The system, method, and apparatus for measuring, modeling, reducing, and addressing cyber risk contains a process for determining control effectiveness.
This process references US patents 11,379,773, 11,282,018, 10,453,016, 10,395,201, and 9,747,570.
The control effectiveness system, method, and apparatus is just one component of the entire system, method, and apparatus for measuring, modeling, reducing, and addressing cyber risk.
The control effectiveness component expands into a defined system, method, and apparatus for measuring, modeling, and reducing control deficiencies.
Control Effectiveness expands into additional detail. (1) Data defined industry control maturity baseline expands into use of historical and cyber risk intelligence data. (2) Data defined control effectiveness expands into use of historical and cyber risk intelligence data. (3) Historical and cyber risk intelligence control effectiveness data expands into a process that combines data defined industry control maturity baseline and data defined control effectiveness. (4) Operator defined industry selection expands into specific operator inputs. (5) Operator defined asset applicability expands into specific operator inputs. (6) Operator defined control implementation expands into specific operator inputs for macro, mezzo, and detailed control implementations. (7) Operator control implementation inputs expands into a process that combines operator defined industry selection, operator defined asset applicability, and operator defined control implementation. (8) Control effectiveness measurement expands into a process that combines historical and cyber risk intelligence control effectiveness data and operator control implementation inputs. (9) Control effectiveness model expands into a process that determines control effectiveness amongst the 110 risk scenarios. (10) Control effectiveness results expands into a sample output. (11) Control effectiveness ranking expands into a sample prioritization of control deficiencies.
Data Defined Control Maturity
This system, method, and apparatus considers 21 industry verticals, such as Retail and Healthcare. Historical and cyber risk intelligence data determines an annual control implementation baseline for each industry vertical amongst the CIS Cyber Security Controls (version 8).
This system, method, and apparatus considers the same industry verticals defined in Figure 17.
This system, method, and apparatus determines the annual industry control maturity baseline by leveraging historical and cyber risk intelligence data. For each industry, there is a determine control maturity baseline value on a scale of 0 to 5. 5 represents an optimized maturity, while a 0 represents no maturity. The control maturity baseline value is an average value, with an option to consider 25th and 75th percentiles. Please see example below:
Financial and Insurance Services (NAICS Code 512) = 2.63
Retail Trade (NAICS Code 44, 45) = 2.25
Healthcare (NAICS Code 62) = 2.75
Manufacturing (NAICS Code 31, 32, 33) = 2.38
Accommodation and Food Services (NAICS Code 72) = 1.88
The industry control implementation baseline value is difficult to leverage in macro form. Therefore, this system, method, and apparatus converts the control maturity baseline to a specific maturity value for each of the 18 CIS CSC controls.
As a first step, this system, method, and apparatus converts the 0 to 5 maturity value to a 0 to 3 implementation group value. As an example, the Accommodation and Food Services 1.88 maturity value is converted to 1.13 implementation group (IG) value. The formula is ( Maturity Value / 5 ) x 3 = Implementation Group Value.
As a second step, this system, method, and apparatus propagates the implementation group value to each of the 18 CIS CSC control to determine a baseline implementation value. An implementation group value of 1 would mean that 100% implementation group 1 sub-controls are implemented, an implementation group value of 1.5 would mean that a 100% of implementation group 1 sub-controls are implemented and 50% of implementation group 2 sub-controls are implemented, and a implementation group value of 3 would mean that 100% of implementation group 1, group 2, and group 3 sub-controls are implemented.
Data Defined Control Effectiveness
This system, method, and apparatus uses historical and cyber risk intelligence data determines control effectiveness for each of the 18 CIS CSC controls intersecting with each of the 110 risk scenarios.
As a first step, this system, method, and apparatus categorizes historical and cyber risk intelligence incidents are amongst the 10 threat categories. Due to multi-step attack patterns, this system, method, and apparatus categorizes many of the incidents in more than one threat category.
As a second step, this system, method, and apparatus further categorizes historical and cyber risk intelligence incidents are amongst the 11 asset groups. Due to multi-step attack patterns, this system, method, and apparatus categorizes many of the incidents in more than one asset group.
As a third step, this system, method, and apparatus finds common patterns in the incident data. If the pattern ratio aggregates to 80% or greater, than the pattern is tagged “primary”. If the ratio pattern aggregates between 5% and 15%, then the pattern is tagged “secondary”. If the ratio pattern aggregates between 1% and 4%, then the pattern is tagged “tertiary”. If the ratio pattern aggregates to less than 1%, then it is considered insignificant and not used within X-Analytics.
As a fourth step, this system, method, and apparatus associates each incident pattern to one or more CIS CSC control. As an example, the phishing incident pattern associates with CIS CSC #14 Security Awareness Training. Primary incident patterns associate with primary controls, secondary incident patterns associated with secondary controls, and tertiary incident patterns associate with tertiary controls. In some of the risk scenarios, certain controls will have zero control effectiveness because there is not an incident pattern association.
