Researchers Submit Patent Application, “System And Methods For Vulnerability Assessment And Provisioning Of Related Services And Products For Efficient Risk Suppression”, for Approval (USPTO 20230351456): Aon Risk Consultants Inc.

2023 NOV 20 (NewsRx) -- By a News Reporter-Staff News Editor at Insurance Daily News -- From Washington, D.C., NewsRx journalists report that a patent application by the inventors Bolas, Jeffrey (Brooklyn, NY, US); Dan, Nicholas (Chicago, IL, US); Dhesi, Mani (London, GB); Hogg, Jason (Bedford, NY, US); Moreira, Cory Allen (Palm Harbor, FL, US); Peckman, Adam (London, GB); Uriarte, Christopher (Fort Lauderdale, FL, US), filed on December 21, 2022, was made available online on November 2, 2023.

The patent’s assignee is Aon Risk Consultants Inc. (Chicago, Illinois, United States).

News editors obtained the following quote from the background information supplied by the inventors: “Cybersecurity risk relates, in some examples, to losses arising from compromise of sensitive data (e.g., payment data held by merchant or medical data held by health care providers), computer system penetration, compromise of personal information related to identity fraud, and eventualities of the like. These sorts of losses can arise from malefactors who adjust their actions in response to present-tense environmental variables governing opportunity: newly discovered exploits, recent trends in cyber security, and so on. Assessment of cyber security risk has heretofore relied heavily upon human capital, resulting in subjective risk assessments based upon individual experts’ methods and professional background. Consequently, the factors that are significant in cyber risk assessment of an individual or an entity’s systems, properties and facilities change rapidly, but their risk assessment continues to be performed by individuals and is therefore performed with a level of expertise that can be no better than the particular individual assigned to the task. Moreover, as risk factors emerge in one industry, knowledge of those factors tends to remain confined to professionals within that industry, leaving other industries vulnerable, and rendering the vulnerability assessments performed in those other industries under-informed.

“An additional complicating matter in the marketplace for cyber risk assessment and mitigation is that third party services available for assisting an individual or enterprise in managing cybersecurity risk must be found and subscribed to on an individual basis. For example, an individual may seek out services to detect and prevent identity fraud, or to determine whether his or her personal information is already compromised and published on the dark web. A small or medium size business may, for example, seek secure managed virtual private network (VPN) services. These sorts of service are sold individually, and a consumer must hunt and peck from website-to-website to understand the array of offerings, and intelligently select from among them. Additionally, this hunt-and-peck process carries with it the possibility that a service provider or insurer loses the opportunity to provide services to a would-be client, in the event that the client leaves the provider’s website to seek out companion services published elsewhere. It also raises the prospect that an insurer or service provider may be ignorant of one or more of the risk suppression services its client imposes because the service was subscribed to via another vendor, where the transaction was “out of sight” of the insurer or service provider.

“There exists a need for risk assessment that is not beholden to individual subjective judgment, elimination of delays in identifying potential service providers and insurers for protecting against cybersecurity risk, and elimination of the present-day hunt-and-peck process for locating risk suppression services.

“Additionally, it may be the case that the operator of the platform desires to assess the risk of users or the organizations they represent vis-a-vis more than one variety of hazard. For example, in addition to assessing cyber security risks, the operator of the platform may desire to assess the risk of the user or the organization he represents with regard to violation of a regulatory framework such as the European Union’s General Data Protection Regulation or the United States’ Health Insurance Portability and Accountability Act. It is inefficient to have to reprogram the platform to attend to each of these various hazards.

“There exists a need to suppress database call load in such contexts and to allow for such platforms to be refocused from hazard to hazard while reducing the programming effort required for such refocusing.”

As a supplement to the background information on this patent application, NewsRx correspondents also obtained the inventors’ summary information for this patent application: “In one aspect, the present disclosure relates to a platform and methods for cyber security vulnerability assessment and management. The platform and methods may enable an automated or semi-automated cyber security resilience evaluation. Scoring for the evaluation may be performed to identify risks or exposures of an enterprise’s information technology (IT) systems to various cyber security threats. The assessment provided by the platform and methods may include a graphical display enabling an end user to identify weaknesses across a number of security domains. Further, security sub-domain assessments may direct users to specific areas needing improvement. The enterprise may be assessed in view of a target vulnerability rating and/or peer benchmark vulnerability ratings to enable visual comparison of the enterprise’s present state. Further, the platform and methods may provide one or more recommendations for mitigating one or more cyber security risks including, in some examples, products, services, and insurance policies. The user may be presented with a prospective vulnerability score representing an improvement in score upon applying one or more remedies.

“In one aspect, the present disclosure relates to a platform and methods for recommending and enabling cyber security risk mitigation to mitigate cyber security vulnerabilities identified through automated or semi-automated assessment of the IT systems of enterprises. The platform and methods may provide information regarding products, services, and/or insurance policies designed to remedy one or more deficiencies in cyber security resilience in an enterprise’s IT systems. Further, the platform and methods may supply purchase mechanisms for adding the recommended product(s), service(s), and/or policy(ies) to the enterprise’s infrastructure. The purchase mechanisms may include federating one or more third party providers to integrate sales between the user and the third party through the platform. A user of an interactive cyber security assessment tool, in some embodiments, is presented with an interactive roadmap display for selecting, planning, and budgeting for applying a series of remedies to the IT infrastructure of the enterprise. Certain remedies may include dependent remedies (e.g., dependencies) which are related to and depend upon the application of a set of one or more additional remedies to mitigate one or more risks. The interactive roadmap display may include a timeline and prioritization of laying out a plan of application of multiple remedies.

“In one aspect, the present disclosure relates to a platform and methods for presenting an interactive cyber vulnerability assessment to a user including cyber security evaluation questions presented in a number of security domains. The interactive cyber vulnerability assessment may be presented through a browser interface. The graphical user interface for the cyber vulnerability assessment may be built through parsing a document containing a set of interlinked data matrices containing information for the security domains, questions, response controls for each question, and score information corresponding to each potential response. Further, the document may include one or more matrices for storing responses and other progress information related to a user interacting with the cyber vulnerability assessment. The interactive cyber vulnerability assessment, in some embodiments, may be accessed and re-accessed by one or more users, with user progress stored within the matrices of the document for population of the interactive cyber vulnerability assessment upon future access. One user may include an expert or evaluator, presented with additional controls by the platform and methods for adding feedback or comments within a completed assessment questionnaire. The document including the completed questionnaire information and expert commentary may be used to generate a graphical report for review by an enterprise. The report may be interactive (e.g., presented via a browser).

“In one aspect, the present disclosure relates to a platform and methods for evaluating cyber security risks and vulnerability scoring based upon real life outcomes of enterprises having cyber vulnerability assessment information as well as cyber insurance claims information collected by a platform and methods for cyber security vulnerability assessment. The platform and/or methods may access incident data regarding cyber attacks as well as scores calculated for the enterprise involved in each cyber attack and analyze the information to determine target vulnerability scores for avoidance of future cyber attacks in other enterprises.

“In some embodiments, a system for collecting and managing cybersecurity assessment information using an interactive questionnaire includes a document including: a security domain matrix including a number of domain fields arranged for storing information regarding a number of security domains, where the number of domain fields includes, for each domain of the number of security domains, a progress field for collecting and storing a progress of a user of the interactive questionnaire through a respective section a number of sections of the interactive questionnaire corresponding to a respective security domain of the number of security domains; a questions matrix including a number of questions fields arranged for storing information regarding a number of questions, each question logically linked to a respective security domain of the number of security domains of the security domain matrix, where for each question of the number of questions, the number of questions fields includes at least one text string containing a question for presentation to a user of the interactive questionnaire, and at least one response control type of a number of response control types for presentation to the user of the interactive questionnaire for obtaining a response to the respective question; a responses matrix including a number of response fields arranged for storing information regarding a number of responses related to the number of questions, each response logically linked to a respective question of the number of questions of the questions matrix, where, for each response of the number of responses, the number of response fields includes a respective score of a number of response scores corresponding to the response; and a selections matrix including a number of selections fields arranged for storing information regarding user selections of a portion of the number of responses, each selection field logically linked to a respective question of the number of questions of the questions matrix. The system may include a vulnerability assessment engine configured to obtain the document, render, by processing circuitry, the document as the interactive questionnaire by parsing the security domain matrix and the questions matrix, and causing presentation of at least a portion of the number of questions and, for each question of the portion of the number of questions, the respective response control type at a remote computing device of the user, receive, from the remote computing device responsive to the user interacting with the interactive questionnaire, one or more selections of a respective one or more responses of the number of responses, and store, by the processing circuitry in the selections matrix of the document, the one or more selections.

