1. Field of the Invention
The present invention relates to a risk analysis engine, and, more particularly, to an adaptable risk analysis engine capable of representing and executing organizational risk policies through input and analysis of both online and offline data sources.
2. Description of the Related Art
Businesses are constantly under attack by entities both inside and outside the walls of the business. With the expanding worldwide interconnectivity of people and entities fueled by technological advances such as the Internet and handheld electronic devices, there are increased opportunities for attack. These attacks are increasingly dangerous as attackers gain the technology and the proficiency to overwhelm or bypass a business's security measures.
These attacks pose significant risks to employees and business entities, where risk is defined as the combination of the probability of an event occurring and the potential impact of that event. The impact associated with a risk can be either positive or negative. The events for which risk is determined can come from many different sources. Internet or intranet hackers continually scan for exploitable vulnerabilities in security software, productivity software, or email software and launch targeted or Internet-wide attacks either directly or through distributable malware such as spyware, crimeware, trojans, viruses, or worms. Terrorists, both domestic and international, pose physical, financial, and electronic threats to the operation of a business. Competitors looking to develop an advantage over the business can steal valuable information.
A business's own employees can pose some of the greatest threats to the organization, in part because of the enormous potential impact of an employee's actions. Employees who are poorly trained or negligent can pose a threat to the business by inadvertently disrupting or destroying assets, allowing unauthorized access, or distributing proprietary information or malware. Dishonest, disgruntled, or terminated employees can pose more direct and dangerous threats including assault, bribery, blackmail, theft, sabotage, disruption or destruction of company assets, unauthorized access, or the intentional distribution of malware or proprietary information.
To reduce the risk of these threats to an acceptable or manageable level, businesses commonly implement risk management systems that continually monitor the activities of the business's employees as well as the activities of the business as a whole. Risk management systems perform risk analysis to identify and characterize threats, and then assess the qualitative or quantitative magnitude of the risk as a function of the possibility of the threat occurring and the predicted harm that would occur as a result of that occurrence. Although previous risk management systems monitor business activities and produce risk assessments, no risk assessment system utilizes a risk analysis method similar to the present invention.