The present invention relates to systems for determining the security of information systems and, in particular, for evaluating the security of third-party computer systems.
When a company wants to reduce its cyber security risk of doing business with another company's computer systems, it either performs, or hires an outside firm to perform, a cyber security assessment of the other company to determine if it is following good security practices. The theory is that these good practices make it difficult for attackers to compromise the networks of the other company. If the auditing company is satisfied with the assessment, it may choose to continue doing business with the other company. Or, it may ask the other company to make some improvements to its security systems or terminate the business relationship.
Generally, these audits are slow, expensive and impractical given the high volume of service provider security systems that need to be characterized by the company. And, the inventors have noted that audits are not entirely predictive of the performance of the security systems.