System and Method for Enumerating and Remediating Gaps in Cybersecurity Defenses
- Publication Date: July 29, 2021
- Additional information
- Document Number: 20210234885
- Appl. No: 17/104030
- Application Filed: November 25, 2020
- Abstract: A method for identifying gaps in an organization's cyber defenses, and identifying and prioritizing remediations that are designed to eliminate those gaps, including using multiple-choice questionnaires, wherein the answers to a series of multiple-choice questions are scored for inherent risk, selecting security controls and calculating expected maturity scores for these controls based on the inherent risk score, using multiple-choice questionnaires, wherein the answers to a series of multiple-choice questions are scored for actual control maturity, aggregating said actual and expected maturity scores and comparing these to identify and quantify gaps, and recommending and prioritizing control improvements that are designed to raise the score to an expected level. These steps are implemented using a computing device. In this manner the organization can identify a sequenced set of concrete steps it can take to achieve reasonable and effective security.
- Claim: 1. A method for identifying gaps in an organization's cyber defenses, and identifying and prioritizing remediations that are designed to eliminate those gaps, comprising: using multiple-choice questionnaires, wherein the answers to a series of multiple-choice questions are scored for inherent risk; selecting security controls and calculating expected maturity scores for these controls based on the inherent risk score; using multiple-choice questionnaires, wherein the answers to a series of multiple-choice questions are scored for actual control maturity; aggregating said actual and expected maturity scores and comparing these to identify and quantify gaps; and recommending and prioritizing control improvements that are designed to raise the score to an expected level; wherein the steps above are implemented using a computing device; in this manner the organization can identify a sequenced set of concrete steps it can take to achieve reasonable and effective security.
- Claim: 2. The method of claim 1, wherein the answers to a series of multiple-choice questions are scored for inherent risk, comprising: using expert judgement and open source threat intelligence, predefining a list of generic risk factors and grouping these into risk categories for “Assets”, “Data”, “Media”, “Staff”, “3rd Parties”, “Facilities”, “IT Infrastructure”, and “Applications”; using expert judgement and open source threat intelligence, pre-assigning a weighting factor $w_i$ for each risk factor $i$, which represents an estimate of the size of risk factor $i$ relative to other factors in the same category; using expert judgement, pre-assigning a set of declarative statements for each of said risk factors, which describe levels of minimal, moderate, and significant risk; using expert judgement, pre-assigning a numerical value between 0 and 1 for each declarative statement, which represents an estimated risk rating $r_{ij}$ for risk factor $i$ and level $j$; prompting the user with the choice of said declarative statements for each of said risk factors; receiving the chosen response from the user and multiplying the risk rating $r_{ij}$ for the chosen level $j$ by the weighting factor $w_i$ pre-assigned for this risk factor, to establish an inherent risk score $R_i$ for factor $i$, as in the formula $R_i = w_i r_{ij}$; adding up the risk scores for each risk category $C$ and dividing by the maximum total risk score for each category $C$ to generate a normalized category risk score, as in the formula $R_C = \sum_{i=1}^{n} w_i r_{ij} \big/ \sum_{i=1}^{n} w_i \max(r_i)$, where $\max(r_i) = r_{i,\text{Significant}}$ and $n$ is the number of risk factors in risk category $C$; calculating a threat score $T$ using the risk scores for the “Assets”, “Data”, and “Media” categories, and the formula [mathematical expression included]; calculating a vulnerability score $V$ using the risk scores for the “Staff”, “3rd Parties”, “Facilities”, “IT Infrastructure”, and “Applications” categories, and the formula [mathematical expression included]; calculating a consequence score $C$ using the risk scores for the “Assets” and “Data” categories and the formula $C = (R_{\text{Assets}} + R_{\text{Data}})/2$; calculating a normalized total inherent risk score $R_{\text{Total}}$ using said scores for threat, vulnerability and consequence and the formula [mathematical expression included]; wherein the steps above are implemented using a computing device.
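The following Python is an added worked example of the inherent-risk scoring in claim 2; it is not code from the patent or its applicant. The risk factors, weights $w_i$, ratings $r_{ij}$ and questionnaire answers are constructed for illustration (the patent pre-assigns them from expert judgement and threat intelligence). The threat, vulnerability and total-risk formulas are not reproduced on this page, so the example stops at the per-factor scores $R_i$, the normalized category scores $R_C$ and the consequence score $C$, and adds a validation step that enforces the claim's implicit premise that the “significant” rating is the maximum for every factor.

```python
# Added worked example, not the patent's own code: inherent-risk scoring per claim 2.
# Weights w_i and ratings r_ij are constructed; T, V and R_Total are not computed
# because their formulas are absent from the page.

LEVELS = ("minimal", "moderate", "significant")

# Constructed risk factors: category -> {factor: (weight w_i, {level j: rating r_ij})}
RISK_FACTORS = {
    "Assets": {
        "asset_value":      (3.0, {"minimal": 0.1, "moderate": 0.5, "significant": 1.0}),
        "asset_visibility": (1.0, {"minimal": 0.2, "moderate": 0.6, "significant": 1.0}),
    },
    "Data": {
        "data_sensitivity": (2.0, {"minimal": 0.1, "moderate": 0.5, "significant": 1.0}),
        "data_volume":      (2.0, {"minimal": 0.1, "moderate": 0.4, "significant": 1.0}),
    },
    "Media": {
        "removable_media":  (1.0, {"minimal": 0.0, "moderate": 0.5, "significant": 1.0}),
    },
}


def validate_factors(factors=RISK_FACTORS):
    """Claim 2 takes max(r_i) to be the 'significant' rating, so every rating must lie
    in [0, 1] and be non-decreasing across minimal -> moderate -> significant."""
    for category, members in factors.items():
        for name, (weight, ratings) in members.items():
            values = [ratings[level] for level in LEVELS]
            if weight <= 0 or any(not 0.0 <= v <= 1.0 for v in values):
                raise ValueError(f"{category}/{name}: weight must be > 0, ratings in [0, 1]")
            if values != sorted(values):
                raise ValueError(f"{category}/{name}: ratings must not decrease with level")
    return True


def factor_risk(weight, ratings, level):
    """R_i = w_i * r_ij for the level j the respondent chose."""
    if level not in ratings:
        raise ValueError(f"unknown risk level {level!r}")
    return weight * ratings[level]


def category_risk(category, answers):
    """R_C = sum_i w_i r_ij / sum_i w_i max(r_i), with max(r_i) = r_i,Significant."""
    members = RISK_FACTORS[category]
    actual = sum(factor_risk(w, r, answers[name]) for name, (w, r) in members.items())
    maximum = sum(w * r["significant"] for w, r in members.values())
    return actual / maximum


def consequence_score(answers):
    """C = (R_Assets + R_Data) / 2."""
    return (category_risk("Assets", answers) + category_risk("Data", answers)) / 2


# Constructed questionnaire responses: the level chosen for each risk factor
RISK_ANSWERS = {
    "asset_value": "significant", "asset_visibility": "moderate",
    "data_sensitivity": "moderate", "data_volume": "minimal",
    "removable_media": "minimal",
}

if __name__ == "__main__":
    validate_factors()
    for category in RISK_FACTORS:
        print(f"R_{category} = {category_risk(category, RISK_ANSWERS):.3f}")
    print(f"C = {consequence_score(RISK_ANSWERS):.3f}")
```

With the constructed answers the “Assets” category scores 0.9 (3.6 of a possible 4.0), “Data” scores 0.3 and “Media” 0.0, giving a consequence score of 0.6. The normalization by the maximum attainable total is what makes categories with different numbers of factors comparable on the same 0 to 1 scale.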
- Claim: 3. The method of claim 1, involving selecting security controls and calculating expected maturity scores for these controls based on the inherent risk score, comprising: predefining, prioritizing and grouping a universe of security controls that can be implemented at different levels of functionality and pre-assigning a weighting factor for each control; selecting from this universe a set of controls that the organization is expected to implement to achieve reasonable security based on its normalized total inherent risk; for each selected control, calculating the degree of functionality that the organization is expected to implement to achieve effective security based on its normalized total inherent risk; for each selected control, calculating an expected score by multiplying the expected degree of functionality for this control by the weighting factor, as in the formula $ES_i = w_i \cdot ED_{P_i}$; wherein the steps above are implemented using a computing device.
- Claim: 4. The method of claim 3, involving predefining, prioritizing and grouping a universe of security controls that can be implemented at different levels of functionality and pre-assigning a weighting factor for each control, comprising: identifying a set of security best practices and technologies from government and industry regulations, best practice surveys, control frameworks, intelligence agency control rankings, and industry analyst guides; using expert judgement to combine and rearrange said best practices and technologies to derive a set of security controls based on activities, artefacts or properties whose security effectiveness can be quantified with, at minimum, an ordinal scale, but preferably an interval or ratio scale; pre-assigning each of said derived controls to one of the following functional groups: “Governance”, “Endpoints”, “Network”, “Access”, “Data”, “Dependencies” and “Awareness”; pre-assigning each of said derived controls to one of the following lifecycle groups: “Identify”, “Prevent”, “Limit”, “Detect”, “Respond”, “Recover”; pre-assigning each of said derived controls to one of the following control groups: “Plan”, “Policy”, “Procedure”, “Resource”, or “Technical”; ensuring that every combination of said functional group and said lifecycle group has at least one security control; pre-assigning a specific priority P1, P2, or P3 to each control based on best practice surveys, customary norms, intelligence agency control rankings, NIST Baselines, or Center for Internet Security Implementation Classes; pre-assigning a set of declarative statements to each control which describe basic, intermediate and advanced levels of functionality, wherein each higher level either subsumes or replaces and improves the functionality of the level(s) below it; designating each of said derived controls as a predominantly likelihood-reducing control or impact-reducing control; pre-assigning a weighting factor $w_i$ for each likelihood-reducing control $i$, which is an estimate of the fraction of all security incidents that the control will block or contain, based on open source data breach statistics; pre-assigning a weighting factor $w_i$ for each impact-reducing control $i$, which is an estimate of the fraction by which the control will reduce the impact of a security incident, based on open source cost of data breach statistics;
- Claim: 5. The method of claim 3, involving selecting from this universe a set of controls that the organization is expected to implement to achieve reasonable security based on its normalized total inherent risk, comprising: pre-assigning a numerical value between 0 and 1 for each declarative statement for each control $i$ in claim 4, representing an estimate of the degree of functionality $(\text{Degree}_i)_L$ of the control implemented at level $L$ relative to its maximum functionality (implemented at the advanced level); multiplying the weighting factor pre-assigned to each control in claim 4 by said numerical value for each declarative statement to determine a precalculated score for the control for basic, intermediate, and advanced levels of functionality, as in the formula $(CS_i)_L = w_i \cdot (\text{Degree}_i)_L$, where $L$ is the level of functionality (basic, intermediate, or advanced); pre-calculating cumulative aggregated maturity scores $AM_{\rho\lambda}$ by adding together said precalculated control scores for each combination of priority $\rho$ (P1, P2, and P3) assigned in claim 4 and level $\lambda$ (basic, intermediate, advanced) described in claim 4, as in the formula $AM_{\rho\lambda} = AM_{(\rho-1),\text{Advanced}} + \sum_{i=1}^{N_\rho} (CS_i)_\lambda$, where $N_\rho$ is the number of controls with priority $\rho$; dividing said cumulative aggregated maturity scores by the maximum possible aggregated maturity score, obtained by implementing all controls (P1, P2, and P3) at the advanced level, to yield a matrix of nine normalized total maturity scores, as in $(M_{\text{Total}})_{\rho\lambda} = AM_{\rho\lambda} \big/ \sum_{i=1}^{N} w_i$, where $N$ is the total number of controls; selecting only P1 controls if the normalized total inherent risk score $R_{\text{Total}}$ in claim 2 is equal to or less than said normalized total maturity score for P1 at the advanced level, $(M_{\text{Total}})_{P1,\text{Advanced}}$; selecting P1 and P2 controls if the normalized total inherent risk score $R_{\text{Total}}$ in claim 2 is greater than said normalized total maturity score for P1 at the advanced level, $(M_{\text{Total}})_{P1,\text{Advanced}}$, but equal to or less than said normalized total maturity score for P2 at the advanced level, $(M_{\text{Total}})_{P2,\text{Advanced}}$; selecting P1, P2 and P3 controls if the normalized total inherent risk score $R_{\text{Total}}$ in claim 2 is greater than said normalized total maturity score for P2 at the advanced level, $(M_{\text{Total}})_{P2,\text{Advanced}}$, but equal to or less than said normalized total maturity score for P3 at the advanced level, $(M_{\text{Total}})_{P3,\text{Advanced}}$; wherein the steps above are implemented using a computing device.
- Claim: 6. The method of claim 3, involving, for each control, calculating the degree of functionality that the organization is expected to implement to achieve effective security based on its normalized total inherent risk, comprising: if only P1 controls are selected in claim 5, then calculating the expected degree for all P1 controls $ED_{P1}$ by dividing the normalized total inherent risk by the sum of the weighting factors for all P1 controls, as in the formula [mathematical expression included], where $I$ is the number of controls with priority P1; if P1 and P2 controls are selected in claim 5, then setting the expected degree for all P1 controls to 1 and calculating the expected degree for all P2 controls $ED_{P2}$ by subtracting the sum of the weighting factors for all P1 controls from the normalized total inherent risk and dividing the remainder by the sum of the weighting factors for all P2 controls, as in the formula $ED_{P2} = \left(R_{\text{Total}} - \sum_{i=1}^{I} w_i\right) \big/ \sum_{j=1}^{J} w_j$, where $I$ is the number of controls with priority P1, and $J$ is the number of controls with priority P2; if P1, P2 and P3 controls are selected in claim 5, then setting the expected degree for all P1 and P2 controls to 1 and calculating the expected degree for all P3 controls $ED_{P3}$ by subtracting the sum of the weighting factors for all P1 and P2 controls from the normalized total inherent risk and dividing the remainder by the sum of the weighting factors for all P3 controls, as in the formula $ED_{P3} = \left(R_{\text{Total}} - \sum_{i=1}^{I} w_i - \sum_{j=1}^{J} w_j\right) \big/ \sum_{k=1}^{K} w_k$, where $I$ is the number of controls with priority P1, $J$ is the number of controls with priority P2, and $K$ is the number of controls with priority P3; wherein the steps above are implemented using a computing device.
- Claim: 7. The method of claim 1, involving using multiple-choice questionnaires, wherein the answers to a series of multiple-choice questions are scored for control maturity, comprising: for each control $i$ selected in claim 5, prompting the user with the choice of declarative statements pre-assigned to this control in claim 4; determining based on the response to said choice the precalculated score for the control described in claim 5, and equating the control score for said control to said precalculated score, as in the formula $CS_i = w_i \cdot \text{Degree}_i$; wherein the steps above are implemented using a computing device.
- Claim: 8. The method of claim 1, involving aggregating said actual and expected maturity scores and comparing these to identify and quantify gaps, comprising: for each functional, lifecycle, and control group defined in claim 4, calculating the actual group aggregated maturity score by adding up the maturity scores for all selected controls pre-assigned to said functional, lifecycle, or control group, as in the formula $AM_G = \sum_{i=1}^{n} CS_i$, where there are $n$ controls in group $G$; for each functional, lifecycle, and control group defined in claim 4, calculating the expected group aggregated maturity score by adding up the expected scores for all selected controls pre-assigned to said functional, lifecycle, or control group, as in the formula $EM_G = \sum_{i=1}^{n} ES_i$, where there are $n$ controls in group $G$; for each functional, lifecycle, and control group defined in claim 4, comparing the actual group aggregated maturity score to the expected group aggregated maturity score for all selected controls pre-assigned to said functional, lifecycle, or control group, as in the formula $AM_G$
- Claim: 9. The method of claim 1, involving recommending and prioritizing control improvements that are designed to raise the score to an expected level, comprising: for each functional, lifecycle, or control group $G$ with a gap identified in claim 8; for each security control $i$ pre-assigned to said group, calculating the size of the shortfall for the control by subtracting the control score from the expected score for this control, as in the formula $SF_i = ES_i - CS_i$; sorting all security controls pre-assigned to said group whose control scores fall short of their expected scores, in ascending order of priority (P1 then P2 then P3) followed by descending order of the size of the shortfall $SF_i$; working through the sorted list, choosing controls for improvement, each time subtracting the size of the shortfall $SF_i$ from the size of the gap for said group $GS_G$, until there are no more controls or the sum of shortfall for the chosen controls equals or exceeds the size of the gap, as in the formula $GS_G \le \sum_{\rho=P1}^{P3} \sum_{i=1}^{g} \max(SF_i)_\rho$, where $\max(SF_i)_\rho$ is the largest remaining shortfall in the sorted list of controls with priority $\rho$ in group $G$ and $g$ is the number of controls in group $G$ with a nonzero shortfall; recommending improvements in functionality for said chosen controls, according to the declarative statements pre-assigned in claim 4 for the missing levels of functionality; wherein the steps above are implemented using a computing device.
- Current International Class: 04; 04
- Identifier: edspap.20210234885
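The Python below is an added worked example, not code from the patent or its applicant, that carries claims 3 through 9 end to end on a constructed control universe: the precalculated scores $(CS_i)_L$ and cumulative normalized maturity matrix of claim 5, the priority selection rule of claim 5, the expected degrees of claim 6 (the $ED_{P1}$ case follows the claim's wording, since its formula is not reproduced on the page), the actual scores of claim 7, the group aggregates of claim 8 and the shortfall ordering of claim 9. Control names, priorities, groups, weights and degrees are constructed and the weights are chosen to sum to 1 so that normalized maturity and risk share a scale. Because claim 8 is cut off before it states how the comparison yields a number, the gap size $GS_G = EM_G - AM_G$ is an assumption of this example.

```python
# Added worked example, not the patent's own code: control selection, expected degrees,
# actual scoring, group gaps and remediation ordering (claims 3 to 9). All controls,
# weights and degrees are constructed. GS_G = EM_G - AM_G is assumed (claim 8 is cut off).

LEVELS = ("basic", "intermediate", "advanced")
PRIORITIES = ("P1", "P2", "P3")

# Constructed controls: name -> (priority, functional group, weight w_i, (Degree_i)_L per level)
CONTROLS = {
    "asset_inventory":     ("P1", "Governance", 0.25, {"basic": 0.3, "intermediate": 0.6, "advanced": 1.0}),
    "endpoint_protection": ("P1", "Endpoints",  0.25, {"basic": 0.4, "intermediate": 0.7, "advanced": 1.0}),
    "security_policy":     ("P2", "Governance", 0.20, {"basic": 0.2, "intermediate": 0.6, "advanced": 1.0}),
    "mfa":                 ("P2", "Access",     0.15, {"basic": 0.5, "intermediate": 0.8, "advanced": 1.0}),
    "threat_hunting":      ("P3", "Network",    0.15, {"basic": 0.2, "intermediate": 0.5, "advanced": 1.0}),
}


def weight_sum(priorities):
    """Sum of w_i over the controls whose priority is in `priorities`."""
    return sum(w for p, _, w, _ in CONTROLS.values() if p in priorities)


def control_score(name, level):
    """(CS_i)_L = w_i * (Degree_i)_L  (claim 5; claim 7 uses the level the user chose)."""
    _, _, w, degree = CONTROLS[name]
    return w * degree[level]


def normalized_maturity(priority, level):
    """(M_Total)_{rho,lambda} = AM_{rho,lambda} / sum_i w_i, with AM cumulative: every lower
    priority at the advanced level plus priority rho at level lambda (claim 5)."""
    lower = PRIORITIES[:PRIORITIES.index(priority)]
    am = sum(control_score(n, "advanced") for n, c in CONTROLS.items() if c[0] in lower)
    am += sum(control_score(n, level) for n, c in CONTROLS.items() if c[0] == priority)
    return am / weight_sum(PRIORITIES)


def select_priorities(r_total):
    """Claim 5: the smallest priority set whose advanced-level maturity covers R_Total."""
    for k, p in enumerate(PRIORITIES):
        if r_total <= normalized_maturity(p, "advanced"):
            return PRIORITIES[:k + 1]
    raise ValueError("R_Total exceeds the maturity attainable with all controls")


def expected_degrees(r_total):
    """Claim 6: every selected priority but the last gets ED = 1; the last absorbs the
    remainder, ED = (R_Total - sum of lower-priority weights) / sum of its own weights."""
    selected = select_priorities(r_total)
    ed = {p: 1.0 for p in selected[:-1]}
    ed[selected[-1]] = (r_total - weight_sum(selected[:-1])) / weight_sum(selected[-1:])
    return ed


def remediation_plan(r_total, answers):
    """Claims 7 to 9. `answers` maps each selected control to the level the user chose.
    Returns {functional group with a gap: controls chosen for improvement, in order}."""
    ed = expected_degrees(r_total)
    selected = [n for n, c in CONTROLS.items() if c[0] in ed]
    es = {n: CONTROLS[n][2] * ed[CONTROLS[n][0]] for n in selected}   # ES_i = w_i * ED_{P_i}
    cs = {n: control_score(n, answers[n]) for n in selected}          # CS_i = w_i * Degree_i
    plan = {}
    for group in sorted({CONTROLS[n][1] for n in selected}):
        members = [n for n in selected if CONTROLS[n][1] == group]
        gap = sum(es[n] for n in members) - sum(cs[n] for n in members)  # assumed GS_G = EM_G - AM_G
        if gap <= 0:
            continue
        short = [n for n in members if es[n] - cs[n] > 0]               # SF_i = ES_i - CS_i > 0
        # ascending priority (P1, P2, P3), then descending shortfall
        short.sort(key=lambda n: (PRIORITIES.index(CONTROLS[n][0]), -(es[n] - cs[n])))
        chosen, covered = [], 0.0
        for n in short:                        # take controls until shortfalls cover the gap
            chosen.append(n)
            covered += es[n] - cs[n]
            if covered >= gap:
                break
        plan[group] = chosen
    return plan


# Constructed questionnaire answers for the controls selected at R_Total = 0.6
MATURITY_ANSWERS = {"asset_inventory": "intermediate", "endpoint_protection": "advanced",
                    "security_policy": "basic", "mfa": "basic"}

if __name__ == "__main__":
    print(select_priorities(0.6), expected_degrees(0.6))
    print(remediation_plan(0.6, MATURITY_ANSWERS))
```

With these constructed weights the advanced-level maturity thresholds are 0.5 for P1, 0.85 for P1 plus P2 and 1.0 for all three, so a normalized inherent risk of 0.6 selects P1 and P2 controls, with $ED_{P1} = 1$ and $ED_{P2} = (0.6 - 0.5)/0.35$. Only the “Governance” group ends up with a positive gap; the P1 control in it is recommended first even though the P2 control also falls short, which is the ordering claim 9 prescribes.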