Abstract: A security system comprising a computer, a memory, a data store comprising a cyber threat intent dictionary and a technology dictionary; and an application stored in the memory. When executed by the computer, the application generates a report that comprises an identification of a cyber threat intent and the identification of a cyber threat technology, wherein the cyber threat intent is selected from a plurality of cyber threat intents listed in the cyber threat intent dictionary and wherein the cyber threat technology is selected from the technology dictionary. The application also populates values in a cyber threat progression vector, where the cyber threat progression vector comprises elements that each corresponds to an action in a chain of actions associated with a cybercrime, where the values correspond to one of present or not present. The vector is used to manage the cyber risk of an enterprise or organization.

Abstract: A security system comprising a computer, a memory, a data store comprising a plurality of consensus evaluations and a plurality of cyber threat analyst ratings, and an application stored in the memory. When executed by the computer, the application generates a cyber threat report that identifies of a cyber threat intent and a cyber threat technology, receives from a cyber threat analyst an input of a cyber threat frequency score, an input of a cyber threat likelihood score, and an input of a cyber threat capability score, and generates a cyber threat intensity based on the scores and based on a cyber threat analyst rating stored in the data store and associated with the cyber threat analyst inputting the scores, whereby the cyber threat report and the cyber threat intensity are used to select cyber risk mitigation actions to economically manage the cyber risk of an enterprise or organization.

Abstract: A security system is provided. The system comprises a computer system, a memory accessible to the computer system, a data store, and an application. The data store comprises a threat catalog, wherein the threat catalog comprises a plurality of threat vectors, each threat vector comprising a plurality of fields, wherein each field is constrained to carry a value selected from a predefined list of enumerated values. The application is stored in the memory and, when executed by the computer system receives a threat report, wherein the threat report comprises an identification of at least one threat vector, determines a correlation between the at least one threat vector received in the threat report with the threat vectors comprising the threat catalog, and, based on the correlation, sends a notification to a stakeholder in an organization under the protection of the security system.

Abstract: A system for electronic crime reduction is provided, comprising a computer system, a database, a malware de-compiler, a malware parser, and an inference engine. The database contains information that associates electronic crime attack signature data with at least one of an individual, a group, and a location. The malware de-compiler, when executed on the computer system, translates a first malware executable to an assembly language version. The first malware is associated with an electronic crime that has been committed. The malware parser, when executed on the computer system, analyzes the assembly language version to identify distinctive coding preferences used to develop the first malware. The inference engine, when executed on the computer system, analyzes the distinctive coding preferences identified by the malware parser application in combination with searching the database to identify one of an individual, a group, and a location associated with the electronic crime.

Abstract: A security system is provided. The system comprises a computer system, a memory accessible to the computer system, a data store, and an application. The data store comprises a threat catalog, wherein the threat catalog comprises a plurality of threat vectors, each threat vector comprising a plurality of fields, wherein each field is constrained to carry a value selected from a predefined list of enumerated values. The application is stored in the memory and, when executed by the computer system receives a threat report, wherein the threat report comprises an identification of at least one threat vector, determines a correlation between the at least one threat vector received in the threat report with the threat vectors comprising the threat catalog, and, based on the correlation, sends a notification to a stakeholder in an organization under the protection of the security system.

Abstract: A method of selecting security actions is provided. The method comprises estimating a maximum forecast loss, identifying general, sector specific, and targeted threats. The method further comprises forecasting a security loss based on the estimated maximum forecast loss and the threats, estimating a reduction in the security loss based on a first investment on a general threat countermeasure, on a second investment on a sector specific countermeasure, and on a third investment on a targeted threat countermeasure. The method further comprises allocating at least a portion of a security investment budget among the first, the second, and the third investments to maximize the estimated reduction in security loss. An aspect disclosed comprises a method that determines rates of return on security investment and selects security investments based on the rates of return. An aspect disclosed comprises a system for forecasting a security loss based on a security investment.

Abstract: A security system is provided. The system comprises a computer system, a memory accessible to the computer system, a data store, and an application. The data store comprises a threat catalog, wherein the threat catalog comprises a plurality of threat vectors, each threat vector comprising a plurality of fields, wherein each field is constrained to carry a value selected from a predefined list of enumerated values. The application is stored in the memory and, when executed by the computer system receives a threat report, wherein the threat report comprises an identification of at least one threat vector, determines a correlation between the at least one threat vector received in the threat report with the threat vectors comprising the threat catalog, and, based on the correlation, sends a notification to a stakeholder in an organization under the protection of the security system.

Abstract: A security system is provided. The system comprises a computer system, a memory accessible to the computer system, a data store, and an application. The data store comprises a threat catalog, wherein the threat catalog comprises a plurality of threat vectors, each threat vector comprising a plurality of fields, wherein each field is constrained to carry a value selected from a predefined list of enumerated values. The application is stored in the memory and, when executed by the computer system receives a threat report, wherein the threat report comprises an identification of at least one threat vector, determines a correlation between the at least one threat vector received in the threat report with the threat vectors comprising the threat catalog, and, based on the correlation, sends a notification to a stakeholder in an organization under the protection of the security system.

Abstract: A method of selecting security actions is provided. The method comprises estimating a maximum forecast loss, identifying general, sector specific, and targeted threats. The method further comprises forecasting a security loss based on the estimated maximum forecast loss and the threats, estimating a reduction in the security loss based on a first investment on a general threat countermeasure, on a second investment on a sector specific countermeasure, and on a third investment on a targeted threat countermeasure. The method further comprises allocating at least a portion of a security investment budget among the first, the second, and the third investments to maximize the estimated reduction in security loss. An aspect disclosed comprises a method that determines rates of return on security investment and selects security investments based on the rates of return. An aspect disclosed comprises a system for forecasting a security loss based on a security investment.

Abstract: A system for electronic crime reduction is provided, comprising a computer system, a database, a malware de-compiler, a malware parser, and an inference engine. The database contains information that associates electronic crime attack signature data with at least one of an individual, a group, and a location. The malware de-compiler, when executed on the computer system, translates a first malware executable to an assembly language version. The first malware is associated with an electronic crime that has been committed. The malware parser, when executed on the computer system, analyzes the assembly language version to identify distinctive coding preferences used to develop the first malware. The inference engine, when executed on the computer system, analyzes the distinctive coding preferences identified by the malware parser application in combination with searching the database to identify one of an individual, a group, and a location associated with the electronic crime.