| US 7,613,625 B2 | ||
| Overall risk in a system | ||
| Nicolas Heinrich, Nice (France) | ||
| Assigned to Accenture SAS, Paris (France) | ||
| Filed on Nov. 09, 2004, as Appl. No. 10/984,057. | ||
| Application 10/984057 is a continuation of application No. 10/113202, filed on Mar. 29, 2002, granted, now 6,895,383. | ||
| Claims priority of provisional application 60/279987, filed on Mar. 29, 2001. | ||
| Prior Publication US 2005/0114186 A1, May 26, 2005 | ||
| This patent is subject to a terminal disclaimer. | ||
| Int. Cl. G06F 17/50 (2006.01) | ||
| U.S. Cl. 705—7 | 25 Claims |

1. A computer-implemented method for assessing a single value representative of an overall risk in at least part of an information technology system comprising:

inputting into a risk assessment database a plurality of risks for an information technology system by utilizing at least one computer having a risk analysis program, wherein each of the risks represents a security vulnerability for the information technology system;

associating the plurality of risks with at least one severity band in a risk echelon and storing said association in a memory storage device;

assigning a risk value to each of the plurality of risks that represents a value of danger associated with the risk;

for each of the plurality of risks, assigning a risk rank to the risk that indicates the magnitude of the risk value assigned to the risk;

determining, with the risk analysis program stored on the at least one computer, a band limit value for the at least one severity band, wherein the band limit value indicates a risk limit value for the risk values associated with the at least one severity band;

for each of the plurality of risks, determining, with the risk analysis program stored on the at least one computer, a corresponding coefficient factor based on the assigned risk rank and the band limit value for the at least one severity band associated with the risk, each coefficient factor having a decreasing magnitude from a coefficient factor corresponding to a highest risk value to a coefficient factor corresponding to a lowest risk value;

summing, with the risk analysis program stored on the at least one computer, each of the corresponding coefficient factors together to determine a coefficient factor summation;

multiplying, with the risk analysis program stored on the at least one computer, the coefficient factor summation with a risk multiplicand to determine a risk product, wherein the risk multiplicand is defined as ![]() wherein:

rimax is an upper band limit;

rimax−1 is a lower band limit;

adding, with the risk analysis program stored on the at least one computer, the risk product to a risk addend to determine the overall risk, where the risk addend is defined as rimax−1; and

outputting an indication of the overall risk.
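The aggregation steps of claim 1 (rank the risks, assign decreasing coefficient factors, sum them, multiply by the risk multiplicand, add the lower band limit) as an added illustration that is not the patent's own code. The page does not carry the risk multiplicand formula, so the multiplicand used here (the width of the severity band of the highest-ranked risk), the coefficient factor 1/2^(rank+1) and the constructed risk echelon are all assumptions chosen so that the overall risk stays inside that band.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str      # identifier of the security vulnerability
    value: float   # risk value: the danger associated with the risk


# Constructed risk echelon (assumption): severity bands given as
# (lower band limit ri_max-1, upper band limit ri_max).
BANDS = [(0.0, 1.0), (1.0, 2.0), (2.0, 3.0), (3.0, 4.0)]


def band_for(value, bands=BANDS):
    """Return the (lower, upper) band limits that contain a risk value."""
    for lower, upper in bands:
        if lower <= value < upper:
            return lower, upper
    return bands[-1]  # values at or above the top limit fall in the top band


def overall_risk(risks, bands=BANDS):
    """Single overall-risk value for a list of risks, following claim 1.

    Assumptions (not from the page): the band is that of the highest-ranked
    risk, coefficient factors are 1/2^(rank+1), and the multiplicand is the
    band width. Because the coefficient sum is always below 1, the result
    lies in [ri_max-1, ri_max): more risks raise it, but it never crosses
    into the next band.
    """
    if not risks:
        return 0.0
    # Risk rank: rank 0 is the highest risk value, so coefficients decrease
    # from the highest to the lowest risk, as the claim requires.
    ordered = sorted(risks, key=lambda r: r.value, reverse=True)
    lower, upper = band_for(ordered[0].value, bands)
    coefficients = [0.5 ** (rank + 1) for rank in range(len(ordered))]
    coefficient_sum = sum(coefficients)
    multiplicand = upper - lower          # assumed risk multiplicand
    risk_product = coefficient_sum * multiplicand
    return risk_product + lower           # risk addend is ri_max-1


if __name__ == "__main__":
    # Constructed sample: one band-2 vulnerability plus two lesser ones.
    sample = [Risk("weak-tls", 2.5), Risk("old-lib", 2.2), Risk("verbose-err", 1.1)]
    print(overall_risk(sample))  # 2.875, still inside band (2.0, 3.0)
```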