WO2005022420A1 - Method and system for securing information assets and risk managing - Google Patents

Info

Publication number
WO2005022420A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
consistency
impact
factor
relation
Application number
PCT/CA2004/001572
Other languages
French (fr)
Inventor
Eric Pesenti
Hans Briere
Patrick Rioux
Original Assignee
Medical Technologies Inc.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/04 Forecasting or optimisation specially adapted for administrative or management purposes, e.g. linear programming or "cutting stock problem"
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16H HEALTHCARE INFORMATICS, i.e. INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR THE HANDLING OR PROCESSING OF MEDICAL OR HEALTHCARE DATA
    • G16H10/00 ICT specially adapted for the handling or processing of patient-related medical or healthcare data
    • G16H10/20 ICT specially adapted for the handling or processing of patient-related medical or healthcare data for electronic clinical trials or questionnaires

Abstract

The present invention provides a method and a system for increasing information technology security in terms of accuracy and interpretation of data. The method takes into account non-linear (non-standard) cross-correlation of impact which accounts for an effective decision aid and management tool. Therefore, qualitative analysis is likely to be functionally avoided and a strict remedial plan may be conducted in order to increase security of information assets at all times.

Description

TITLE OF THE INVENTION
Method and system for securing information assets and risk managing
FIELD OF THE INVENTION
[0001] The present invention relates to data collecting and processing. More specifically, the present invention is concerned with a method and a system for securing information assets and risk managing.
BACKGROUND OF THE INVENTION
[0002] In organizational structures or applications, an increasing amount of data is collected, stored and processed, usually in an electronic way. Such data may include personal data as well as technical data, and may be used for decision taking and risk managing in the framework of the given organization or application.
[0003] Existing information technology security methods and systems are either obsolete or especially developed for fields related to production. Since they are designed typically in relation to closed type systems provided with a well-defined organizational structure, they are usually based on linear methods and only allow a rough qualitative evaluation.
[0004] There is an increasing concern in relation to the integrity, confidentiality, availability, accuracy and permanence of data, especially of electronic data, in the field of specialized services, which are usually part of open, non-structured systems.
[0005] Therefore, there is a need for a method and a system allowing securing information assets and risk managing in a reliable and effective way.
SUMMARY OF THE INVENTION
[0006] There is provided a method for managing information data assets, comprising the steps of collecting data from at least one data provider in relation to at least one factor; analyzing a consistency of the data collected in relation to each data provider; and assessing a resulting impact of the at least one factor; whereby the resulting impact represents a combined impact of the at least one factor.
[0007] There is provided a system for securing information data of at least one of organizations and applications, comprising means for collecting data in relation to at least one factor; means for analyzing a consistency of the data collected in relation to each data provider; and means for assessing a resulting impact of the at least one factor; wherein the means for assessing a resulting impact yield a combined impact of the at least one factor in the at least one of organizations and applications.
[0008] Other objects, advantages and features of the present invention will become more apparent upon reading of the following non- restrictive description of embodiments thereof, given by way of example only with reference to the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
[0009] In the appended drawings:
[0010] Figure 1 is an example of an organization layout in a hospital institution;
[0011] Figure 2 is a flowchart of a method according to an aspect of the present invention;
[0012] Figure 3 is a matrix calculus assessment of impact according to an embodiment of the method of the present invention;
[0013] Figure 4 is a result matrix [T] of Figure 3;
[0014] Figure 5 is a (q x n) matrix [ML] of linear factors of the matrix calculus assessment of Figure 3;
[0015] Figure 6 is a temporary matrix used in Figure 4;
[0016] Figure 7 is a temporary matrix used in Figure 4; and
[0017] Figure 8 is a resulting matrix of the impact.
DESCRIPTION OF EMBODIMENTS OF THE INVENTION
[0018] Generally stated, there is provided a method and a system for increasing information technology security in terms of accuracy and interpretation of data.
[0019] In particular, the method and system of the present invention take into account non-standard, usually non-linear, contribution of factors to a resulting impact in an organization or an application.
[0020] Data herein may refer to intelligence data, related for example to management procedural, environmental or development operations of organizations.
[0021] The method and system of the present invention may be applied for the security of such information assets in an open unformatted type of organization, such as medical and hospital organizations for example, which may comprise a number of organization layers as illustrated in Figure 1. They may be applied in relation to a variety of organizations and applications, for, for example operating and comparing legislations in a number of countries with regard to a given field or operating and comparing of standards or other types of evaluation means with regard to a specific activity etc.
[0022] As shown in Figure 2, the method of the present invention generally comprises collecting data in relation to a number of factors (step 10); analyzing the consistency of the data collected (step 20); and assessing a resulting impact of the number of factors (step 30).
[0023] As is well known in the art, the step of collecting data (10) may be based on a multi-level questionnaire, whereby an answer r_i is obtained for a factor or parameter i. Interestingly however, due to the data processing approach used in following steps that will be described hereinbelow, the method of the present invention only requires a limited number of entries, typically questions for example, in the questionnaire used to collect the data.
[0024] Moreover, the questionnaire may be designed according to a target population of data providers, whereby for example the computer staff of the organization under survey is not directed the same questions as the human resources thereof, since due to their very activities in the organization, these two groups are not involved in the same manner with the flow of data, or even, they are not involved with a same part of the data flow to begin with.
[0025] Furthermore, the questionnaire may also be designed according to a size of the organization or application whose information assets are being under investigation.
[0026] Therefore, the questionnaire used in the data collecting step is tailored to the specific needs of a given organization or application, in terms of number of entries, content of entries and target surveyed population for example, in order to allow a collection of meaningful data which may be relied upon to yield an adequate diagnosis of the status of the information assets under study.
[0027] The step of analysis of the consistency of the collected data (step 20) takes into account a capacity of each data provider, i.e. each person answering the questionnaire in the data collecting step 10 for instance, to provide data that are assessed both in terms of consistency and accuracy, in order to yield a relative weight to each data thus collected.
[0028] Obviously, simple logical criteria may be applied to assess the consistency of the collected data, for example in the example given hereinbelow where the data are collected by means of a questionnaire comprising 5 levels (questions), each of them to be answered either by "yes" or by "no":
5) There is a delay of more than 1 week between each change of access code.
4) There is a delay of more than 1 month between each change of access code.
3) There is a delay of more than 3 months between each change of access code.
2) There is a delay of more than 4 months between each change of access code.
1) There is a delay of more than 1 year between each change of access code.
[0029] Clearly, a "yes" answer to question 1 is not consistent with a "no" answer to questions 2 to 5, as a "yes" answer to questions 1, 3 and 5 is not consistent with a "no" answer to questions 2 and 4. In this example, it is possible to draw a chart of all the possible consistent sets of answers as shown in Table I as follows:
[Table I: chart of all the possible consistent sets of answers (image not extracted)]
All these sets of answers are characterized by a consistency rating of 100%. A consistency rating inferior to 100% in this example would mean that the data provider, i.e. the person answering the questionnaire, does not understand the questions or does not take the time to thoroughly read them. However, such a consistency of 100% does not necessarily mean accuracy of the data provided, since the data provider may be consistent in his responses while at the same time lacking a desired expertise or knowledge.
[0030] In the case of inconsistency, the following relation may be used:
Consistency = 1 - ((no_max - yes_min) / (number of levels - 1)) (1)
where no_max corresponds to the highest level of question answered with a "no" answer, and yes_min corresponds to the lowest level of question answered with a "yes" answer.
[0031] When the responses are consistent, the consistency is taken as 100%. In the exemplary case given above, the results shown in Table II hereinbelow may thus be obtained:
[Table II: consistency results for the exemplary case (image not extracted)]
A consistency result of 100% means consistency of the data. Such a technique is straightforward but of limited representativeness.
[0032] A more sophisticated consistency measurement technique may involve correlation computation and drawing evaluation profiles related to each data by relations 2-7 below, where cov is the covariance of x and y, σx and σy are the standard deviations of x and y respectively; and u_x and u_y are the average of x and y respectively. x refers to a reference with a fixed value, such as x(1,2,3,4,5)={1,2,3,4,5}, and y(1,2,3,4,5)={1,2,3,4,5} corresponds to consistency in the data collected, giving a correlation equal to 1 or 100%.
Correlation = cov(x, y) / (σx σy) (2)
where cov = (1/n) Σ_i (x_i - u_x)(y_i - u_y) (3)
[Relations (4) to (7): figure not extracted]
[0033] For example, given the pattern of response to the questionnaire already used as an example hereinabove, shown in Table III below, a fair hypothesis would be that data 2 and 3 have been mixed up and that an adequate value for y in the correlation is y={1,3,2,4,5}. Therefore, in that case, the correlation with the reference x={1,2,3,4,5} is 90%. A more severe rating may be selected, by using the factor at a power of 2 instead of 1, which would in this example have yielded a correlation of 81%.
[Table III: pattern of response and correlation with the reference (image not extracted)]
[0034] From the above example, it is obvious that different levels of severity in the correlation assessment may be selected, resulting in correlation ratings that are more or less high, depending on predetermined criteria, including for example a degree of specific expertise and knowledge of the person answering the questionnaire.
[0035] The following Table IV presents two sets of distribution for the yi's according to the patterns of answers to the questionnaire obtained. In Table IV, "0" refers to a "no" answer, while "1" refers to a "yes" answer. Clearly, the first distribution (type 1) involves reduced impacts of inconsistencies, while the second one (type 2) yields a quicker reduction of the correlation.
[Table IV: two distributions (type 1 and type 2) of the y_i's according to the answer patterns (image not extracted)]
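The consistency relation (1) and the correlation-based measure of relations (2)-(3), worked through in Python as an added example (this is not the patent's own code). The five-level access-code questionnaire of paragraph [0028] and the answer patterns are constructed sample data, and the rule that a "yes" at one level implies "yes" at every stricter level above it is taken from the example as read here.

```python
"""Consistency scoring of a multi-level yes/no questionnaire.

Added example (not the patent's own code) implementing relation (1)
and the correlation measure of relations (2)-(3). The constructed
sample is the five-level access-code questionnaire of paragraph
[0028]: a "yes" at level k (e.g. delay > 1 year) implies "yes" at
every stricter level above it (delay > 1 week, and so on).
"""
from itertools import product
from math import sqrt

LEVELS = 5  # question levels 1 (loosest criterion) .. 5 (strictest)


def consistency(answers):
    """Relation (1): Consistency = 1 - (no_max - yes_min)/(levels - 1).

    answers maps level -> True ("yes") / False ("no"). The relation is
    only applied to inconsistent patterns, i.e. when some "no" sits at
    a higher level than some "yes"; consistent patterns score 100%.
    """
    yes = [k for k, a in answers.items() if a]
    no = [k for k, a in answers.items() if not a]
    if not yes or not no or max(no) < min(yes):
        return 1.0
    return 1.0 - (max(no) - min(yes)) / (LEVELS - 1)


def consistent_answer_sets():
    """Enumerate every answer pattern rated 100% (the content of Table I),
    each returned as the tuple of levels answered "yes"."""
    sets = []
    for bits in product([False, True], repeat=LEVELS):
        answers = {k: bits[k - 1] for k in range(1, LEVELS + 1)}
        if consistency(answers) == 1.0:
            sets.append(tuple(k for k in answers if answers[k]))
    return sets


def correlation(x, y, severity=1):
    """Relations (2)-(3): Pearson correlation of the fixed reference x
    with the provider's profile y, raised to a severity power (1 or 2
    in paragraph [0033]). cov uses the 1/n normalisation of (3)."""
    n = len(x)
    ux, uy = sum(x) / n, sum(y) / n
    cov = sum((xi - ux) * (yi - uy) for xi, yi in zip(x, y)) / n
    sx = sqrt(sum((xi - ux) ** 2 for xi in x) / n)
    sy = sqrt(sum((yi - uy) ** 2 for yi in y) / n)
    return (cov / (sx * sy)) ** severity


# Constructed answer patterns from paragraph [0029].
PATTERNS = {
    "yes to 3, 4, 5 (consistent)": {1: False, 2: False, 3: True, 4: True, 5: True},
    "yes to 1 only": {1: True, 2: False, 3: False, 4: False, 5: False},
    "yes to 1, 3, 5": {1: True, 2: False, 3: True, 4: False, 5: True},
}


def score_patterns(patterns=PATTERNS):
    """Return {pattern name: consistency rating} for each constructed pattern."""
    return {name: consistency(a) for name, a in patterns.items()}


if __name__ == "__main__":
    for name, score in score_patterns().items():
        print(f"{name}: {score:.0%}")
    print(len(consistent_answer_sets()), "consistent patterns (Table I)")
    x, y = [1, 2, 3, 4, 5], [1, 3, 2, 4, 5]  # data 2 and 3 mixed up, as in [0033]
    print(f"correlation: {correlation(x, y):.0%}, severity 2: {correlation(x, y, 2):.0%}")
```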
[0036] It appears that such a correlation computation allows more adequately assessing the consistency of data according to a background and expertise of the data provider. Interestingly, it only implies simple computations and is easily implemented with known computation software such as, for example, Excel™, or by using tables.
[0037] For assessing the impacts (step 30), a standard linear computation method may be applied as is well known in the art, summing up each data corresponding to a factor i multiplied by a weighting factor associated therewith, as follows:
Impact = p_1 r_1 + p_2 r_2 + ... + p_i r_i + ... + p_n r_n with n = 1 (8)
where p_i refers to a weight of risk factor i and r_i refers to an answer to factor i.
[0038] However, in cases when two factors have a small impact taken separately but a major impact when occurring simultaneously, the above standard method is ineffective. Moreover, when this method includes adjusting the weights according to individual impact of each factor, the resulting impact is under-estimated; while when it includes adjusting the weights in relation to the combined impact, individual impacts are over-estimated.
[0039] According to the present invention, a more accurate impact assessment method in such a case when two factors have a small impact taken separately and a major impact when occurring simultaneously incorporates a non-linear element in the computation.
[0040] In a first method, each question of the questionnaire used in step 10 is identified as belonging to an entity referred to as a subject, and is given a weight associated with a susceptibility to be impacted, according to its content, in terms of minor susceptibility, major susceptibility and critical susceptibility. The different subjects relate to parameters or targets standardly defined by the organization, for which standard target thresholds are known. Answers to the different questions of the questionnaire are summed up by subject using the susceptibility weights. When the result for a given subject is lower than the standard target threshold thereof, this result is tagged with an asset or a handicap weight. Once the result is obtained for each subject, the subjects are compared and a dependence link matrix is drawn relating the subjects taking into account these asset or handicap weights. Such a first approach yields a global assessment of the interdependency of the subjects as determined by a respective asset or handicap weight of each one in the framework of the organization under study and by the susceptibility weight of each question. Such an approach may be used for example in the field of securing information assets, maintenance, risk management, management planning, standards compliance, etc.
[0041] In a second method, a mathematical function that may be used for example is the so called rounded part function, which may be implemented in conventional spreadsheet calculators and sometimes referred to as "floor", "ceiling", "integer", "round" etc. For example, the "floor" function yields the smallest integer of a value. With such a tool, assessment of impact is then computed as follows:
Impact = p_1 r_1 + p_2 r_2 + ... + p_i r_i + ... + p_n r_n + floor((p_1 r_1 + p_2 r_2 + ... + p_i r_i + ... + p_n r_n) / n) (9)
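Relations (8) and (9) side by side, as an added example that is not the patent's own code; the two-factor weights and yes/no answers are constructed to illustrate the co-occurrence case of paragraph [0038], and the weight re-tuning helper is an illustration of that paragraph's under/over-estimation remark, not a step the patent prescribes.

```python
"""Impact assessment: linear relation (8) versus the floor-based relation (9).

Added example, not the patent's own code. The weights and yes/no
answers below are constructed to illustrate paragraph [0038]: two
factors with a small impact taken separately but a major impact when
they occur together.
"""
from math import floor


def linear_impact(weights, answers):
    """Relation (8): Impact = sum_i p_i * r_i, with p_i the weight of
    risk factor i and r_i the answer to factor i (1 = "yes", 0 = "no")."""
    if len(weights) != len(answers):
        raise ValueError("one weight is required per answer")
    return sum(p * r for p, r in zip(weights, answers))


def floor_impact(weights, answers):
    """Relation (9): the linear sum plus floor(linear sum / n). The
    floor term only contributes once enough weighted factors are
    present at the same time, which is the non-linear element."""
    n = len(weights)
    lin = linear_impact(weights, answers)
    return lin + floor(lin / n)


# Constructed scenario: two factors of weight 1 each.
WEIGHTS = [1, 1]
CASES = {
    "neither": [0, 0],
    "first only": [1, 0],
    "second only": [0, 1],
    "both": [1, 1],
}


def compare_cases(weights=WEIGHTS, cases=CASES):
    """Return {case: (linear impact, floor-based impact)} per answer pattern."""
    return {name: (linear_impact(weights, r), floor_impact(weights, r))
            for name, r in cases.items()}


def retuned_linear_weights(weights, combined_target, answers_all_yes):
    """Hypothetical helper: scale the weights so that relation (8) alone
    reaches the combined target. Paragraph [0038] notes that tuning the
    weights to the combined impact over-estimates the individual
    factors, which compare_cases() on the returned weights shows."""
    scale = combined_target / linear_impact(weights, answers_all_yes)
    return [p * scale for p in weights]


if __name__ == "__main__":
    for name, (lin, nonlin) in compare_cases().items():
        print(f"{name:12s} linear={lin}  with floor term={nonlin}")
    retuned = retuned_linear_weights(WEIGHTS, 3, [1, 1])
    print("re-tuned linear weights:", retuned, compare_cases(retuned))
```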
[0042] In the present invention, a matrix calculus method is developed (see Figures 2-7), wherein impact is assessed by separating a standard (linear) part and a non-linear part thereof, as follows:
[MI][MNL][ML][R] = [T] (10)
where [MI] is a (m x q) impact matrix comprising an identity matrix I (m x m) and non-linear factors impact (m x s) where q = m+s; [MNL] is a (q x q) matrix of non-linear factors; [ML] is a (q x n) matrix of linear factors (see Figure 4); [R] is a column matrix (n x 1) of the n answers, and [T] is a column matrix (m x 1) of results (Figure 2).
[0043] The column matrix [T] of results is computed as a product of the impact matrix [MI] by temporary matrix [MT1, 2] (see Figures 3 and 5-6).
[0044] The method yields an assessment of impact as illustrated by the matrix in Figure 7.
[0045] Matrix calculus techniques are well known in the art, and software packages are available, such as Lapack™ for example, which allow processing matrices of up to 1000 X 1000 in less than half a second on a Pentium™ 42 GHz. Alternatively, with tools such as Excel™ that do not require VBA software, a 154 X 154 matrix may be processed without delay.
[0046] As people in the art will appreciate, the method of the present invention not only allows a qualitative assessment of global risks of direct impacts, but also a quantitative assessment of combined risks of specific data.
[0047] A system according to the present invention allows carrying on the method described hereinabove. The system basically comprises an intelligence unit and a processing unit, wherein the intelligence unit provides a knowledge database and the processing unit provides decision tools for an automated diagnostic.
[0048] The method and the system of the present invention provide a tool for an automated diagnosis, by the ability of a functional unit to detect problems and to identify the type of error.
[0049] The present method allows handling of data including collection and validation of the data, classification and weighting of factors of direct impacts; classification and modeling of correlation between the data. In particular, the present method comprises assessing a data consistency factor, a classification of data in relation to security thereof, and an assessment of risks related to each type of data by a combination of direct impacts.
[0050] The present invention provides a method for increasing information technology security in terms of accuracy and interpretation of data. In particular, the method of the present invention takes into account non- standard (non-linear) contribution of impact. Furthermore, this invention provides continuous multi-model management of risk items in accordance with the type of organization.
[0051] The present invention provides a method for increasing information technology security in terms of accuracy and interpretation of data. Interestingly, the method of the present invention takes into account non-linear (non-standard) cross-correlation of impact which accounts for an effective decision aid and management tool. The present method and system may be seen as an expert method and system for information assets. They may be used in risk analysis, assessment of an overall state of an institution or organization, operating and comparing legislations with regard to a given field or operating and comparing of standards or other types of evaluation means with regard to a specific activity, determining remedial actions, and validating results of these actions. Interestingly, they may be used for securing information assets and risk managing of a number of organizations or applications at a time.
[0052] Although the present invention has been described hereinabove by way of embodiments thereof, it can be modified, without departing from the nature and teachings thereof as defined herein.

Claims

1. A method for securing information data assets of at least one of organizations and applications, comprising the steps of: collecting data from at least one data provider in relation to at least one factor; analyzing a consistency of the data collected in relation to each one of at least one data provider; and assessing a resulting impact of the at least one factor; whereby the resulting impact represents a combined impact of the at least one factor in a framework of the at least one of organizations and applications.
2. The method according to claim 1, wherein said step of collecting data comprises using a multi-level questionnaire, whereby each data is an answer r_i obtained in relation to a factor i.
3. The method according to claim 2, wherein the multi-level questionnaire is designed according to at least one of a target population of data providers and a size of the at least one of organizations and applications whose information assets are being under investigation.
4. The method according to claim 1, wherein said step of analyzing a consistency of the data collected comprises determining a correlation and an accuracy of each data in relation to the at least one data provider and associating a relative weight to each data thus collected.
5. The method according to claim 4, wherein said step of analyzing a consistency of the data collected comprises assessing a consistency in the data provided by each of the at least one data provider.
6. The method according to claim 2, wherein said step of collecting data comprises using a yes/no questionnaire having a given number of levels and said step of analyzing a consistency of the data collected comprises using a relation as follows:
Consistency = 1 - ((no_max - yes_min) / (number of levels - 1)),
where no_max corresponds to a highest level answered with a "no" answer, and yes_min corresponds to a lowest level answered with a "yes" answer.
7. The method according to claim 2, wherein said step of analyzing a consistency of the data collected comprises determining correlation and drawing evaluation profiles related to each data, using a relation as follows:
Correlation = cov(x, y) / (σ_x σ_y) (2)
where cov(x, y) = (1/n) Σ_i (x_i - u_x)(y_i - u_y) (3)
where x refers to a reference with a fixed value, y corresponds to correlation in the data collected, cov is a covariance of x and y, σ_x and σ_y are standard deviations of x and y respectively, and u_x and u_y are an average of x and y respectively.
8. The method according to claim 7, wherein said step of analyzing a consistency of the data collected comprises selecting different levels of severity of correlation depending on predetermined criteria, including at least one of a degree of specific expertise and knowledge of each data provider.
9. The method according to claim 2, wherein said step of assessing a resulting impact comprises: identifying each question of the questionnaire as belonging to one of a number of subjects; associating to each question a susceptibility weight; summing up answers to each question of the questionnaire by subject using the susceptibility weight, and when a result for a given subject is lower than a standard target threshold thereof, tagging the result with a result weight; and comparing, when the result is obtained for each subject, the subjects and drawing a dependence link matrix relating the subjects taking into account the result weights; whereby the subjects relate to predefined factors, and a global assessment of an interdependency of the subjects is obtained by a respective result weight of each one in a framework of the at least one of an organization and an application under study and by the susceptibility weight of each question.
10. The method according to claim 2, wherein said step of assessing impact comprises using a relation as follows:
Impact = p_1 r_1 + p_2 r_2 + ... + p_i r_i + ... + p_n r_n + floor((p_1 r_1 + p_2 r_2 + ... + p_i r_i + ... + p_n r_n) / n)
where p_i refers to a weight associated with factor i.
11. The method according to claim 2, wherein said step of assessing impact comprises separating a linear contribution and a non-linear contribution of the at least one factor.
12. The method according to any one of claims 1 to 11, wherein the applications comprise legislations in a number of countries with regard to a given field, standards in a number of countries with regard to a given field and other types of evaluation means in a number of countries with regard to a specific activity.
13. A system for securing information data of at least one of organizations and applications, comprising: means for collecting data in relation to at least one factor; means for analyzing a consistency of the data collected in relation to each data provider; and means for assessing a resulting impact of the at least one factor; wherein said means for assessing a resulting impact yield a combined impact of the at least one factor in the at least one of organizations and applications.
14. The system according to claim 13, wherein said means for collecting data comprises collecting answers to a multi-level questionnaire, each answer r_i being obtained in relation to a factor i.
15. The system according to claim 14, wherein said multi-level questionnaire is designed according to at least one of a target population of data providers and a size of the at least one of organizations and applications.
16. The system according to claim 14, wherein said means for analyzing a consistency of the data collected in relation to each data provider determines a correlation and an accuracy of each data in relation to each data provider and associates a relative weight to each data collected.
17. The system according to claim 14, wherein said means for collecting data comprises a yes/no questionnaire having a given number of levels and said means for analyzing a consistency of the data collected determines a consistency as follows:
Consistency = 1 - ((no_max - yes_min) / (number of levels - 1)),
where no_max corresponds to a highest level answered with a "no" answer, and yes_min corresponds to a lowest level answered with a "yes" answer.
18. The system according to claim 14, wherein said means for analyzing a consistency of the data collected determines a correlation and draws evaluation profiles related to each data, as follows:
Correlation = cov(x, y) / (σ_x σ_y) (2)
where cov(x, y) = (1/n) Σ_i (x_i - u_x)(y_i - u_y) (3)
where x refers to a reference with a fixed value, y corresponds to correlation in the data collected, cov is a covariance of x and y, σ_x and σ_y are standard deviations of x and y respectively, and u_x and u_y are an average of x and y respectively.
19. The system according to claim 18, wherein said means for analyzing a consistency of the data collected selects different levels of severity of correlation depending on predetermined criteria, including at least one of a degree of specific expertise and a degree of knowledge of each data provider.
20. The system according to claim 14, wherein said means of assessing a resulting impact identifies each question of the questionnaire as belonging to one of a number of subjects; associates to each question a susceptibility weight; sums up answers to each question of the questionnaire by subject using the susceptibility weight, and when a result for a given subject is lower than a standard target threshold thereof, tags the result with a result weight; and compares, when the result is obtained for each subject, the subjects and draws a dependence link matrix relating the subjects taking into account the result weights; the subjects relating to predefined factors, and a global assessment of an interdependency of the subjects being obtained by a respective result weight of each one in a framework of the at least one of organizations and applications and by the susceptibility weight of each question.
21. The system according to claim 14, wherein said means of assessing a resulting impact determines an impact as follows:
Impact = p_1 r_1 + p_2 r_2 + ... + p_i r_i + ... + p_n r_n + floor((p_1 r_1 + p_2 r_2 + ... + p_i r_i + ... + p_n r_n) / n)
where p_i refers to a weight associated with factor i.
22. The system according to claim 14, wherein said means of assessing a resulting impact separates a linear contribution and a non-linear contribution of the at least one factor.
23. The system according to any one of claims 13 to 22, wherein the organizations and applications are selected in the group consisting of medical institutions, hospitals, institutions, legislations in a number of countries with regard to a given field, standards in a number of countries with regard to a given field and other types of evaluation means in a number of countries with regard to a specific activity.
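An added worked example, not code from the patent or its applicant, that implements the claim 6 consistency relation, the claim 9 per-subject tagging, and the claim 10 impact relation with its claim 11 split into linear and non-linear contributions. The level answers, subject names, susceptibility weights, thresholds and result weights are constructed values, and the treatment of a provider who answers uniformly "yes" or uniformly "no" (where no_max or yes_min is undefined) is an assumption the claims do not spell out.

```python
from math import floor
from collections import defaultdict


def consistency(answers, levels):
    """Claim 6 relation, as written: 1 - ((no_max - yes_min) / (levels - 1)).
    answers maps level number -> True for a "yes" answer, False for "no"."""
    no_levels = [lvl for lvl, ans in answers.items() if not ans]
    yes_levels = [lvl for lvl, ans in answers.items() if ans]
    if not no_levels or not yes_levels:
        # Assumption (not defined on the page): a provider who answers
        # uniformly yes or uniformly no has no contradiction to measure.
        return 1.0
    return 1 - ((max(no_levels) - min(yes_levels)) / (levels - 1))


def impact_contributions(weights, answers):
    """Claim 10 relation split as in claim 11: linear part sum(p_i * r_i),
    non-linear part floor(sum(p_i * r_i) / n)."""
    linear = sum(p * r for p, r in zip(weights, answers))
    return linear, floor(linear / len(answers))


def impact(weights, answers):
    """Resulting impact of the factors = linear + non-linear contribution."""
    return sum(impact_contributions(weights, answers))


def subject_results(questions, thresholds, result_weights):
    """Claim 9: sum susceptibility-weighted answers per subject and tag a
    subject with its result weight when its total falls below target."""
    totals = defaultdict(int)
    for q in questions:
        totals[q["subject"]] += q["susceptibility"] * q["answer"]
    tagged = {}
    for subject, total in totals.items():
        below_target = total < thresholds[subject]
        tagged[subject] = (total, result_weights[subject] if below_target else 0)
    return tagged


# Constructed sample input: one provider's answers to a 5-level yes/no
# questionnaire, and four questions over two subjects (values are made up).
SAMPLE_LEVEL_ANSWERS = {1: True, 2: True, 3: False, 4: True, 5: True}
SAMPLE_QUESTIONS = [
    {"subject": "access control", "susceptibility": 3, "answer": 1},
    {"subject": "access control", "susceptibility": 2, "answer": 0},
    {"subject": "backup", "susceptibility": 1, "answer": 1},
    {"subject": "backup", "susceptibility": 4, "answer": 1},
]
SAMPLE_THRESHOLDS = {"access control": 4, "backup": 4}
SAMPLE_RESULT_WEIGHTS = {"access control": 2, "backup": 1}

if __name__ == "__main__":
    print(consistency(SAMPLE_LEVEL_ANSWERS, 5))  # 0.5
    print(impact([2, 1, 3], [3, 4, 2]))  # 21
    print(subject_results(SAMPLE_QUESTIONS, SAMPLE_THRESHOLDS, SAMPLE_RESULT_WEIGHTS))
```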
PCT/CA2004/001572 2003-08-29 2004-08-27 Method and system for securing information assets and risk managing WO2005022420A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US49857903P 2003-08-29 2003-08-29
US60/498,579 2003-08-29

Publications (1)

Publication Number Publication Date
WO2005022420A1 true WO2005022420A1 (en) 2005-03-10

Family

ID=34272697

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CA2004/001572 WO2005022420A1 (en) 2003-08-29 2004-08-27 Method and system for securing information assets and risk managing

Country Status (1)

Country Link
WO (1) WO2005022420A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000034911A2 (en) * 1998-12-11 2000-06-15 Arthur Andersen Llp System for modeling, measuring, managing, and depicting the effects of business decisions on market value
US6510419B1 (en) * 1998-04-24 2003-01-21 Starmine Corporation Security analyst performance tracking and analysis system and method
US6757660B2 (en) * 1999-08-26 2004-06-29 Blane, Canada Ltd. Method for analyzing information to provide an objective assessment of a predefined subject



Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OR RIGHTS PURSUANT TO RULE 69(1) EPC (COMMUNICATION DATED 23-05-2006, EPO FORM 1205A)

122 Ep: pct application non-entry in european phase