Invention Title:

PRE-EMPTIVE RISK QUANTIFICATION WITH HARM CAPACITY USING FOUNDATIONAL MODELS

Publication number:

US20260127290

Publication date:

2026-05-07

Section:

Physics

Class:

G06F21/577

Inventors:

Adam Lee Griffin 🇺🇸 Cohasset, MN, United States

Balaji Muthusamy Pandurangan 🇳🇱 Amstelveen, Netherlands

Vivek Soni 🇮🇳 Pune, India

Assignee:

INTERNATIONAL BUSINESS MACHINES CORPORATION 🇺🇸 ARMONK, NY, United States

Applicant:

INTERNATIONAL BUSINESS MACHINES CORPORATION 🇺🇸 Armonk, NY, United States

Smart overview of the Invention

The disclosed method involves constructing a model of an IT system composed of multiple elements to evaluate potential cybersecurity threats. This model is used to generate threat data, representing potential vulnerabilities and exploits within the system. Each element within the system is assigned a value, which is then used to model the potential harm from these threats. A neural network processes this information to quantify the risk, combining the likelihood of encountering the threat with the potential harm and the allocated value of the system elements.

Context

In the current digital landscape, organizations depend heavily on IT infrastructures to manage operations and safeguard sensitive data. The complexity and interconnectedness of these systems have increased the risk of cyberattacks and IT failures, potentially leading to financial losses and reputational damage. Traditional qualitative risk assessment methods often lack precision, making it challenging to prioritize mitigation efforts effectively. Therefore, a systematic and quantitative approach is needed to evaluate and manage risks, translating them into tangible financial impacts.

Methodology

The invention introduces a process for quantified threat assessment on IT systems, addressing deficiencies in existing methods. It assesses the system's architecture, network traffic, and policies, using data on threats, vulnerabilities, and exploits. The approach includes evaluating the nature and value of system components, incorporating internal vulnerabilities into the analysis, and identifying areas where security improvements offer the most value. The risk is quantified by considering the likelihood and impact of threats, taking into account the value of compromised systems and data.

Application

The system can be implemented through a computer program product, involving a computer-readable storage medium with program instructions. These instructions are executed by a processor via computer-readable memory, enabling the automated risk quantification process. The invention is applicable to any digital system that processes or stores data, and can be adapted to various configurations and environments, including hardware, software, or a combination thereof.

Flexibility and Adaptability

The illustrative embodiments are described using specific configurations and components as examples, but the invention is not limited to these. It is adaptable to various data types, storage devices, and computing environments. The system's flexibility allows it to be integrated with other structures, systems, or applications, providing a comprehensive solution for managing IT risks. The invention's scope includes any suitable manifestation of the described process, allowing for alterations and modifications to suit specific needs and technologies.