This specification relates to analyzing risk in a system of assets. An asset is a computer or other electronic device. A system of assets can be connected over one or more networks. For example, a home might have five assets, all of which are networked to each other and connected to the outside world through the Internet. As another example, a business might have three physically separate offices, each of which has many assets. The assets within each office and the assets across the offices can be connected over a network.
A system administrator is often interested in knowing the risk that each asset in the system faces for each of various threats to the assets. Each threat corresponds to a potential attack on the asset by a particular virus, malware, or other unauthorized entity. An attack occurs when the unauthorized entity exploits a known vulnerability of the asset in an attempt to access or control the asset.
Risk calculation systems calculate risk for individual assets for individual threats. Risk is determined from both the likelihood of an attack corresponding to a threat occurring and the damage likely to be suffered if the attack were to occur.
System administrators want a complete risk assessment of the entire system. However, conventional risk calculation systems do not provide as accurate of a risk characterization for entire systems as is desired. One reason is that, in order to accurately calculate risk, accurate and complete data is needed; however, the data used by conventional systems is often incomplete. Traditional vulnerability detection systems indicate when an asset is vulnerable, but do not indicate when an asset is not vulnerable. If the detection system does not indicate that an asset is vulnerable, a risk calculation system does not know if the asset was not tested for the vulnerability, or if the asset was tested and is not vulnerable.
Another reason is that risk calculation systems often receive data from only agent-based sensors or only network-based sensors, and not both. This further results in incomplete data. In addition, conventional systems have difficulty determining which assets are protected by network-based sensors.
Yet another reason is that conventional risk systems focus on either vulnerability of assets (e.g., is an asset vulnerable to a threat) or countermeasure protection for an asset (e.g., is an asset protected from a threat), but not both. This results in an incomplete picture of risk in a system.
Yet another reason is that when an attack is detected on an asset, it can sometimes be difficult to uniquely identify the asset that was attacked.