AU2018102106A4 - Cyber security assessment tool - Google Patents


Info

Publication number
AU2018102106A4
Authority
AU
Australia
Prior art keywords
cybersecurity
roadmap
workflow
execution
assessment
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
AU2018102106A
Inventor
Peter Maynard
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cyberlabs Pty Ltd
Original Assignee
Cyberlabs Pty Ltd

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

A cybersecurity assessment method and tool that automates workflow to execute a roadmap. A user answers a self-assessment survey and the results are analysed to generate a report identifying cybersecurity threat issues. The roadmap is generated from the cybersecurity threat issues, priority of works and ability to execute.

[Abstract figure: flowchart with the steps Answer Survey, Generate Report, Populate Dashboard, Produce Roadmap (inputs: Ability to Execute, Priority of Works) and Automate Workflow]

Description

TITLE CYBERSECURITY ASSESSMENT TOOL
FIELD OF THE INVENTION [001] The present invention relates to the field of cybersecurity. More particularly, the invention relates to a tool that assesses cybersecurity in an organisation and automates the process of managing and improving cybersecurity. The invention also relates to a method of cybersecurity assessment and improvement.
BACKGROUND TO THE INVENTION [002] The modern world of business and government is heavily reliant on digital communication, particularly using the Internet. Massive amounts of information flow between entities in digital form with various levels of security from no security at all to sophisticated encoding techniques. Much of the information is highly confidential and is a highly lucrative target for cyber theft. There have been numerous reports of data loss due to failures in cybersecurity, and the numbers of reports are escalating at an alarming rate. Scarcely a day passes without a report of a cyber attack leading to denial of service, loss of data or theft of information.
[003] It is a distressing truth that many of the cyber attacks can be thwarted with relatively simple measures such as appropriate login security (strong passwords, token authentication, etc), appropriate physical security (locked screens and keyboards, locked rooms, etc), and appropriate communication security (encryption, verification, etc). To at least some degree, the problem of criminal or terrorist cyber activity can be addressed by applying known and available techniques. However, staff of many businesses and some government departments do not have sufficient knowledge or confidence in information technology systems to be able to identify and counter even the simplest of risks. Even if they do identify the risk they are often unsure of how to address the risk, and they therefore do nothing.
[004] One approach to address the situation is described in United States patent publication number 20050132225 titled “Method and System for Cyber Security Vulnerability Detection and Compliance Measurement”. The patent application describes an extremely lengthy and complicated questionnaire that is used to produce reports on the cybersecurity of an assessed organisation. Unfortunately, the questionnaire is too long to be of practical benefit, but more importantly the proposed system only provides measurement, it does not provide corrective action.
[005] At the other extreme is a cybersecurity system described in United States patent number 9306965 assigned to IronNet Cybersecurity, Inc. This patent describes a completely automated system that involves a complicated array of sensors feeding information to a distributed analytic platform with a scoring engine that feeds to a real time analytic engine. The real time analytic engine generates a threat intelligence message. The invention is not useful for assessing and implementing simple steps that can overcome many cybersecurity problems.
SUMMARY OF THE INVENTION [006] In one form, although it need not be the only or indeed the broadest form, the invention resides in a method of cybersecurity assessment including the steps of: providing a self-assessment survey to a user;
analysing the results of the self-assessment survey and generating a report identifying cybersecurity threat issues;
producing an execution roadmap for correcting the cybersecurity threat issues, the execution roadmap being generated from the cybersecurity threat issues, priority of works and ability to execute; and automating the workflow to execute the execution roadmap.
[007] Suitably the self-assessment survey comprises a series of questions covering security culture, self awareness, external awareness, identity, perimeter, detection, response and recovery.
[008] Suitably the report classifies risks as low level, moderate level, or high level. The report provides a description of each risk and actions required for addressing the risk.
[009] The execution roadmap is generated by an assessment algorithm taking as primary input the cybersecurity threat issues and priorities. Suitably the assessment algorithm also takes as input the ability of the user to execute the solutions to each cybersecurity threat issue and a priority of works. The ability of the user to execute may be based on such factors as size, sophistication and skill of the user. The priority of works may be based on such factors as nature of the user, preferences of the user and severity of the threat.
[0010] The step of automating the workflow may include automated tasking and management of internal resources, automated tasking and management of external resources, or automatic actions.
[0011] The method may further include the step of displaying the cybersecurity threat issues in a dashboard display. The dashboard display provides an easy to visualise summary of the risks and, preferably, progress towards addressing the risks.
[0012] In a further form the invention resides in a cybersecurity assessment tool comprising:
a user input device or devices that receives user inputs;
a report generator that generates a cybersecurity report identifying cybersecurity issues from the user inputs;
an execution roadmap generator that produces an execution roadmap that outlines steps to address the cybersecurity issues;
an automated workflow generator that automates the workflow required to execute the execution roadmap;
a communication module that communicates workflow requirements to users;
and a workflow progress tracking module that displays progress towards completing workflow.
[0013] Further features and advantages of the present invention will become apparent from the following detailed description.
BRIEF DESCRIPTION OF THE DRAWINGS [0014] To assist in understanding the invention and to enable a person skilled in the art to put the invention into practical effect, preferred embodiments of the invention will be described by way of example only with reference to the accompanying drawings, in which:
[0015] FIG 1 is a flowchart of a method of cybersecurity assessment;
[0016] FIG 2 is a block diagram of the elements of a cybersecurity assessment tool;
[0017] FIG 3 is a screenshot of part of the Input Module;
[0018] FIG 4 is a screenshot of part of a report; and
[0019] FIG 5 is a screenshot of a summary of the report.
DETAILED DESCRIPTION OF THE INVENTION [0020] Embodiments of the present invention reside primarily in a method of cybersecurity threat assessment and a cybersecurity threat assessment tool. Accordingly, the method steps have been illustrated in concise schematic form in the drawings, showing only those specific details that are necessary for understanding the embodiments of the present invention, but so as not to obscure the disclosure with excessive detail that will be readily apparent to those of ordinary skill in the art having the benefit of the present description.
[0021] In this specification, adjectives such as first and second, left and right, and the like may be used solely to distinguish one element or action from another element or action without necessarily requiring or implying any actual such relationship or order. Words such as “comprises” or “includes” are intended to define a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed, including elements that are inherent to such a process, method, article, or apparatus.
[0022] Referring to FIG 1 there is shown a flowchart of a cybersecurity threat assessment process. The process is initiated by providing a user with a survey, preferably online, comprising a number of questions relevant to issues of cybersecurity. In one embodiment the survey is presented in a web page. The survey may be saved in a part-completed form and completed at a later time or by another person. The inventor expects that in many cases the input from two or more people in an organization may be required to complete the survey. In another embodiment the survey may be delivered as an App that runs on a smartphone or tablet.
[0023] The number and nature of the questions will vary somewhat depending on the size and nature of the organization being surveyed, although a core number of questions will be common across all implementations. The specific questions are not critical to the invention, although the types of questions will fall in the following categories: security culture; self awareness; external awareness; identity; protection; detection; response; recovery.
[0024] Once the survey is complete the answers are automatically analyzed to identify weaknesses in the cybersecurity of the organization. As a simple example, if a question about security culture identifies that the IT administrator is responsible for all cybersecurity decisions, the report will flag a low maturity rating for this practice. Another example would be a question that asks if the organization uses VPN connections. This would flag that the organization is open to cyber risk and additional investigation and controls should be put in place. Another example would be a question about what types of authentication the organization uses. If the respondent selects username and password only they would be flagged with low maturity and would be advised to consider implementing strong forms of authentication like multi factor authentication.
[0025] The cybersecurity threats are classified into threat levels. For example, the threat levels may be classified as low, medium and high. The inventors believe a simple three tier assessment system is adequate and appropriate as it is familiar to most people, however more complex systems may be appropriate in some circumstances. By way of example, a low-level maturity response typically indicates that the organization is only at the understanding stage: as in the example of username and password authentication, the organization needs to understand what better forms of authentication exist. A medium level maturity response typically indicates that the organization is at the implementation stage. To extend upon the example above, the organization may have implemented multifactor authentication in some areas of their business and as such have improved, or matured, the cybersecurity resilience. A high-level maturity response typically indicates the organization is at an improvement stage. Once again, extending on the previous example, the organization may have now implemented multi factor authentication across all of their critical systems taking their cyber resilience to a higher maturity level.
[0026] Every question is weighted relative to its importance, impact and effectiveness. The total possible score of each section is based on the total weighted scores of each question in the section. Sections have a maximum score that range from 50 to 250. Individual questions can have weighted scores as low as 1 or as high as 50 or more. The scale fineness is based on the granularity of the individual question weights. The basis of the assessment is biased towards efficiency of information gathering rather than exhaustive detailed questioning.
[0027] The process optionally includes display of the report in a dashboard format. The dashboard format gives the user a useful visualization of the threats and will typically be color coded with, for example, high level threats (low maturity) in grey, medium level threats (moderate maturity) in blue and low level threats (high maturity) in green. The colors may change over time as the execution roadmap (described below) is implemented and the organization’s maturity improves.
[0028] The details of the report are processed by an analytic engine to produce an Execution Roadmap. The execution roadmap is a specific set of actions to address the cybersecurity threats, and a specific order of tasks to achieve the actions. The Execution Roadmap is produced by ordering the cybersecurity threats by threat level and adjusting the order by taking into account the Ability to Execute of the organization and the Priority of Works for the specific organization.
[0029] Turning first to Priority of Works, the same threat may be of lesser or greater priority depending on the organization. For instance, a law firm may have a higher sensitivity to loss of confidential data than a school, or a transport management department may have a higher sensitivity to a denial of service attack than a museum. For these organizations the threat level may be the same but the order in which the threat is addressed will be different, and hence will be placed differently on the execution roadmap. The Priority of Works is determined by a number of factors including commonality of threats, industry specific threats, the organization’s ability to execute the required controls, availability of resources, maturity assessments and ratings as well as the organization’s own ability to prioritize threats and controls.
[0030] Ability to Execute is another important input to producing the Execution Roadmap. There is no benefit setting an action for an organization that the organization is unable to complete. For instance, a known security bug in a piece of hardware may be impossible to plug until the hardware supplier provides a patch. In such an instance an action of “patch the bug” cannot be executed. Instead alternate strategies to minimize the threat will be listed. As another example, budget constraints may limit what an organization can achieve so the Execution Roadmap will take this into account. The Ability to Execute is determined by various factors affecting the organization such as size, business maturity, overall cybersecurity maturity ratings, and industry specific variables to name a few.
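The weighted section scoring of [0026], the three-tier maturity classification of [0025] and the roadmap ordering of [0028] to [0030], worked through as an added Python example that is not the patent's own code. The question weights, answers, the one-third and two-thirds maturity cut-offs, the priority multipliers and the non-executable action are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Question:
    text: str
    weight: int     # page: individual weights run from 1 to 50 or more
    answer: float   # assumed encoding: 0.0 = control absent, 1.0 = fully implemented

@dataclass
class Section:
    name: str
    questions: list
    action: str                     # corrective action while the section is below high maturity
    fallback: Optional[str] = None  # alternate strategy if the action cannot be executed

def section_score(section):
    """Weighted score of a section and the maximum it could reach ([0026])."""
    max_score = sum(q.weight for q in section.questions)
    score = sum(q.weight * q.answer for q in section.questions)
    return score, max_score

def maturity_level(score, max_score):
    """Three-tier maturity ([0025]); the one-third and two-thirds cut-offs are an assumption."""
    ratio = score / max_score
    if ratio < 1 / 3:
        return "low"     # understanding stage
    if ratio < 2 / 3:
        return "medium"  # implementation stage
    return "high"        # improvement stage

# Low maturity means high threat, and vice versa ([0027]).
THREAT_OF_MATURITY = {"low": "high", "medium": "medium", "high": "low"}
THREAT_RANK = {"high": 3, "medium": 2, "low": 1}

def build_roadmap(sections, priority_of_works, cannot_execute):
    """Order threats by level, adjust by the organisation's priority of works, and
    substitute the fallback wherever the organisation is unable to execute the action."""
    roadmap = []
    for s in sections:
        score, max_score = section_score(s)
        threat = THREAT_OF_MATURITY[maturity_level(score, max_score)]
        if threat == "low":
            continue  # already at high maturity: nothing to schedule
        action = s.action
        if action in cannot_execute:
            if s.fallback is None:
                continue  # no executable step exists for this threat
            action = s.fallback
        rank = THREAT_RANK[threat] * priority_of_works.get(s.name, 1.0)
        roadmap.append((s.name, threat, action, rank))
    roadmap.sort(key=lambda item: item[3], reverse=True)  # stable: ties keep survey order
    return roadmap

# Constructed answers for a hypothetical small law firm.
SURVEY = [
    Section("identity", [
        Question("Authentication in use (password only = 0, MFA everywhere = 1)", 50, 0.0),
        Question("Accounts removed when staff leave", 10, 1.0),
    ], action="Implement multi-factor authentication on critical systems"),
    Section("protection", [
        Question("Known vendor bug in perimeter hardware patched", 40, 0.0),
        Question("Antivirus installed on all endpoints", 30, 1.0),
    ], action="Patch the vendor bug",
       fallback="Restrict access to the affected hardware until the vendor patch ships"),
    Section("security culture", [
        Question("Cybersecurity decisions shared beyond the IT administrator", 20, 0.5),
        Question("Staff awareness training completed this year", 30, 0.5),
    ], action="Distribute the awareness video and record who has watched it"),
    Section("recovery", [
        Question("Backups tested in the last quarter", 50, 1.0),
    ], action="Establish a tested backup regime"),
]

# A law firm weighs confidentiality above other works ([0029]); constructed multipliers.
PRIORITY = {"identity": 1.5, "security culture": 1.2}
# The supplier has not yet released the patch ([0030]), so this action cannot be executed.
CANNOT_EXECUTE = {"Patch the vendor bug"}

if __name__ == "__main__":
    roadmap = build_roadmap(SURVEY, PRIORITY, CANNOT_EXECUTE)
    for step, (name, threat, action, rank) in enumerate(roadmap, 1):
        print(f"{step}. [{threat} threat, rank {rank:.1f}] {name}: {action}")
```

The recovery section reaches high maturity and so produces no roadmap entry, while the protection section keeps its place on the roadmap but with the fallback strategy substituted for the action that cannot be executed.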
[0031] Once the Execution Roadmap is produced it is converted to an Automated Workflow. The Automated Workflow allocates tasks to be completed and tracks the progress. The tasks may be allocated to internal resources, external resources or executed automatically.
[0032] An example of an automatically executed task is a cybersecurity training video. If the Execution Roadmap assesses that all or some staff require a greater awareness of cybersecurity the Automated Workflow may automatically distribute a short video to the staff and record that it is watched.
Another example is implementation of a structured patching regime. This task could be assigned to an IT department, either internal or external to complete. They will be given a deadline to complete this task and if the task is not completed in time then it will be escalated as a potential risk that the organization’s cybersecurity management team will follow up on and resolve.
[0033] Many cybersecurity tasks will be executable from within the resources of an organization. The Automated Workflow process allows management teams to identify tasks and allocate them to the appropriate team. As in the previous example, the patching regime task was identified as an IT task that is appropriate for an IT manager to complete. Part of the Automated Workflow includes setting start and completion dates as well as collecting data for progress towards completion. This information is conveniently displayed on the Dashboard described previously. The allocation may be specific to a person or group that has the necessary skills or it may be a generic allocation which requires a user to have input to determine the specific allocation. For example, the Automated Workflow may allocate a task, such as implement antivirus software, to the IT department and the IT Manager will then allocate the task to a person or persons. Other tasks may be allocated to all staff, such as notify the IT Manager of suspected spam.
[0034] Not all tasks will be able to be completed within the resources of the organization and the Automated Workflow may allocate these to external resources, such as consultants or software suppliers. Typically, the external resources will be existing suppliers to the business. It will usually be appropriate to require an internal resource, such as the IT Manager, to approve an external tasking.
[0035] Whether using internal resources or external resources the Automated Workflow will allocate commencement and completion dates as well as track progress on the Dashboard, as described above.
[0036] The invention described above is suitably implemented as an online cybersecurity assessment tool such as via a smartphone app or webpage. The cybersecurity assessment tool is constructed as a number of modules as depicted in FIG 2. The primary user facing module is an input module that collects input from a User or Users via a User Input Device, such as a keyboard, pointing device or voice recorder. The Input module presents questions to the User and collects responses.
[0037] The data collected by the Input Module is processed by a Report Generator to generate a cybersecurity report for the organization. The cybersecurity report covers multiple dimensions of cybersecurity for an organization including identifying cybersecurity maturity and specific deficiencies requiring corrective actions. The report is then converted to a Roadmap for improvement by a Roadmap Generator, as described above. The Roadmap Generator receives additional inputs from the Input Module such as the User input to Priority of Works and Ability to Execute.
[0038] The Roadmap is displayed to the User but may also be converted to specific tasks by the Workflow Generator module. The specific tasks are given timelines and assigned by a Workflow Progress module which displays the information in a Dashboard. The Dashboard receives input from the User Input Device via the Input Module, or directly. The Dashboard provides prime interaction with the User for execution of the Cybersecurity Roadmap. For instance, the User accesses the Report from the Dashboard.
[0039] An example of a user input screen generated by the Input Module is shown in FIG 3. FIG 3 displays one of the questions that is answered by a User to provide input to the Report Generator. FIG 4 shows a screenshot of a top-level summary of the result of a cybersecurity assessment using the cybersecurity assessment tool. It is evident that the top-level summary is not merely rewriting the answers to the questions recorded by the Input Module. FIG 5 is a screenshot of a more detailed summary of the output of the Report Generator. The remainder of the report provides detailed assessment of cybersecurity issues following the dimensions of the summary of FIG 5.
[0040] The detailed assessment is then compiled into a Workflow which is displayed to the User in a Dashboard (not shown).
[0041] The above description of various embodiments of the present invention is provided for purposes of description to one of ordinary skill in the related art. It is not intended to be exhaustive or to limit the invention to a single disclosed embodiment. As mentioned above, numerous alternatives and variations to the present invention will be apparent to those skilled in the art of the above teaching. Accordingly, while some alternative embodiments have been discussed specifically, other embodiments will be apparent or relatively easily developed by those of ordinary skill in the art. Accordingly, this invention is intended to embrace all alternatives, modifications and variations of the present invention that have been discussed herein, and other embodiments that fall within the spirit and scope of the above described invention.

Claims (5)

1. A method of cybersecurity assessment including the steps of: providing a self-assessment survey to a user;
analysing the results of the self-assessment survey and generating a report identifying cybersecurity threat issues;
producing an execution roadmap for correcting the cybersecurity threat issues, the execution roadmap being generated from the cybersecurity threat issues, priority of works and ability to execute; and
automating the workflow to execute the execution roadmap.
2. The method of claim 1 wherein the execution roadmap is generated by an assessment algorithm taking as primary input the cybersecurity threat issues and priorities.
3. The method of claim 2 wherein the assessment algorithm takes as input the ability of the user to execute the solutions to each cybersecurity threat issue and a priority of works.
4. The method of claim 1 wherein the step of automating the workflow includes one or more of: automated tasking and management of internal resources; automated tasking and management of external resources; or automatic actions.
5. A cybersecurity assessment tool comprising:
a user input device or devices that receives user inputs;
a report generator that generates a cybersecurity report identifying cybersecurity issues from the user inputs;
an execution roadmap generator that produces an execution roadmap that outlines steps to address the cybersecurity issues;
an automated workflow generator that automates the workflow required to execute the execution roadmap;
a communication module that communicates workflow requirements to users;
and a workflow progress tracking module that displays progress towards completing workflow.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AU2017905169A AU2017905169A0 (en) 2017-12-22 Cyber security assessment tool
AU2017905169 2017-12-22

Publications (1)

Publication Number Publication Date
AU2018102106A4 true AU2018102106A4 (en) 2019-01-31

Family

ID=65137756

Family Applications (1)

Application Number Title Priority Date Filing Date
AU2018102106A Active AU2018102106A4 (en) 2017-12-22 2018-12-20 Cyber security assessment tool

Country Status (1)

Country Link
AU (1) AU2018102106A4 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11451575B2 (en) 2020-07-30 2022-09-20 Saudi Arabian Oil Company Method and system for determining cybersecurity maturity

Legal Events

Date Code Title Description
FGI Letters patent sealed or granted (innovation patent)