As a fifth step, this system, method, and apparatus distributes a control effectiveness value to each of the 18 CIS CSC controls for each of the 110 risk scenarios. This system, method, and apparatus evenly distributes 80% amongst all primary tagged controls, evenly distributes 15% amongst all secondary tagged controls, and evenly distributed 4% amongst all tertiary tagged controls. If a control does not have a primary, secondary, or tertiary tag, then it’s assigned 0.0% control effectiveness.
Historical and Cyber Risk Intelligence Control Effectiveness Data
This system, method, and apparatus combines the data defined industry control maturity baseline and the data defined control effectiveness for control effectiveness measurement for each of the 21 industry verticals to determine data defined earned control effectiveness. For each industry vertical, this system, method, and apparatus determined data defined earned control effectiveness for each of the 110 risk scenarios.
Operator Defined Industry Selection
This system, method, and apparatus provides an operator input for industry selection. The operator selected industry determines which industry control maturity baseline is used for control effectiveness. For more information, please see here.
Operator Defined Asset Applicability
This system, method, and apparatus provides an operator input for asset applicability. The operator selected asset applicability determines which risk scenarios (from the residual risk grid) are applicable for control effectiveness. For more information, please see here.
Operator Defined Control Implementation
This system, method, and apparatus provides an operator input for control implementation. The control implementation input divides into three options: a macro-option, a mezzo-option, and a detailed-option.
The macro-option gives the operator a quick and efficient input selection. In this case, the operator selects a maturity value from 0 to 5. 5 represents an optimized maturity, while a 0 represents no maturity. This system, method, and apparatus uses the same from process from “Data Defined Industry Control Maturity Baseline” to convert the 5-point maturity scale to a 3-point implementation group value to a specific implementation percent value for each of the 18 CIS CSC controls.
The mezzo option gives the operator an ability to select an implementation percent value for each of the 18 CIS CSC controls. Enterprise knowledge and data should inform the operator’s answers. This system, method, and apparatus also provides a mechanism and translation for the operator to upload an audit report that determines implementation value for each of the 18 CIS CSC controls.
The detailed option gives the operator a granular selection that results in a very precise answer of control implementation amongst the 10 threat categories, 11 asset groups, and 18 CIS CSC controls. Even though this option should be informed by detailed enterprise knowledge and data and takes more time to answer, it does provide the most accurate depiction of the enterprise control implementation.
This system, method, and apparatus repeats the above diagram for each of the 18 CIS CSC controls.
Operator Control Implementation Inputs
This system, method, and apparatus organizes and structures the operator control implementation inputs for enterprise-specific control effectiveness measuring and modeling. This system, method, apparatus stages, archives, and links the operator control implementation inputs to the control effectiveness model.
Control Effectiveness Measurement
This system, method, and apparatus combines historical and cyber risk intelligence control effectiveness data and operator control implementation input to determine control effectiveness measurement.
This system, method, and apparatus repeats the process the above diagram for all 18 controls per risk scenario and further repeats for all 110 risk scenario. In total, this system, method, and apparatus repeats the above diagram for a total of 1,980 times.
Control Effectiveness Model
This system, method, and apparatus aggregates the control effectiveness measurement results for each of the 18 CIS CSC controls per risk scenario.
This system, method, and apparatus repeats the process, in the above table, for each of the 110 risk scenarios to determine the control effectiveness grid.
This system, method, and apparatus converts non-applicable risk scenarios to a “blank” value to prevent operator confusion between non-applicable scenarios and zero percent control effectiveness.
Control Effectiveness Results
This system, method, and apparatus does not display the control effectiveness grid to the operator. However, the user can realize the benefits of control effectiveness by observing the residual risk grid, the delta between the risk grid (with inherent risk values) and the residual risk grid, the mitigation simulator (with inherent risk selection), and the Control Framework (CIS CSC) dashboard.
In the first example, the user can observe the benefits of control effectiveness by comparing the delta between inherent risk and residual risk.
Residual Risk Grid (with inherent risk values)
Residual Risk Grid (includes benefit of control effectiveness)
In the second example, the user can realize the benefits of control effectiveness by observing the mitigation simulator with inherent risk selection.
In the third example, the user can realize the benefits of control effectiveness by observing the Control Framework (CIS CSC) dashboard. This dashboard displays the current implementation value of each CIS CSC control and shows the control effectiveness benefit if each control were implemented at 100%.
This system, method, and apparatus supports current and monthly control effectiveness measurement, modeling, and results. As such, it is possible to generate control effectiveness trending based on shifts in historical and cyber risk intelligence control effectiveness data and operator defined control implementation data.
Control Effectiveness Rankings
This system, method, and apparatus automatically ranks all control effectiveness results. The operator may use the control effectiveness ranking to prioritize finite enterprise budget and other finite enterprise resources.
