
Method And Device For Software Risk Management Within Information Technology (IT) Infrastructure

Abstract: This disclosure relates to a method and device for software risk management within an IT infrastructure. The method includes computing security risk factors for a plurality of software components based on available executables for the plurality of software components. A set of software components are identified from the plurality of components, such that, a security risk factor for each of the set of software components is greater than a predefined threshold. Thereafter, a compensating control is activated for at least one of the set of software components, when a compensating control mechanism is available for each of the at least one software component and the compensating control mechanism satisfies control criteria. The method includes dynamically deploying at least one continuous monitoring tool satisfying monitoring criteria, to monitor each of at least one remaining software component, for which compensating control mechanism is not available, for a predefined duration. FIG.1


Patent Information

Application #:
Filing Date: 23 March 2017
Publication Number: 42/2018
Publication Type: INA
Invention Field: COMPUTER SCIENCE
Status:
Email: ipr@akshipassociates.com
Parent Application:
Patent Number:
Legal Status:
Grant Date: 2023-06-02
Renewal Date:

Applicants

WIPRO LIMITED
Doddakannelli, Sarjapur Road, Bangalore 560035, Karnataka, India.

Inventors

1. SOURAV SAM BHATTACHARYA
13418 N Cliff Top Drive, Fountain Hills, Arizona 85268, United States of America

Specification

Claims:
WE CLAIM
1. A method of software risk management within an Information Technology (IT) infrastructure, the method comprising:
computing, by a risk management device, security risk factors for a plurality of software components based on availability of executables for the plurality of software components;
identifying, by a risk management device, a set of software components from the plurality of components in response to computing, wherein a security risk factor for each of the set of software components is greater than a predefined threshold;
activating, by the risk management device, compensating control for at least one of the set of software components, when a compensating control mechanism is available for each of the at least one software component and the compensating control mechanism satisfies control criteria; and
dynamically deploying, by the risk management device, at least one continuous monitoring tool satisfying monitoring criteria, to monitor each of at least one remaining software component in the set of software components for a predefined duration, wherein a compensating control mechanism is not available for each of the at least one remaining software component.

2. The method of claim 1, wherein the security risk factors are computed based on interdependencies amongst the plurality of software components, the interdependencies are based on at least data-flow interdependencies between the plurality of software components and human usage interdependencies relating to the usage of the plurality of software components.

3. The method of claim 2, wherein computing the security risk factors based on interdependencies comprises:
identifying at least one adjacency tree within the plurality of software components,
wherein an adjacency tree from the at least one adjacency tree comprises a subset of the plurality of software components and each software component in the subset is represented as a node in the adjacency tree, and
wherein the adjacency tree comprises at least one path and each of the at least one path comprises at least one of a root node, a destination node, and zero or more middle nodes, wherein a root node is the first node and a destination node is the last node in each of the at least one path.

4. The method of claim 3 further comprising:
computing an individual security risk associated with each node in the at least one path; and
computing a path risk for each path leading to a current node from an associated root node, wherein a path risk for a path leading to the current node is computed based on individual security risk computed for each node preceding the current node within the path, and wherein the current node is one of a middle node or a destination node.

5. The method of claim 4 further comprising computing a cumulative security risk for the current node based on an individual security risk computed for the current node and the path risk computed for each path leading to the current node.

6. The method of claim 5, wherein computing the cumulative security risk comprises applying a traversal probability of a path to an associated path risk, and wherein the traversal probability indicates a probability of traversing the path to reach the current node.

7. The method of claim 5 further comprising converting the cumulative security risk to a security risk factor for the current node.

8. The method of claim 2 further comprising determining, by the risk management device, an insurance aggregate limit and an insurance premium for a software component, based on a security risk factor computed for the software component and an asset value associated with the software component.

9. The method of claim 1, wherein a security risk factor for a software component from the plurality of software components is computed based on individual security risk of the software component without dependency on other software components in the plurality of software components.

10. The method of claim 1, wherein the predefined duration is updated in real time.

11. A risk management device for managing software risk in an Information Technology (IT) infrastructure, the risk management device comprising:
a processor; and
a memory communicatively coupled to the processor, wherein the memory stores processor instructions, which, on execution, causes the processor to:
compute security risk factors for a plurality of software components based on availability of executables for the plurality of software components;
identify a set of software components from the plurality of components in response to computing, wherein a security risk factor for each of the set of software components is greater than a predefined threshold;
activate compensating control for at least one of the set of software components, when a compensating control mechanism is available for each of the at least one software component and the compensating control mechanism satisfies control criteria; and
dynamically deploy at least one continuous monitoring tool satisfying monitoring criteria, to monitor each of at least one remaining software component in the set of software components for a predefined duration, wherein a compensating control mechanism is not available for each of the at least one remaining software component.

12. The risk management device of claim 11, wherein the security risk factors are computed based on interdependencies amongst the plurality of software components, the interdependencies are based on at least data-flow interdependencies between the plurality of software components and human usage interdependencies relating to the usage of the plurality of software components.

13. The risk management device of claim 12, wherein to compute the security risk factors based on interdependencies, the processor instructions further cause the processor to:
identify at least one adjacency tree within the plurality of software components,
wherein an adjacency tree from the at least one adjacency tree comprises a subset of the plurality of software components and each software component in the subset is represented as a node in the adjacency tree, and
wherein the adjacency tree comprises at least one path and each of the at least one path comprises at least one of a root node, a destination node, and zero or more middle nodes, wherein a root node is the first node and a destination node is the last node in each of the at least one path.

14. The risk management device of claim 13, wherein the processor instructions further cause the processor to:
compute an individual security risk associated with each node in the at least one path; and
compute a path risk for each path leading to a current node from an associated root node, wherein a path risk for a path leading to the current node is computed based on individual security risk computed for each node preceding the current node within the path, and wherein the current node is one of a middle node or a destination node.

15. The risk management device of claim 14, wherein the processor instructions further cause the processor to compute a cumulative security risk for the current node based on an individual security risk computed for the current node and the path risk computed for each path leading to the current node.

16. The risk management device of claim 15, wherein to compute the cumulative security risk the processor instructions further cause the processor to apply a traversal probability of a path to an associated path risk, and wherein the traversal probability indicates a probability of traversing the path to reach the current node.

17. The risk management device of claim 15, wherein the processor instructions further cause the processor to convert the cumulative security risk to a security risk factor for the current node.

18. The risk management device of claim 12, wherein the processor instructions further cause the processor to determine an insurance aggregate limit and an insurance premium for a software component, based on a security risk factor computed for the software component and an asset value associated with the software component.

19. The risk management device of claim 1, wherein a security risk factor for a software component from the plurality of software components is computed based on individual security risk of the software component without dependency on other software components in the plurality of software components.

Dated this 23rd day of March, 2017

R Ramya Rao
Of K&S Partner
Agent for the Applicant
Description:
TECHNICAL FIELD
This disclosure relates generally to software risk management and more particularly to a method and device for software risk management within an Information Technology (IT) infrastructure.
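
An added illustration of the computation described in claims 1 and 3 to 7, not code from the patent or the applicant. The claims state no formulas, so the way path risk and cumulative risk are combined, the 0-10 risk factor scale, and all component names, risk values and traversal probabilities below are assumptions constructed for the example; individual risk is taken as a given input.

```python
from math import prod

# Constructed sample data (not from the patent): per-component individual
# risk in [0, 1] and directed data-flow edges with a traversal probability.
RISK = {"portal": 0.30, "vpn": 0.20, "api": 0.10, "db": 0.05}
EDGES = {("portal", "api"): 0.9, ("vpn", "api"): 0.5, ("api", "db"): 0.8}
CONTROLS = {"api"}  # components with a compensating control meeting the criteria

def paths_to(node):
    """All (preceding_nodes, traversal_probability) paths from a root to node."""
    parents = [(src, p) for (src, dst), p in EDGES.items() if dst == node]
    found = []
    for src, p in parents:
        upstream = paths_to(src) or [([], 1.0)]  # src is a root if nothing precedes it
        found += [(nodes + [src], prob * p) for nodes, prob in upstream]
    return found

def path_risk(preceding):
    # Assumed model: chance that at least one preceding node is compromised,
    # using only the individual risk of each node before the current one.
    return 1 - prod(1 - RISK[n] for n in preceding)

def cumulative_risk(node):
    # Assumed combination: the node's own risk, or any inherited path risk
    # weighted by the probability of traversing that path.
    survive = 1 - RISK[node]
    for preceding, prob in paths_to(node):
        survive *= 1 - prob * path_risk(preceding)
    return 1 - survive

def risk_factor(node):
    # Assumed conversion: scale cumulative risk to a 0-10 factor.
    return round(10 * cumulative_risk(node), 2)

def triage(threshold):
    """Components above the threshold get a control if one exists, else monitoring."""
    plan = {}
    for node in RISK:
        if risk_factor(node) > threshold:
            plan[node] = ("compensating_control" if node in CONTROLS
                          else "continuous_monitoring")
    return plan

if __name__ == "__main__":
    for name in RISK:
        print(name, risk_factor(name))
    print(triage(3.5))
```

The low-risk database ends up above the threshold only because of the risk it inherits along its paths, which is the effect the interdependency claims are aiming at.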

Documents

Application Documents

# Name Date
1 Power of Attorney [23-03-2017(online)].pdf 2017-03-23
2 Form 5 [23-03-2017(online)].pdf 2017-03-23
3 Form 3 [23-03-2017(online)].pdf 2017-03-23
4 Form 18 [23-03-2017(online)].pdf_2.pdf 2017-03-23
5 Form 18 [23-03-2017(online)].pdf 2017-03-23
6 Form 1 [23-03-2017(online)].pdf 2017-03-23
7 Drawing [23-03-2017(online)].pdf 2017-03-23
8 Description(Complete) [23-03-2017(online)].pdf_35.pdf 2017-03-23
9 Description(Complete) [23-03-2017(online)].pdf 2017-03-23
10 Other Patent Document [05-04-2017(online)].pdf 2017-04-05
11 Correspondence by Agent_Form30_11-04-2017.pdf 2017-04-11
12 201744010206-Proof of Right (MANDATORY) [17-08-2018(online)].pdf 2018-08-17
13 Correspondence by Agent_ Form1_23-08-2018.pdf 2018-08-23
14 201744010206-FER.pdf 2020-06-11
15 201744010206-OTHERS [30-11-2020(online)].pdf 2020-11-30
16 201744010206-Information under section 8(2) [30-11-2020(online)].pdf 2020-11-30
17 201744010206-FORM 3 [30-11-2020(online)].pdf 2020-11-30
18 201744010206-FER_SER_REPLY [30-11-2020(online)].pdf 2020-11-30
19 201744010206-DRAWING [30-11-2020(online)].pdf 2020-11-30
20 201744010206-CORRESPONDENCE [30-11-2020(online)].pdf 2020-11-30
21 201744010206-COMPLETE SPECIFICATION [30-11-2020(online)].pdf 2020-11-30
22 201744010206-CLAIMS [30-11-2020(online)].pdf 2020-11-30
23 201744010206-ABSTRACT [30-11-2020(online)].pdf 2020-11-30
24 201744010206-US(14)-HearingNotice-(HearingDate-17-02-2023).pdf 2023-01-11
25 201744010206-US(14)-ExtendedHearingNotice-(HearingDate-22-02-2023).pdf 2023-01-12
26 201744010206-POA [14-01-2023(online)].pdf 2023-01-14
27 201744010206-FORM 13 [14-01-2023(online)].pdf 2023-01-14
28 201744010206-Correspondence to notify the Controller [14-01-2023(online)].pdf 2023-01-14
29 201744010206-AMENDED DOCUMENTS [14-01-2023(online)].pdf 2023-01-14
30 201744010206-Written submissions and relevant documents [09-03-2023(online)].pdf 2023-03-09
31 201744010206-PETITION UNDER RULE 137 [09-03-2023(online)].pdf 2023-03-09
32 201744010206-FORM-26 [09-03-2023(online)].pdf 2023-03-09
33 201744010206-FORM 3 [09-03-2023(online)].pdf 2023-03-09
34 201744010206-PatentCertificate02-06-2023.pdf 2023-06-02
35 201744010206-IntimationOfGrant02-06-2023.pdf 2023-06-02

Search Strategy

1 searchstrategy201744010206E_09-06-2020.pdf

ERegister / Renewals

3rd: 01 Sep 2023

From 23/03/2019 - To 23/03/2020

4th: 01 Sep 2023

From 23/03/2020 - To 23/03/2021

5th: 01 Sep 2023

From 23/03/2021 - To 23/03/2022

6th: 01 Sep 2023

From 23/03/2022 - To 23/03/2023

7th: 01 Sep 2023

From 23/03/2023 - To 23/03/2024

8th: 18 Mar 2024

From 23/03/2024 - To 23/03/2025

9th: 17 Mar 2025

From 23/03/2025 - To 23/03/2026