors to perform a method for assessing risk within a network having a specified configuration, wherein the network includes hardware components and software components, the method comprising: identifying a plurality of attack techniques to target the hardware components and the software components of the network; performing a first set of technical assessments from inside within the network, wherein each technical assessment evaluates at least one of the attack techniques as the technique internally applies to the specified configuration of the network; performing a second set of technical assessments from outside the network, wherein each technical assessment evaluates at least one of the attack techniques as the technique externally applies to the specified configuration of the network; determining a plurality of risk evaluations, wherein each risk evaluation evaluates a defined risk to the specified configuration of the network using a corresponding technical assessment; determining a plurality of risk component scores, wherein each risk component scores corresponds to a component within the network using at least one risk evaluation of the plurality of risk evaluations; and determining an overall risk score using at least two risk component scores, wherein each of the risk component scores is weighted according to the corresponding component.

“20. The computer-readable storage medium of claim 19, wherein the method further comprises associating a known vulnerability within the specified configuration of the network with the attack technique.”

For more information, see this patent application: DOYLE, Jonathan; JACKMAN, Damon. Method And System For Assessing Risk Within A Network. Filed March 24, 2022 and posted September 29, 2022. Patent URL: https://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PG01&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.html&r=1&f=G&l=50&s1=%2220220311796%22.PGNR.&OS=DN/20220311796&RS=DN/20220311796

(Our reports deliver fact-based news of research and discoveries from around the world.)