X-Analytics: Impact

Updated: Feb 27

The system, method, and apparatus for measuring, modeling, reducing, and addressing cyber risk contains a process for determining impact.


This process references US patents 11,379,773, 11,282,018, 10,453,016, 10,395,201, and 9,747,570.

The impact system, method, and apparatus is just one component of the entire system, method, and apparatus for measuring, modeling, reducing, and addressing cyber risk.

The impact component expands into a defined system, method, and apparatus for measuring and modeling impact.

The impact system and method expands into additional detail:
  (1) Data defined industry impact assumption expands into use of historical and cyber risk intelligence data.
  (2) Historical and cyber risk intelligence data expand into a process that combines industry impact assumptions.
  (3) Operator defined industry selection expands into specific operator inputs.
  (4) Operator defined asset applicability expands into specific operator inputs.
  (5) Operator defined impact selection expands into specific operator inputs.
  (6) Operator impact inputs expand into a process that combines operator defined industry selection, operator defined asset applicability, and operator defined impact selections.
  (7) Impact measurement expands into a process that combines historical and cyber risk intelligence impact data and operator impact inputs.
  (8) Impact model expands into a process that determines impact amongst the 110 risk scenarios.


Data Defined Industry Impact Assumption

This system, method, and apparatus considers 21 industry verticals, such as Retail and Healthcare. Historical and cyber risk intelligence data determines confidentiality, integrity, and availability assumptions for each industry vertical, amongst the 11 asset groups.

This system, method, and apparatus considers the same industries defined within the Threat System, Method, and Apparatus.

This system, method, and apparatus determines the industry impact assumptions by leveraging historical and cyber risk intelligence data. For each industry, there is an assumption of asset commonality to determine assumed asset applicability, an assumption of common record blend to determine assumed confidentiality, an assumption of common asset uptime to determine assumed availability, and a process that combines assumed confidentiality and availability to determine assumed integrity.

  • Confidentiality – the degree of privacy or secrecy related to data within an information system.

  • Integrity – the quality or state of an information system operating in an unimpaired condition, or the quality or state of data being complete and unaltered.

  • Availability – the quality or state of an information system or data being available.

As a first step in determining industry impact assumption, historical data and cyber risk intelligence data determine which assets are common within each industry vertical. As an example, healthcare devices are common in the healthcare industry vertical but are uncommon in the mining industry vertical. As another example, ICS, SCADA, and OT devices are common in manufacturing but are uncommon in the financial and insurance services industry vertical. If an asset is common within an industry vertical, then it is on (a value of one) within the industry impact assumption grid.

As a second step in determining industry impact assumption, historical data and cyber risk intelligence data determine the common industry record blend and translate it into a confidentiality value. In this case, 5 represents median confidentiality on a scale of 0 to 10.

As a third step in determining industry impact assumption, historical data and cyber risk intelligence data determine the common asset uptime. As an example, ICS, SCADA, and OT devices commonly cause noticeable business interruption if they are down for 30 minutes or longer, while end user systems uncommonly cause noticeable business interruption if they are down for 30 minutes or longer. Within this system, method, and apparatus, noticeable business interruption at 30 minutes is an availability value of 10, on a scale of 0 to 10. The grid below is purely a representative example.

As a fourth step in determining industry impact assumption, a process determines industry integrity. Since integrity is directly related to confidentiality and availability, this system, method, and apparatus determines the industry-based integrity value by averaging the confidentiality and availability values.

This system, method, and apparatus repeats the above process for each of the 110 risk scenarios, per industry.



Applying Industry Impact Assumptions

This system, method, and apparatus uses a process to combine the data defined industry impact assumption to determine industry assumed impact. For each risk scenario, the average of confidentiality, availability, and integrity, multiplied by asset applicability determines the total assumed impact.

This system, method, and apparatus repeats the above process for each of the 110 risk scenarios, per industry.


Operator Defined Industry Impact Selection

This system, method, and apparatus provides an operator input for industry selection. The operator selected industry determines which industry baseline and industry assumed impacts are used for impact. For more details, please see here.

This system, method, and apparatus also contemplates a multi-industry selection using a percent breakout amongst applicable industry verticals.


Operator Defined Impact Selection

This system, method, and apparatus provides operator inputs for impact selection. The operator needs to understand the profile of their enterprise to inform operator defined impact selections. There are three categories of operator inputs for impact: confidentiality, availability, and integrity. The operator inputs override industry impact assumptions.

For more details, please see here.

Confidentiality inputs provide a mechanism for the operator to define which record types are applicable to the enterprise, and where those record types are located within the enterprise. The total operator defined confidentiality score is the average of all selected record types for a given asset.

Availability inputs provide a mechanism for the operator to define how long it would take for an offline asset to cause an interference with enterprise production. For each asset, the operator can select 30 minutes, 1 hour, 2 hours, 4 hours, 8 hours, 12 hours, 24 hours, or 48 hours. Each selection translates to an availability value, on a 0 to 10 scale. 30 minutes equals an availability value of 10.00, while 48 hours equals an availability value of 1.00.

Integrity inputs provide a mechanism for the operator to define the impact associated with an integrity-based incident per asset, or to allow the system, method, and apparatus to automatically determine integrity based on the average of confidentiality and availability. Selecting an integrity value, versus the automatic process, requires the operator to have a deep knowledge of the enterprise profile. For example, altering the blood type within PHI records may cause the administration of the wrong blood type, which may cause catastrophic human casualty. For each asset, the operator can select catastrophic, damaging, isolated, meager, or insignificant. Each selection translates to an integrity value, on a 0 to 10 scale. Catastrophic equals an integrity value of 10.00, while insignificant equals an integrity value of 1.00.


Operator Impact Inputs

This system, method, and apparatus organizes and structures the operator impact inputs for enterprise-specific impact measuring and modeling. This system, method, and apparatus stages, archives, and links the operator threat inputs to the impact model.

For more details, please see here.


Impact Measurement

Based on an operator selection, this system, method, and apparatus either uses industry impact assumption or operator impact selections.

This system, method, and apparatus repeats the above process for all 110 risk scenarios. The result is an impact measurement grid.


Impact Model

This system, method, and apparatus takes the results from impact measurement and tunes out non-applicable impacts. For example, confidentiality is not associated with DoS attacks. Therefore, this system, method, and apparatus only uses the average of availability and integrity to determine DoS attack impact.
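The scoring rules described above (industry assumption averaging in "Applying Industry Impact Assumptions", the operator confidentiality, availability and integrity inputs, operator override in "Impact Measurement", and DoS tuning in "Impact Model") carried through for one asset, as an added illustration that is not X-Analytics code. Only the scale endpoints and the averaging rules come from the page; the industry grid values, the record-type scores, the evenly spaced intermediate scale values, and the zero score for an asset with no record types are assumptions made for this example.

```python
from statistics import mean

# Availability: time until an offline asset interferes with production -> 0..10.
# Page fixes 30 minutes = 10.00 and 48 hours = 1.00; intermediate steps are an
# evenly spaced assumption for this example only.
AVAIL_OPTIONS = ["30m", "1h", "2h", "4h", "8h", "12h", "24h", "48h"]
AVAILABILITY = {o: round(10 - i * 9 / 7, 2) for i, o in enumerate(AVAIL_OPTIONS)}

# Integrity categories: page fixes catastrophic = 10.00, insignificant = 1.00;
# the three middle values are again an evenly spaced assumption.
INTEG_OPTIONS = ["catastrophic", "damaging", "isolated", "meager", "insignificant"]
INTEGRITY = {o: round(10 - i * 9 / 4, 2) for i, o in enumerate(INTEG_OPTIONS)}

# Constructed record-type confidentiality scores (5 is the page's median).
RECORD_TYPES = {"PHI": 9.0, "PCI": 8.0, "PII": 7.0, "public": 1.0}


def confidentiality(records):
    """Operator confidentiality for one asset: average of the selected record types."""
    return mean(RECORD_TYPES[r] for r in records) if records else 0.0  # 0.0 assumed


def integrity(conf, avail, selection=None):
    """Automatic integrity is the average of C and A; an explicit category overrides it."""
    return INTEGRITY[selection] if selection else mean([conf, avail])


def scenario_impact(conf, integ, avail, applicability, denial_of_service=False):
    """Total impact for one scenario: mean of C, A, I times asset applicability.
    The impact model drops confidentiality for DoS scenarios (average of A and I only)."""
    cia = [avail, integ] if denial_of_service else [conf, avail, integ]
    return mean(cia) * applicability


def measure(industry, operator=None, denial_of_service=False):
    """Impact measurement: operator inputs, when present, override the industry assumption."""
    if operator is None:
        c, a, applic = industry["conf"], industry["avail"], industry["applicable"]
        i = integrity(c, a)
    else:
        c = confidentiality(operator["records"])
        a = AVAILABILITY[operator["downtime"]]
        i = integrity(c, a, operator.get("integrity"))
        applic = 1  # the operator has declared the asset applicable
    return round(scenario_impact(c, i, a, applic, denial_of_service), 3)


# Constructed industry assumption: ICS/OT in manufacturing, common (1), C=5, A=10.
ICS_MANUFACTURING = {"conf": 5.0, "avail": 10.0, "applicable": 1}
# Constructed operator inputs: PHI and PCI records, 30 minute tolerance, automatic integrity.
OPERATOR = {"records": ["PHI", "PCI"], "downtime": "30m"}

if __name__ == "__main__":
    print(measure(ICS_MANUFACTURING))                                    # 7.5
    print(measure(ICS_MANUFACTURING, OPERATOR))                          # 9.25
    print(measure(ICS_MANUFACTURING, OPERATOR, denial_of_service=True))  # 9.625
```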
