US20160110819A1 - Dynamic security rating for cyber insurance products - Google Patents
- Publication number: US20160110819A1 (US14/918,398)
- Authority: US (United States)
- Prior art keywords: insurability, product, rating, service, real
- Legal status: Abandoned (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G06Q40/08—Insurance
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1433—Vulnerability analysis
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Definitions
- the present disclosure relates generally to systems, apparatuses, and methods and computer program that are stored on non-transitory storage media (collectively referred to as the “technology”) related to determining a company's vulnerability to a cyber security-related attack (“cyber attack”) and, based on the level of vulnerability, determining tailored cyber insurance policies and/or products to insure against the cyber attack.
- Insurance is a form of risk management tool primarily used by individuals, businesses, and other organizations to hedge against the risk of a contingent, uncertain loss that they can't or don't want to bear alone.
- An insured, or policyholder can buy an insurance policy from an insurer, or insurance carrier, for an amount of money, called the premium, for a certain amount of insurance coverage specified by an insurance policy.
- insurance policies available to cover losses from business may be classified as: (1) business personal insurance policies to cover first-party losses; (2) business interruption policies; (3) commercial general liability or umbrella liability insurance policies, to cover liability for damages to third parties; and (4) errors and omissions insurance to cover the company's officers.
- These traditional insurance policies were designed to cover the traditional perils of fires, floods, and other forces of nature.
- Cyber insurance is a specialty insurance product that covers losses associated with a company's information assets including computer generated, stored, and processed information. Cyber insurance may become part of the overall solution to computer network and system security, which becomes more and more important due to the increasing number of virus attacks, hacker assaults, and other IT security incidents.
- traditional insurance or even cyber insurance policies and associated premiums do not adequately correspond to the level of risk that is associated with a computer asset.
- the disclosed technology relates to determination of one or more cyber insurance policies, products and/or ratings based on processing of real-time information related to cyber attacks on one or more computing assets that are coupled to a computer network.
- the method includes receiving, at a processor that is implemented at least in-part by electronic circuitry and coupled to a computer network, real-time data indicative of cyber attacks that are likely to diminish a value of the product or service.
- the method further includes using the processor to process the real-time data to compute a real-time damage assessment associated with losses to the product or service due to occurrence of one or more cyber-attacks.
- the damage assessment is computed using at least a likelihood of occurrence of the one or more cyber attacks, a likelihood of success of the one or more cyber attacks, and a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks.
- the above noted method also includes using the processor to determine an insurability rating for the product or service that is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks.
- the insurability rating is determined at least in-part based on the real-time damage assessment and is changeable in response to changes in the received real-time data.
- the method further includes using the insurability rating to produce an insurance premium value for the product or service.
- the real-time damage assessment is computed on an on-going basis based on changes in the real-time data with a time granularity of 1 microsecond or less.
- the insurability rating is produced at least in-part by processing the real-time damage assessment over a pre-determined time interval and determining a statistical value associated with a plurality of insurability rating values over the pre-determined time interval.
- the statistical value is an average of the plurality of insurability rating values over the pre-determined time interval.
- the statistical value is a weighted average of the plurality of insurability rating values over the pre-determined time interval, and insurability rating values that correspond to later time instances within the predetermined time interval are assigned a larger weight compared to insurability rating values that correspond to earlier time instances within the predetermined time interval.
- the pre-determined time interval is one of: one hour, one day, one week or one month.
- the above noted method further includes determining at least one additional insurability rating based on the real-time data, where one of the insurability rating or the additional insurability rating corresponds to a short-term insurability rating, and the other of the insurability rating or the additional insurability rating corresponds to a long-term insurability rating.
- the short-term insurability rating corresponds to a time period that is in the range of one hour to one day
- the long-term insurability rating corresponds to a time period that is greater than one day and up to one month.
- the real-time damage assessment is computed using a weighted average technique that assigns a first weight to the likelihood of occurrence of the one or more cyber attacks, a second weight to the likelihood of success of the one or more cyber attacks, and a third weight to the measure of severity of damage to the product or service.
- each of the likelihood of occurrence of the one or more cyber attacks, the likelihood of success of the one or more cyber attacks, and the measure of severity of damage to the product or service is determined using historical information associated with previously launched cyber attacks against the products or the service.
- the historical information can include one or more of: a number of previous cyber attacks against the product or service, a rate of success of previous cyber attacks against the product or service, an amount of damage to the service or product caused by a previous cyber attack, or a frequency of occurrence of cyber attacks against other entities that offer products or services that are similar to the product and service.
- the likelihood of occurrence of the one or more cyber attacks is produced by analyzing data associated with patterns of cyber activity over a plurality of data networks in real-time.
- the patterns of cyber activity are indicative of cyber attacks on other organizations with network connectivity.
- the insurability rating is determined using an inverse proportionality relationship with respect to the real-time damage assessment.
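The rating computation described in the preceding paragraphs, as an added sketch that is not code from the patent. The factor weights, the constant and floor in the inverse relation, the exponential half-life used to give later samples more weight, and the sample feed are all assumptions chosen for illustration; the patent does not specify them.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple

HOUR, DAY, WEEK = 3600.0, 86400.0, 604800.0  # seconds


@dataclass(frozen=True)
class ThreatSample:
    """One observation of the real-time feed (all factors normalised to 0..1)."""
    t: float             # observation time, seconds
    p_occurrence: float  # likelihood an attack is launched
    p_success: float     # likelihood a launched attack succeeds
    severity: float      # damage to the product or service if it succeeds


def damage_assessment(s: ThreatSample,
                      weights: Tuple[float, float, float] = (0.25, 0.25, 0.5)) -> float:
    """Weighted average of the three factors (the weights are assumed values)."""
    factors = (s.p_occurrence, s.p_success, s.severity)
    if any(not 0.0 <= f <= 1.0 for f in factors):
        raise ValueError("factors must be normalised to the range 0..1")
    if any(w < 0 for w in weights) or sum(weights) <= 0:
        raise ValueError("weights must be non-negative and not all zero")
    return sum(w * f for w, f in zip(weights, factors)) / sum(weights)


def insurability_rating(damage: float, k: float = 1.0, floor: float = 0.05) -> float:
    """Inverse proportionality: rating = k / damage.

    The floor is an assumption that keeps the rating finite when the feed
    reports no threat at all (damage of zero).
    """
    return k / max(damage, floor)


def windowed_rating(samples: Sequence[ThreatSample], now: float, window: float,
                    half_life: Optional[float] = None) -> float:
    """Statistic over the ratings inside [now - window, now].

    half_life=None gives the plain average. Otherwise each rating is weighted
    by 0.5 ** (age / half_life), so later samples count more than earlier ones.
    """
    pairs = [(s.t, insurability_rating(damage_assessment(s)))
             for s in samples if now - window <= s.t <= now]
    if not pairs:
        raise ValueError("no samples inside the window")
    if half_life is None:
        weights = [1.0] * len(pairs)
    else:
        weights = [0.5 ** ((now - t) / half_life) for t, _ in pairs]
    return sum(w * r for w, (_, r) in zip(weights, pairs)) / sum(weights)


def rate_asset(samples: Sequence[ThreatSample], now: float) -> Dict[str, float]:
    """Short-term (one hour) and long-term (one week) ratings for one asset."""
    return {
        "short_term": windowed_rating(samples, now, HOUR, half_life=HOUR / 2),
        "long_term": windowed_rating(samples, now, WEEK, half_life=DAY),
    }


# Constructed feed: a quiet week, then elevated threat activity in the last hour.
CONSTRUCTED_FEED = [
    ThreatSample(0.0,         0.2, 0.2, 0.4),
    ThreatSample(3 * DAY,     0.2, 0.2, 0.4),
    ThreatSample(6 * DAY,     0.2, 0.2, 0.4),
    ThreatSample(WEEK - 1800, 0.8, 0.6, 0.5),
    ThreatSample(WEEK - 600,  0.8, 0.6, 0.5),
]

if __name__ == "__main__":
    ratings = rate_asset(CONSTRUCTED_FEED, now=WEEK)
    print(f"short-term rating: {ratings['short_term']:.3f}")
    print(f"long-term rating:  {ratings['long_term']:.3f}")
```

On the constructed feed the short-term rating falls to the level of the recent spike, while the long-term rating moves toward it more slowly because the quiet samples from earlier in the week still carry some weight.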
- the insurability rating is determined based in-part on existing cybersecurity countermeasures that are deployed to protect computers, networks or storage units that participate in storage, production or distribution of the product or service.
- the insurability rating is modified based on changes in the cybersecurity countermeasures deployed to protect computers, networks or storage units that participate in storage, production or distribution of the product or service.
- the above noted method further includes providing one or more of the following to an entity that is interested in obtaining or maintaining insurance coverage for the product or service: (a) information regarding the real-time damage, (b) information regarding the likelihood of occurrence of the one or more cyber attacks, (c) information regarding the likelihood of success of the one or more cyber attacks, (d) information regarding the measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks, (e) a recommendation for obtaining additional cybersecurity countermeasures, or (f) a particular cybersecurity countermeasure.
- Another aspect of the technology relates to a computer program product, embodied on one or more non-transitory computer media, that includes program code for receiving real-time data from a computer network at a processor that is implemented at least in-part by electronic circuitry, where the real-time data is indicative of cyber attacks that are likely to diminish a value of the product or service.
- the computer program product further includes program code for processing by the processor the real-time data to compute a real-time damage assessment associated with losses to the product or service due to occurrence of one or more cyber-attacks, where the damage assessment is computed using at least a likelihood of occurrence of the one or more cyber attacks, a likelihood of success of the one or more cyber attacks, and a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks.
- the computer program product further includes program code for determining by the processor an insurability rating for the product or service that is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks, where the insurability rating is determined at least in-part based on the real-time damage assessment and is changeable in response to changes in the received real-time data.
- a device that includes a processor implemented using electronic circuitry, and a memory comprising processor executable code.
- the processor executable code when executed by the processor, causes the device or the components of the device to receive real-time data indicative of cyber attacks that are likely to diminish a value of the product or service, and process the real-time data to compute a real-time damage assessment associated with losses to the product or service due to occurrence of one or more cyber-attacks.
- the damage assessment is computed using at least a likelihood of occurrence of the one or more cyber attacks, a likelihood of success of the one or more cyber attacks, and a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks.
- the processor executable code when executed by the processor, further causes the device or the components of the device to determine an insurability rating for the product or service that is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks, where the insurability rating is determined at least in-part based on the real-time damage assessment and is changeable in response to changes in the received real-time data.
- Another aspect of the technology relates to a system for determining insurability rating of a service or product that includes a server device coupled to a computer network to receive real-time data indicative of cyber attacks that are likely to diminish a value of the product or service and to produce an insurance premium estimate based at least in-part on the received real-time data.
- the system also includes a client device coupled to the computer network to receive the insurance premium estimate produced by the server device.
- the server device uses the real-time data to compute a real-time damage assessment associated with losses to the product or service due to occurrence of one or more cyber-attacks, where the damage assessment is computed using at least a likelihood of occurrence of the one or more cyber attacks, a likelihood of success of the one or more cyber attacks, and a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks.
- the server device determines an insurability rating for the product or service that is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks, where the insurability rating is determined at least in-part based on the real-time damage assessment and is changeable in response to changes in the received real-time data.
- FIG. 1 is a block diagram of a basic and suitable computer that may employ aspects of the described technology.
- FIG. 2 is a block diagram illustrating a simple, yet suitable system in which aspects of the described technology may operate in a networked computer environment.
- FIG. 3A illustrates an exemplary asset risk profile that may employ aspects of the described technology.
- FIG. 3B illustrates an exemplary asset damage profile that may employ aspects of the described technology.
- FIG. 3C illustrates an exemplary company risk profile that may employ aspects of the described technology.
- FIG. 4 illustrates a block diagram of an exemplary device that can be implemented as part of the disclosed devices and systems.
- FIG. 5 illustrates a flow diagram for determining cyber insurance based on various profiles in accordance with an exemplary embodiment.
- FIG. 6 illustrates a flow diagram of communications between a customer and an insurance company in accordance with an exemplary embodiment.
- FIG. 7 illustrates a set of operations that can be carried out to determine an insurability rating for a product or a service in accordance with an exemplary embodiment.
- FIG. 8 illustrates some of the components of a device 1000 that can operate to produce an insurability rating in accordance with an exemplary embodiment.
- FIG. 9 illustrates a block diagram of a device that can be implemented as part of the disclosed devices and systems.
- Cyber insurance can, in principle, be an important risk-management tool for strengthening IT security and reliability for companies. There may be many parties involved in the cyber insurance industry including underwriters, agents, and clients, code writers, inspectors, and vendors of products and services, working together to provide the needed coverage for the policy holders.
- specialized policies can cover losses from computer viruses or other malicious code, destruction or theft of data, business interruption, denial of service, and/or liability resulting from e-commerce or other networked IT failures.
- insurance policies for cyber insurance may cover the cost of legal disputes arising from cyber attacks on the insurance policy holder's digital assets.
- cyber insurance policies may specifically exclude certain coverages such as to exclude coverage of “electronic data,” “computer code,” and other similar terms as tangible property.
- the deductible may play an important role in managing cyber security risk.
- the deductible amount may be a way of lowering the insurance company's risk since a higher deductible can reduce the amount for paying out on a claim.
- higher deductibles can be imposed for companies with greater cyber security risks, such as those companies with consistently lower investment in cyber security, with poor security controls or with inadequate IT staff, among other factors. From a risk management point of view, it is important for a company to understand that deductibles affect the premiums. A lower deductible can lead to a higher premium, and vice versa.
- Premiums can vary according to specific situation and the amount of coverage, and can range from a few thousand dollars for base coverage for small businesses to several hundred thousand dollars for major corporations with comprehensive coverage. Premiums may depend on the individual company's security risk exposure and can vary substantially depending on the insurance provider. For example, the premiums may depend on the number of computers affected, company level dollar loss distribution, and the timing of the breach event. Premiums may also depend on the industry the company is operating in. For example, a company operating in the high-tech area may rely on computers more with more exposure to computer risks, which leads to a higher premium. A premium may further depend on the elements of the insurance contract, such as the settlement amount that is paid, the occurrence of the event covered by the contract, and the time when the settlement is paid.
- an insurance carrier may require audits by independent IT security consultants on a case-by-case basis, depending on the risks to be covered and the policy limits sought.
- a cyber insurance underwriter may first ask prospective clients to complete an information security assessment that covers items such as: standard configurations with security documentation for firewalls, routers, and operating systems, information security policies, including password management, virus protection, encryption, and security training for employees, vulnerability monitoring and patch management, physical security and access controls, including remote access, privacy and confidentiality policies, backup and restoration provisions, business continuity planning, periodic testing of security controls, and outsourcing and other third-party security provisions.
- An insurance information system may need wide functionality, including both traditional tasks of information systems like data processing and storing and more advanced functions that have traditionally been done by humans, such as risk evaluation.
- the technology determines one or more cyber insurance policies and/or products based on a company's real-time exposure to a cyber attack on one or more of its computing assets (e.g., a computer serving company data).
- the technology performs various security analysis techniques to explore, locate, and evaluate a company's assets for creating risk and damage assessments that are used to dynamically determine cyber insurance policies/products that are tailored to that company at that moment of time and, optionally, based on future projections.
- the technology can continuously or semi-continuously monitor the company's network for any changes to assets and, if changes are detected that could affect the company's exposure to a cyber attack, information associated with the detected changes is fed back to aspects of the technology that are configured to determine new/modified cyber insurance policies/products.
- the technology identifies computing assets' (e.g., computers, servers, mobile devices, databases, storage technology, cloud infrastructure, network appliances, intrusion detection systems (IDSs), firewalls, etc.) vulnerabilities that may be used in a cyber attack for exploiting resources (e.g., consumer data, such as credit card numbers) stored in or accessible to a company's network(s).
- Vulnerabilities are identified using various network security audit standards and technologies, such as the Payment Card Industry Data Security Standard (PCI DSS), other standard(s) and/or one or more penetration tests for analyzing assets for various vulnerabilities that may be exploited via internal and/or external cyber attacks.
- Security audits determine the feasibility of a particular set of real and/or potential attack vectors, identify higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence, assess the magnitude of potential business and operational impacts of successful attacks, test the ability of network defenders (e.g., security personnel, firewalls, IDSs, etc.) to successfully detect and respond to the cyber attacks, and provide evidence to support increased investments in technology and insurance. Damage values are assigned to tangible (e.g., theft of credit card numbers) and/or intangible (e.g., reputation) losses associated with an occurrence of one or more cyber-attacks which could successfully exploit an asset's software and/or hardware vulnerabilities.
- the technology can determine that an asset storing trade secrets and credit card information has a higher economic damage value than a value associated with a redundant publicly accessible webserver.
- Damage values are, in various embodiments, adjusted based on various damage indicators, such as the complexity and/or sophistication required to execute an exploit, availability of an exploit, a likelihood of the occurrence of a cyber-attack, and/or likelihood of success of a cyber-attack.
- an asset storing trade secrets can have an increased damage value if the asset is vulnerable to, e.g., more than one exploit, less complex exploits, and/or widely known exploits.
- the technology is configured to dynamically determine an amount of insurance for sufficiently insuring against the occurrence of the cyber-attack.
- the technology automatically and periodically performs real-time security audits to continuously or semi-continuously reassess a company's vulnerability to new cyber threats and dynamically determine new damage values and, in response, corresponding new recommendations for insurance coverage.
- the technology is a computer program product or service, a device or a system configured with program code for receiving real-time data indicative of cyber attacks that are likely to diminish a value of the product or service.
- the technology can leverage various databases, websites, the darknet, bit torrents, and/or other networks and data sources for determining known exploits and/or generating new or modified versions of known exploits.
- the program code is configured to process real-time data to compute a real-time damage assessment associated with losses for an occurrence of one or more cyber attacks.
- the damage assessment can be computed using a likelihood of the occurrence of the one or more cyber attacks, a likelihood of success of the one or more cyber attacks, and a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks.
- the program code, in various embodiments, is configured with technology that determines an insurability rating for the product or service for insuring against the cyber attacks.
- the insurability rating is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks, at least in-part based on the real-time damage indicator and is changeable in response to changes in the received real-time data.
- the technology determines asset risk assessments, asset damage assessments, and customer risk assessments.
- Assessments are snapshots of real-time asset and/or company behavior based on various indicators and expressed as simple values, such as a number, percentage, hash, etc.
- Each asset, in one or more embodiments, is associated with one or more profiles or other data structures (“profiles”) that are associated with indicators that define asset and/or company characteristics and are used by the technology as variables for calculating assessment values.
- the technology can determine that an asset (e.g., a server) has a risk assessment of 8 out of 10 (i.e., 0.8) based on various indicators in that asset's profile, such as being a public server (i.e., a first indicator) operating using an older operating system and/or other software products (i.e., a second indicator) that has known vulnerabilities (i.e., a third indicator).
- That asset is also, in one or more embodiments, associated with a damage assessment, which is a measure of a company's estimated loss of capital and/or intangible losses (e.g., loss due to an adverse effect to company reputation) if the asset were compromised by a cyber-attack.
- a damage assessment for the server mentioned above could be, for example, 3 out of 10 (i.e., 0.3) because the server stores lower valued webpages and, if compromised, would not negatively affect the company's reputation.
- the technology can efficiently and quickly identify, in real-time, assets at most risk of being compromised, associated losses and, in response, recommend insurance policies based on a company's unique circumstance and preferences.
- multiple risk assessments are combined into a single meta-value that represents some or all of a company's assessments (e.g., a company's subsidiaries, different departments, or portions of a network).
- a profile is referenced for determining a company risk assessment, i.e., the level of risk associated with a specific company based on, for example, various indicators such as an amount of capital the company is willing to invest in cyber insurance, its risk tolerance, the number of assets to insure, existing security measures (e.g., an implemented network operating center (NOC), staff, and/or disaster recovery protocols), whether the company is high profile, the company's business, any history of attacks and their success, etc.
- Company risk profiles are automatically and/or manually determined and, in various embodiments, include a company's threshold tolerance for preventing and/or insuring against a determined level of financial loss (e.g., up to $2 million USD) as a result of the occurrence of the cyber-attack on an asset.
- the technology determines one or more insurance policies/products specific to the company.
- the technology continuously, or on a schedule, updates the profiles based on changes to the assets or company (e.g., a new asset is added or an asset is recommissioned, critical data is moved, new vulnerabilities are discovered, etc.).
- the technology dynamically and automatically determines a new policy tailored to the changed profiles. This feedback technique allows the company to efficiently and comprehensively understand, in real time, where it has vulnerabilities and how best to insure against losses.
- an exemplary embodiment of the described technology employs a computer 100 , such as a personal computer or workstation, having one or more processors 101 coupled to one or more user input devices 102 and data storage devices 104 .
- the computer 100 is also coupled to at least one output device such as a display device 106 and one or more optional additional output devices 108 (e.g., printer, plotter, speakers, tactile or olfactory output devices, etc.).
- the computer 100 may be coupled to external computers, such as via an optional network connection 110 , a wireless transceiver 112 , or both.
- the input devices 102 may include a keyboard, a pointing device such as a mouse, and described technology for receiving human voice, touch, and/or sight (e.g., a microphone, a touch screen, and/or smart glasses). Other input devices are possible such as a joystick, pen, game pad, scanner, digital camera, video camera, and the like.
- the data storage devices 104 may include any type of computer-readable media that can store data accessible by the computer 100 , such as magnetic hard and floppy disk drives, optical disk drives, magnetic cassettes, tape drives, flash memory cards, digital video disks (DVDs), Bernoulli cartridges, RAMs, ROMs, smart cards, etc. Indeed, any medium for storing or transmitting computer-readable instructions and data may be employed, including a connection port to or node on a network, such as a LAN, WAN, or the Internet (not shown in FIG. 1 ).
- a distributed computing environment with a network interface includes one or more user computers 202 (e.g., mobile devices, desktops, servers, etc.) in a system 200 , each of which can include a graphical user interface (GUI) program component (e.g., a thin client component) 204 that permits the user computer 202 to access and exchange data, such as network and/or security data, with a network 206 such as a LAN or the Internet, including web sites, ftp sites, live feeds, and data repositories within a portion of the network 206 .
- the user computers 202 may be substantially similar to the computer described above with respect to FIG.
- the user computers 202 may be personal computers (PCs) or mobile devices, such as laptops, mobile phones, or tablets.
- the user computers 202 may connect to the network 206 wirelessly or through the use of a wired connection.
- Wireless connectivity may include any forms of wireless technology, such as a radio access technology used in wireless LANs or mobile standards such as 2G/3G/4G/LTE.
- the user computers 202 may include other program components, such as a filter component, an operating system, one or more application programs (e.g., security applications, word processing applications, spreadsheet applications, or Internet-enabled applications), and the like.
- the user computers 202 may be general-purpose devices that can be programmed to run various types of applications, or they may be single-purpose devices optimized or limited to a particular function or class of functions. More importantly, any application program for providing a graphical user interface to users may be employed, as described in detail below. For example, a mobile application or “app” has been contemplated, such as one used in Apple's® iPhone® or iPad® products, Microsoft® products, Nokia® products, or Android®-based products.
- At least one server computer 208 coupled to the network 206 , performs some or all of the functions for receiving, routing, and storing of electronic messages, such as security data, web pages, audio signals, electronic images, and/or other data. While the Internet is shown, a private network, such as an intranet, may be preferred in some applications.
- the network may have a client-server architecture, in which a computer is dedicated to serving other client computers, or it may have other architectures, such as a peer-to-peer, in which one or more computers serve simultaneously as servers and clients.
- a database or databases 210 coupled to the server computer(s), store some content (e.g., security-related data) exchanged between the user computers; however, content may be stored in a flat or semi-structured file that is local to or remote of the server computer 208 .
- the server computer(s), including the database(s) may employ security measures to inhibit malicious attacks on the system and to preserve the integrity of the messages and data stored therein (e.g., firewall systems, secure socket layers (SSL), password protection schemes, encryption, and the like).
- the server computer 208 may include a server engine 212 , a security management component 214 , an insurance management component 216 , and a database management component 218 .
- the server engine 212 performs basic processing and operating system level tasks.
- the security management component(s) 214 handle creation, streaming, processing and/or routing of networking and/or security data.
- Security management components 214, in various embodiments, include other components and/or technology, such as an asset risk component, asset damage component, company risk component and/or other components and/or assessment technologies, described below. Users may access the server computer 208 by means of a network path associated therewith.
- the insurance management component 216 handles processes and technologies that support the collection, managing, and publishing of insurance and/or cyber-related data and information, and other data.
- the database management component 218 includes storage and retrieval tasks with respect to the database, queries to the database, and storage of data.
- multiple server computers 208 each having one or more of the components 212 - 218 may be utilized.
- the user computer 202 receives data input by the user and transmits such input data to the server computer 208 .
- the server computer 208 queries the database 210 , retrieves requested pages, performs computations and/or provides output data back to the user computer 202 , typically for visual display to the user.
- the user computers 202 may automatically, and/or based on user computers' 202 settings/preferences, receive various information, such as alerts, updates, cyber security assessments, cyber security programs, etc., from the server computer 208 .
- FIG. 3A illustrates one example of an asset risk profile 302 .
- An asset risk profile 302 includes various asset descriptions 304 a - 304 n each having one or more indicators 306 for defining attributes which may affect that asset's risk assessment 308 (e.g., whether the asset has a high, medium, or low risk rating).
- Asset A 304 a includes various indicators 306 , such as the physical location of the asset, software operating on the asset (e.g., a version of an operating system, such as a Windows 8®), known vulnerabilities (e.g., a virus or rootkit active on the asset), unknown or future vulnerabilities (e.g., a yet to be released exploit that is programmed for the asset's operating system), etc.
- an asset risk profile 302 may specify various risk indicators descriptive of the asset's hardware (e.g., an Intel-based server, 1 Terabyte Western Digital hard drive, vendor-specific network interface card (NIC)), and/or software/services (e.g., a command shell with super user privileges)), etc.
- the technology can determine, at least based on one or more risk assessments 308 (e.g., a value determined via the technology's implementation of a weighted-value-based algorithm or other algorithm), a representative multiple of the risk indicators 306 .
- the technology can determine that an asset with an old version of an operating system having known vulnerabilities running moderately easy to hack NIC drivers has a high risk assessment value (e.g., 0.95) and a modern, recently updated asset has a lower risk assessment value (e.g., 0.15).
- Risk indicators 306 can define virtually any type of information that may affect an asset's exploitation and values of risk indicators 306 are specific to an asset.
- different assets e.g., Asset B 304 b and Asset n 304 n
- risk indicators 306 are used by the technology, in one or more embodiments, to determine a risk assessment 308 , based on one or more predetermined algorithms.
- the risk assessment 308 is a snapshot of real-time risk to an asset (e.g., Asset A 304 a ) based on the indicators 306 that, in some embodiments, are being continuously or semi-continuously updated via new or continuing security assessments of the company's network. In other words, as assets change (e.g., an asset's operating system is updated) a new risk assessment 308 is automatically and/or manually determined.
- FIG. 3B illustrates one example of an asset damage profile 312 for an asset (e.g., Asset 304 a ).
- Asset damage profile 312 is associated with damage indicators 316 for each of a company's assets (e.g., Asset 304 a - 304 n ), which may indicate a potential loss (i.e., a tangible or intangible loss) to a company if the asset (e.g., Asset 304 a ) were compromised by a cyber attack.
- Asset 304 a discussed above in reference to asset risk profile 302 , includes various damage indicators 316 for determining, by the technology, a damage assessment 318 , based on one or more predetermined algorithms.
- Damage indicators 316 include virtually any information and any type of information that may affect a loss to a company if the asset (e.g., Asset 304 a ) is compromised and can include, for example, a data type indicator representative of the data being stored (e.g., credit cards, trade secrets or webpages), hardware cost indicator (e.g., the cost of purchasing new hardware), down time loss indicator, loss indicator associated with company reputation (e.g., public and/or shareholders), etc.
- the damage assessment 318 is a snapshot of real-time damage to a company (e.g., tangible and intangible losses) if a particular asset (e.g., Asset A 304 a ) were to be compromised.
- damage assessments 318 can be continuously or semi-continuously updated via new or continuing security assessments of the company's network.
- a new damage assessment 308 is determined automatically and/or manually for that asset (e.g., Asset 304 a ).
- FIG. 3C illustrates one example of a company risk profile 322 for defining various company attributes and/or preferences, based on one or more various company indicators 326 .
- the technology in one or more embodiments, references a company's (e.g., Company A 324 a , Company B 324 b , and/or Company n 324 n ) indicators 326 for determining a company's general risk, based on factors other than indicators 328 , which are specific to a particular asset (e.g., Asset A 304 a ).
- The technology determines a risk assessment 320 for the company based on various company indicators 326 unique to that company, such as the company's public exposure, profits, global reach, investments, line(s) of business, number and sophistication of employees/customers/clients, existing security measures implemented by the company, total number of potentially exploitable assets, history of cyber attacks, etc.
- Other indicators such as company's level of tolerance of a cyber attack and the company's capital investment commitment for insuring against cyber-attacks are used by the technology in determining one or more insurance policies/products tailored to the company's situation and preferences.
- FIG. 4 illustrates one example of an engine 400 used by the technology to determine and/or recommend to a company one or more cyber insurance policies tailored to that company's asset, damage and/or company profiles.
- Engine 400 includes various components 402-410, such as an asset risk profile component 402, an asset damage profile component 404, a company risk profile component 406, and other optional component(s) 408 (e.g., other profiles, algorithms, analysis, feedback, etc.) for determining, by recommendation component 410, one or more cyber insurance policies (e.g., a policy that includes cyber insurance Products 1 and 2).
- the technology determines and/or recommends one or more insurance policies and/or products based on features of one or more of the asset risk profile 302 (e.g., a risk assessment 308 and/or risk indicators 306 ), asset damage profile 312 (e.g., damage assessment 318 and/or damage indicators 316 ) and company risk profile 322 (e.g., company risk assessment 328 and/or company indicators 326 ).
- the technology determines and/or recommends cyber insurance policies/products by, for example, referencing a database or other data storing insurance information (e.g., premium, coverage amounts/percentages, terms, etc.) and calculating, via the recommendation component 410 , preferred policies/products for the company's specific requirements and preferences.
- One aspect of the disclosed technology relates to a computer-implemented cyber attack assessment method that includes identifying one or more software vulnerabilities for exploiting resources on one or more computing devices, assigning a damage value associated with tangible and intangible losses for an occurrence of one or more cyber attacks exploiting the one or more software vulnerabilities, and dynamically determining an amount of insurance for sufficiently insuring against the occurrence of the one or more cyber attacks exploiting the one or more software vulnerabilities, wherein the amount of insurance is at least based on the damage value.
- such a method further includes periodically determining a new amount of insurance based on identifying one or more new software vulnerabilities for exploiting resources on the one or more computing devices.
- a computer-readable storage device stores instructions that, upon execution by a processor of a computing system, cause the computing system to perform a method for insuring against cyber attacks within a network.
- the method includes determining an asset profile for a target asset, and assigning a risk rating to the target asset, wherein the risk rating is a measure of: (a) vulnerability of the target asset to a present or future cyber attack and (b) a cost associated with an occurrence of the cyber attack on the target asset.
- Such a method further includes identifying a customer risk profile associated with preventing the occurrence of the cyber attack on the target asset, and dynamically determining one or more financial instruments for insuring against the occurrence of the cyber attack on the target asset, based at least on the risk rating and the customer risk profile.
- the asset profile includes characteristics descriptive of software products and data installed on the target asset.
- the customer risk profile includes a threshold tolerance for preventing a determined level of financial loss as a result of the occurrence of the cyber attack on the target asset.
- the one or more financial instruments insure against the occurrence of the cyber attack based on the determined level of financial loss.
- the above noted method further includes dynamically and periodically determining one or more new vulnerabilities and, in response to determining the one or more new vulnerabilities, assigning a new risk rating and determining one or more new financial instruments for insuring against an occurrence of a new cyber attack based on the one or more new vulnerabilities.
- FIG. 5 illustrates a flow diagram 500 for determining a company's risk of a cyber attack and recommending a cyber insurance policy based on the determined risk.
- The flow starts at 502 and, at 504, the technology determines (e.g., via a security assessment) a network's vulnerability to cyber-attacks and stores results of the assessment in an asset risk profile 302.
- the technology determines one or more asset damage profiles 312 for each of the one or more assets defined in the asset risk profile 302 and, at 508 , in some embodiments, defines indicators in the customer risk profile 322 . If there are additional profiles and/or indicators then, at 510 , the flow returns to 504 , 506 , and/or 508 .
- the flow continues to 512 where the technology determines and/or recommends one or more cyber insurance policies/products for insuring against the possibility of a cyber-attack, based on the results of operations at 504 - 508 .
- the flow returns to 504 , 506 , and/or 508 . Otherwise, the flow ends at 516 . Further description, embodiments and/or implementations of policies, indicators, and assessments may be found in reference to one or more of the remaining figures.
- FIG. 6 illustrates a flow diagram 600 of communications between a customer/company (“customer”) and an insurance company in accordance with an exemplary embodiment.
- a customer provides a customer profile to the insurance company.
- the customer provides an asset profile to the insurance company.
- the customer pays the premium to the insurance company to buy a policy.
- the customer reports certain damages to the insurance company.
- the insurance company pays the customer a damage compensation based on the policy that was purchased as part of operation 605 .
- the insurance company may perform some verification and damage assessment before paying such damage compensation at 609 .
- the complexity of the computer related security threats makes it hard for small companies to have the most updated information and the skills needed to cope with the ongoing and increasing threats faced every day in the world.
- Computer security personnel are highly skilled, hard to find, and highly paid. Therefore, it is unrealistic for small companies to maintain the most up-to-date defenses against the ever-increasing attacks on computer assets.
- The insurance company has to hire highly skilled computer security personnel to perform the security analysis and to keep up to date with the most recent attacks and new methods. Therefore, the insurance company can play a preventive role on behalf of many small companies by sharing the computer security expertise, developing defense guidelines, and distributing such defense guidelines and strategies among the insured companies. In this way, the insurance company can bear, or share with the small companies, the costs associated with combatting computer security threats while providing better defenses against new attacks.
- the insurance company may distribute preventive information to the customer so that the customer can be aware of the most recent attacks and the associated techniques for defending against such attacks.
- the customer provides feedback based on the preventive information received from the insurance company, where the feedback may include the status report of the implementation results related to the preventive information distributed by the insurance company.
- One aspect of the disclosed technology relates to determination of insurability of a product or service based on real-time cyber activity, which can lead to a determination of an insurance premium for the product or service.
- the insurability rating provides a measure as to insurability of the product or service.
- Examples of products or services include consumer data (e.g., credit card information, personal information) that is stored on a network-accessible storage unit, cloud computing resources that are provided to paying customers, social media services, financial information, financial services, and others.
- A high insurability rating is commensurate with having a product or service that is easily insurable (e.g., there is a lower risk of damage to the product or service), whereas a low insurability rating indicates that there is a higher risk of damage to the product or service. It is, however, understood that such an inverse correlation between the insurability rating and damage risk is merely provided for the sake of illustration, and other relationships (e.g., direct correlation) can also be used.
- the insurability rating can be a number or a range of numbers.
- the insurability rating is a number between 0 and 100, whereas in another implementation, the insurability rating is represented by high (e.g., ratings in range 80 to 100), medium (e.g., ratings in range 60 to 79) and low (e.g., ratings in range 0 to 59).
- FIG. 7 illustrates a set of operations 700 that can be carried out to determine insurability rating for a product or a service in accordance with an exemplary embodiment.
- the operations 700 can be implemented using a computing system with network connectivity.
- A computing system includes a processor (e.g., a hardware implemented processor comprising electronic circuitry), memory, and physical buses and interfaces that allow different components of the system to communicate with one another and with other devices that are connected to the computing device through a network.
- real-time data indicative of cyber attacks that are likely to diminish a value of the product or service is received at a processor that is implemented at least in-part by electronic circuitry and
- the real-time data is processed to compute a real-time damage assessment associated with losses to the product or service in the event of one or more cyber attacks.
- The real-time damage assessment can be computed using at least a likelihood of occurrence of the one or more cyber attacks, a likelihood of success of the one or more cyber attacks, and a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks. For example, a higher likelihood of cyber attack, a higher likelihood of the success of the cyber attack, and a higher severity measure of damage caused by such cyber attacks each contribute to a higher computed real-time damage assessment.
- an insurability rating for the product or service is determined.
- Such an insurability rating can be used to determine an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks.
- the insurability rating is determined at least in-part based on the real-time damage assessment and is changeable in response to changes in the received real-time data.
- the insurability rating can be used to produce an insurance premium value for the product or service.
- Such an insurance premium can also be affected by other factors, such as the length of relationship between the insurer and the organization or person that is seeking insurance (the “insured”), the insurance premiums offered by other insurers, existence of other insurance policies for the product or service, discounts based on the number of other products or services that are insured by the same insurer, and other factors.
- The real-time damage assessment is computed on an on-going basis based on changes in the real-time data with a time granularity of 1 microsecond or less.
- the damage assessment can be updated almost instantaneously to allow certain mitigating actions to be triggered.
- a number or a range of numbers can represent the damage assessment.
- the damage assessment is a number between 0 and 100, whereas in another implementation, the damage assessment is represented by a set of three numbers indicative of high (e.g., ratings in range 80 to 100), medium (e.g., ratings in range 60 to 79) and low (e.g., ratings in range 0 to 59) values of the real-time damage assessment.
- the real-time damage assessment is computed by an algorithm that uses a weighted average technique.
- This technique assigns a first weight to an indicator representative of the likelihood of the occurrence of the one or more cyber attacks, a second weight to an indicator representative of the likelihood of success of the one or more cyber attacks, and a third weight to an indicator representative of the measure of severity of damage to the product or service.
- the weights can be indicative of the importance of each of the associated indicators of likelihood and/or measure.
- Each of the likelihood of the occurrence of the one or more cyber attacks, the likelihood of success of the one or more cyber attacks, and the measure of severity of damage to the product or service can be determined using historical information associated with previously launched cyber attacks against the product or the service.
- the historical information is typically obtained based on attacks, damages and success rates of previous cyber attacks.
- the historical information can include a number of previous cyber attacks against the product or service, a rate of success of previous cyber attacks against the product or service, an amount of damage to the service or product caused by the previous cyber attack(s), or a frequency of occurrence of cyber attacks against other entities that offer products or services that are similar to the product and service.
- The damage caused by a breach of financial data at one financial institution is used to produce a measure of damage for another financial institution.
- the disclosed technology enables the likelihood of a cyber attack to be produced by analyzing the patterns of cyber activity over a large number of data networks, which can all be carried out in real-time as those evolve over time.
- the damage assessment can be used to compute the insurability rating.
- computation of the insurability rating includes processing the real-time damage assessment over a pre-determined time interval and then determining a statistical value associated with several of the insurability rating values over that pre-determined time interval.
- An example of the statistical value is an average of several insurability rating values over the pre-determined time interval.
- the statistical value is a weighted average of the plurality of insurability rating values over the pre-determined time interval.
- the weights can be assigned or determined using different techniques that would allow easy adaptation and correlation to the changes in the real-time data. For example, in computing the average value, insurability rating values that correspond to later time instances within the predetermined time interval are given a larger weight compared to the insurability rating values that correspond to earlier time instances within the predetermined time interval.
- The choice of the pre-determined time interval is often left to the designer of the system and can be based on system capabilities and resources, observed time-dependence of cyber activity patterns, importance of the product or service, and other factors.
- the time interval can be set to be one hour, one day, one week or one month.
- the pre-determined time interval can also be set to an initial value, and can then be changed based on changes in the system resources, cyber activity patterns, customer requests, or other factors. It should be noted that in some instances it might be beneficial to compute more than one insurability rating so as to ascertain a trend in insurability rating over time, or for other reasons that facilitate the determination of the proper premium.
- both a short-term and a long-term insurability rating can be computed, with the short-term insurability rating spanning a time period in the range of, e.g., one hour to one day, and the long-term insurability corresponding to a time period that is, e.g., greater than one day and up to one month.
- the insurability rating is determined based in-part on the existing cybersecurity countermeasures that are being deployed to protect computers, networks or storage units that participate in storage, production or distribution of the product or service.
- Cyber security countermeasures include firewalls, anti-virus software, system alerts, fail-safe measures that, for example, limit the amount of loss to the product or service (e.g., cash withdrawal limits), biometric authorization protections, and other administrative or physical security measures.
- the insurability rating is modified dynamically based on changes in cybersecurity countermeasures that are deployed to protect the assets. For example, upon a detection that deployed anti-virus software has expired or has become outdated, the insurability rating can correspondingly change to reflect a higher risk to the asset.
- certain information and/or cyber security countermeasures can be shared with an insured party upon a determination that indicates an elevated cyber security risk.
- One or more of the following can be shared with an entity that is interested in obtaining or maintaining insurance coverage for the product or service: information regarding the real-time damage, information regarding the likelihood of the occurrence of the one or more cyber attacks, information regarding the likelihood of success of the one or more cyber attacks, information regarding the measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks, a recommendation for obtaining additional cybersecurity countermeasures, or a particular cybersecurity countermeasure.
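The scoring steps described above for FIG. 7 (a weighted average of the three indicators, a rating that moves inversely to the damage assessment, a recency-weighted average over a short and a long interval, and a drop when anti-virus software goes stale) can be sketched as follows. This is an added example, not code from the patent. The 0-100 indicator scale, the weight values, the `100 - damage` mapping, the linear recency weights, the 15-point penalty, and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed weights for the three indicators (the patent names the indicators
# but gives no values). They are normalised, so only their ratio matters.
WEIGHTS = {"occurrence": 0.3, "success": 0.3, "severity": 0.4}


@dataclass(frozen=True)
class Sample:
    """One real-time observation; every value below is constructed data."""
    t: float             # hours since monitoring began
    occurrence: float    # likelihood that an attack occurs, scaled 0-100
    success: float       # likelihood that the attack succeeds, scaled 0-100
    severity: float      # severity of damage to the product or service, 0-100
    av_current: bool = True  # is the deployed anti-virus still up to date?


def damage_assessment(s, weights=WEIGHTS):
    """Weighted average of the three indicators, on a 0-100 scale."""
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("weights must sum to a positive value")
    acc = 0.0
    for name, w in weights.items():
        value = getattr(s, name)
        if not 0 <= value <= 100:
            raise ValueError(f"{name}={value} is outside 0-100")
        acc += w * value
    return acc / total


def instantaneous_rating(s, stale_av_penalty=15.0):
    """Rating for one sample: inverse of damage (assumed 100 - damage),
    lowered by an assumed fixed penalty when a countermeasure has lapsed."""
    rating = 100.0 - damage_assessment(s)
    if not s.av_current:
        rating -= stale_av_penalty
    return max(0.0, min(100.0, rating))


def windowed_rating(samples, now, window):
    """Recency-weighted average of the ratings inside [now - window, now].
    Weights rise linearly from 1 (oldest) to 2 (newest); this is an assumed
    scheme, the text only requires later samples to weigh more."""
    start = now - window
    in_window = [s for s in samples if start <= s.t <= now]
    if not in_window:
        raise ValueError("no samples inside the interval")
    pairs = [(1.0 + (s.t - start) / window, instantaneous_rating(s))
             for s in in_window]
    return sum(w * r for w, r in pairs) / sum(w for w, _ in pairs)


def band(rating):
    """Bands from the text: high 80-100, medium 60-79, low 0-59."""
    if rating >= 80:
        return "high"
    if rating >= 60:
        return "medium"
    return "low"


# Constructed feed: a quiet day, then rising attack activity while the
# anti-virus subscription has lapsed.
SAMPLES = [
    Sample(t=0.0, occurrence=10, success=10, severity=20),
    Sample(t=12.0, occurrence=20, success=10, severity=20),
    Sample(t=23.5, occurrence=60, success=40, severity=50, av_current=False),
    Sample(t=24.0, occurrence=70, success=50, severity=50, av_current=False),
]

if __name__ == "__main__":
    short = windowed_rating(SAMPLES, now=24.0, window=1.0)    # one hour
    long_ = windowed_rating(SAMPLES, now=24.0, window=24.0)   # one day
    print(f"short-term {short:.1f} ({band(short)}), "
          f"long-term {long_:.1f} ({band(long_)})")
```

A short-term rating well below the long-term one, as in this constructed feed, is the kind of trend the text suggests computing more than one rating to detect.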
- FIG. 8 illustrates some of the components of a device 800 that can operate to produce an insurability rating in accordance with an exemplary embodiment.
- the device 800 includes an input port 802 and an output port 804 that allow the device 800 to receive/send data, commands or other signal from/to an outside entity.
- the input port 802 or the output port 804 can be a serial port, parallel port, a USB port, a wireless connectivity port, an Ethernet port, or other types of input/output ports that are known in the art.
- The input port 802 and output port 804 may be part of a communication component that provides wired and/or wireless communication capabilities in accordance with one or more communication protocols, and therefore they may comprise the proper transmitter/receiver, antennas, circuitry and ports, as well as the encoding/decoding capabilities that may be necessary for proper transmission and/or reception of data and other information.
- the device 800 in FIG. 8 also includes a processor 812 and memory 810 that are in communication with each other and with other components of the device through, for example, busses, optical interconnects, wireless connections or other means of connectivity that allow the exchange of data and control signals.
- the processor 812 can, for example, be a microprocessor, a controller or other processing device that is known in the art.
- the memory 810 can be used to permanently or temporarily (e.g., as in a buffer) store data, program code, parameters or other information that can be used to configure and/or operate the device 800 or the components therein.
- the device 800 also includes a damage assessment computation component 806 , which is coupled to the input port 802 and is configured to receive data on an on-going basis (e.g., real-time data indicative of cyber activity) and compute a real-time damage assessment associated with losses to the product or service in the event of one or more cyber attacks.
- the damage assessment computation component 806 can include sub-components (not shown) that parse the data received from the input port 802 or other device components, and route the appropriate data to other subcomponents (not shown) of the damage assessment computation component 806 .
- A routing subcomponent can sift the incoming data to identify and route the following types of data to an aggregation subcomponent: data indicative of a likelihood of the occurrence of the one or more cyber attacks, data indicative of a likelihood of success of the one or more cyber attacks, and data indicative of a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks.
- the damage assessment computation component 806 can also include one or more subcomponents (e.g., an aggregation subcomponent) that are configured to assign weights, compute averages, and modify data to determine a damage assessment value or values.
- the device 800 also includes an insurability rating computation component 808 that is coupled to the damage assessment computation component 806 and is configured to receive a damage assessment value or values and to determine an insurability rating for the product or service that is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks.
- the insurability rating computation component 808 is configured to receive the damage assessment values on a real-time basis and use them to produce and update insurability ratings in response to changes in the real-time data.
- the insurability rating computation component 808 can also include subcomponents (not shown) that are configured to assign weights, compute averages, and modify data to determine the insurability rating.
- the insurability ratings can be communicated to outside components (not shown) using the output port 804 . Examples of those outside components include a monitor, a storage device (e.g., RAM, Optical or Magnetic disks, etc.), a printer and a networked computing device.
- FIG. 8 might not show all of the components of the device 800 , or all connections between the device components.
- the device 800 may include components that are configured to compress and decompress the data based on specific compression/decompression algorithms (e.g., LZV, Run Length Encoding, PKZip, etc.).
- the device 800 may include components that are configured to encrypt and decrypt the data based on specific algorithms (e.g., DES, 3DES, AES, RSA, etc.).
- the processor 812 can execute program code that is stored in memory (e.g., in a portion of memory 810 ) to carry out certain operations, such as data compression/decompression or data encryption/decryption.
- the device 800 that is depicted in FIG. 8 is one example device that can be configured for generating insurability ratings for a product or service.
- a device includes a first input port coupled to a network communication channel to receive real-time data indicative of cyber attacks that are likely to diminish a value of the product or service.
- the device also includes a damage assessment computation component that is implemented at least in-part using electronic circuits. The damage assessment computation component is coupled to the first input port to receive the real-time data and compute a real-time damage assessment measure associated with losses to the product or service due to occurrence of one or more cyber-attacks.
- the damage assessment is computed using at least a likelihood of occurrence of the one or more cyber attacks, a likelihood of success of the one or more cyber attacks, and a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks.
- the device also includes an insurability rating computation component that is implemented at least in-part using electronic circuits and coupled to the damage assessment computation component.
- the insurability rating computation component is configured to receive the real-time damage indicator computed by the damage assessment computation component and to determine an insurability rating for the product or service that is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks.
- the insurability rating is determined at least in-part based on the real-time damage assessment and is changeable in response to changes in the received real-time data.
- a hardware implementation can include discrete analog and/or digital circuits that are, for example, integrated as part of a printed circuit board.
- the disclosed components or modules can be implemented as an Application Specific Integrated Circuit (ASIC) and/or as a Field Programmable Gate Array (FPGA) device.
- Some implementations may additionally or alternatively include a digital signal processor (DSP) that is a specialized microprocessor with an architecture optimized for the operational needs of digital signal processing associated with the disclosed functionalities of this application.
- FIG. 9 illustrates a block diagram of a device 900 that can be implemented as part of the disclosed devices and systems.
- the device 900 comprises at least one processor 904 and/or controller, at least one memory 902 unit that is in communication with the processor 904 , and at least one communication unit 906 that enables the exchange of data and information, directly or indirectly, through the communication link 908 with other entities, devices, databases and networks.
- the communication unit 906 may provide wired and/or wireless communication capabilities in accordance with one or more communication protocols, and therefore it may comprise the proper transmitter/receiver, antennas, circuitry and ports, as well as the encoding/decoding capabilities that may be necessary for proper transmission and/or reception of data and other information.
- the exemplary device 900 of FIG. 9 may be integrated as part of any devices or components to perform any of the disclosed methods.
- FIG. 1 A block diagram illustrating an exemplary computing environment in accordance with the present application.
Abstract
Description
- This patent application claims priority to U.S. Provisional Application No. 62/066,716, filed Oct. 21, 2014. The entire content of the before-mentioned provisional patent application is incorporated by reference as part of the disclosure of this application.
- The present disclosure relates generally to systems, apparatuses, methods, and computer programs that are stored on non-transitory storage media (collectively referred to as the “technology”) related to determining a company's vulnerability to a cyber security-related attack (“cyber attack”) and, based on the level of vulnerability, determining tailored cyber insurance policies and/or products to insure against the cyber attack.
- This section is intended to provide a background or context to the disclosed embodiments that are recited in the claims. The description herein may include concepts that could be pursued, but are not necessarily ones that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, what is described in this section is not prior art to the description and claims in this application and is not admitted to be prior art by inclusion in this section.
- Insurance is a form of risk management tool primarily used by individuals, businesses, and other organizations to hedge against the risk of a contingent, uncertain loss that they can't or don't want to bear alone. An insured, or policyholder, can buy an insurance policy from an insurer, or insurance carrier, for an amount of money, called the premium, for a certain amount of insurance coverage specified by an insurance policy. Traditionally, insurance policies available to cover losses from business may be classified as: (1) business personal insurance policies to cover first-party losses; (2) business interruption policies; (3) commercial general liability or umbrella liability insurance policies, to cover liability for damages to third parties; and (4) errors and omissions insurance to cover the company's officers. These traditional insurance policies were designed to cover the traditional perils of fires, floods, and other forces of nature.
- In the last half century, computers have become an integral part of life for many individuals and organizations. As organizations become more dependent on their networked computer assets, they become more vulnerable to harm from increasingly frequent and damaging attacks made possible by computers. Since traditional insurance policies were normally written before the advent of the Internet, they do not expressly cover new computer-related risks. Cyber insurance is a specialty insurance product that covers losses associated with a company's information assets, including computer-generated, stored, and processed information. Cyber insurance may become part of the overall solution to computer network and system security, which becomes more and more important due to the increasing number of virus attacks, hacker assaults, and other IT security incidents. However, due to the ever-changing nature of cyber security and cyber vulnerabilities, traditional insurance or even cyber insurance policies and associated premiums do not adequately correspond to the level of risk that is associated with a computer asset.
- The disclosed technology relates to determination of one or more cyber insurance policies, products and/or ratings based on processing of real-time information related to cyber attacks on one or more computing assets that are coupled to a computer network.
- One aspect of the technology relates to a method for producing insurability ratings for a product or service. The method includes receiving, at a processor that is implemented at least in-part by electronic circuitry and coupled to a computer network, real-time data indicative of cyber attacks that are likely to diminish a value of the product or service. The method further includes using the processor to process the real-time data to compute a real-time damage assessment associated with losses to the product or service due to occurrence of one or more cyber-attacks. The damage assessment is computed using at least a likelihood of occurrence of the one or more cyber attacks, a likelihood of success of the one or more cyber attacks, and a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks. The above noted method also includes using the processor to determine an insurability rating for the product or service that is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks. The insurability rating is determined at least in-part based on the real-time damage assessment and is changeable in response to changes in the received real-time data.
- In one exemplary embodiment, the method further includes using the insurability rating to produce an insurance premium value for the product or service. In another exemplary embodiment, the real-time damage assessment is computed on an on-going basis based on changes in the real-time data with a time granularity of 1 micro second or less. In yet another exemplary embodiment, the insurability rating is produced at least in-part by processing the real-time damage assessment over a pre-determined time interval and determining a statistical value associated with a plurality of insurability rating values over the pre-determined time interval. In some embodiments, the statistical value is an average of the plurality of insurability rating values over the pre-determined time interval. In some exemplary embodiments, the statistical value is a weighted average of the plurality of insurability rating values over the pre-determined time interval, and insurability rating values that correspond to later time instances within the predetermined time interval are assigned a larger weight compared to insurability rating values that correspond to earlier time instances within the predetermined time interval. In some example embodiments, the pre-determined time interval is one of: one hour, one day, one week or one month.
- According to one exemplary embodiment, the above noted method further includes determining at least one additional insurability rating based on the real-time data, where one of the insurability rating or the additional insurability rating corresponds to a short-term insurability rating, and the other of the insurability rating or the additional insurability rating corresponds to a long-term insurability rating. In some exemplary embodiments, the short-term insurability rating corresponds to a time period that is in the range of one hour to one day, and the long-term insurability rating corresponds to a time period that is greater than one day and up to one month. In still another exemplary embodiment, the real-time damage assessment is computed using a weighted average technique that assigns a first weight to the likelihood of occurrence of the one or more cyber attacks, a second weight to the likelihood of success of the one or more cyber attacks, and a third weight to the measure of severity of damage to the product or service. In yet another exemplary embodiment, each of the likelihood of occurrence of the one or more cyber attacks, the likelihood of success of the one or more cyber attacks, and the measure of severity of damage to the product or service is determined using historical information associated with previously launched cyber attacks against the products or the service. For example, the historical information can include one or more of: a number of previous cyber attacks against the product or service, a rate of success of previous cyber attacks against the product or service, an amount of damage to the service or product caused by a previous cyber attack, or a frequency of occurrence of cyber attacks against other entities that offer products or services that are similar to the product and service.
- In one exemplary embodiment, the likelihood of occurrence of the one or more cyber attacks is produced by analyzing data associated with patterns of cyber activity over a plurality of data networks in real-time. In some embodiments, the patterns of cyber activity are indicative of cyber attacks on other organizations with network connectivity. In another exemplary embodiment, the insurability rating is determined using an inverse proportionality relationship with respect to the real-time damage assessment. In yet another exemplary embodiment, the insurability rating is determined based in-part on existing cybersecurity countermeasures that are deployed to protect computers, networks or storage units that participate in storage, production or distribution of the product or service. In some embodiments, the insurability rating is modified based on changes in the cybersecurity countermeasures deployed to protect computers, networks or storage units that participate in storage, production or distribution of the product or service.
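The computation summarized in the three paragraphs above, as an added Python example that is not code from the patent: a weighted damage assessment, a rating inversely proportional to it, and recency-weighted short-term and long-term ratings. The weight values, the capped `k / damage` form, the linear recency weights, the window lengths, and every name and sample value are assumptions chosen for illustration, since the patent names these elements without giving values.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

DAY, WEEK = 24.0, 168.0  # window lengths in hours (assumed choices)


@dataclass(frozen=True)
class Sample:
    """One real-time observation; all fields are constructed, normalized inputs."""
    t: float             # hours since monitoring began
    p_occurrence: float  # likelihood that an attack occurs, 0..1
    p_success: float     # likelihood that an attack succeeds, 0..1
    severity: float      # severity of damage to the product or service, 0..1


# Assumed first/second/third weights; the patent gives no values.
WEIGHTS = (0.3, 0.3, 0.4)


def damage_assessment(s: Sample,
                      weights: Tuple[float, float, float] = WEIGHTS) -> float:
    """Weighted average of the three factors, in 0..1."""
    factors = (s.p_occurrence, s.p_success, s.severity)
    if any(not 0.0 <= f <= 1.0 for f in factors):
        raise ValueError(f"factor outside 0..1 at t={s.t}")
    if any(w < 0 for w in weights) or sum(weights) <= 0:
        raise ValueError("weights must be non-negative and not all zero")
    return sum(w * f for w, f in zip(weights, factors)) / sum(weights)


def instantaneous_rating(damage: float, k: float = 1.0, cap: float = 10.0) -> float:
    """Rating inversely proportional to damage (assumed form: k / damage).

    Damage at or near zero would make the rating unbounded, so it is capped.
    """
    if damage < 0:
        raise ValueError("damage must be non-negative")
    if damage <= k / cap:
        return cap
    return k / damage


def windowed_rating(samples: Sequence[Sample], now: float,
                    window: float) -> Optional[float]:
    """Recency-weighted average of ratings over [now - window, now].

    Weights rise linearly from 1 at the window start to 2 at `now` (assumed
    scheme), so later samples count more. Returns None when no sample falls
    inside the window, so stale data never produces a rating.
    """
    if window <= 0:
        raise ValueError("window must be positive")
    start = now - window
    num = den = 0.0
    for s in samples:
        if start <= s.t <= now:
            w = 1.0 + (s.t - start) / window
            num += w * instantaneous_rating(damage_assessment(s))
            den += w
    return num / den if den else None


def short_and_long_term(samples: Sequence[Sample],
                        now: float) -> Tuple[Optional[float], Optional[float]]:
    """Short-term (one day) and long-term (one week) ratings at time `now`."""
    return windowed_rating(samples, now, DAY), windowed_rating(samples, now, WEEK)


def constructed_feed() -> List[Sample]:
    """Hourly samples for one week: quiet baseline, then a 6-hour surge (constructed)."""
    quiet = [Sample(float(h), 0.1, 0.1, 0.2) for h in range(162)]
    surge = [Sample(float(h), 0.9, 0.6, 0.8) for h in range(162, 168)]
    return quiet + surge


if __name__ == "__main__":
    feed = constructed_feed()
    for now in (161.0, 167.0):  # just before the surge, and at its end
        short, long_ = short_and_long_term(feed, now)
        print(f"t={now:3.0f}h  short-term={short:.2f}  long-term={long_:.2f}")
```

The short-term rating drops much faster than the long-term rating once the surge begins, which is the practical reason for reporting both.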
- In another exemplary embodiment, the above noted method further includes providing one or more of the following to an entity that is interested in obtaining or maintaining insurance coverage for the product or service: (a) information regarding the real-time damage, (b) information regarding the likelihood of occurrence of the one or more cyber attacks, (c) information regarding the likelihood of success of the one or more cyber attacks, (d) information regarding the measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks, (e) a recommendation for obtaining additional cybersecurity countermeasures, or (f) a particular cybersecurity countermeasure.
- Another aspect of the technology relates to a computer program product, embodied on one or more non-transitory computer media, that includes program code for receiving real-time data from a computer network at a processor that is implemented at least in-part by electronic circuitry, where the real-time data is indicative of cyber attacks that are likely to diminish a value of the product or service. The computer program product further includes program code for processing by the processor the real-time data to compute real-time damage assessment associated with losses to the product or service due to occurrence of one or more cyber-attacks, where the damage assessment is computed using at least a likelihood of occurrence of the one or more cyber attacks, a likelihood of success of the one or more cyber attacks, and a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks. The computer program product further includes program code for determining by the processor an insurability rating for the product or service that is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks, where the insurability rating is determined at least in-part based on the real-time damage assessment and is changeable in response to changes in the received real-time data.
- Another aspect of the technology relates to a device that includes a processor implemented using electronic circuitry, and a memory comprising processor executable code. The processor executable code, when executed by the processor, causes the device or the components of the device to receive real-time data indicative of cyber attacks that are likely to diminish a value of the product or service, and process the real-time data to compute a real-time damage assessment associated with losses to the product or service due to occurrence of one or more cyber-attacks. The damage assessment is computed using at least a likelihood of occurrence of the one or more cyber attacks, a likelihood of success of the one or more cyber attacks, and a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks. The processor executable code, when executed by the processor, further causes the device or the components of the device to determine an insurability rating for the product or service that is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks, where the insurability rating is determined at least in-part based on the real-time damage assessment and is changeable in response to changes in the received real-time data.
- Another aspect of the technology relates to a system for determining insurability rating of a service or product that includes a server device coupled to a computer network to receive real-time data indicative of cyber attacks that are likely to diminish a value of the product or service and to produce an insurance premium estimate based at least in-part on the received real-time data. The system also includes a client device coupled to the computer network to receive the insurance premium estimate produced by the server device. The server device uses the real-time data to compute a real-time damage assessment associated with losses to the product or service due to occurrence of one or more cyber-attacks, where the damage assessment is computed using at least a likelihood of occurrence of the one or more cyber attacks, a likelihood of success of the one or more cyber attacks, and a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks. The server device determines an insurability rating for the product or service that is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks, where the insurability rating is determined at least in-part based on the real-time damage assessment and is changeable in response to changes in the received real-time data.
- FIG. 1 is a block diagram of a basic and suitable computer that may employ aspects of the described technology.
- FIG. 2 is a block diagram illustrating a simple, yet suitable system in which aspects of the described technology may operate in a networked computer environment.
- FIG. 3A illustrates an exemplary asset risk profile that may employ aspects of the described technology.
- FIG. 3B illustrates an exemplary asset damage profile that may employ aspects of the described technology.
- FIG. 3C illustrates an exemplary company risk profile that may employ aspects of the described technology.
- FIG. 4 illustrates a block diagram of an exemplary device that can be implemented as part of the disclosed devices and systems.
- FIG. 5 illustrates a flow diagram for determining cyber insurance based on various profiles in accordance with an exemplary embodiment.
- FIG. 6 illustrates a flow diagram of communications between a customer and an insurance company in accordance with an exemplary embodiment.
- FIG. 7 illustrates a set of operations that can be carried out to determine an insurability rating for a product or a service in accordance with an exemplary embodiment.
- FIG. 8 illustrates some of the components of a device 1000 that can operate to produce an insurability rating in accordance with an exemplary embodiment.
- FIG. 9 illustrates a block diagram of a device that can be implemented as part of the disclosed devices and systems.
- In the following description, for purposes of explanation and not limitation, details and descriptions are set forth in order to provide a thorough understanding of the disclosed embodiments. However, it will be apparent to those skilled in the art that the present invention may be practiced in other embodiments that depart from these details and descriptions. Additionally, in the subject description, the word “exemplary” is used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as “exemplary” is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word exemplary is intended to present concepts in a concrete manner.
- Cyber insurance can, in principle, be an important risk-management tool for strengthening IT security and reliability for companies. There may be many parties involved in the cyber insurance industry including underwriters, agents, and clients, code writers, inspectors, and vendors of products and services, working together to provide the needed coverage for the policy holders.
- In some cases, specialized policies can cover losses from computer viruses or other malicious code, destruction or theft of data, business interruption, denial of service, and/or liability resulting from e-commerce or other networked IT failures. In some other cases, insurance policies for cyber insurance may cover the cost of legal disputes arising from cyber attacks on the insurance policy holder's digital assets. In still other cases, cyber insurance policies may specifically exclude certain coverages such as to exclude coverage of “electronic data,” “computer code,” and other similar terms as tangible property.
- For an insurance policy, the deductible may play an important role in managing cyber security risk. For example, the deductible amount may be a way of lowering the insurance company's risk since a higher deductible can reduce the amount for paying out on a claim. In particular, higher deductibles can be imposed for companies with greater cyber security risks, such as those companies with consistently lower investment in cyber security, with poor security controls or with inadequate IT staff, among other factors. From a risk management point of view, it is important for a company to understand that deductibles affect the premiums. A lower deductible can lead to a higher premium, and vice versa.
- Premiums can vary according to specific situation and the amount of coverage, and can range from a few thousand dollars for base coverage for small businesses to several hundred thousand dollars for major corporations with comprehensive coverage. Premiums may depend on the individual company's security risk exposure and can vary substantially depending on the insurance provider. For example, the premiums may depend on the number of computers affected, company level dollar loss distribution, and the timing of the breach event. Premiums may also depend on the industry the company is operating in. For example, a company operating in the high-tech area may rely on computers more with more exposure to computer risks, which leads to a higher premium. A premium may further depend on the elements of the insurance contract, such as the settlement amount that is paid, the occurrence of the event covered by the contract, and the time when the settlement is paid.
- Before issuing a cyber insurance policy, an insurance carrier may require audits by independent IT security consultants on a case-by-case basis, depending on the risks to be covered and the policy limits sought. To this end, a cyber insurance underwriter may first ask prospective clients to complete an information security assessment that covers items such as: standard configurations with security documentation for firewalls, routers, and operating systems; information security policies, including password management, virus protection, encryption, and security training for employees; vulnerability monitoring and patch management; physical security and access controls, including remote access; privacy and confidentiality policies; backup and restoration provisions; business continuity planning; periodic testing of security controls; and outsourcing and other third-party security provisions.
- Various parties of the cyber insurance industry, such as underwriters, agents, and clients, code writers, inspectors, and vendors of products and services, may interact using modern insurance information systems. An insurance information system may need wide functionality, including both traditional tasks of information systems like data processing and storing and more advanced functions that have traditionally been done by humans, such as risk evaluation.
- These tasks, while they may have been sufficiently carried out for traditional insurance policies, suffer from major drawbacks in the realm of cyber insurance due to the proliferation of online cyber attacks that can simultaneously and quickly breach many computer systems, databases and networks and result in loss of data, compromise of financial, medical or military secrets or assets. Therefore, there is an urgent need to continuously monitor and predict cyber space activities and relate those activities to risks to an insured (or insurable) product or service. Using such a real-time insurance assessment system benefits both the insured and the insurer by allowing a more accurate and realistic risk assessment to take place, as well as enabling the insurer to quickly alert the insured of impending attacks or existing security vulnerabilities. Further, such a system can be used to create offers for clients and make insurance deals online, to process insurance cases automatically and to automate many other tasks.
- In various embodiments, the technology determines one or more cyber insurance policies and/or products based on a company's real-time exposure to a cyber attack on one or more of its computing assets (e.g., a computer serving company data). The technology performs various security analysis techniques to explore, locate, and evaluate a company's assets for creating risk and damage assessments that are used to dynamically determine cyber insurance policies/products that are tailored to that company at that moment of time and, optionally, based on future projections. The technology can continuously or semi-continuously monitor the company's network for any changes to assets and, if changes are detected that could affect the company's exposure to a cyber attack, information associated with the detected changes is fed back to aspects of the technology that are configured to determine new/modified cyber insurance policies/products.
- In various embodiments, the technology identifies computing assets' (e.g., computers, servers, mobile devices, databases, storage technology, cloud infrastructure, network appliances, intrusion detection systems (IDSs), firewalls, etc.) vulnerabilities that may be used in a cyber attack for exploiting resources (e.g., consumer data, such as credit card numbers) stored in or accessible to a company's network(s). Vulnerabilities are identified using various network security audit standards and technologies, such as the Payment Card Industry Data Security Standard (PCI DSS), other standard(s) and/or one or more penetration tests for analyzing assets for various vulnerabilities that may be exploited via internal and/or external cyber attacks. Security audits, in some embodiments, determine the feasibility of a particular set of real and/or potential attack vectors, identify higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence, assess the magnitude of potential business and operational impacts of successful attacks, test the ability of network defenders (e.g., security personnel, firewalls, IDSs, etc.) to successfully detect and respond to the cyber attacks, and provide evidence to support increased investments in technology and insurance. Damage values are assigned to tangible (e.g., theft of credit card numbers) and/or intangible (e.g., reputation) losses associated with an occurrence of one or more cyber-attacks which could successfully exploit an asset's software and/or hardware vulnerabilities.
- For example, the technology can determine that an asset storing trade secrets and credit card information has a higher economic damage value than a value associated with a redundant publicly accessible webserver. Damage values are, in various embodiments, adjusted based on various damage indicators, such as the complexity and/or sophistication required to execute an exploit, availability of an exploit, a likelihood of the occurrence of a cyber-attack, and/or likelihood of success of a cyber-attack. For example, an asset storing trade secrets can have an increased damage value if the asset is vulnerable to, e.g., more than one exploit, less complex exploits, and/or widely known exploits. Based at least on a damage value associated with an asset, the technology, in some embodiments, is configured to dynamically determine an amount of insurance for sufficiently insuring against the occurrence of the cyber-attack. In various embodiments, the technology automatically and periodically performs real-time security audits to continuously or semi-continuously reassess a company's vulnerability to new cyber threats and dynamically determine new damage values and, in response, corresponding new recommendations for insurance coverage.
- In some embodiments, the technology is a computer program product or service, a device or a system configured with program code for receiving real-time data indicative of cyber attacks that are likely to diminish a value of the product or service. For example, the technology can leverage various databases, websites, the darknet, bit torrents, and/or other networks and data sources for determining known exploits and/or generate new or modified versions of known exploits. The program code is configured to process real-time data to compute a real-time damage assessment associated with losses for an occurrence of one or more cyber attacks. For example, the damage assessment can be computed using a likelihood of the occurrence of the one or more cyber attacks, a likelihood of success of the one or more cyber attacks, and a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks. The program code, in various embodiments, is configured with technology that determines an insurability rating for the product or service for insuring against the cyber attacks. The insurability rating is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks, at least in-part based on the real-time damage indicator and is changeable in response to changes in the received real-time data.
- In various embodiments, the technology determines asset risk assessments, asset damage assessments, and customer risk assessments. Assessments are snapshots of real-time asset and/or company behavior based on various indicators and expressed as simple values, such as a number, percentage, hash, etc. Each asset, in one or more embodiments, is associated with one or more profiles or other data structures (“profiles”) that are associated with indicators that define asset and/or company characteristics and are used by the technology as variables for calculating assessment values. For example and as further described below, the technology can determine that an asset (e.g., a server) has a risk assessment of 8 out of 10 (i.e., 0.8) based on various indicators in that asset's profile, such as being a public server (i.e., a first indicator) operating using an older operating system and/or other software products (i.e., a second indicator) that has known vulnerabilities (i.e., a third indicator). That asset (e.g., the server described above) is also, in one or more embodiments, associated with a damage assessment, which is a measure of a company's estimated loss of capital and/or intangible losses (e.g., loss due to an adverse effect to company reputation) if the asset were compromised by a cyber-attack. Similar to the determination of the risk assessment, a damage assessment for the server mentioned above could be, for example, 3 out of 10 (i.e., 0.3) because the server stores lower valued webpages and, if compromised, would not negatively affect the company's reputation. By determining respective snapshots associated with risk and damage, the technology can efficiently and quickly identify, in real-time, assets at most risk of being compromised, associated losses and, in response, recommend insurance policies based on a company's unique circumstances and preferences. In some embodiments, multiple risk assessments are combined into a single meta-value that represents some or all of a company's assessments (e.g., a company's subsidiaries, different departments, or portions of a network).
- In some embodiments, a profile is referenced for determining a company risk assessment, i.e., the level of risk associated with a specific company based on, for example, various indicators such as an amount of capital the company is willing to invest in cyber insurance, its risk tolerance, the number of assets to insure, existing security measures (e.g., an implemented network operating center (NOC), staff, and/or disaster recovery protocols), whether the company is high profile, the company's business, any history of attacks and their success, etc. Company risk profiles are automatically and/or manually determined and, in various embodiments, include a company's threshold tolerance for preventing and/or insuring against a determined level of financial loss (e.g., up to $2 million USD) as a result of the occurrence of the cyber-attack on an asset.
- In one or more embodiments, based on one or more indicators of the asset risk profile, asset damage profile, and/or company risk profile, the technology determines one or more insurance policies/products specific to the company. In various embodiments, the technology continuously, or on a schedule, updates the profiles based on changes to the assets or company (e.g., a new asset is added or an asset is recommissioned, critical data is moved, new vulnerabilities are discovered, etc.). In response to the changes to one or more of the profiles, the technology dynamically and automatically determines a new policy tailored to the changed profiles. This feedback technique allows the company to efficiently and comprehensively understand, in real time, where it has vulnerabilities and how best to insure against losses.
- Referring to FIG. 1, an exemplary embodiment of the described technology employs a computer 100, such as a personal computer or workstation, having one or more processors 101 coupled to one or more user input devices 102 and data storage devices 104. The computer 100 is also coupled to at least one output device such as a display device 106 and one or more optional additional output devices 108 (e.g., printer, plotter, speakers, tactile or olfactory output devices, etc.). The computer 100 may be coupled to external computers, such as via an optional network connection 110, a wireless transceiver 112, or both.
- The input devices 102 may include a keyboard, a pointing device such as a mouse, and described technology for receiving human voice, touch, and/or sight (e.g., a microphone, a touch screen, and/or smart glasses). Other input devices are possible such as a joystick, pen, game pad, scanner, digital camera, video camera, and the like. The data storage devices 104 may include any type of computer-readable media that can store data accessible by the computer 100, such as magnetic hard and floppy disk drives, optical disk drives, magnetic cassettes, tape drives, flash memory cards, digital video disks (DVDs), Bernoulli cartridges, RAMs, ROMs, smart cards, etc. Indeed, any medium for storing or transmitting computer-readable instructions and data may be employed, including a connection port to or node on a network, such as a LAN, WAN, or the Internet (not shown in FIG. 1).
- Aspects of the described technology may be practiced in a variety of other computing environments. For example, referring to FIG. 2, a distributed computing environment with a network interface includes one or more user computers 202 (e.g., mobile devices, desktops, servers, etc.) in a system 200, each of which can include a graphical user interface (GUI) program component (e.g., a thin client component) 204 that permits the user computer 202 to access and exchange data, such as network and/or security data, with a network 206 such as a LAN or the Internet, including web sites, ftp sites, live feeds, and data repositories within a portion of the network 206. The user computers 202 may be substantially similar to the computer described above with respect to FIG. 1. The user computers 202 may be personal computers (PCs) or mobile devices, such as laptops, mobile phones, or tablets. The user computers 202 may connect to the network 206 wirelessly or through the use of a wired connection. Wireless connectivity may include any forms of wireless technology, such as a radio access technology used in wireless LANs or mobile standards such as 2G/3G/4G/LTE. The user computers 202 may include other program components, such as a filter component, an operating system, one or more application programs (e.g., security applications, word processing applications, spreadsheet applications, or Internet-enabled applications), and the like. The user computers 202 may be general-purpose devices that can be programmed to run various types of applications, or they may be single-purpose devices optimized or limited to a particular function or class of functions. More importantly, any application program for providing a graphical user interface to users may be employed, as described in detail below. For example, a mobile application or “app” has been contemplated, such as one used in Apple's® iPhone® or iPad® products, Microsoft® products, Nokia® products, or Android®-based products.
- At least one server computer 208, coupled to the network 206, performs some or all of the functions for receiving, routing, and storing of electronic messages, such as security data, web pages, audio signals, electronic images, and/or other data. While the Internet is shown, a private network, such as an intranet, may be preferred in some applications. The network may have a client-server architecture, in which a computer is dedicated to serving other client computers, or it may have other architectures, such as a peer-to-peer, in which one or more computers serve simultaneously as servers and clients. A database or databases 210, coupled to the server computer(s), store some content (e.g., security-related data) exchanged between the user computers; however, content may be stored in a flat or semi-structured file that is local to or remote of the server computer 208. The server computer(s), including the database(s), may employ security measures to inhibit malicious attacks on the system and to preserve the integrity of the messages and data stored therein (e.g., firewall systems, secure socket layers (SSL), password protection schemes, encryption, and the like).
- The server computer 208 may include a server engine 212, a security management component 214, an insurance management component 216, and a database management component 218. The server engine 212 performs basic processing and operating system level tasks. The security management component(s) 214 handle creation, streaming, processing and/or routing of networking and/or security data. Security management components 214, in various embodiments, include other components and/or technology, such as an asset risk component, asset damage component, company risk component and/or other components and/or assessment technologies, described below. Users may access the server computer 208 by means of a network path associated therewith. The insurance management component 216 handles processes and technologies that support the collection, managing, and publishing of insurance and/or cyber-related data and information, and other data. The database management component 218 includes storage and retrieval tasks with respect to the database, queries to the database, and storage of data. In some embodiments, multiple server computers 208 each having one or more of the components 212-218 may be utilized. In general, the user computer 202 receives data input by the user and transmits such input data to the server computer 208. The server computer 208 then queries the database 210, retrieves requested pages, performs computations and/or provides output data back to the user computer 202, typically for visual display to the user. Additionally, or alternatively, the user computers 202 may automatically, and/or based on user computers' 202 settings/preferences, receive various information, such as alerts, updates, cyber security assessments, cyber security programs, etc., from the server computer 208.
- FIG. 3A illustrates one example of an asset risk profile 302. An asset risk profile 302 includes various asset descriptions 304 a-304 n each having one or more indicators 306 for defining attributes which may affect that asset's risk assessment 308 (e.g., whether the asset has a high, medium, or low risk rating). For example, Asset A 304 a includes various indicators 306, such as the physical location of the asset, software operating on the asset (e.g., a version of an operating system, such as Windows 8®), known vulnerabilities (e.g., a virus or rootkit active on the asset), unknown or future vulnerabilities (e.g., a yet to be released exploit that is programmed for the asset's operating system), etc. As an additional example, an asset risk profile 302 may specify various risk indicators descriptive of the asset's hardware (e.g., an Intel-based server, 1 Terabyte Western Digital hard drive, vendor-specific network interface card (NIC)), and/or software/services (e.g., a command shell with super user privileges), etc. The technology can determine, at least based on one or more risk assessments 308 (e.g., a value determined via the technology's implementation of a weighted-value-based algorithm or other algorithm), a representative multiple of the risk indicators 306. For example, the technology can determine that an asset with an old version of an operating system having known vulnerabilities running moderately easy to hack NIC drivers has a high risk assessment value (e.g., 0.95) and a modern, recently updated asset has a lower risk assessment value (e.g., 0.15).
- Risk indicators 306 can define virtually any type of information that may affect an asset's exploitation and values of risk indicators 306 are specific to an asset. In other words, different assets, e.g., Asset B 304 b and Asset n 304 n, can have different indicators and/or types of indicators than the indicators 306 associated with Asset A 304 a. As mentioned above, risk indicators 306 are used by the technology, in one or more embodiments, to determine a risk assessment 308, based on one or more predetermined algorithms. The risk assessment 308 is a snapshot of real-time risk to an asset (e.g., Asset A 304 a) based on the indicators 306 that, in some embodiments, are being continuously or semi-continuously updated via new or continuing security assessments of the company's network. In other words, as assets change (e.g., an asset's operating system is updated) a new risk assessment 308 is automatically and/or manually determined.
- FIG. 3B illustrates one example of an asset damage profile 312 for an asset (e.g., Asset 304 a). Asset damage profile 312 is associated with damage indicators 316 for each of a company's assets (e.g., Asset 304 a-304 n), which may indicate a potential loss (i.e., a tangible or intangible loss) to a company if the asset (e.g., Asset 304 a) were compromised by a cyber attack. For example, Asset 304 a, discussed above in reference to asset risk profile 302, includes various damage indicators 316 for determining, by the technology, a damage assessment 318, based on one or more predetermined algorithms. Damage indicators 316 include virtually any information and any type of information that may affect a loss to a company if the asset (e.g., Asset 304 a) is compromised and can include, for example, a data type indicator representative of the data being stored (e.g., credit cards, trade secrets or webpages), hardware cost indicator (e.g., the cost of purchasing new hardware), down time loss indicator, loss indicator associated with company reputation (e.g., public and/or shareholders), etc. The damage assessment 318 is a snapshot of real-time damage to a company (e.g., tangible and intangible losses) if a particular asset (e.g., Asset A 304 a) were to be compromised. In some embodiments, similar to the feedback technique described for the asset risk profile 302, damage assessments 318 can be continuously or semi-continuously updated via new or continuing security assessments of the company's network. In other words, as the network changes (e.g., an asset, such as Asset 304 a, switches from storing financial security information to storing publicly available email addresses) a new damage assessment 308 is determined automatically and/or manually for that asset (e.g., Asset 304 a).
- FIG. 3C illustrates one example of a company risk profile 322 for defining various company attributes and/or preferences, based on one or more various company indicators 326. The technology, in one or more embodiments, references a company's (e.g., Company A 324 a, Company B 324 b, and/or Company n 324 n) indicators 326 for determining a company's general risk, based on factors other than indicators 328, which are specific to a particular asset (e.g., Asset A 304 a). For example, the technology determines a risk assessment 320 for the company based on various company indicators 326 unique to that company, such as the company's public exposure, profits, global reach, investments, line(s) of business, number and sophistication of employees/customers/clients, existing security measures implemented by the company, total number of potentially exploitable assets, history of cyber attacks, etc. Other indicators, such as company's level of tolerance of a cyber attack and the company's capital investment commitment for insuring against cyber-attacks are used by the technology in determining one or more insurance policies/products tailored to the company's situation and preferences.
- FIG. 4 illustrates one example of an engine 400 used by the technology to determine and/or recommend to a company one or more cyber insurance policies tailored to that company's asset, damage and/or company profiles. Engine 400 includes various components 402-410, such as an asset risk profile component 402, an asset damage profile component 404, and a company risk profile component 406 and other optional component(s) 408 (e.g., other profiles, algorithms, analysis, feedback, etc.) for determining, by recommendation component 410, one or more cyber insurance policies (e.g., a policy that includes cyber insurance Products 1 and 2). As referenced in the illustration for FIG. 4, the technology determines and/or recommends one or more insurance policies and/or products based on features of one or more of the asset risk profile 302 (e.g., a risk assessment 308 and/or risk indicators 306), asset damage profile 312 (e.g., damage assessment 318 and/or damage indicators 316) and company risk profile 322 (e.g., company risk assessment 328 and/or company indicators 326). Based on the one or more features of components 402-408, the technology determines and/or recommends cyber insurance policies/products by, for example, referencing a database or other data storing insurance information (e.g., premium, coverage amounts/percentages, terms, etc.) and calculating, via the recommendation component 410, preferred policies/products for the company's specific requirements and preferences.
- One aspect of the disclosed technology relates to a computer-implemented cyber attack assessment method that includes identifying one or more software vulnerabilities for exploiting resources on one or more computing devices, assigning a damage value associated with tangible and intangible losses for an occurrence of one or more cyber attacks exploiting the one or more software vulnerabilities, and dynamically determining an amount of insurance for sufficiently insuring against the occurrence of the one or more cyber attacks exploiting the one or more software vulnerabilities, wherein the amount of insurance is at least based on the damage value. In some embodiments, such a method further includes periodically determining a new amount of insurance based on identifying one or more new software vulnerabilities for exploiting resources on the one or more computing devices.
- In another aspect of the technology, a computer-readable storage device stores instructions that, upon execution by a processor of a computing system, cause the computing system to perform a method for insuring against cyber attacks within a network. The method includes determining an asset profile for a target asset, and assigning a risk rating to the target asset, wherein the risk rating is a measure of: (a) vulnerability of the target asset to a present or future cyber attack and (b) a cost associated with an occurrence of the cyber attack on the target asset. Such a method further includes identifying a customer risk profile associated with preventing the occurrence of the cyber attack on the target asset, and dynamically determining one or more financial instruments for insuring against the occurrence of the cyber attack on the target asset, based at least on the risk rating and the customer risk profile.
- In some embodiments, the asset profile includes characteristics descriptive of software products and data installed on the target asset. In some embodiments, the customer risk profile includes a threshold tolerance for preventing a determined level of financial loss as a result of the occurrence of the cyber attack on the target asset. In some embodiments, the one or more financial instruments insure against the occurrence of the cyber attack based on the determined level of financial loss. In some embodiments, the above noted method further includes dynamically and periodically determining one or more new vulnerabilities and, in response to determining the one or more new vulnerabilities, assigning a new risk rating and determining one or more new financial instruments for insuring against an occurrence of a new cyber attack based on the one or more new vulnerabilities.
- FIG. 5 illustrates a flow diagram 500 for determining a company's risk of a cyber attack and recommending a cyber insurance policy based on the determined risk. The flow starts at 502 and, at 504, the technology determines (e.g., via a security assessment) a network's vulnerability to cyber-attacks and stores results of the assessment in an asset risk profile 302. At 506, the technology determines one or more asset damage profiles 312 for each of the one or more assets defined in the asset risk profile 302 and, at 508, in some embodiments, defines indicators in the customer risk profile 322. If there are additional profiles and/or indicators then, at 510, the flow returns to 504, 506, and/or 508. Otherwise, the flow continues to 512 where the technology determines and/or recommends one or more cyber insurance policies/products for insuring against the possibility of a cyber-attack, based on the results of operations at 504-508. At 514, if there has been a change to the assets and/or customer preferences, the flow returns to 504, 506, and/or 508. Otherwise, the flow ends at 516. Further description, embodiments and/or implementations of policies, indicators, and assessments may be found in reference to one or more of the remaining figures.
- FIG. 6 illustrates a flow diagram 600 of communications between a customer/company (“customer”) and an insurance company in accordance with an exemplary embodiment. At 601, a customer provides a customer profile to the insurance company. At 603, the customer provides an asset profile to the insurance company. At 605, the customer pays the premium to the insurance company to buy a policy. At 607, the customer reports certain damages to the insurance company. At 609, the insurance company pays the customer a damage compensation based on the policy that was purchased as part of operation 605. The insurance company may perform some verification and damage assessment before paying such damage compensation at 609.
- The complexity of the computer related security threats makes it hard for small companies to have the most updated information and the skills needed to cope with the ongoing and increasing threats faced every day in the world. Computer security personnel are highly skilled, hard to find, and highly paid. Therefore it is unrealistic for small companies to be able to maintain the most up-to-date defenses against the ever increasing attacks on computer assets. The insurance company, on the other hand, has to hire the highly skilled computer security personnel to perform the security analysis, to keep updated with the most recent attacks with new methods. Therefore the insurance company can play a preventive role on behalf of many small companies by sharing the computer security expertise, developing defense guidelines, and distributing such defense guidelines and strategies among the insured companies. In this way, the insurance company can bear, or share with the small companies, the costs associated with combatting computer security threats while providing better defenses against new attacks.
- Referring again to FIG. 6, at 611, the insurance company may distribute preventive information to the customer so that the customer can be aware of the most recent attacks and the associated techniques for defending against such attacks. At 613, the customer provides feedback based on the preventive information received from the insurance company, where the feedback may include the status report of the implementation results related to the preventive information distributed by the insurance company.
- One aspect of the disclosed technology relates to determination of insurability of a product or service based on real-time cyber activity, which can lead to a determination of an insurance premium for the product or service. The insurability rating provides a measure as to insurability of the product or service. Examples of products or services include consumer data (e.g., credit card information, personal information) that is stored on a network-accessible storage unit, cloud computing resources that are provided to paying customers, social media services, financial information, financial services, and others. In the context of the disclosed examples, a high insurability rating is commensurate with having a product or service that is easily insurable (e.g., there is a lower risk of damage to the product or service), whereas a low insurability indicates that there is a higher risk of damage to the product or service. It is, however, understood that such an inverse correlation between the insurability rating and damage risk is merely provided for the sake of illustration, and other relationships (e.g., direct correlation) can also be used. The insurability rating can be a number or a range of numbers. For instance, in one implementation, the insurability rating is a number between 0 and 100, whereas in another implementation, the insurability rating is represented by high (e.g., ratings in range 80 to 100), medium (e.g., ratings in range 60 to 79) and low (e.g., ratings in range 0 to 59).
- FIG. 7 illustrates a set of operations 700 that can be carried out to determine insurability rating for a product or a service in accordance with an exemplary embodiment. The operations 700 can be implemented using a computing system with network connectivity. Such a computing system includes a processor (e.g., a hardware implemented processor comprising electronic circuitry), memory, physical buses and interfaces that allow different components of the system to communicate with one another and with other devices that are connected to the computing device through a network. Referring to FIG. 7, at 702, real-time data indicative of cyber attacks that are likely to diminish a value of the product or service is received at a processor that is implemented at least in-part by electronic circuitry and coupled to a computer network. At 704, the real-time data is processed to compute a real-time damage assessment associated with losses to the product or service in the event of one or more cyber attacks. The real-time damage assessment can be computed using at least a likelihood of occurrence of the one or more cyber attacks, a likelihood of success of the one or more cyber attacks, and a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks. For example, a higher likelihood of cyber attack, a higher likelihood of the success of the cyber attack, and a higher severity measure of damage caused by such cyber attacks, each contribute to a higher computed real-time damage assessment.
- Referring again to FIG. 7, at 706, an insurability rating for the product or service is determined. Such an insurability rating can be used to determine an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks. The insurability rating is determined at least in-part based on the real-time damage assessment and is changeable in response to changes in the received real-time data.
- The insurability rating can be used to produce an insurance premium value for the product or service. Such an insurance premium can also be affected by other factors, such as the length of relationship between the insurer and the organization or person that is seeking insurance (the “insured”), the insurance premiums offered by other insurers, existence of other insurance policies for the product or service, discounts based on the number of other products or services that are insured by the same insurer, and other factors.
- One of the advantages of the disclosed technology relates to the use of real-time data that allows dynamic and up-to-date computation of the damage assessment based on cyber activities that are being continuously monitored. For instance, in one exemplary implementation, the real-time damage assessment is computed on an on-going basis based on changes in the real-time data with a time granularity of 1 micro second or less. Thus, through, for example, monitoring world-wide attacks on particular assets or organizations, the damage assessment can be updated almost instantaneously to allow certain mitigating actions to be triggered. A number or a range of numbers can represent the damage assessment. For instance, in one implementation, the damage assessment is a number between 0 and 100, whereas in another implementation, the damage assessment is represented by a set of three numbers indicative of high (e.g., ratings in range 80 to 100), medium (e.g., ratings in range 60 to 79) and low (e.g., ratings in range 0 to 59) values of the real-time damage assessment.
- In one implementation, the real-time damage assessment is computed by an algorithm that uses a weighted average technique. This technique assigns a first weight to an indicator representative of a likelihood of the occurrence of the one or more cyber attacks, assigns a second weight to an indicator representative of the likelihood of success of the one or more cyber attacks, and a third weight to an indicator representative of the measure of severity of damage to the product or service. The weights can be indicative of the importance of each of the associated indicators of likelihood and/or measure. Further, each of the likelihood of the occurrence of the one or more cyber attacks, the likelihood of success of the one or more cyber attacks, and the measure of severity of damage to the product or service can be determined using historical information associated with previously launched cyber attacks against the products or the service.
- The historical information is typically obtained based on attacks, damages and success rates of previous cyber attacks. For example, the historical information can include a number of previous cyber attacks against the product or service, a rate of success of previous cyber attacks against the product or service, an amount of damage to the service or product caused by the previous cyber attack(s), or a frequency of occurrence of cyber attacks against other entities that offer products or services that are similar to the product and service. In one example, the damage caused by breach of financial data at one financial institution is used to produce a measure of damage for another financial institution. The disclosed technology enables the likelihood of a cyber attack to be produced by analyzing the patterns of cyber activity over a large number of data networks, which can all be carried out in real-time as those evolve over time.
- The damage assessment can be used to compute the insurability rating. In one example, computation of the insurability rating includes processing the real-time damage assessment over a pre-determined time interval and then determining a statistical value associated with several of the insurability rating values over that pre-determined time interval. An example of the statistical value is an average of several insurability rating values over the pre-determined time interval. In one variation, the statistical value is a weighted average of the plurality of insurability rating values over the pre-determined time interval. In this scenario, the weights can be assigned or determined using different techniques that would allow easy adaptation and correlation to the changes in the real-time data. For example, in computing the average value, insurability rating values that correspond to later time instances within the predetermined time interval are given a larger weight compared to the insurability rating values that correspond to earlier time instances within the predetermined time interval.
- The choice of the pre-determined time interval is often left to the designer of the system and can be based on system capabilities and resources, observed time-dependence of cyber activity patterns, importance of the product or service, and other factors. For example, the time interval can be set to be one hour, one day, one week or one month. The pre-determined time interval can also be set to an initial value, and can then be changed based on changes in the system resources, cyber activity patterns, customer requests, or other factors. It should be noted that in some instances it might be beneficial to compute more than one insurability rating so as to ascertain a trend in insurability rating over time, or for other reasons that facilitate the determination of the proper premium. For example, both a short-term and a long-term insurability rating can be computed, with the short-term insurability rating spanning a time period in the range of, e.g., one hour to one day, and the long-term insurability corresponding to a time period that is, e.g., greater than one day and up to one month.
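The weighted-average damage assessment, the recency-weighted insurability rating and the short-term/long-term comparison described above can be sketched as follows; this is an added illustration, not code from the patent. The indicator weights (0.4/0.3/0.3), the linear mapping rating = 100 − damage, the linearly increasing recency weights, the 12-hour and 72-hour windows and the hourly feed are all assumptions constructed for the example.

```python
"""Added illustration: weighted-average damage assessment and recency-weighted
insurability rating. All names, weights and sample data are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Indicators:
    """One real-time sample; each indicator is normalised to 0..1."""
    hour: int          # sample time, hours since the start of the feed
    occurrence: float  # likelihood that an attack occurs
    success: float     # likelihood that the attack succeeds
    severity: float    # measure of severity of damage


def damage_assessment(ind: Indicators,
                      weights: Sequence[float] = (0.4, 0.3, 0.3)) -> float:
    """Weighted average of the three indicators, scaled to 0..100."""
    values = (ind.occurrence, ind.success, ind.severity)
    if len(weights) != 3 or any(w < 0 for w in weights) or sum(weights) <= 0:
        raise ValueError("need three non-negative weights with a positive sum")
    if any(not 0.0 <= v <= 1.0 for v in values):
        raise ValueError("indicators must lie in [0, 1]")
    return 100.0 * sum(w * v for w, v in zip(weights, values)) / sum(weights)


def insurability(damage: float) -> float:
    """Assumed inverse mapping: higher damage gives a lower rating."""
    return 100.0 - damage


def windowed_rating(ratings: Sequence[Tuple[int, float]],
                    end_hour: int, length_hours: int) -> float:
    """Weighted average of the ratings inside (end - length, end].

    Later samples receive larger weights (1, 2, ..., n in time order).
    """
    start = end_hour - length_hours
    in_window = sorted((t, r) for t, r in ratings if start < t <= end_hour)
    if not in_window:
        raise ValueError("no samples inside the requested interval")
    weights = range(1, len(in_window) + 1)
    total = sum(w * r for w, (_, r) in zip(weights, in_window))
    return total / sum(weights)


def band(rating: float) -> str:
    """High / medium / low bands; thresholds follow the 80 and 60 cut-offs."""
    if rating >= 80:
        return "high"
    if rating >= 60:
        return "medium"
    return "low"


def constructed_feed() -> List[Indicators]:
    """Constructed data: 66 quiet hours, then a 6-hour rise in attack activity."""
    quiet = [Indicators(h, 0.2, 0.3, 0.5) for h in range(66)]
    spike = [Indicators(h, 0.9, 0.6, 0.5) for h in range(66, 72)]
    return quiet + spike


def rate_feed(feed: Sequence[Indicators]) -> Dict[str, object]:
    """Short-term (12 h) and long-term (72 h) ratings for the latest sample."""
    ratings = [(s.hour, insurability(damage_assessment(s))) for s in feed]
    end = max(t for t, _ in ratings)
    short = windowed_rating(ratings, end, 12)
    long_term = windowed_rating(ratings, end, 72)
    return {"short": short, "short_band": band(short),
            "long": long_term, "long_band": band(long_term)}


if __name__ == "__main__":
    print(rate_feed(constructed_feed()))
```

On the constructed feed the short-term rating falls into the low band while the long-term rating is still medium, which is the kind of trend the two intervals are meant to expose.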
- In some implementations, the insurability rating is determined based in-part on the existing cybersecurity countermeasures that are being deployed to protect computers, networks or storage units that participate in storage, production or distribution of the product or service. Examples of such cyber security countermeasures include firewalls, anti-virus software, system alerts, fail-safe measures that, for example, limit the amount of loss to the product or service (e.g., cash withdrawal limits), biometric authorization protections and others administrative or physical security measures. In some implementations, the insurability rating is modified dynamically based on changes in cybersecurity countermeasures that are deployed to protect the assets. For example, upon a detection that deployed anti-virus software has expired or has become outdated, the insurability rating can correspondingly change to reflect a higher risk to the asset.
- As noted in connection with operation 611 of FIG. 6, certain information and/or cyber security countermeasures can be shared with an insured party upon a determination that indicates an elevated cyber security risk. For example, one or more of the following can be shared with an entity that is interested in obtaining or maintaining insurance coverage for the product or service: information regarding the real-time damage, information regarding the likelihood of the occurrence of the one or more cyber attacks, information regarding the likelihood of success of the one or more cyber attacks, information regarding the measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks, a recommendation for obtaining additional cybersecurity countermeasures, or a particular cybersecurity countermeasure.
- FIG. 8 illustrates some of the components of a device 800 that can operate to produce an insurability rating in accordance with an exemplary embodiment. The device 800 includes an input port 802 and an output port 804 that allow the device 800 to receive/send data, commands or other signals from/to an outside entity. For example, the input port 802 or the output port 804 can be a serial port, parallel port, a USB port, a wireless connectivity port, an Ethernet port, or other types of input/output ports that are known in the art. In some implementations, the input port 802 and output port 804 may be part of a communication component that provides wired and/or wireless communication capabilities in accordance with one or more communication protocols, and therefore they may comprise the proper transmitter/receiver, antennas, circuitry and ports, as well as the encoding/decoding capabilities that may be necessary for proper transmission and/or reception of data and other information.
- The device 800 in FIG. 8 also includes a processor 812 and memory 810 that are in communication with each other and with other components of the device through, for example, busses, optical interconnects, wireless connections or other means of connectivity that allow the exchange of data and control signals. The processor 812 can, for example, be a microprocessor, a controller or other processing device that is known in the art. The memory 810 can be used to permanently or temporarily (e.g., as in a buffer) store data, program code, parameters or other information that can be used to configure and/or operate the device 800 or the components therein. The device 800 also includes a damage assessment computation component 806, which is coupled to the input port 802 and is configured to receive data on an on-going basis (e.g., real-time data indicative of cyber activity) and compute a real-time damage assessment associated with losses to the product or service in the event of one or more cyber attacks.
- The damage assessment computation component 806 can include sub-components (not shown) that parse the data received from the input port 802 or other device components, and route the appropriate data to other subcomponents (not shown) of the damage assessment computation component 806. For example, a routing subcomponent (not shown) can sift the incoming data to identify and route the following types of data to an aggregation subcomponent: data indicative of a likelihood of the occurrence of the one or more cyber attacks, data indicative of a likelihood of success of the one or more cyber attacks, and data indicative of a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks. The damage assessment computation component 806 can also include one or more subcomponents (e.g., an aggregation subcomponent) that are configured to assign weights, compute averages, and modify data to determine a damage assessment value or values.
- The device 800 also includes an insurability rating computation component 808 that is coupled to the damage assessment computation component 806 and is configured to receive a damage assessment value or values and to determine an insurability rating for the product or service that is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks. The insurability rating computation component 808 is configured to receive the damage assessment values on a real-time basis and use them to produce and update insurability ratings in response to changes in the real-time data. The insurability rating computation component 808 can also include subcomponents (not shown) that are configured to assign weights, compute averages, and modify data to determine the insurability rating. The insurability ratings can be communicated to outside components (not shown) using the output port 804. Examples of those outside components include a monitor, a storage device (e.g., RAM, Optical or Magnetic disks, etc.), a printer and a networked computing device.
- It should be noted that to avoid clutter, FIG. 8 might not show all of the components of the device 800, or all connections between the device components. For example, in instances where data compression is used to reduce the storage and transmission bandwidth of data that is received and processed by device 800, the device 800 may include components that are configured to compress and decompress the data based on the specific compression/decompression algorithms (e.g., LZV, Run Length Encoding, PKZip, etc.). Similarly, in instances where data encryption is used to ensure the security of data (e.g., for the external data received by the device 800, data transmitted by the device 800 to outside devices, or data stored in memory 810), the device 800 may include components that are configured to encrypt and decrypt the data based on specific algorithms (e.g., DES, 3DES, AES, RSA, etc.). In some embodiments, the processor 812 can execute program code that is stored in memory (e.g., in a portion of memory 810) to carry out certain operations, such as data compression/decompression or data encryption/decryption.
- The device 800 that is depicted in FIG. 8 is one example device that can be configured for generating insurability ratings for a product or service. Such a device includes a first input port coupled to a network communication channel to receive real-time data indicative of cyber attacks that are likely to diminish a value of the product or service. The device also includes a damage assessment computation component that is implemented at least in-part using electronic circuits. The damage assessment computation component is coupled to the first input port to receive the real-time data and compute a real-time damage assessment measure associated with losses to the product or service due to occurrence of one or more cyber-attacks. The damage assessment is computed using at least a likelihood of occurrence of the one or more cyber attacks, a likelihood of success of the one or more cyber attacks, and a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks. The device also includes an insurability rating computation component that is implemented at least in-part using electronic circuits and coupled to the damage assessment computation component. The insurability rating computation component is configured to receive the real-time damage indicator computed by the damage assessment computation component and to determine an insurability rating for the product or service that is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks. The insurability rating is determined at least in-part based on the real-time damage assessment and is changeable in response to changes in the received real-time data.
- The components or modules that are described in connection with the disclosed embodiments can be implemented as hardware, software, or combinations thereof. For example, a hardware implementation can include discrete analog and/or digital circuits that are, for example, integrated as part of a printed circuit board. Alternatively, or additionally, the disclosed components or modules can be implemented as an Application Specific Integrated Circuit (ASIC) and/or as a Field Programmable Gate Array (FPGA) device. Some implementations may additionally or alternatively include a digital signal processor (DSP) that is a specialized microprocessor with an architecture optimized for the operational needs of digital signal processing associated with the disclosed functionalities of this application.
- FIG. 9 illustrates a block diagram of a device 900 that can be implemented as part of the disclosed devices and systems. The device 900 comprises at least one processor 904 and/or controller, at least one memory 902 unit that is in communication with the processor 904, and at least one communication unit 906 that enables the exchange of data and information, directly or indirectly, through the communication link 908 with other entities, devices, databases and networks. The communication unit 906 may provide wired and/or wireless communication capabilities in accordance with one or more communication protocols, and therefore it may comprise the proper transmitter/receiver, antennas, circuitry and ports, as well as the encoding/decoding capabilities that may be necessary for proper transmission and/or reception of data and other information. The exemplary device 900 of FIG. 9 may be integrated as part of any devices or components to perform any of the disclosed methods.
- Various embodiments described herein are described in the general context of methods or processes, which may be implemented in one embodiment by a computer program product, embodied in a computer-readable medium, including computer-executable instructions, such as program code, executed by computers in networked environments. A computer-readable medium may include removable and non-removable storage devices including, but not limited to, Read Only Memory (ROM), Random Access Memory (RAM), compact discs (CDs), digital versatile discs (DVD), Blu-ray Discs, etc. Therefore, the computer-readable media described in the present application include non-transitory storage media. Generally, program modules may include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. Computer-executable instructions, associated data structures, and program modules represent examples of program code for executing steps of the methods disclosed herein. The particular sequence of such executable instructions or associated data structures represents examples of corresponding acts for implementing the functions described in such steps or processes.
- While this document contains many specifics, these should not be construed as limitations on the scope of an invention that is claimed or of what may be claimed, but rather as descriptions of features specific to particular embodiments. Certain features that are described in this document in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable sub-combination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a sub-combination or a variation of a sub-combination. Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results.
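The description above computes a damage assessment from three inputs (likelihood of occurrence, likelihood of success, severity) and averages the resulting ratings over a time interval with larger weights for later values, over both a short-term and a long-term interval. The Python sketch below is an added example, not code from the patent; the product formula, the 0 to 100 scale (higher means more insurable), the linear weights from 1 to 2, the 1.5 expired-anti-virus factor and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

# Assumption: an expired anti-virus product raises the attack success likelihood by 50%.
AV_EXPIRED_FACTOR = 1.5


@dataclass(frozen=True)
class Sample:
    """One real-time observation; every value used below is constructed."""
    ts: datetime
    p_occurrence: float      # likelihood that an attack occurs, 0..1
    p_success: float         # likelihood that it succeeds, 0..1
    severity: float          # fraction of the asset value lost, 0..1
    av_current: bool = True  # state of one deployed countermeasure


def damage_assessment(s: Sample) -> float:
    """Expected fractional loss. Assumption: the three inputs are multiplied."""
    for name in ("p_occurrence", "p_success", "severity"):
        value = getattr(s, name)
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} out of range: {value}")
    p_success = s.p_success
    if not s.av_current:
        # Countermeasure lapsed: the rating must reflect a higher risk.
        p_success = min(1.0, p_success * AV_EXPIRED_FACTOR)
    return s.p_occurrence * p_success * s.severity


def instant_rating(s: Sample) -> float:
    """Rating for one sample on an assumed 0..100 scale."""
    return 100.0 * (1.0 - damage_assessment(s))


def windowed_rating(samples: Iterable[Sample], now: datetime,
                    window: timedelta) -> Optional[float]:
    """Weighted average over [now - window, now]; later samples weigh more.

    Weights grow linearly from 1.0 at the start of the interval to 2.0 at
    `now`, so no sample inside the interval is ever ignored. Returns None
    when the interval holds no data.
    """
    if window <= timedelta(0):
        raise ValueError("window must be positive")
    start = now - window
    weighted_sum = weight_total = 0.0
    for s in samples:
        if start <= s.ts <= now:
            weight = 1.0 + (s.ts - start) / window
            weighted_sum += weight * instant_rating(s)
            weight_total += weight
    return weighted_sum / weight_total if weight_total else None


def trend(short_term: Optional[float], long_term: Optional[float],
          tolerance: float = 1.0) -> str:
    """Compare the short-term rating against the long-term one."""
    if short_term is None or long_term is None:
        return "unknown"
    if short_term < long_term - tolerance:
        return "deteriorating"
    if short_term > long_term + tolerance:
        return "improving"
    return "stable"


# Constructed sample data: quiet baseline, then rising activity, then expired AV.
NOW = datetime(2015, 10, 20, 12, 0)
SAMPLES = [
    Sample(NOW - timedelta(days=20), 0.2, 0.5, 0.5),
    Sample(NOW - timedelta(days=10), 0.2, 0.5, 0.5),
    Sample(NOW - timedelta(hours=12), 0.8, 0.5, 0.5),
    Sample(NOW, 0.8, 0.5, 0.5, av_current=False),
]

if __name__ == "__main__":
    short = windowed_rating(SAMPLES, NOW, timedelta(days=1))
    long_ = windowed_rating(SAMPLES, NOW, timedelta(days=30))
    print(f"short-term {short:.2f}  long-term {long_:.2f}  trend {trend(short, long_)}")
```

With the constructed data, the plain mean of the four ratings is 85, while the recency-weighted 30-day value is lower because the two most recent, riskier samples carry the largest weights.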
Claims (39)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/918,398 US20160110819A1 (en) | 2014-10-21 | 2015-10-20 | Dynamic security rating for cyber insurance products |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201462066716P | 2014-10-21 | 2014-10-21 | |
US14/918,398 US20160110819A1 (en) | 2014-10-21 | 2015-10-20 | Dynamic security rating for cyber insurance products |
Publications (1)
Publication Number | Publication Date |
---|---|
US20160110819A1 true US20160110819A1 (en) | 2016-04-21 |
Family
ID=55749422
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/918,398 Abandoned US20160110819A1 (en) | 2014-10-21 | 2015-10-20 | Dynamic security rating for cyber insurance products |
US14/919,506 Active 2037-02-25 US11587177B2 (en) | 2014-10-21 | 2015-10-21 | Joined and coordinated detection, handling, and prevention of cyberattacks |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/919,506 Active 2037-02-25 US11587177B2 (en) | 2014-10-21 | 2015-10-21 | Joined and coordinated detection, handling, and prevention of cyberattacks |
Country Status (2)
Country | Link |
---|---|
US (2) | US20160110819A1 (en) |
WO (2) | WO2016064919A1 (en) |
2015
- 2015-10-20 WO PCT/US2015/056520 patent/WO2016064919A1/en unknown
- 2015-10-20 US US14/918,398 patent/US20160110819A1/en not_active Abandoned
- 2015-10-21 US US14/919,506 patent/US11587177B2/en active Active
- 2015-10-21 WO PCT/US2015/056734 patent/WO2016065049A1/en active Application Filing
Patent Citations (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090024627A1 (en) * | 2007-07-17 | 2009-01-22 | Oracle International Corporation | Automated security manager |
US20090024663A1 (en) * | 2007-07-19 | 2009-01-22 | Mcgovern Mark D | Techniques for Information Security Assessment |
AU2018229433A1 (en) * | 2014-03-26 | 2018-10-04 | Swiss Reinsurance Company Ltd. | System for the measurement and automated accumulation of diverging cyber risks, and corresponding method thereof |
WO2015144220A1 (en) * | 2014-03-26 | 2015-10-01 | Swiss Reinsurance Company Ltd. | System for the measurement and automated accumulation of diverging cyber risks, and corresponding method thereof |
AU2014388092A1 (en) * | 2014-03-26 | 2016-09-29 | Swiss Reinsurance Company Ltd. | System for the measurement and automated accumulation of diverging cyber risks, and corresponding method thereof |
US20170013011A1 (en) * | 2014-03-26 | 2017-01-12 | Swiss Reinsurance Company Ltd. | System for the measurement and automated accumulation of diverging cyber risks, and corresponding method thereof |
US10348757B2 (en) * | 2014-03-26 | 2019-07-09 | Swiss Reinsurance Company Ltd. | System for the measurement and automated accumulation of diverging cyber risks, and corresponding method thereof |
US20150347096A1 (en) * | 2014-06-02 | 2015-12-03 | Blackwatch International | Generic Template Node for Developing and Deploying Model Software Packages Made Up Of Interconnected Working Nodes |
US10360000B2 (en) * | 2014-06-02 | 2019-07-23 | Blackwatch International | Generic template node for developing and deploying model software packages made up of interconnected working nodes |
US20150381649A1 (en) * | 2014-06-30 | 2015-12-31 | Neo Prime, LLC | Probabilistic Model For Cyber Risk Forecasting |
US9680855B2 (en) * | 2014-06-30 | 2017-06-13 | Neo Prime, LLC | Probabilistic model for cyber risk forecasting |
US20160112445A1 (en) * | 2014-10-21 | 2016-04-21 | Marc Lauren Abramowitz | Joined and coordinated detection, handling, and prevention of cyberattacks |
US20160226893A1 (en) * | 2015-01-30 | 2016-08-04 | Wipro Limited | Methods for optimizing an automated determination in real-time of a risk rating of cyber-attack and devices thereof |
US9767318B1 (en) * | 2015-08-28 | 2017-09-19 | Frank Dropps | Secure controller systems and associated methods thereof |
US20170078308A1 (en) * | 2015-09-16 | 2017-03-16 | Mastercard International Incorporated | Systems and Methods for Use in Scoring Entities in Connection With Preparedness of the Entities for Cyber-Attacks |
Non-Patent Citations (2)
Title |
---|
Coble et al. "Methodology Analysis for Weighting Historical Experience – Technical Report" July 12, 2011, USDA report, pages 1-88, https://www.rma.usda.gov/-/media/RMA/Publications/Weighting-of-Historical-Experience/weightingtechnical.ashx?la=en (Year: 2011) * |
S. L. Pfleeger and R. Rue, "Cybersecurity Economic Issues: Clearing the Path to Good Practice," in IEEE Software, vol. 25, no. 1, pp. 35-42, Jan.-Feb. 2008 (Year: 2008) * |
Cited By (44)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10970787B2 (en) | 2015-10-28 | 2021-04-06 | Qomplx, Inc. | Platform for live issuance and management of cyber insurance policies |
US11514531B2 (en) | 2015-10-28 | 2022-11-29 | Qomplx, Inc. | Platform for autonomous risk assessment and quantification for cyber insurance policies |
US11475528B2 (en) | 2015-10-28 | 2022-10-18 | Qomplx, Inc. | Platform for live issuance and management of cyber insurance policies |
US11456885B1 (en) | 2015-12-17 | 2022-09-27 | EMC IP Holding Company LLC | Data set valuation for service providers |
US10430442B2 (en) | 2016-03-09 | 2019-10-01 | Symantec Corporation | Systems and methods for automated classification of application network activity |
US10528522B1 (en) | 2016-03-17 | 2020-01-07 | EMC IP Holding Company LLC | Metadata-based data valuation |
US11169965B2 (en) | 2016-03-17 | 2021-11-09 | EMC IP Holding Company LLC | Metadata-based data valuation |
US10838946B1 (en) | 2016-03-18 | 2020-11-17 | EMC IP Holding Company LLC | Data quality computation for use in data set valuation |
US10671483B1 (en) | 2016-04-22 | 2020-06-02 | EMC IP Holding Company LLC | Calculating data value via data protection analytics |
US10789224B1 (en) | 2016-04-22 | 2020-09-29 | EMC IP Holding Company LLC | Data value structures |
US10838965B1 (en) | 2016-04-22 | 2020-11-17 | EMC IP Holding Company LLC | Data valuation at content ingest |
US20170331840A1 (en) * | 2016-05-11 | 2017-11-16 | Symantec Corporation | Systems and methods for determining security risk profiles |
CN109154962A (en) * | 2016-05-11 | 2019-01-04 | 赛门铁克公司 | System and method for determining security risk profile |
WO2017196463A1 (en) * | 2016-05-11 | 2017-11-16 | Symantec Corporation | Systems and methods for determining security risk profiles |
US10210551B1 (en) | 2016-08-15 | 2019-02-19 | EMC IP Holding Company LLC | Calculating data relevance for valuation |
US10666675B1 (en) | 2016-09-27 | 2020-05-26 | Ca, Inc. | Systems and methods for creating automatic computer-generated classifications |
US10719480B1 (en) | 2016-11-17 | 2020-07-21 | EMC IP Holding Company LLC | Embedded data valuation and metadata binding |
EP3545418A4 (en) * | 2016-11-22 | 2020-08-12 | AON Global Operations PLC, Singapore Branch | Systems and methods for cybersecurity risk assessment |
US10963572B2 (en) | 2016-11-22 | 2021-03-30 | Aon Global Operations Se Singapore Branch | Systems and methods for cybersecurity risk assessment |
US11790090B2 (en) | 2016-11-22 | 2023-10-17 | Aon Global Operations Se Singapore Branch | Systems and methods for cybersecurity risk assessment |
US11037208B1 (en) | 2016-12-16 | 2021-06-15 | EMC IP Holding Company LLC | Economic valuation of data assets |
WO2019173241A1 (en) * | 2018-03-04 | 2019-09-12 | Fractal Industries, Inc. | Platform for live issuance and management of cyber insurance policies |
US10769006B2 (en) | 2018-07-31 | 2020-09-08 | Cisco Technology, Inc. | Ensemble risk assessment method for networked devices |
US11294744B2 (en) | 2018-07-31 | 2022-04-05 | Cisco Technology, Inc. | Ensemble risk assessment method for networked devices |
US20220092506A1 (en) * | 2019-07-19 | 2022-03-24 | The Boston Consulting Group, Inc. | Methods and Systems for Determining an Optimal Portfolio of Cyber Security Related Projects |
US11544385B2 (en) * | 2019-07-29 | 2023-01-03 | Ventech Solutions, Inc. | Method and system for dynamic testing with diagnostic assessment of software security vulnerability |
US20210034752A1 (en) * | 2019-07-29 | 2021-02-04 | Ventech Solutions, Inc. | Method and system for dynamic testing with diagnostic assessment of software security vulnerability |
US20220343434A1 (en) * | 2019-09-30 | 2022-10-27 | Nec Corporation | Insurance audit device, insurance audit system, insurance audit method, and non-transitory computer readable medium storing program |
US11935131B2 (en) * | 2019-09-30 | 2024-03-19 | Nec Corporation | Insurance audit device, insurance audit system, insurance audit method, and non-transitory computer readable medium storing program |
US11250138B2 (en) | 2020-02-26 | 2022-02-15 | RiskLens, Inc. | Systems, methods, and storage media for calculating the frequency of cyber risk loss within computing systems |
WO2021173317A1 (en) * | 2020-02-26 | 2021-09-02 | RiskLens, Inc. | Systems, methods, and storage media for calculating the frequency of cyber risk loss within computing systems |
US11070982B1 (en) | 2020-04-15 | 2021-07-20 | T-Mobile Usa, Inc. | Self-cleaning function for a network access node of a network |
US11444980B2 (en) | 2020-04-15 | 2022-09-13 | T-Mobile Usa, Inc. | On-demand wireless device centric security for a 5G wireless network |
US11799878B2 (en) | 2020-04-15 | 2023-10-24 | T-Mobile Usa, Inc. | On-demand software-defined security service orchestration for a 5G wireless network |
US11533624B2 (en) | 2020-04-15 | 2022-12-20 | T-Mobile Usa, Inc. | On-demand security for network resources or nodes, such as for a wireless 5G network |
US11824881B2 (en) | 2020-04-15 | 2023-11-21 | T-Mobile Usa, Inc. | On-demand security layer for a 5G wireless network |
US11057774B1 (en) | 2020-05-14 | 2021-07-06 | T-Mobile Usa, Inc. | Intelligent GNODEB cybersecurity protection system |
US20230091852A1 (en) * | 2020-05-14 | 2023-03-23 | T-Mobile Usa, Inc. | Intelligent cybersecurity protection system, such as for use in 5g networks |
US11659396B2 (en) * | 2020-05-14 | 2023-05-23 | T-Mobile Usa, Inc. | Intelligent cybersecurity protection system, such as for use in 5G networks |
US11558747B2 (en) * | 2020-05-14 | 2023-01-17 | T-Mobile Usa, Inc. | Intelligent cybersecurity protection system, such as for use in 5G networks |
US11115824B1 (en) | 2020-05-14 | 2021-09-07 | T-Mobile Usa, Inc. | 5G cybersecurity protection system |
US11206542B2 (en) | 2020-05-14 | 2021-12-21 | T-Mobile Usa, Inc. | 5G cybersecurity protection system using personalized signatures |
US20210360405A1 (en) * | 2020-05-14 | 2021-11-18 | T-Mobile Usa, Inc. | Intelligent cybersecurity protection system, such as for use in 5g networks |
US11695791B2 (en) | 2020-09-28 | 2023-07-04 | Mcafee, Llc | System for extracting, classifying, and enriching cyber criminal communication data |
Also Published As
Publication number | Publication date |
---|---|
WO2016064919A1 (en) | 2016-04-28 |
US11587177B2 (en) | 2023-02-21 |
WO2016065049A1 (en) | 2016-04-28 |
US20160112445A1 (en) | 2016-04-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20160110819A1 (en) | Dynamic security rating for cyber insurance products | |
US11265350B2 (en) | Cyber risk analysis and remediation using network monitored sensors and methods of use | |
US10491624B2 (en) | Cyber vulnerability scan analyses with actionable feedback | |
US11924237B2 (en) | Digital asset based cyber risk algorithmic engine, integrated cyber risk methodology and automated cyber risk management system | |
US10757127B2 (en) | Probabilistic model for cyber risk forecasting | |
US10050989B2 (en) | Inferential analysis using feedback for extracting and combining cyber risk information including proxy connection analyses | |
US10511635B2 (en) | Inferential analysis using feedback for extracting and combining cyber risk information | |
US9373144B1 (en) | Diversity analysis with actionable feedback methodologies | |
US9521160B2 (en) | Inferential analysis using feedback for extracting and combining cyber risk information | |
CN101681328B (en) | Predictive assessment of network risks | |
Shetty et al. | Reducing informational disadvantages to improve cyber risk management | |
US10341376B2 (en) | Diversity analysis with actionable feedback methodologies | |
US10841330B2 (en) | System for generating a communication pathway for third party vulnerability management | |
US20220129990A1 (en) | Multidimensional assessment of cyber security risk | |
US11855768B2 (en) | Disaster scenario based inferential analysis using feedback for extracting and combining cyber risk information | |
Panou et al. | RiSKi: A framework for modeling cyber threats to estimate risk for data breach insurance | |
US11863590B2 (en) | Inferential analysis using feedback for extracting and combining cyber risk information | |
Inan | A Visual Tool for the Analysis of Cybersecurity Investments | |
US20240022584A1 (en) | Systems and methods for blockchain-based cyber threat management | |
Goh et al. | Predictive taxonomy analytics (LASSO): predicting outcome types of cyber breach | |
Khalil | The landscape from above: Continuous cloud monitoring for continuous assurance | |
Keskin et al. | Cyber Third-Party Risk Management: A Comparison of Non-Intrusive Risk Scoring Reports. Electronics 2021, 10, 1168 | |
Wright | Healthcare cybersecurity and cybercrime supply chain risk management |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STPP | Information on status: patent application and granting procedure in general | Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
STPP | Information on status: patent application and granting procedure in general | Free format text: FINAL REJECTION MAILED |
STPP | Information on status: patent application and granting procedure in general | Free format text: ADVISORY ACTION MAILED |
STPP | Information on status: patent application and granting procedure in general | Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
STPP | Information on status: patent application and granting procedure in general | Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
STPP | Information on status: patent application and granting procedure in general | Free format text: FINAL REJECTION MAILED |
STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
STPP | Information on status: patent application and granting procedure in general | Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
STPP | Information on status: patent application and granting procedure in general | Free format text: FINAL REJECTION MAILED |
AS | Assignment | Owner name: PALANTIR TECHNOLOGIES INC., COLORADO Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ABRAMOWITZ, MARC L.;REEL/FRAME:062063/0289 Effective date: 20221201 |
STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |