1. The Field of the Invention
The present invention generally relates to methods and systems for protecting computer products such as software and devices from attack and, more particularly, to methods and systems for determining the relative susceptibility of computing software and devices to attack.
2. Background and Relevant Art
In the computer industry, it is well known that computer software and networks can be attacked, such as, for example, by hackers. In particular, hackers can breach the security features of a computer product, thereby obtaining access to valuable trade secret and personal information that is stored therein. Upon breaching the security features of a computer product, malicious hackers can alter programming and destroy valuable computing resources that are associated with the computer product.
Accordingly, in order to prevent some of the foregoing problems, the computing industry has continually attempted to secure known vulnerabilities and to develop new robust and secure computer products that are less likely to be attacked than the preceding products.
However, despite the best efforts that have been directed at overcoming known security deficiencies and at developing more secure products, the computing industry has yet to develop a method for determining the relative vulnerability of a computer product to attack, thereby making it difficult to determine how secure a product actually is. Accordingly, the question concerning which of two or more computer products is less vulnerable to attack is not an easy question to answer.
Prior to the present invention, the security and vulnerability of a computer product were determined largely based upon the past history of the particular computer product. Even more particularly, the security of the computer product was typically determined by considering whether or not the computer product had been attacked in the past and whether or not the attack was successful. Such a determination, however, is subjective and based upon the conditional circumstances and timing in which the computer product was exposed to a potential attack.
Accordingly, one problem with the known techniques for determining a product's susceptibility to attack is that they may be inaccurate or at least give a false impression. For example, a relatively insecure product which is very vulnerable to attack, but which has, by fortune, never actually been the subject of an attack, may actually be perceived by some to be relatively more secure than a second product that is in reality more secure, but which has successfully been attacked in the past by a very skilled attacker.
Yet another problem with known techniques for determining a product's susceptibility to attack is that they do not provide any objective measure by which a system operator can impose limits for determining whether a product should be utilized based upon an existing susceptibility to attack or a changing susceptibility to attack.
Accordingly, there is a need in the art for a more objective means for determining the relative susceptibility of computer products to attack.