SYSTEMS AND METHODS FOR IDENTIFYING, CATEGORIZING, QUANTIFYING AND EVALUATING RISKS

摘要

Systems and methods for identifying, categorizing, quantifying and evaluating risks are presented. In exemplary embodiments of the present invention an asset can be analyzed into its various levels of sub-assets in a top-down manner. In turn, lowest level sub-assets can be analyzed into components and elements of such components. In exemplary embodiments of the present invention, comprehensive and orthogonal threat probability and vulnerability data can be input for each of the elements of each component of each lowest level sub-asset. In exemplary embodiments of the present invention such data can be input in the form of a threat probability matrix and a vulnerability matrix. The input data can then be processed to generate an output set for each such sub-asset comprising a combined threat/vulnerability matrix, an index of overall risk vulnerability, or "Figure of Merit" (FOM) and associated retained risk. For each component and level of sub-assets such an output set can then be processed into combined output sets for the higher-level assets of which they are a part, proceeding back up the asset analysis tree. This can provide an accurate risk calculus for the top-level asset and each level of sub-asset identified in the top-down analysis. In exemplary embodiments of the present invention, such outputs can be displayed in various display modes, and an optional iterative risk remediation process can also be performed. In alternative "inverse" exemplary embodiments of the present invention a risk calculus can be used to augment, maximize or exploit an adversary's vulnerabilities.