The system, method, and apparatus for measuring, modeling, reducing, and addressing cyber risk contains a process for determining inherent risk.
This process references US patents 11,379,773, 11,282,018, 10,453,016, 10,395,201, and 9,747,570.
The inherent risk system, method, and apparatus is just one component of the entire system, method, and apparatus for measuring, modeling, reducing, and addressing cyber risk.
The inherent risk component expands into a defined system, method, and apparatus for measuring and modeling impact.
The inherent risk system and method expands into additional detail. (1) Inherent risk model expands into a process that determines inherent risk amongst the 110 risk scenarios. (2) Inherent risk results expands into a sample output. (3) Inherent risk ranking expands into a sample prioritization of inherent risk. (4) Addressing inherent risk expands into a sample set of decisions.
Inherent Risk Model
This system, method, and apparatus multiplies the threat model results and impact model results for each of the 110 risk scenarios.
This system, method, and apparatus repeats for each of the 110 risk scenarios.
Inherent Risk Results
This system, method, and apparatus displays inherent risk to the operator in one of two ways.
In the first way, the user only populates Company Exposure, Asset Applicability, Threat Likelihood, and Business Impact within the X-Analytics Profile Builder. For more information, please see here. This limited profile build (without control implementation details) will produce inherent risk values within the Residual Risk Grid.
This systems, method, and apparatus may use a color scale overlay to help the operator better see where high inherent risk exists within the residual risk graph. Dark colors represent higher inherent risk, while lighter colors represent lower inherent risk.
In the first way, this system, method, and apparatus supports current and monthly inherent risk modeling and results. As such, it is possible to generate inherent risk trending based on shifts in threat and impact due to historical and cyber risk intelligence data and operator inputs. A macro inherent risk value is the average maximum inherent risk amongst all threat categories.
In the second way, the operator will need to go to the Mitigation Simulator and select Inherent Risk from the What-if % of Implementation toggle.
This modified view gives the operator an understanding of inherent risk within the context of estimated cyber exposure.
This systems, method, and apparatus may use a color scale overlay to help the operator better see where high inherent risk exists within the Improvement by Control graph. Dark colors represent higher inherent risk, while lighter colors represent lower inherent risk.
In the second way, the operator can easily realize the benefit of existing control implementations by reading the delta between Cyber Exposure and Revised Cyber Exposure and by reading which CIS CSC control is providing the greatest improvement to Cyber exposure.
Inherent Risk Ranking
This system, method, and apparatus automatically ranks all inherent risk results. The operator can use the rankings to reduce inherent risk. In the above residual risk grid (with inherent risk values), the operator can easily see the top 3 inherent risks are:
Rank 1: DoS Attack : Server & Apps
Rank 2: WebApp Attack : Server & Apps
Rank 3: Everything Else : Server & Apps
The operator may use the inherent risk ranking to prioritize finite enterprise budget and other finite enterprise resources.
Addressing Inherent Risk
This system, method, and apparatus automatically empowers the operator, with an inherent risk grid, inherent risk trend analysis, and inherent risk rankings, to inform decisions regarding addressing inherent risk.
If the inherent risk conditions are undesirable to the enterprise, then the operator has several options for addressing inherent risk.
In the above diagram, the operator may determine the inherent risk condition is desirable. In such a case, the operator may select to accept the threat condition.
In the above diagram, the operator may determine the inherent risk condition is undesirable. In such a case, the operator may select to reduce, transfer, or remove the inherent risk. Inherent risk mitigation may consist of blocking and monitoring threat using technology and/or implementing controls (countermeasures), inherent risk transfer may consist of transferring inherent risk to a cyber insurance policy or 3rd party via legal contract, and inherent risk removal may consist of removing assets or record types associated with high inherent risk conditions.
With the use of system, method, and apparatus, an enterprise could achieve automatic decision analysis and near real time addressing of inherent risk.