1. Field
Embodiments of the present invention apply to the field of network security and risk assessment, more specifically enterprise risk assessment.
2. Description of the Related Art
Modern business enterprises operate in a complex regulatory environment. Many enterprises must comply with various government regulations both on the federal level and on the state and local levels. For example, most public corporations (at the present time any publicly traded corporation with fifty million or more market capitalization) must comply with the Sarbanes-Oxley Act of 2002. Financial enterprises, health-related enterprises, and other more stringently regulated industries have their own regulatory frameworks.
Furthermore, many business enterprises have internal policies and controls independent of government regulation. These controls and policies may be concerned with security, confidentiality maintenance, trade secret protection, access control, best practices, accounting standards, business process policies, and other such internal rules and controls. The cost of complying with all regulations, rules, policies, and other requirements can be substantial for a large scale business enterprise.
One common problem faced by business enterprises in the control/policy/regulation compliance area is risk assessment. To satisfy either governmental regulations or internal policies, enterprises are often required to assess risk on many levels. Such risk assessment is traditionally done by risk assessment experts who collect evidence from various parts of the enterprise and determine the risks associated with various assets. Often, these experts, or rudimentary automated systems, will use pre-defined formulas to calculate risk. One problem with such calculations is that a formula that works well for one type of asset will generally not work well for other types of assets.