“In certain embodiments, the document includes a categories matrix including a number of categories fields arranged for storing information regarding a number of categories of each domain of the number of domains of the domains matrix, each category of the number of categories being logically linked to a respective security domain of the number of the number of security domains of the security domain matrix. For each domain of the number of security domains, the number of categories fields may include a category progress field for collecting and storing a progress of a user of the interactive questionnaire through a respective subsection of a number of subsections sections of the interactive questionnaire corresponding to a respective category of the number of categories. Each question of the number of questions of the questions matrix may be logically linked to a respective security domain of the number of security domains of the security domain matrix through a respective category of the number of categories of the categories matrix.

“In some embodiments, the vulnerability assessment engine is further configured to determine a respective score corresponding to each selection of the one or more selections, and render, in the interactive questionnaire, at least one score corresponding to the respective domain of the number of domains corresponding to a portion of the one or more selections. The vulnerability assessment engine may be further configured to, after completion of the interactive questionnaire by one or more users, calculate a number of category scores including a respective category score for each category of the number of categories by accessing respective scores for each selection of the number of selections corresponding to each category of the number of categories, and calculate, from the number of category scores, a number of domain scores corresponding to each domain of the number of domains. The vulnerability assessment engine may be configured to, after completion of the interactive questionnaire by one or more users, generate, using the document, a report including the number of category scores and the number of domain scores. The vulnerability assessment engine may be configured to, based upon at least one of the number of category scores and the number of domain scores, identify, for at least one domain of the number of domains, one or more remedies for mitigation of security vulnerabilities.”

There is additional summary information. Please visit full patent to read further.”

The claims supplied by the inventors are:

“1. (canceled)

“2. A system for evaluating and mitigating cybersecurity risk, the system comprising: a non-transitory computer-readable medium storing a plurality of questions related to cybersecurity risk exposure; and processing circuitry configured to perform operations comprising determining a subject security domain scheme of a plurality of security domain schemes for an entity, conducting, via network communications with one or more network-connected computing devices remote to the system, a set of interactions with one or more users associated with the entity, the set of interactions comprising sending, for display to at least one user of the one or more users, a set of questions of the plurality of questions, wherein the set of questions correspond to the subject security domain scheme, and obtaining information from the at least one user regarding a computing infrastructure of the entity, the information including a set of answers responsive to the set of questions presented by the system to the at least one user, calculating one or more vulnerability scores for the entity, wherein the calculating comprises evaluating the set of answers in view of the subject security domain scheme, determining, based at least in part on the subject security domain scheme, one or more target scores for the entity, using the one or more vulnerability scores and the information, identifying a plurality of mitigation options, each mitigation option of the plurality of mitigation options determined to improve, upon implementation, at least one vulnerability score of the one or more vulnerability scores, as part of the set of interactions, sending, for display to at least one user of the one or more users, at least one vulnerability score of the one or more vulnerability scores, at least one target score of the one or more target scores, and information regarding at least a portion of the plurality of mitigation options, and receiving, from the at least one user of the one or more users, a selection of at least one mitigation option of the plurality of mitigation options, for each respective mitigation option of the at least one mitigation option, identifying a timing of application of the respective mitigation option, and sending, for display to the at least one user, a graphical roadmap comprising each mitigation option of the at least one mitigation option, wherein the graphical roadmap comprises, for each respective mitigation option of the at least one mitigation option, the timing of the application of the respective mitigation option and at least one of an estimated cost associated with implementing the respective mitigation option, an estimated duration for implementing the respective mitigation option, and a responsible party.

“3. The system of claim 2, wherein the computing infrastructure comprises one or more hardware assets, one or more software assets, and one or more informational assets of the entity.

“4. The system of claim 2, wherein the operations comprise, for each respective mitigation option of one or more mitigation options of the at least one mitigation option: identifying a dependency mitigation option upon which the respective mitigation option relies; and determining the timing of the application of the respective mitigation option based in part on the dependency mitigation option.

“5. The system of claim 2, wherein receiving the selection of at least one mitigation option comprises receiving an indication of the respective responsible party for each mitigation option of the at least one mitigation option.

“6. The system of claim 2, wherein the plurality of mitigation options comprises at least one of a) one or more products or b) one or more services.

“7. The system of claim 6, wherein the one or more products comprises at least one cybersecurity insurance product.

“8. The system of claim 7, wherein identifying the plurality of mitigation options comprises determining eligibility of the entity for a first cybersecurity insurance product of the at least one cybersecurity insurance product.

“9. The system of claim 7, wherein the processing circuitry is further configured to perform operations comprising, as part of the set of interactions, enabling one or more of the one or more users to purchase the at least one cybersecurity insurance product.

