
System And Method For Determining An Asset Maturity Score For An Organisation

Abstract: A system 100 and method 300 for determining a maturity score for an organization, called the overall maturity score, is described. The system 100 may collect data comprising macro level data and micro level data, wherein such data is collected from user devices. A plurality of positive controls, found among a plurality of applicable controls, are evaluated, wherein the components and sub-components of the asset under audit are evaluated for each applicable control by considering their weaknesses. A baseline may be determined, represented by a first variable which describes the commitment of the organization in providing the necessary security to the asset, and a second variable is further determined to represent the quality of the control environment. The numerical value obtained by combining the first and the second variable represents the asset maturity score of the information asset, indicating its preparedness against cyber-attacks.


Patent Information

Filing Date: 14 May 2017
Publication Number: 22/2017
Publication Type: INA
Invention Field: PHYSICS
Email: ip@stratjuris.com
Grant Date: 2019-02-28

Applicants

LUCIDEUS TECH PRIVATE LIMITED
NSIC Campus, Software Technology Park Extn, Okhla Phase III, New Delhi - 110020

Inventors

1. Nitin Aggarwal
NSIC Campus, Software Technology Park Extn, Okhla Phase III, New Delhi - 110020
2. Saket Modi
NSIC Campus, Software Technology Park Extn, Okhla Phase III, New Delhi - 110020

Specification

The following specification particularly describes the disclosure and the manner in which it is to be performed.
CROSS-REFERENCE TO RELATED APPLICATIONS AND PRIORITY
The present application does not claim priority from any other patent application(s).
TECHNICAL FIELD
The present disclosure relates to the field of information asset security systems and, more particularly, to a system and method for obtaining a maturity score denoting the maturity of preparedness of an information technology system asset against cyberattacks.
BACKGROUND
A controlled environment for an organisation’s assets is of utmost importance to every organisation for securing them from vulnerabilities and other miscellaneous threats. An organisation with a weak control environment may suffer massive governance failure. To properly manage the organisation’s operations, managers or apex level members need to determine the level of financial and compliance risk they are willing to assume. Risk assessment is one of management's responsibilities, and it enables management to act proactively in reducing unwanted threats. Failure to consciously manage these risks can result in a lack of confidence in achieving financial goals.
One of the major problems an organisation faces is the lack of knowledge of where it stands in terms of cyber defence against the threats to its technology and information. Organisations hold many information assets at various cyber locations. Such information assets are likely to face cyber-attacks. Therefore, it is very necessary to know the strength of an information asset against the level of attacks or threats of disclosure or dispersal.
Currently, a maturity score for an organisation’s asset is usually calculated from data collected through interviews and an auditor's on-field observations. The data might not be collected in a fashion suited to cybersecurity, because of the vastness of the data that would have to be collected and the time it would take to collect it if the process were not automated. Therefore, such an obsolete process is time consuming and, to an extent, neither effective nor accurate.
Therefore, there is a long-standing requirement of a system and method of obtaining a maturity score for an organisation wherein such maturity score may illustrate the preparedness of an information asset of an organisation against cyber-attacks.

SUMMARY
Before the present apparatus and its components and its method of use are described, it is to be understood that this disclosure is not limited to the particular apparatus and its arrangement as described, as there can be multiple possible embodiments which are not expressly illustrated in the present disclosure but may still be practicable within the scope of the disclosure as determined by the claims. It is also to be understood that the terminology used in the description is for the purpose of describing the particular versions or embodiments only, and is not intended to limit the scope of the present application. This summary is not intended to identify essential features of the claimed subject matter, nor is it intended for use in detecting or limiting the scope of the claimed subject matter.
In an embodiment, a system enabled for determining a maturity score for an organisation, called the overall maturity score, is described. The system may further comprise a server, a processor and a memory coupled with the processor, wherein the processor executes a plurality of modules stored in the memory, the plurality of modules comprising a data collecting module 206 for collecting data further comprising macro level data and micro level data, wherein such data is collected from a plurality of user devices belonging to the organisation. The plurality of modules may further comprise an evaluating module for evaluating a plurality of positive controls which are found from a plurality of applicable controls, wherein a plurality of components and sub-components of an applicable control is evaluated by considering the weakness of each component and sub-component of the asset under audit. The plurality of modules may further comprise a baseline module 208 for determining a baseline represented by a first variable, wherein the value of the first variable describes the commitment of the organisation in providing the necessary security to the asset. The plurality of modules may further comprise a quality module 209 for obtaining a second variable to represent the quality of the control environment created for the information asset by analysing the macro level data comprising the information about the asset and its environment, and by further combining the analysed information, wherein the information regarding the security vulnerabilities, configuration, and policies in different components is reduced to a common scale which is capable of being represented in numerical form. The numerical value obtained by combining the first and the second variable represents the asset maturity score, which denotes the maturity of the information asset, indicating its preparedness against cyber-attacks or threats.
In another embodiment, a method of determining an asset maturity score for an organisation is described. The method may comprise collecting, via a processor, data further comprising macro level data and micro level data, wherein such data is collected from a plurality of user devices belonging to the organisation. The method may further comprise evaluating a plurality of positive controls which are found from a plurality of applicable controls, wherein a plurality of components and sub-components of an applicable control is evaluated by considering the weakness of each component and sub-component of the asset under audit. The method may further comprise determining, via the processor, a baseline represented by a first variable, wherein the value of the first variable describes the commitment of the organisation in providing the necessary security to the asset. The method may further comprise obtaining, via the processor 201, a second variable to represent the quality of the control environment created for the information asset by analysing the macro level data comprising the information about the asset and its environment, and by further combining the analysed information, wherein the information regarding the security vulnerabilities, configuration, and policies in different components is reduced to a common scale which is capable of being represented in numerical form. The method may further comprise determining, via the processor 201, the level of security of the information asset belonging to the organisation based on the macro level data. The numerical value obtained by combining the first and the second variable represents the asset maturity score, which denotes the maturity of the information asset, indicating the preparedness of such information against cyber-attacks or threats.
In yet another embodiment, a non-transitory computer readable medium storing a program for determining an asset maturity score for an organisation is described. The program may comprise instructions for collecting data further comprising macro level data and micro level data, wherein such data is collected from a plurality of user devices belonging to the organisation. The program may further comprise instructions for evaluating a plurality of positive controls which are found from a plurality of applicable controls, wherein a plurality of components and sub-components of an applicable control is evaluated by considering the weakness of each component and sub-component of the asset under audit. The program may further comprise instructions for determining a baseline represented by a first variable, wherein the value of the first variable describes the commitment of the organisation in providing the necessary security to the asset. The program may further comprise instructions for obtaining a second variable to represent the quality of the control environment created for the information asset by analysing the macro level data comprising the information about the asset and its environment, and by further combining the analysed information, wherein the information regarding the security vulnerabilities, configuration, and policies in different components is reduced to a common scale which is capable of being represented in numerical form. The program may further comprise instructions for determining the level of security of the information asset belonging to the organisation based on the macro level data. The numerical value obtained by combining the first and the second variable represents the asset maturity score, which denotes the maturity of the information asset, indicating the preparedness of such information against cyber-attacks or threats.
In yet another embodiment, a method of calculating an overall maturity score of an asset for an organisation is described. The method may comprise obtaining, via a processor, a plurality of maturity scores for a plurality of assets, wherein each asset maturity score represents the maturity of the information asset for preparedness against cyber-attacks or threats for a particular asset belonging to the plurality of assets. The method may further comprise calculating, via the processor, maturity scores for a plurality of organisation level controls further comprising a plurality of architecture controls and policy controls. The method may further comprise assigning, via the processor, a plurality of weights for reducing the plurality of asset maturity scores and the maturity scores obtained for architecture controls and policy controls. The method may further comprise analysing, via the processor, an overall maturity score of an asset for the organisation based on a combination of the plurality of asset maturity scores, the maturity scores of architecture controls and policy controls, and the assigned weights.
BRIEF DESCRIPTION OF DRAWINGS

The detailed description is described with reference to the accompanying Figures. In the Figures, the left-most digit(s) of a reference number identifies the Figure in which the reference number first appears. The same numbers are used throughout the drawings to refer to like features and components.
Figure 1 illustrates a network implementation of the system 100 for obtaining a maturity score denoting the maturity of preparedness of an information technology asset against cyberattacks, in accordance with an embodiment of the present subject matter.
Figure 2 illustrates the server 101 and its components, in accordance with an embodiment of the present subject matter.
Figure 3 illustrates a method 300 for obtaining a maturity score denoting the maturity of preparedness of an information technology asset against cyberattacks, in accordance with an embodiment of the present subject matter.
Figures 4-A, 4-B, 4-C and 4-D illustrate simulation results, in accordance with an embodiment of the present subject matter.

DETAILED DESCRIPTION
The present disclosure relates to the field of information asset security systems and, more particularly, to a system and method for obtaining a maturity score denoting the maturity of preparedness of an information technology asset against cyberattacks.
The maturity of the security provided to an asset is thus a quality or state of having fully developed the information security required for the asset. The asset maturity score may indicate the quality or state reached in the process of developing the information security provided to a particular asset. The disclosure intends to create a controlled environment within the organisation’s environment to resist unauthorised and unwanted malicious activities within that environment. This controlled environment may be established by maintaining a set of controls which may improve such efforts. An information system which represents an asset may comprise a number of in-house components as well as third-party components. The dark-world researchers or unauthorised and non-licensed hackers study these components to find the security faults or vulnerabilities in them and thus contribute exploit code and other exploits against the information security wherever the said components are used. One of the intended purposes of the security controls is to resist these very vulnerabilities that are known. Other controls are maintained to provide a different type of security by monitoring the activities related to information systems and to protect against the unknown vulnerabilities. Thus, the information about which controls are applied, or not applied when applicable to an asset, may provide an idea of how close the information security is to the state of being fully developed.
Referring to Figure 1, a network implementation of the system 100 for obtaining a maturity score denoting the maturity of preparedness of an information technology asset against cyberattacks is illustrated, in accordance with an embodiment of the present subject matter. In one embodiment, the system may comprise a server 101 which is connected to one or more user devices 103 by a network 102. The one or more user devices 103 may comprise a user device owned by an employee of a particular organisation, laptops and computers of the organisation, data storage devices of the organisation, and other devices capable of processing and storing information which may be important for the organisation. Such user devices 103 may function as a data collecting means for the server 101.
Although the present subject matter is explained considering that the system 100 is implemented on a server 101, it may be understood that the system 100 may also be implemented in a variety of computing systems, such as a distributed system, a laptop computer, a desktop computer, a notebook, a workstation, a mainframe computer, a server, or a network server, and using a variety of database software such as an RDBMS (for example Oracle or Postgres) or a distributed file system (for example MapR). Examples of the user devices 103 may include, but are not limited to, a portable computer, a personal digital assistant, a handheld device, and a workstation.
In one implementation, the network 102 may be a wireless network, a wired network or a combination thereof. The network 102 can be implemented as one of the different types of networks, such as intranet, local area network (LAN), wide area network (WAN), the internet, and the like. The network 102 may either be a dedicated network or a shared network. The shared network represents an association of the different types of networks that use a variety of protocols, for example, Hypertext Transfer Protocol (HTTP), Transmission Control Protocol/Internet Protocol (TCP/IP), Wireless Application Protocol (WAP), and the like, to communicate with one another. Further the network 102 may include a variety of network devices, including routers, bridges, servers, computing devices, storage devices, and the like.
Referring now to Figure 2, the server 101 is illustrated in accordance with an embodiment of the present subject matter. In one embodiment, the server 101 may include at least one processor 201, an input/output (I/O) interface 202, and a memory 203. The at least one processor 201 may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions. Among other capabilities, the at least one processor 201 is configured to fetch and execute computer-readable instructions stored in the memory 203.
The I/O interface 202 may include a variety of software and hardware interfaces, for example, a web interface, a graphical user interface, and the like. The I/O interface 202 may allow the server 101 to interact with one or more devices such as a laptop computer, personal computer, smartphone, and the like. Further, the I/O interface 202 may enable the server 101 to communicate with other computing devices, such as web servers and external data servers (not shown). The I/O interface 202 can facilitate multiple communications within a wide variety of networks and protocol types, including wired networks, for example, LAN, cable, etc., and wireless networks, such as WLAN, cellular, or satellite. The I/O interface 202 may include one or more ports for connecting several devices to one another or to another server.
The memory 203 may include any computer-readable medium known in the art including, for example, volatile memory, such as static random access memory (SRAM) and dynamic random access memory (DRAM), and/or non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and magnetic tapes. The memory 203 may include modules 204 and data 205.
The modules 204 include routines, programs, objects, components, data structures, etc., which perform particular tasks or implement particular abstract data types. In one implementation, the modules 204 may include a data collecting module 206, an evaluating module 207, a baseline module 208, a quality module 209 and other modules. The other modules may include programs or coded instructions that supplement applications and functions of the server 101.
The data 205, amongst other things, serves as a repository for storing data processed, received, and generated by one or more of the modules 204. The data 205 may include a data repository 212 and other data 213. The data repository 212 may include data records captured from multiple data sources for each session in a communication network. The other data 213 may include data generated as a result of the execution of one or more modules in the other modules. The telecom operator may manage multiple network and business machines to provide services and to charge the customers. The detailed functionality of the modules 204 is further described below.
DATA COLLECTING MODULE 206
The data collecting module 206 may enable the server 101 to collect the data, further comprising macro level data and micro level data, wherein such data is collected from a plurality of user devices 103 belonging to the organisation. The information security provided to an asset may need to be observed by the processor 201 from both the micro and the macro level. At the macro level, from the information known about the given asset, the level of information security required for the asset is processed and then maintained. At the micro level, all the components and subcomponents, as well as the whole structure of resources devoted to the asset, are micro-analysed by the processor 201 through a plurality of utilities of the controls applicable to the said asset. The information collected is combined to arrive at a model which may represent the maturity of the information security provided. The model thus obtained may require tuning to arrive at a maturity scoring curve which is acceptable by the standards and the knowledge maintained by the organisation.
In an embodiment, the collection process of the macro level data is described. The macro level data may be collected by a plurality of questions asked to the user of the asset. The first question that may always be asked is the intra-organisation view on the criticality of the asset. This feature provides a tool to collect most of the non-prominent organisation-specific features at once. Further, the system 100 may ask about the macro nature of the asset by asking the number of internal or external users accessing the asset, the frequency of change requests sent to the asset, and how exposed the asset is to the population. Further, the factor of cost may be considered: what is the cost of a breach and what is the cost of restoration. These two factors may demand extra security. The final question may be the jurisdiction, which affects the laws governing the information security.

In an embodiment, the collection process of the micro level data is described. The first step in creating such a model is to establish a baseline. For a given asset, a set of controls is applicable because of its components and subcomponents and the weaknesses that may lie therein. If a control for information security is identified and is not applied to the said information asset, then that control is counted as a lack of commitment to maintaining the information security devoted to that particular asset.
EVALUATING MODULE 207
The evaluating module 207 may evaluate a plurality of positive controls which are found from a plurality of applicable controls, wherein a plurality of components and sub-components of an applicable control is evaluated by considering the weakness of each component and sub-component of the asset under audit. The evaluating module 207 may further classify the applicable controls into negative controls and positive controls.
BASELINE MODULE 208
The baseline module 208 may enable the system 100 to determine the baseline represented by a first variable, wherein the value of the first variable describes the commitment of the organisation in providing the necessary security to the asset. Therefore, the baseline representing the commitment to information security may be represented by a first variable B, defined in terms of the variables AC and PC as follows:
$B = PC/AC$,
where the variables AC and PC are the number of controls applicable to the asset and the number of controls which are found positive for the asset, respectively.
Such a variable is taken as a baseline because it represents the commitment of the organisation as a whole in providing the necessary security controls to the given asset. This number is clearly a fraction no greater than 1, since PC ≤ AC, with the difference defining the next variable NC, the number of negative controls, so that PC + NC = AC.
QUALITY MODULE 209
The quality module 209 may enable the system 100 to obtain a second variable to represent the quality of the control environment created for the information asset by analysing the macro level data comprising the information about the asset and its environment, and by further combining the analysed information, wherein the information regarding the security vulnerabilities, configuration, and policies in different components is reduced to a common scale which is capable of being represented in numerical form. After considering the baseline, it is intended to observe how the security efforts paid off by analysing the micro data, and to combine the information thus obtained to create another factor for the model, which can be named Q. The information about the security vulnerabilities in different components cannot be combined unless it is brought to the same scale and represented as numbers which may be compared. The controls which are audited may present a multi-dimensional volume of attack scenarios. If just one control fails and it leads to just one type of vulnerability, it may be far easier to deal with than a case where a plurality of controls fail and lead to multiple types of vulnerabilities, the reason being the combinations in which the different types of vulnerabilities may be exploited together. The net effect of such a scenario is an exponential decay of the quality of the information security achieved with respect to the fraction of the applicable controls that have failed. The base of this decay itself may increase or decrease depending on the vulnerability scores obtained and the number of instances where the respective controls failed. The resulting equation is as follows:
$Q = Q_l^{\,l \times NC/AC}$,
where l is the first tuning parameter used in this model, and
Q_l is the quality of the security effort provided to the asset when NC = l × AC controls are negative. It is to be noted that, by the definition of the exponential function, A^0 = 1, so the above equation gives Q = 1 as soon as NC = 0, irrespective of the value of Q_l. The definition of Q_l is meaningful because when NC = l × AC the exponent in the above equation becomes 1 and the equation itself becomes Q = Q_l. Therefore, the case where the number of failing controls is NC = l × AC is analysed. When such a situation occurs, the quality of the security depends on a number of factors. The first factor is the severity of the vulnerabilities generated by the different instances of failed controls. As discussed before, this severity can be given by a Severity Score, a number from 0.0 to 10.0, for the instances where the security controls failed. The relationship between these weaknesses and the quality can be given by:

$Q_l \propto H\left(\frac{V_m}{V_{ci}}\right)$,
where c is the index of the control that failed,
i is the index of the instance where the control indexed by c failed,
V_m is the minimum non-zero value taken by the factored vulnerability score, and
V_ci is the factored vulnerability score of the vulnerability generated when instance index i of the control indexed c failed,
H is a function defined as follows:
$H(x) = \frac{1 + \operatorname{erf}\left(q\,(2x - 0.96)\right)}{2}$
The number of instances where the control indexed c failed may be represented by the variable k_c. Then the net effect of the above relationship for a control may be given by the following relationship.

$Q_l \propto \mathrm{GM}\left(\left\{ H\left(\frac{V_m}{V_{ci}}\right) \right\}_{i = 1,\dots,k_c}\right) = \left( \prod_{i=1}^{k_c} H\left(\frac{V_m}{V_{ci}}\right) \right)^{1/k_c}$,
where the function GM is the geometric mean of the elements of the set mentioned; it takes the value 1 when the set is empty. Another dependency reflects the attack surface of the vulnerability found, in terms of the number of instances, as follows:
$Q_l \propto \frac{1}{k_c}$, where k_c is the number of instances as mentioned before.
Taking a weighted geometric average of these two relationships we get the following:
$Q_l \propto \left( \left(\frac{1}{k_c}\right)^{as} \times \left( \left( \prod_{i=1}^{k_c} H\left(\frac{V_m}{V_{ci}}\right) \right)^{1/k_c} \right)^{v} \right)^{1/(as+v)}$,
This holds for each of the negative controls, and by another geometric mean over the controls we get the following:
$Q_l \propto \left( \prod_{c=1}^{NC} \left( \left(\frac{1}{k_c}\right)^{as} \times \left( \left( \prod_{i=1}^{k_c} H\left(\frac{V_m}{V_{ci}}\right) \right)^{1/k_c} \right)^{v} \right)^{1/(as+v)} \right)^{1/NC}$,

Taking the proportionality constant as M_l, we arrive at the following equation:
$Q = \left[ M_l \times \left( \prod_{c=1}^{NC} \left( \left(\frac{1}{k_c}\right)^{as} \times \left( \left( \prod_{i=1}^{k_c} H\left(\frac{V_m}{V_{ci}}\right) \right)^{1/k_c} \right)^{v} \right)^{1/(as+v)} \right)^{1/NC} \right]^{\,l \times NC/AC}$

In an embodiment, the variables present in the above equation are described below along with their description:
The variables used to create the above model include the following:
AC : The number of controls applicable to the given information asset,
PC : The number of controls which are applicable and are positive for the asset,
NC : The number of controls which are applicable and are negative for the asset,
k_c: The number of instances where the control indexed c is negative,
V_ci: The factored vulnerability score generated because of the instance indexed i of the negative control indexed c,
B : Artificial variable created to represent the baseline for the maturity of the information security devoted to the asset, and finally
Q: Artificial variable created to represent the quality of the resultant control environment created for the information asset.
In an embodiment, the tuning parameters present in the above equation may be described below along with their description:
There are five tuning parameters used so far:
l : The decay constant that tunes the rate of decay of the quality curve for the variable Q. It takes non-negative real values.
Ml: The accompanying tuning parameter for l, which tunes the curvature of the decay curve.
as: The tuning parameter that tunes the contribution of the attack-surface factor to the quality curve.
v: The tuning parameter that tunes the contribution of the severity of the vulnerabilities generated by the instances of the respective failed controls.
V_m: The tuning parameter that scales the severity score.
q: The tuning parameter in the definition of the function H.

SECURITY LEVEL MODULE 210
The security level module 210 may enable the system 100 to obtain the level of security present in the organisation by collecting data from the answers obtained to a plurality of questions. Such answers may be obtained from a plurality of users or employees of the organisation. In an embodiment, additional questions may include information about the information being transmitted through different assets, and the like.
The questions asked are as follows:

How critical is the asset?
Critical
High
Medium
Low
Negligible
How many internal users have access to the asset?
Very Large: more than 50% of internal users
Large: more than 30% and less than 50% of internal users
Medium: more than 10% and less than 30% of internal users
Small: more than 5% and less than 10% of internal users
Negligible: more than 0% and less than 5% of internal users
Not Applicable: question not applicable to the asset
How many external users have access to the asset?
Very Large: 10 million and more users
Large: 1 to 10 million users
Medium: 50 thousand to 1 million users
Small: 5 thousand to 50 thousand users
Negligible: less than 5 thousand users
Not Applicable: question not applicable to the asset
How often are the change requests pushed for the asset?
On Hourly basis
On Daily basis
On Weekly basis
On Monthly basis
On Quarterly basis
On Yearly basis
Not Applicable
How exposed is the asset?
Internet
Intranet
Private Network
Adjacent Network
Local
Physical
What is the cost of a breach?
Very High: DI (anything greater than 3% of turnover) + II (2% of market cap/valuation)
High: DI (greater than 0.1%, less than 3% of turnover) + II (0.5% of market cap/valuation)
Medium: DI (greater than 0.05%, less than 0.1% of turnover) + II (0.1% of market cap/valuation)
Low: DI (greater than 0, less than 0.05% of turnover) + II (less than 0.1% of market cap/valuation)
Negligible: DI (equal to 0% of turnover) + II (0% of market cap/valuation)
What is the cost of restoration (Hard Reset)?
Very High: more than 20% of the security budget
High: from 15 to 20% of the security budget
Medium: from 7 to 15% of the security budget
Low: from 3 to 7% of the security budget
Negligible: from 0 to 3% of the security budget
Under which Jurisdiction does this asset lie?
India
USA
UK
Singapore
Hong Kong
Netherlands

In an embodiment, the responses to the above questions mentioned in the collecting module may be used to obtain numerical values for the questions. The numerical values lie between 0 and 1. The variables are partitioned into four sets as {CRT}, {IU, EU, CH, EX}, {CB, CR}, {JR}. This partition plays a direct role in the model for S, which is as follows, taking the numerical values from the table below, which are chosen by the organization providing the cybersecurity:
S = 5.0 × (cr × CRT + hr × Mean(IU, EU, CH, EX) + c × Mean(CB, CR) + j × JR)/(cr + hr + c + j)
The numerical values so obtained are as follows:

How critical is the asset? CRT
Critical 1
High 0.80
Medium 0.40
Low 0.20
Negligible 0.1

How many internal users have access to the asset? IU
Very Large 1
Large 0.8
Medium 0.4
Small 0.2
Negligible 0.1
Not Applicable ___

How many external users have access to the asset? EU
Very Large 1
Large 0.8
Medium 0.4
Small 0.2
Negligible 0.1
Not Applicable ___

How often are the change requests pushed for the asset? CH
Yearly 0.02
Quarterly 0.1
Monthly 0.2
Weekly 0.4
Daily 0.8
Hourly 1
Not Applicable ___

How exposed is the asset? EX
Internet 1
Intranet 0.8
Private Network 0.4
Local Network 0.2
Local 0.1
Physical 0.02

What is the cost of a breach? CB
Very High 1
High 0.8
Medium 0.4
Low 0.2
Negligible 0.1

What is the cost of restoration (Hard Reset)? CR
Very High 1
High 0.8
Medium 0.4
Low 0.2
Negligible 0.1

MATURITY SCORE MODULE 211
The maturity score module 211 may enable the system 100 to calculate the maturity score of an asset belonging to the organisation. The controls are first partitioned into three categories: Vulnerability, Configuration, and Policy. This gives three tuples (B_V, Q_V, S_V), (B_C, Q_C, S_C), and (B_P, Q_P, S_P). Maturity scores MS_V, MS_C, and MS_P are obtained from these tuples for Vulnerability, Configuration, and Policy respectively, and weights w_V, w_C, and w_P are then used to take a weighted average that gives the final maturity score of the asset. Such weightages may be specific to the categories of assets. For example, in some cases no vulnerability controls are present, so the weight w_V is taken as zero while the remaining weights have a non-zero sum.

In an embodiment, by way of implementation of the illustrated model for defining a set of controls the maturity score may be defined as follows:

The model to define the maturity score MS_X for a set of controls from the values of (B_X, Q_X, S_X) is as follows:

MS_X = b × B_X + q × Q_X^(S_X),

where the tuning parameters b and q are taken to be 1 and 3.2 respectively for the initial use; q is 3.2 rather than 4 so that the model cannot assign a full score of 5, the maximum attainable score being 4.2 out of 5. This maturity score can be calculated for each of the subscripts V, C and P.

With this model, the maturity scores MS_V, MS_C, and MS_P are obtained, which may further be combined to give a final maturity score for the asset as follows:

AMS = (w_V × MS_V + w_C × MS_C + w_P × MS_P)/(w_V + w_C + w_P)
where the weights w_V, w_C, and w_P are as discussed before and are to be decided for different categories of assets separately.

The tuning is implemented based on the experience of the entity providing cybersecurity. The following tuning parameters may be arrived at after simulations:
l = 0.5
Ml = 1
v = 0.5
as = 0.5
q = 7.5 in the equation of H.
Vm = 1

Overall Maturity Score

The Overall Maturity Score is a maturity score for the organization indicating the maturity of its preparedness to face information security attacks. This maturity score is calculated using the Asset Maturity Score, as described in the document titled "Asset Maturity Score", together with the Maturity Score calculated using the organization level controls, which are divided into two categories: Architecture Controls and Policy Controls. The inputs to the Overall Maturity Score are therefore the Asset Maturity Scores for the different assets of the organization, together with two Maturity Scores calculated, using the Asset Maturity Score model, for the two categories described above.

The Assets are themselves divided into three categories:
Crown Jewels
Medium or High
Low

Model for Overall Maturity Score
The maturity score may be calculated using the following model:

OMS = 0.7 × (w_CJ × Mean({AMS_CJ}) + w_(M/H) × Mean({AMS_(M/H)}) + w_L × Mean({AMS_L}))/(w_CJ + w_(M/H) + w_L) + 0.3 × (w_A × MS_A + w_P × MS_P)/(w_A + w_P)
where the means are taken over the set of all AMS scores available for the given category; w_CJ, w_(M/H), w_L, w_A, and w_P are weights assigned according to requirement, trained if required, with the initial values given below; MS_A and MS_P are the maturity scores calculated at organization level with the same model as that used for the Asset Maturity Score; and the control categories are respectively the Architecture Controls and Policy Controls set for the organization.

Weights/Parameters
The weights mentioned above are taken as follows:
w_CJ=0.50,
w_(M/H)=0.35,
w_L=0.15,
w_A=0.25, and
w_P=0.05.

Referring to Figure 3, a method for obtaining a maturity score denoting the maturity of preparedness of an information technology asset against cyberattacks is illustrated, in accordance with an embodiment of the present subject matter.
At block 301, the system 100 may collect the data further comprising a macro level data and a micro level data wherein such data may be collected from a plurality of user devices belonging to the organisation. The user devices may be any devices which may have the capability of storing and processing data which may belong to that organisation.
At block 302, the system 100 may evaluate the plurality of positive controls which are found from a plurality of applicable controls wherein a plurality of components and sub-components of an applicable control is evaluated by considering the weakness of each component and sub-component of the asset under audit.
At block 303, the system may determine the baseline represented by a first variable wherein the value of the first variable may describe the commitment of the organisation in providing the necessary security to the asset.
At block 304, the system may obtain a second variable to represent the quality of the control environment created for the information asset by analysing the macro level data comprising the information about the asset and its environment and by further combining the analysed information, wherein the information regarding the security vulnerabilities, configuration, and policies in different components is reduced to a common scale which may be capable of being represented in numerical form.
At block 305, the numerical value obtained for the second variable may represent the asset maturity score which denotes the maturity of the information asset for preparedness against cyber-attacks or threats.
Referring to Figures 4-A, 4-B, 4-C and 4-D, the maturity score and the percentage of negative controls are illustrated and indicated, in accordance with an embodiment of the present subject matter. The colour grading from green to red indicates the increase in the net severity of the negative controls at micro level.
In an exemplary embodiment, an overall maturity score may be calculated by the system for the organisation, wherein the overall maturity score may provide a score for the organization indicating the maturity of its different assets in their preparedness to face information security attacks. Such an overall maturity score may be calculated using the one or more asset maturity scores described above. The maturity scores calculated using the organization level controls are divided into two categories: architecture controls and policy controls. The data required for the overall maturity score is the asset maturity score for the different assets of the organization together with the two maturity scores calculated by the processor 20.
The Assets are themselves divided into three categories:
1. Crown Jewels
2. Medium or High
3. Low
In an embodiment, the maturity score may be calculated using the following model:

OMS = 0.7 × (w_CJ × Mean({AMS_CJ}) + w_(M/H) × Mean({AMS_(M/H)}) + w_L × Mean({AMS_L}))/(w_CJ + w_(M/H) + w_L) + 0.3 × (w_A × MS_A + w_P × MS_P)/(w_A + w_P)

where the means are taken over the set of all AMS scores available for the given category; w_CJ, w_(M/H), w_L, w_A, and w_P are weights assigned according to requirement, trained if required, with the initial values given below; MS_A and MS_P are the maturity scores calculated at organization level with the same model as that used for the Asset Maturity Score; and the control categories are respectively the Architecture Controls and Policy Controls set for the organization.

The weights mentioned above may be exemplarily considered as follows:
w_CJ=0.50,
w_(M/H) = 0.35,
w_L = 0.15,
w_A = 0.25, and
w_P = 0.05
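The following Python is an added worked example (not the patent's or its applicant's code) that implements the per-category model MS_X = b × B_X + q × Q_X^(S_X), the weighted Asset Maturity Score AMS, and the 0.7/0.3 Overall Maturity Score OMS above, using the initial weights the specification lists. Two behaviours are assumptions not stated on the page: an asset class with no scored assets is dropped from the OMS mean along with its weight, and B and Q are checked to lie in [0, 1], which is what makes 4.2 the ceiling when b = 1 and q = 3.2.

```python
"""Asset Maturity Score (AMS) and Overall Maturity Score (OMS); added example."""
from statistics import mean

B_TUNING = 1.0   # b
Q_TUNING = 3.2   # q: 3.2 rather than 4, so a perfect B = Q = 1 gives 4.2, not 5

OMS_CLASS_WEIGHTS = {"CJ": 0.50, "M/H": 0.35, "L": 0.15}   # initial w_CJ, w_(M/H), w_L
OMS_ORG_WEIGHTS = {"A": 0.25, "P": 0.05}                   # initial w_A, w_P


def category_score(B, Q, S, b=B_TUNING, q=Q_TUNING):
    """MS_X = b*B_X + q*Q_X**S_X for one control category (V, C or P)."""
    if not (0.0 <= B <= 1.0 and 0.0 <= Q <= 1.0):
        raise ValueError("B and Q must lie in [0, 1]")   # assumption, see lead-in
    return b * B + q * Q ** S


def asset_maturity_score(tuples, weights):
    """AMS = (w_V*MS_V + w_C*MS_C + w_P*MS_P) / (w_V + w_C + w_P).
    tuples: {"V": (B, Q, S), "C": ..., "P": ...}; weights: {"V": w_V, ...}.
    A category may carry weight 0 (e.g. no vulnerability controls exist), in
    which case its tuple is not needed."""
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("category weights must have a non-zero sum")
    weighted = sum(w * category_score(*tuples[k]) for k, w in weights.items() if w)
    return weighted / total


def overall_maturity_score(ams_by_class, ms_arch, ms_policy,
                           class_weights=OMS_CLASS_WEIGHTS,
                           org_weights=OMS_ORG_WEIGHTS):
    """OMS = 0.7 * weighted mean of the per-class AMS means
           + 0.3 * weighted mean of the organisation-level MS_A and MS_P.
    ams_by_class: {"CJ": [AMS, ...], "M/H": [...], "L": [...]}."""
    num = den = 0.0
    for cls, scores in ams_by_class.items():
        if scores:                       # empty class drops out (assumption)
            num += class_weights[cls] * mean(scores)
            den += class_weights[cls]
    if den == 0:
        raise ValueError("no asset maturity scores available")
    org = (org_weights["A"] * ms_arch + org_weights["P"] * ms_policy) \
        / (org_weights["A"] + org_weights["P"])
    return 0.7 * num / den + 0.3 * org


# Constructed sample values: one asset without vulnerability controls (w_V = 0),
# a perfect configuration category and a weak policy category.
SAMPLE_TUPLES = {"C": (1.0, 1.0, 3.0), "P": (0.5, 0.5, 2.0)}
SAMPLE_WEIGHTS = {"V": 0.0, "C": 1.0, "P": 1.0}

if __name__ == "__main__":
    ams = asset_maturity_score(SAMPLE_TUPLES, SAMPLE_WEIGHTS)   # (4.2 + 1.3) / 2
    print(f"AMS = {ams:.4f}")
    oms = overall_maturity_score({"CJ": [4.0, 3.0], "M/H": [2.5], "L": []},
                                 ms_arch=3.0, ms_policy=2.0)
    print(f"OMS = {oms:.4f}")
```

Note that Q_X enters as a base raised to S_X: a higher security level S (a more critical, more exposed asset) makes the same Q_X contribute less, so the same control environment earns a lower maturity score on an asset that demands more of it, while the baseline term b × B_X is unaffected.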

The embodiments, examples and alternatives of the preceding paragraphs, the claims, or the following description and drawings, including any of their various aspects or respective individual features, may be taken independently or in any combination. Features described in connection with one embodiment are applicable to all embodiments, unless such features are incompatible. The present disclosure can be embodied in many other forms or carried out in other ways, without departing from the spirit or essential characteristics thereof, and the above-mentioned embodiment of the disclosure have been disclosed in detail only for illustrative purposes. It is understood that the disclosure is not limited thereto, but is susceptible of numerous changes and modifications as known to those skilled in the art, and all such variations or modifications of the disclosed apparatus, including the rearrangement of parts, lie within the scope of the present disclosure.

Claims:

1. A system 100 enabled for determining a maturity score for an organisation called overall maturity score, the system comprising
a server 101;
a processor 201;
an input/output interface 202 and
a memory 203 coupled with the processor, wherein the processor 202 executes a plurality of modules stored in the memory 203, the plurality of modules comprising:
a data collecting module 203 for data further comprising a macro level data and a micro level data wherein such data is collected from a plurality of user devices 103 belonging to the organisation;
an evaluating module for a plurality of positive controls which are found from a plurality of applicable controls wherein a plurality of components and sub-components of an applicable control is evaluated by considering the weakness of each component and sub-component of the asset under audit;
a baseline module enabled for determining a baseline represented by a first variable wherein the value of the first variable describes the commitment of the organisation in providing the necessary security to the asset;
a quality module for obtaining a second variable to represent quality of the control environment created for the information asset by analysing the macro level data comprising the information about the asset and its environment and by further combining the analysed information wherein the information regarding the security vulnerabilities, configuration, and policies in different components is reduced to a same scale which is capable of being represented in numerical form;
a security module 209 for determining the level of security of the information asset belonging to the organisation based on the macro level data;
a maturity score module 211 for obtaining the maturity score wherein the numerical value obtained by combining the first and the second variable represents the asset maturity score which denotes the maturity of the information asset, indicating the preparedness of such information against cyber-attacks or threats.

2. The system of claim 1, wherein the macro level data may comprise the information of the asset including but not limited to criticality, cost of breach, cost of restoration, jurisdiction, exposure and also other factors that may influence the requirement of strictness of the information security required for the asset.

3. The system of claim 1, wherein the micro level data may comprise a plurality of controls which are audited and further provide a multi-dimensional volume of attack scenarios by a combination of one or more vulnerabilities.

4. The system of claim 1, wherein the value of the first variable is determined by accounting the total number of positive controls to the total number of applicable controls.

5. The system of claim 1, wherein the net effect of the total number of negative controls to the total number of applicable controls, along with a decay constant and the net effect of the macro level data as mentioned in claim 2, results in an exponential decay of the second variable.

6. The system of claim 1, wherein the first variable is an artificial variable created to represent the baseline for the maturity of the information security devoted to the asset.

7. The system of claim 1, wherein the second variable denotes an artificial variable created to represent the quality of the resultant control environment created for the information asset.

8. A method of determining an asset maturity score for an organisation, the method comprising:
collecting, via a processor 201, data further comprising a macro level data and a micro level data wherein such data is collected from a plurality of user devices belonging to the organisation;
evaluating, via the processor 201, a plurality of positive controls which are found from a plurality of applicable controls wherein a plurality of components and sub-components of an applicable control is evaluated by considering the weakness of each component and sub-component of the asset under audit;
determining, via the processor 201, a baseline represented by a first variable wherein the value of the first variable describes the commitment of the organisation in providing the necessary security to the asset;
obtaining, via the processor 201, a second variable to represent quality of the control environment created for the information asset by analysing the macro level data comprising the information about the asset and its environment and by further combining the analysed information wherein the information regarding the security vulnerabilities, configuration, and policies in different components is reduced to a same scale which is capable of being represented in numerical form;
determining, via the processor 201, the level of security of the information asset belonging to the organisation based on the macro level data
wherein the numerical value obtained by combining the first and the second variable represents the asset maturity score which denotes the maturity of the information asset, indicating the preparedness of such information against cyber-attacks or threats.

9. A non-transitory computer readable medium storing program for determining an asset maturity score for an organisation, the program comprising instructions for:
collecting data further comprising a macro level data and a micro level data wherein such data is collected from a plurality of user devices belonging to the organisation;
evaluating a plurality of positive controls which are found from a plurality of applicable controls wherein a plurality of components and sub-components of an applicable control is evaluated by considering the weakness of each component and sub-component of the asset under audit;
determining a baseline represented by a first variable wherein the value of the first variable describes the commitment of the organisation in providing the necessary security to the asset;
obtaining a second variable to represent quality of the control environment created for the information asset by analysing the macro level data comprising the information about the asset and its environment and by further combining the analysed information wherein the information regarding the security vulnerabilities, configuration, and policies in different components is reduced to a same scale which is capable of being represented in numerical form;
determining the level of security of the information asset belonging to the organisation based on the macro level data;
wherein the numerical value obtained by combining the first and the second variable represents the asset maturity score which denotes the maturity of the information asset, indicating the preparedness of such information against cyber-attacks or threats.

10. A method of calculating an overall maturity score of an asset for an organisation, the method comprising:
obtaining, via a processor, a plurality of maturity scores for a plurality of assets wherein each asset maturity score represents the maturity of the information asset for preparedness against cyber-attacks or threats for a particular asset belonging to the plurality of assets;
calculating, via a processor, maturity scores for a plurality of organisation level controls further comprising a plurality of architecture controls and policy controls;
assigning, via a processor, a plurality of weights for reducing the plurality of asset maturity scores and the maturity scores obtained for architecture controls and policy controls;
analysing, via a processor, an overall maturity score of an asset for an organisation based on combination of the plurality of asset maturity scores, the maturity scores of architecture controls and policy controls and the assigned weights.
11. The method of claim 10, wherein the plurality of assets having the plurality of asset maturity scores are further divided into categories comprising crown jewel assets, medium/high assets and low assets.

Orders

Section Controller Decision Date
15 PARIJAT SAURABH 2019-02-28

ERegister / Renewals

3rd: 14 May 2019 (from 14/05/2019 to 14/05/2020)
4th: 14 May 2019 (from 14/05/2020 to 14/05/2021)
5th: 14 May 2019 (from 14/05/2021 to 14/05/2022)
6th: 14 May 2019 (from 14/05/2022 to 14/05/2023)
7th: 14 May 2019 (from 14/05/2023 to 14/05/2024)
8th: 14 May 2019 (from 14/05/2024 to 14/05/2025)
9th: 12 May 2025 (from 14/05/2025 to 14/05/2026)