초록 ▼

Systems and methods for calculating threat scores for individuals within an organization or domain are provided. Aspects of the invention relate to computer-implemented methods that form a predictive threat rating for user accounts. In one implementation, a first threat score representing a first ti

Systems and methods for calculating threat scores for individuals within an organization or domain are provided. Aspects of the invention relate to computer-implemented methods that form a predictive threat rating for user accounts. In one implementation, a first threat score representing a first time period may be calculated. The first threat score may be compared with aspects of the same user accounts for a second time period. Weighting schemes may be applied to certain activities, controls, and/or user accounts. Further aspects relate to apparatuses configured to execute methods for ranking individual user accounts. Certain embodiments may not block transmissions that violate predefine rules, however, indications of such improper transmission may be considered when constructing a threat rating. Blocked transmissions enforced upon a user account may also be received. Certain activity, such as accessing the internet, may be monitored for the presence of a security threat and/or an ethics threat.

대표청구항 ▼

1. A computer-implemented method comprising: calculating, by a computing device having a processor, a threat score for a plurality of user accounts having access to a first network and at least a portion of the user accounts having access to a second network that comprises a centralized store of ele

1. A computer-implemented method comprising: calculating, by a computing device having a processor, a threat score for a plurality of user accounts having access to a first network and at least a portion of the user accounts having access to a second network that comprises a centralized store of electronic data, comprising, for each user account determining, by the computing device, an overall threat score (foverall), where foverall=(flive+fanalytic)*fperson100, wherein flive includes calculation of data from a first time period and is calculated, by the computing device, for a plurality of activities, wherein for each activity: -flive=∑x=0n⁢⁢xgreaterThan⁢⁢0(weightxlive2)+(hitxmaxhitx)⁢(weightxlive2), where x specifies a predefined activity selected from a plurality of activities, and xgreaterThan⁢⁢0={1,hitsx>00,hitsx=0⁢ wherein fanalytic includes the calculation of data from a second time period and is calculated, by the computing device, for the plurality of activities of flive, wherein: fanalytic=(spikex+aboveAvgx+offHoursx)*(weightxanalytic)wherein spikex is assigned, by the computing device, a zero value unless the user account comprises an activity level during the first time period that is over a first threshold level above an average of the same user account during the second time period and a first integer if the user account comprises an activity level during the first time period that is over the first threshold level above the average of the same user account during the second time period;wherein aboveavgx is assigned, by the computing device, a zero unless the user account comprises an activity level that is over a first threshold level above an average of a plurality of user accounts for the same time period and a first integer if the user account comprises an activity level that is over a first threshold level above an average of a plurality of user accounts for the same time period;wherein offhoursx is assigned, by the computing device, a zero unless the user account comprises an activity level during a time frame during the first time period before or after the average start or end time for that user account and a first integer if the user account comprises an activity level during a time frame during the first time period before or after the average start or end time for that user account; wherein fperson is a variable that considers one or more weights given to the user account; andwherein weightxlive is a weighting value used for activities during the first time period and weightxanalytic is a weighting value used for activities during the second time period;ranking the plurality of user accounts based on the calculated threat score; anddisplaying the ranking of the plurality of user accounts. 2. The method of claim 1, wherein spikex is assigned, by the computing device, the first integer when the first threshold level of spikex is about 40% greater than the average of the same user account during the second time period. 3. The method of claim 1, wherein the aboveavgx is assigned, by the computing device, the first integer when the first threshold level of aboveavgx is above about 30% greater than the activity of the plurality of user accounts for the same time period. 4. The method of claim 1, wherein the offhoursx is assigned, by the computing device, the first integer when the activity level is detected about 6 hours before or after the average start or end time for that user account. 5. The method of claim 1, wherein activities of the plurality of activities are selected from the group consisting of: a security threat, an ethics threat, blocked transmission through the targeted communication application, transmission through the targeted communication application meeting the predefined criterion, attempted access of the centralized store, an attempted illegal storage attempt, and combinations thereof. 6. The method of claim 1, wherein fperson is calculated, by the computing device, according to: fperson=1+∑x=0n⁢(categoryx)⁢(weightcategory), wherein categoryx is a category of a user account and weightcategory is a weight associated with the category. 7. One or more non-transitory computer-readable media comprising computer-executable instructions that, when executed by a processor, cause the processor to: calculate a threat score for a plurality of user accounts having access to a first network and at least a portion of the user accounts having access to a second network that comprises a centralized store of electronic data, comprising, for each user account determining an overall threat score (foverall), where foverall=(flive+fanalytic)*fperson100, wherein flive includes calculation of data from a first time period and is calculated for a plurality of activities, wherein for each activity: -flive=∑x=0n⁢⁢xgreaterThan⁢⁢0(weightxlive2)+(hitxmaxhitx)⁢(weightxlive2), where x specifies a predefined activity selected from a plurality of activities, and xgreaterThan⁢⁢0={1,hitsx>00,hitsx=0⁢ wherein fanalytic includes the calculation of data from a second time period and is calculated for the plurality of activities of flive, wherein: fanalytic=(spikex+aboveAvgx+offHoursx)*(weightxanalytic)assign spikex a zero value unless the user account comprises an activity level during the first time period that is over a first threshold level above an average of the same user account during the second time period and a first integer if the user account comprises an activity level during the first time period that is