Patent Issued for System and methods for vulnerability assessment and provisioning of related services and products for efficient risk suppression (USPTO 11568455): Aon Risk Consultants Inc.
2023 FEB 16 (NewsRx) -- By a
The patent’s assignee for patent number 11568455 is
News editors obtained the following quote from the background information supplied by the inventors: “Cybersecurity risk relates, in some examples, to losses arising from compromise of sensitive data (e.g., payment data held by merchant or medical data held by health care providers), computer system penetration, compromise of personal information related to identity fraud, and eventualities of the like. These sorts of losses can arise from malefactors who adjust their actions in response to present-tense environmental variables governing opportunity: newly discovered exploits, recent trends in cyber security, and so on. Assessment of cyber security risk has heretofore relied heavily upon human capital, resulting in subjective risk assessments based upon individual experts’ methods and professional background. Consequently, the factors that are significant in cyber risk assessment of an individual or an entity’s systems, properties and facilities change rapidly, but their risk assessment continues to be performed by individuals and is therefore performed with a level of expertise that can be no better than the particular individual assigned to the task. Moreover, as risk factors emerge in one industry, knowledge of those factors tends to remain confined to professionals within that industry, leaving other industries vulnerable, and rendering the vulnerability assessments performed in those other industries under-informed.
“An additional complicating matter in the marketplace for cyber risk assessment and mitigation is that third party services available for assisting an individual or enterprise in managing cybersecurity risk must be found and subscribed to on an individual basis. For example, an individual may seek out services to detect and prevent identity fraud, or to determine whether his or her personal information is already compromised and published on the dark web. A small or medium size business may, for example, seek secure managed virtual private network (VPN) services. These sorts of service are sold individually, and a consumer must hunt and peck from website-to-website to understand the array of offerings, and intelligently select from among them. Additionally, this hunt-and-peck process carries with it the possibility that a service provider or insurer loses the opportunity to provide services to a would-be client, in the event that the client leaves the provider’s website to seek out companion services published elsewhere. It also raises the prospect that an insurer or service provider may be ignorant of one or more of the risk suppression services its client imposes because the service was subscribed to via another vendor, where the transaction was “out of sight” of the insurer or service provider.
“There exists a need for risk assessment that is not beholden to individual subjective judgment, elimination of delays in identifying potential service providers and insurers for protecting against cybersecurity risk, and elimination of the present-day hunt-and-peck process for locating risk suppression services.
“Additionally, it may be the case that the operator of the platform desires to assess the risk of users or the organizations they represent vis-a-vis more than one variety of hazard. For example, in addition to assessing cyber security risks, the operator of the platform may desire to assess the risk of the user or the organization he represents with regard to violation of a regulatory framework such as the European Union’s General Data Protection Regulation or the United States’ Health Insurance Portability and Accountability Act. It is inefficient to have to reprogram the platform to attend to each of these various hazards.
“There exists a need to suppress database call load in such contexts and to allow for such platforms to be refocused from hazard to hazard while reducing the programming effort required for such refocusing.”
As a supplement to the background information on this patent, NewsRx correspondents also obtained the inventors’ summary information for this patent: “SUMMARY OF ILLUSTRATIVE EMBODIMENTS
“In one aspect, the present disclosure relates to a platform and methods for cyber security vulnerability assessment and management. The platform and methods may enable an automated or semi-automated cyber security resilience evaluation. Scoring for the evaluation may be performed to identify risks or exposures of an enterprise’s information technology (IT) systems to various cyber security threats. The assessment provided by the platform and methods may include a graphical display enabling an end user to identify weaknesses across a number of security domains. Further, security sub-domain assessments may direct users to specific areas needing improvement. The enterprise may be assessed in view of a target vulnerability rating and/or peer benchmark vulnerability ratings to enable visual comparison of the enterprise’s present state. Further, the platform and methods may provide one or more recommendations for mitigating one or more cyber security risks including, in some examples, products, services, and insurance policies. The user may be presented with a prospective vulnerability score representing an improvement in score upon applying one or more remedies.
“In one aspect, the present disclosure relates to a platform and methods for recommending and enabling cyber security risk mitigation to mitigate cyber security vulnerabilities identified through automated or semi-automated assessment of the IT systems of enterprises. The platform and methods may provide information regarding products, services, and/or insurance policies designed to remedy one or more deficiencies in cyber security resilience in an enterprise’s IT systems. Further, the platform and methods may supply purchase mechanisms for adding the recommended product(s), service(s), and/or policy(ies) to the enterprise’s infrastructure. The purchase mechanisms may include federating one or more third party providers to integrate sales between the user and the third party through the platform. A user of an interactive cyber security assessment tool, in some embodiments, is presented with an interactive roadmap display for selecting, planning, and budgeting for applying a series of remedies to the IT infrastructure of the enterprise. Certain remedies may include dependent remedies (e.g., dependencies) which are related to and depend upon the application of a set of one or more additional remedies to mitigate one or more risks. The interactive roadmap display may include a timeline and prioritization of laying out a plan of application of multiple remedies.
“In one aspect, the present disclosure relates to a platform and methods for presenting an interactive cyber vulnerability assessment to a user including cyber security evaluation questions presented in a number of security domains. The interactive cyber vulnerability assessment may be presented through a browser interface. The graphical user interface for the cyber vulnerability assessment may be built through parsing a document containing a set of interlinked data matrices containing information for the security domains, questions, response controls for each question, and score information corresponding to each potential response. Further, the document may include one or more matrices for storing responses and other progress information related to a user interacting with the cyber vulnerability assessment. The interactive cyber vulnerability assessment, in some embodiments, may be accessed and re-accessed by one or more users, with user progress stored within the matrices of the document for population of the interactive cyber vulnerability assessment upon future access. One user may include an expert or evaluator, presented with additional controls by the platform and methods for adding feedback or comments within a completed assessment questionnaire. The document including the completed questionnaire information and expert commentary may be used to generate a graphical report for review by an enterprise. The report may be interactive (e.g., presented via a browser).
“In one aspect, the present disclosure relates to a platform and methods for evaluating cyber security risks and vulnerability scoring based upon real life outcomes of enterprises having cyber vulnerability assessment information as well as cyber insurance claims information collected by a platform and methods for cyber security vulnerability assessment. The platform and/or methods may access incident data regarding cyber attacks as well as scores calculated for the enterprise involved in each cyber attack and analyze the information to determine target vulnerability scores for avoidance of future cyber attacks in other enterprises.”
The claims supplied by the inventors are:
“1. A method for conducting a cyber security vulnerability assessment of an enterprise, the method comprising: preparing, by processing circuitry for presentation to a first authorized representative of two or more authorized representatives of the enterprise at a first remote computing device, a first interactive survey user interface comprising a plurality of questions regarding one or more technology systems of the enterprise, wherein each question of the plurality of questions is logically linked, in a non-volatile storage region, to a respective security domain of a set of security domains, the set of security domains comprising at least two of a data security domain, a cloud and network security domain, a physical security domain, and an application security domain, and each question of the plurality of questions is logically linked, in the non-volatile storage region, to at least two answer options, each answer option corresponding to a respective answer score of at least two predetermined answer scores; obtaining, by the processing circuitry from the first authorized representative via the first interactive survey user interface, a first set of answers to a portion of the plurality of questions; storing, by the processing circuitry to the non-volatile storage region, each answer of the first set of answers logically linked to a corresponding question of the plurality of questions; preparing, by the processing circuitry for presentation to a second authorized representative of the two or more authorized representatives at a second remote computing device, a second interactive survey user interface comprising the plurality of questions wherein, for each question of the portion of the plurality of questions, a corresponding answer of the first set of answers is presented in the second interactive survey user interface; obtaining, by the processing circuitry from the second authorized representative via the second interactive survey user interface, a second set of answers to a remaining portion of the plurality of questions; storing, by the processing circuitry to the non-volatile storage region, each answer of the second set of answers logically linked to a corresponding question of the plurality of questions; for each security domain of the set of security domains, calculating, by the processing circuitry, a respective domain-level score representing aggregated predetermined answer scores from a respective subset of answers of a plurality of answers logically linked to the respective security domain, wherein the plurality of answers comprises the first set of answers and the second set of answers; identifying, by the processing circuitry for each security domain of the set of security domains, one or more attack vectors relevant to the enterprise based on at least one of the domain-level score and the subset of answers of the plurality of answers corresponding to the respective security domain, wherein the one or more attack vectors each represent a respective mechanism of cyber exploitation; for each security domain of the set of security domains, applying, by the processing circuitry for each attack vector of the one or more attack vectors, the domain-level score and/or one or more answers of the subset of answers corresponding to the respective security domain to calculate a respective sensitivity of the enterprise to the mechanism of cyber exploitation of the respective attack vector; for each security domain of the set of security domains, determining, by the processing circuitry based on the one or more attack vectors of the respective security domain and further on the respective sensitivity, at least one cost estimate associated with the one or more attack vectors; and preparing, by the processing circuitry for presentation in a report, an overview of cost estimates associated with the set of security domains.
“2. The method of claim 1, wherein calculating the respective domain-level scores comprises applying, to a portion of the plurality of answers of at least one domain of the set of security domains, a weight to the associated answer score of the respective answer.
“3. The method of claim 1, wherein the two or more authorized representatives comprise a field agent of a cyber security vulnerability assessment service provider.
“4. The method of claim 3, further comprising preparing, by the processing circuitry for presentation to the field agent at a third remote computing device, a field agent user interface comprising the plurality of questions.
“5. The method of claim 4, wherein the field agent user interface comprises at least one input control for adding information different from the information available within the plurality of questions and/or the plurality of answers, wherein the at least one input control is unavailable in the first interactive survey user interface and the second interactive survey user interface.
“6. The method of claim 1, wherein the overview of cost estimates comprises at least one cyber insurance cost.
“7. The method of claim 1, wherein the overview of cost estimates comprises a plurality of recommended mitigations to cyber security risk, wherein each recommended mitigation comprises a respective cost estimate.
“8. The method of claim 7, wherein each mitigation of the plurality of recommended mitigations is associated with a corresponding urgency of application of the respective mitigation.
“9. The method of claim 7, wherein each mitigation of the plurality of recommended mitigations is associated with a number of risks mitigated by the respective mitigation.
“10. The method of claim 7, wherein one or more mitigations of the plurality of recommended mitigations is dependent upon first applying another mitigation of the plurality of recommended mitigations.
“11. The method of claim 1, wherein the overview of cost estimates further comprises an expert commentary section including analysis entered by a field agent of a cyber security vulnerability assessment service provider via a field agent user interface comprising the plurality of questions and the plurality of answers.
“12. A system for assessing cyber security risk exposure of an enterprise, the system comprising: at least one non-transitory computer readable storage configured to store an array of question data, each question of the array of question data comprising question text, wherein each question of the array of question data is logically linked to a respective cyber security domain of a plurality of cyber security domains, and each question of the array of question data is logically linked to at least two response selections, each response selection being logically linked to a respective response value of at least two response values, and an array of answer data, each answer of the array of answer data being logically linked to a respective response value of the at least two response values of a corresponding question of the array of question data, wherein each response value is logically linked to a relative risk exposure; and a platform comprising software and/or hardware logic configured, when executed, to perform operations comprising obtaining, from at least two users of a plurality of users, at least two sets of answers to a plurality of questions presented in a cyber security questionnaire associated with the enterprise, wherein obtaining the respective sets of answers comprises preparing, for presentation to the respective user at a computing device of the respective user, an interactive user interface presenting at least a portion of the plurality of questions, each question presenting the question text of a respective question of the array of question data, receiving, via the interactive user interface, a respective set of answers of the at least two sets of answers, wherein each user of the at least two users is associated with the enterprise, and preparing the interactive user interface comprises presenting, for each question already answered in the respective set of answers of the at least two sets of answers, the answer entered corresponding to the respective question, and storing, to the at least one non-transitory computer readable storage, each answer of the at least two sets of answers logically linked to a corresponding question of the plurality of questions; for each cyber security domain of the plurality of cyber security domains, calculating a domain-level exposure value using the response values logically linked to each answer obtained in the at least two sets of answers corresponding to a question of the plurality of questions logically linked to the respective cyber security domain, identifying, for each domain of the plurality of cyber security domains, one or more attack vectors relevant to the enterprise based on at least one of the domain-level exposure value and the answers corresponding to the respective cyber security domain, wherein the one or more attack vectors each represent a respective mechanism of cyber exploitation, for each cyber security domain of the plurality of cyber security domains, applying, for each attack vector of the one or more attack vectors, the domain-level exposure value and/or one or more answers of a subset of answers corresponding to the respective cyber security domain to calculate a respective sensitivity of the enterprise to the mechanism of cyber exploitation of the respective attack vector; for each cyber security domain of the plurality of cyber security domains, estimating, based on the one or more attack vectors of the respective cyber security domain and further on the respective sensitivity, at least one cost associated with the one or more attack vectors, and preparing a report for the enterprise comprising a plurality of cost estimations associated with the plurality of cyber security domains.”
There are additional claims. Please visit the full patent to read further.
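To make the questionnaire model in the summary (a parsed document holding domains, questions, answer options with predetermined scores, and a response store that survives re-access) and in claims 1, 2 and 12 (two representatives answering disjoint portions, the first set pre-filled for the second, weighted per-domain aggregation, and a prospective score after remedies) concrete, here is an added illustration. It is not the patent's or Aon's code; the JSON document layout, question identifiers and texts, weights, the 0-100 normalisation of domain scores, and the representation of a remedy as an improved answer are all assumptions made for the example. Attack-vector identification and cost estimation are not modelled.

```python
"""Illustrative questionnaire-scoring model (added example, not the patent's code).

Assumed, not taken from the patent: the JSON layout, question ids/texts, weights,
0-100 score normalisation, and remedies expressed as improved answers.
"""
import json
from collections import defaultdict

# Constructed sample "document": domains, questions linked to a domain and to
# answer options with predetermined scores, and an (initially empty) response store.
SAMPLE_DOC = json.dumps({
    "domains": ["data", "cloud_network", "physical", "application"],
    "questions": [
        {"id": "q1", "domain": "data", "weight": 2.0,
         "text": "Is customer data encrypted at rest?",
         "options": {"yes": 10, "partial": 5, "no": 0}},
        {"id": "q2", "domain": "data", "weight": 1.0,
         "text": "Are backups restore-tested?",
         "options": {"yes": 10, "no": 0}},
        {"id": "q3", "domain": "cloud_network", "weight": 1.0,
         "text": "Is MFA enforced for remote access?",
         "options": {"yes": 10, "no": 0}},
        {"id": "q4", "domain": "cloud_network", "weight": 1.0,
         "text": "Are VPN gateways patched within 30 days of a vendor fix?",
         "options": {"yes": 10, "no": 0}},
        {"id": "q5", "domain": "application", "weight": 1.0,
         "text": "Are third-party dependencies scanned for known vulnerabilities?",
         "options": {"yes": 10, "no": 0}},
    ],
    "responses": {},
})


class Assessment:
    """Parses the document and exposes survey, storage and scoring operations."""

    def __init__(self, document: str):
        self.doc = json.loads(document)
        self.questions = {q["id"]: q for q in self.doc["questions"]}
        self.responses = self.doc["responses"]  # qid -> {"user": ..., "answer": ...}

    def survey_view(self):
        """What the next representative sees: stored answers pre-filled, the rest blank."""
        return {qid: self.responses.get(qid, {}).get("answer") for qid in self.questions}

    def record(self, user: str, answers: dict):
        """Store a representative's answers, rejecting anything that is not an option."""
        for qid, ans in answers.items():
            if ans not in self.questions[qid]["options"]:
                raise ValueError(f"{qid}: {ans!r} is not an answer option")
            self.responses[qid] = {"user": user, "answer": ans}

    def unanswered(self):
        return [qid for qid in self.questions if qid not in self.responses]

    def domain_scores(self, overrides=None):
        """Weighted domain-level score as a percentage of the maximum attainable.
        Only answered questions count; `overrides` substitutes answers without storing them."""
        overrides = overrides or {}
        got, possible = defaultdict(float), defaultdict(float)
        for qid, q in self.questions.items():
            ans = overrides[qid] if qid in overrides else self.responses.get(qid, {}).get("answer")
            if ans is None:
                continue
            w = q.get("weight", 1.0)
            got[q["domain"]] += w * q["options"][ans]
            possible[q["domain"]] += w * max(q["options"].values())
        return {d: round(100 * got[d] / possible[d], 1) for d in possible}

    def prospective(self, remedies):
        """Prospective score if each remedy (qid -> improved answer) were applied."""
        overrides = {}
        for remedy in remedies:
            overrides.update(remedy)
        return self.domain_scores(overrides)

    def serialize(self) -> str:
        """Persist the document, responses included, for a later session."""
        return json.dumps(self.doc)


def run_example():
    """Two representatives answer disjoint portions; score, persist, reload, and project."""
    a = Assessment(SAMPLE_DOC)
    a.record("cio", {"q1": "partial", "q2": "yes"})           # first representative
    assert a.survey_view()["q1"] == "partial"                  # pre-filled for the second
    a.record("netadmin", {qid: ans for qid, ans in
                          {"q3": "no", "q4": "yes", "q5": "no"}.items()
                          if qid in a.unanswered()})           # remaining portion
    before = a.domain_scores()
    reloaded = Assessment(a.serialize()).domain_scores()       # survives re-access
    after = a.prospective([{"q3": "yes"}, {"q1": "yes"}])      # enforce MFA, finish encryption
    return before, reloaded, after


if __name__ == "__main__":
    print(run_example())
```

Domains with no answered question (here "physical") are omitted from the result rather than reported as zero, so an incomplete questionnaire is visibly incomplete instead of looking like a failing domain.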
For additional information on this patent, see: Bolas, Jeffrey. System and methods for vulnerability assessment and provisioning of related services and products for efficient risk suppression.
(Our reports deliver fact-based news of research and discoveries from around the world.)