“10. The system of claim 2, wherein presenting the graphical roadmap comprises modeling, for display to the at least one user, a graphical timeline visually mapping the timing of the application of each mitigation option of the at least one mitigation option.

“11. The system of claim 2, wherein each question of the plurality of questions is mapped to at least one security domain of the respective set of security domains corresponding to each security domain scheme of at least a portion of the plurality of security domain schemes.

“12. The system of claim 2, wherein each question of the plurality of questions is mapped to two or more potential response values, wherein each response value of the two or more potential response values is associated with a respective score of two or more potential scores.

“13. The system of claim 2, wherein the one or more vulnerability scores comprises, for each security domain of the subject security domain scheme, a respective domain-level vulnerability score.

“14. The system of claim 2, wherein the plurality of security domain schemes comprises a National Institute of Standards-Cyber Security Framework (NIST CSF) security domain scheme.

“15. A system for evaluating and mitigating cybersecurity risk, the system comprising: a non-transitory computer-readable medium storing a plurality of risk calculation schemes for quantifying cybersecurity risks to computing infrastructure components based at least in part on selections from a plurality of sets of multiple choice options; and processing circuitry configured to perform operations comprising obtaining evaluation information regarding a computing infrastructure of an enterprise, the evaluation information including a plurality of selections made responsive to the plurality of sets of multiple choice options presented to one or more users each interacting with the system via a respective user interface at a respective computing device of one or more network-connected external computing devices, calculating, by applying at least one risk calculation scheme of the plurality of risk calculation schemes to the evaluation information, at least one enterprise numeric quantification for the enterprise, determining, based at least in part on the evaluation information, at least one target numeric quantification, identifying, based at least in part on the evaluation information, one or more mitigation options, each mitigation option of the one or more mitigation options determined to improve, upon implementation, one or more enterprise numeric quantifications of the at least one enterprise numeric quantification, and preparing, for review by a representative of the enterprise, a computer-renderable interactive user interface comprising one or more user interface screens configured to present one or more enterprise numeric quantifications of the at least one enterprise numeric quantification in visual comparison to one or more target numeric quantifications of the at least one target numeric quantification, present information regarding at least a portion of the one or more mitigation options, and enable adoption of at least one mitigation option of the one or more mitigation options, wherein enabling adoption comprises providing one or more user interface controls for associating, with a selected mitigation option of the at least one mitigation option, one or more of a budget, a timing, or a responsible party, wherein, responsive to the adoption of the selected mitigation option, the computer-renderable interactive user interface is configured to render, in a roadmap display region of a provided screen of the one or more user interface screens, information regarding the selected mitigation option and the associated one or more of the budget, the timing, or the responsible party.

“16. The system of claim 15, wherein, responsive to the adoption of the selected mitigation option: the processing circuitry is configured to calculate at least one hypothetical numeric quantification representing an influence of the selected mitigation option on one or more enterprise numeric quantifications of the at least one enterprise numeric quantification; and the computer-renderable interactive user interface is configured to render, to the provided screen, one or more hypothetical numeric quantifications of the at least one hypothetical numeric quantification.

“17. The system of claim 15, wherein the processing circuitry is further configured to perform operations comprising: identifying, based on the evaluation information, a plurality of risks to the enterprise, wherein each mitigation option of the one or more mitigation options corresponds to at least one risk of the plurality of risks.

“18. The system of claim 15, wherein the at least one enterprise numeric quantification comprises an overall vulnerability score.

“19. The system of claim 15, wherein the at least one enterprise numeric quantification comprises a number of risks.

“20. The system of claim 15, wherein determining the at least one target numeric quantification comprises identifying a peer benchmark using characteristics of the enterprise.

“21. The system of claim 15, wherein the plurality of risk calculation schemes comprises a plurality of weights for applying to the plurality of selections.”

For additional information on this patent application, see: Bolas, Jeffrey; Dan, Nicholas; Dhesi, Mani; Hogg, Jason; Moreira, Cory Allen; Peckman, Adam; Uriarte, Christopher. System And Methods For Vulnerability Assessment And Provisioning Of Related Services And Products For Efficient Risk Suppression. U.S. Patent Application Number 20230351456, filed December 21, 2022 and posted November 2, 2023. Patent URL (for desktop use only): https://ppubs.uspto.gov/pubwebapp/external.html?q=(20230351456)&db=US-PGPUB&type=ids

(Our reports deliver fact-based news of research and discoveries from around the world.)