over the first threshold level above the average of the same user account during the second time periodassign aboveavgx a zero unless the user account comprises an activity level that is over a first threshold level above an average of a plurality of user accounts for the same time period and a first integer if the user account comprises an activity level that is over a first threshold level above an average of a plurality of user accounts for the same time period;assign offhoursx a zero unless the user account comprises an activity level during a time frame during the first time period before or after the average start or end time for that user account and a first integer if the user account comprises an activity level during a time frame during the first time period before or after the average start or end time for that user account; wherein fperson is a variable that considers one or more weights given to the user account; and wherein weightxlive is a weighting value used for activities during the first time period and weightxanalytic is a weighting value used for activities during the second time period;ranking the plurality of user accounts based on the calculated threat score; anddisplaying the ranking of the plurality of user accounts. 8. The one or more non-transitory computer-readable media of claim 7, further including instructions that, when executed, cause the processor to assign spikex the first integer when the first threshold level of spikex is about 40% greater than the average of the same user account during the second time period. 9. The one or more non-transitory computer-readable media of claim 7, further including instructions that, when executed, cause the processor to assign aboveavgx the first integer when the first threshold level of aboveavgx is above about 30% greater than the activity of the plurality of user accounts for the same time period. 10. The one or more non-transitory computer-readable media of claim 7, further including instructions that, when executed, cause the processor to assign offhoursx the first integer when the activity level is detected about 6 hours before or after the average start or end time for that user account. 11. The one or more non-transitory computer-readable media of claim 7, wherein activities of the plurality of activities are selected from the group consisting of: a security threat, an ethics threat, blocked transmission through the targeted communication application, transmission through the targeted communication application meeting the predefined criterion, attempted access of the centralized store, an attempted illegal storage attempt, and combinations thereof. 12. The one or more non-transitory computer-readable media of claim 7, further including instructions that, when executed, cause fperson to be calculated according to: fperson=1+∑x=0n⁢(categoryx)⁢(weightcategory), wherein categoryx is a category of a user account and weightcategory is a weight associated with the category. 13. An apparatus, comprising: a processor;memory storing computer-readable instructions that, when executed, cause the apparatus to:calculate a threat score for a plurality of user accounts having access to a first network and at least a portion of the user accounts having access to a second network that comprises a centralized store of electronic data, comprising, for each user account determining an overall threat score (foverall), where foverall=(flive+fanalytic)*fperson100, wherein flive includes calculation of data from a first time period and is calculated for a plurality of activities, wherein for each activity: -flive=∑x=0n⁢⁢xgreaterThan⁢⁢0(weightxlive2)+(hitxmaxhitx)⁢(weightxlive2), where x specifies a predefined activity selected from a plurality of activities, and xgreaterThan⁢⁢0={1,hitsx>00,hitsx=0⁢ wherein fanalytic includes the calculation of data from a second time period and is calculated for the plurality of activities of flive, wherein: fanalytic=(spikex+aboveAvgx+offHoursx)*(weightxanalytic)  Equation 1b:assign spikex a zero value unless the user account comprises an activity level during the first time period that is over a first threshold level above an average of the same user account during the second time period and a first integer if the user account comprises an activity level during the first time period that is over the first threshold level above the average of the same user account during the second time period;assign aboveavgx a zero unless the user account comprises an activity level that is over a first threshold level above an average of a plurality of user accounts for the same time period and a first integer if the user account comprises an activity level that is over a first threshold level above an average of a plurality of user accounts for the same time period;assign offhoursx a zero unless the user account comprises an activity level during a time frame during the first time period before or after the average start or end time for that user account and a first integer if the user account comprises an activity level during a time frame during the first time period before or after the average start or end time for that user account; wherein fperson is a variable considers one or more weights given to the user account; and wherein weightxlive is a weighting value used for activities during the first time period and weightxanalytic is a weighting value used for activities during the second time period; ranking the plurality of user accounts based on the calculated threat score; anddisplaying the ranking of the plurality of user accounts. 14. The apparatus of claim 13, further including instructions that, when executed, cause the apparatus to assign spikex the first integer when the first threshold level of spikex is about 40% greater than the average of the same user account during the second time period. 15. The apparatus of claim 13, further including instructions that, when executed, cause the apparatus to assign aboveavgx the first integer when the first threshold level of aboveavgx is above about 30% greater than the activity of the plurality of user accounts for the same time period. 16. The apparatus of claim 13, further including instructions that, when executed, cause the apparatus to assign offhoursx the first integer when the activity level is detected about 6 hours before or after the average start or end time for that user account. 17. The apparatus of claim 13, wherein activities of the plurality of activities are selected from the group consisting of: a security threat, an ethics threat, blocked transmission through the targeted communication application, transmission through the targeted communication application meeting the predefined criterion, attempted access of the centralized store, an attempted illegal storage attempt, and combinations thereof. 18. The apparatus of claim 13, further including instructions that, when executed, cause fperson to be calculated according to: fperson=1+∑x=0n⁢(categoryx)⁢(weightcategory), wherein categoryx is a category of a user account and weightcategory is a weight associated with the category.