1. Field
Embodiments of the present invention apply to the field of network security and risk assessment, more specifically enterprise risk assessment.
2. Description of the Related Art
Modern business enterprises operate in a complex regulatory environment. Many enterprises must comply with various government regulations at the federal, state, and local levels. For example, most public corporations (at the present time, any publicly traded corporation with fifty million or more in market capitalization) must comply with the Sarbanes-Oxley Act of 2002. Financial enterprises, health-related enterprises, and other more stringently regulated industries have their own regulatory frameworks.
Furthermore, many business enterprises have internal policies and controls that are independent of government regulation. These controls and policies may concern security, confidentiality, trade secret protection, access control, best practices, accounting standards, business process policies, and other such internal rules and controls. The cost of complying with all regulations, rules, policies, and other requirements can be substantial for a large-scale business enterprise.
One common problem faced by business enterprises in the area of control, policy, and regulatory compliance is risk assessment and mitigation. Current risk models use determinative formulas and models to calculate the risk associated with assets. One problem with determinative risk formulas and models is that no new information can be gained by simulating changes to their inputs in an attempt to find mitigations. For example, a determinative risk formula may calculate risk as threat severity multiplied by threat likelihood multiplied by threat impact. Because the formula is fixed, the effect of reducing any input is known in advance: halving the likelihood halves the risk, whatever the other inputs are. Thus, a risk assessment professional gains no new knowledge about risk mitigation from such determinative models and formulas, whose output is linear in each input.
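The following Python script is an added illustration of the point above; it is not part of the patent text and the asset names and scores in it are constructed sample data. It computes the severity × likelihood × impact score for a few assets, "simulates" a mitigation by re-running the formula with scaled inputs, and checks that the simulated result is exactly what the closed-form prediction already gives, so the simulation reveals nothing the formula did not.

```python
"""Determinative risk formula: risk = severity * likelihood * impact.

Added example (not from the patent): with a fixed multiplicative formula,
the effect of scaling any input is known in closed form, so re-running the
formula with mitigated inputs only reproduces what can be computed directly.
All assets below are constructed sample data.
"""
import math
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    severity: float    # 0..10, how serious the threat is if realised
    likelihood: float  # 0..1, estimated probability of the threat in the period
    impact: float      # monetary loss if the threat is realised


def risk(a: Asset) -> float:
    """The determinative formula from the text: severity x likelihood x impact."""
    return a.severity * a.likelihood * a.impact


def simulate(a: Asset, severity_factor: float = 1.0,
             likelihood_factor: float = 1.0, impact_factor: float = 1.0) -> float:
    """'Simulate' a mitigation by scaling the inputs and re-evaluating the formula."""
    mitigated = replace(
        a,
        severity=a.severity * severity_factor,
        likelihood=a.likelihood * likelihood_factor,
        impact=a.impact * impact_factor,
    )
    return risk(mitigated)


def predicted(a: Asset, severity_factor: float = 1.0,
              likelihood_factor: float = 1.0, impact_factor: float = 1.0) -> float:
    """Closed-form result: each factor scales the product independently,
    so no simulation is needed to know the mitigated score."""
    return risk(a) * severity_factor * likelihood_factor * impact_factor


# Constructed sample assets (hypothetical names and scores).
ASSETS = [
    Asset("payroll-db", severity=8.0, likelihood=0.30, impact=250_000.0),
    Asset("marketing-site", severity=3.0, likelihood=0.60, impact=10_000.0),
    Asset("build-server", severity=6.0, likelihood=0.20, impact=80_000.0),
]


def mitigation_gain(assets, **factors) -> dict:
    """Risk reduction per asset for a mitigation expressed as scaling factors."""
    return {a.name: risk(a) - simulate(a, **factors) for a in assets}


def best_target(assets, **factors) -> str:
    """Asset whose score drops most under the mitigation; with a multiplicative
    formula this is simply the asset with the highest current score."""
    gains = mitigation_gain(assets, **factors)
    return max(gains, key=gains.get)


def simulation_adds_nothing(assets, **factors) -> bool:
    """True when every simulated score equals its closed-form prediction."""
    return all(math.isclose(simulate(a, **factors), predicted(a, **factors))
               for a in assets)


if __name__ == "__main__":
    halve_likelihood = {"likelihood_factor": 0.5}
    for a in ASSETS:
        print(f"{a.name:15s} risk={risk(a):>10.0f} "
              f"after mitigation={simulate(a, **halve_likelihood):>10.0f}")
    print("best target:", best_target(ASSETS, **halve_likelihood))
    print("simulation adds nothing:", simulation_adds_nothing(ASSETS, **halve_likelihood))
```

Because each input enters the product independently, the ranking of mitigation candidates is fixed by the current scores alone; a halved likelihood always yields the largest absolute gain on the asset that already has the highest score, which is why the text says such models give the assessor no new knowledge.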