As the email system is widely used, incidents of information leakage through email have serious effects. According to statistics of the Japanese Information Processing Development Corporation (for example, fiscal years 2005 to 2007), the leading cause of incidents of information leakage is wrong transmission due to wrong addressing of mail, fax, and email. The leakage incidents caused by wrong transmission of email account for about 5.7% of all leakage incidents.
Most of the incidents of information leakage through email transmission are caused by human errors, such as carelessly setting wrong addresses (destination addresses) of outgoing email. In general, the sender does not notice the careless mistake, and the mistake is recognized only when the receiver of the wrong transmission points it out. Therefore, one incident may cause significantly adverse effects. The use of the email system is expanding, and the incident ratio is expected to rise. It is therefore increasingly important to prevent wrong transmissions caused by human errors such as careless mistakes.
Conventionally, a mechanism is provided as a prevention measure of wrong transmission of email, in which risk information is presented to the sender before the email transmission to warn the sender to check the address and pay attention. For example, there is a known system, in which a security policy is registered in advance, and when a planned outgoing email violates the security policy, risk information is presented to the sender for warning.
Another example of a conventional method is a system in which a white list of reliable addresses registered in advance is prepared, and the address checking process is skipped when the address of an outgoing email is registered in the white list, thereby reducing the burden on the sender in the security check process.
Another example of a conventional method is a system in which a transmission log of email is stored; an intimacy between a sender and a planned receiver, as well as a threshold for permitting transmission according to that intimacy, is stored based on the transmission log; words used in the text of an outgoing email are analyzed; the analysis result is judged against the threshold corresponding to the intimacy of the receiver of the planned outgoing email; and whether the email may be transmitted is thereby checked.
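The intimacy-based check described above can be sketched as follows. This is an added example, not code from the cited systems; the log contents, the count cut-offs for each intimacy level, the word weights, the thresholds and all function names are assumptions made for illustration.

```python
import re

# Constructed transmission log of (sender, recipient) pairs; not real data.
LOG = ([("alice@corp.example", "bob@corp.example")] * 12
       + [("alice@corp.example", "carol@partner.example")] * 3)

# Assumed policy: highest text score that may be sent at each intimacy level.
THRESHOLDS = {"high": 5, "medium": 2, "low": 0}
# Assumed weights for words that suggest sensitive content.
WEIGHTS = {"confidential": 3, "password": 3, "salary": 2, "contract": 1}


def intimacy(log, sender, recipient):
    """Derive an intimacy level from how often sender has mailed recipient."""
    pair = (sender.lower(), recipient.lower())
    count = sum(1 for s, r in log if (s.lower(), r.lower()) == pair)
    if count >= 10:
        return "high"
    return "medium" if count >= 3 else "low"


def text_score(text):
    """Analyze the words of the message body against the weighted word list."""
    return sum(WEIGHTS.get(w, 0) for w in re.findall(r"[a-z]+", text.lower()))


def check_outgoing(log, sender, recipients, text):
    """Return {recipient: (intimacy level, may_send)} for a planned email."""
    score = text_score(text)
    result = {}
    for rcpt in recipients:
        level = intimacy(log, sender, rcpt)
        result[rcpt] = (level, score <= THRESHOLDS[level])
    return result


if __name__ == "__main__":
    body = "Attached is the contract with salary details."
    # bob@c0rp.example is a constructed mistyped address with no history.
    to = ["Bob@corp.example", "carol@partner.example", "bob@c0rp.example"]
    for rcpt, (level, ok) in check_outgoing(LOG, "alice@corp.example", to, body).items():
        print(f"{rcpt}: intimacy={level} -> {'send' if ok else 'hold and warn'}")
```

A mistyped address has no entry in the log, so it falls to the lowest intimacy level and any message containing a weighted word is held for that recipient.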
The following documents describe the technical background of the discussed embodiment:
[Patent Literature 1] Japanese Patent Laid-Open No. 2007-293635
[Patent Literature 2] Japanese Patent Laid-Open No. 2006-059297
In a wrong transmission prevention measure of email, the level of an information security check process and the convenience or the operation comfort of an email transmission system are, so to speak, in a trade-off relationship. If the security level of a security check process is high (i.e. strict), the convenience or the operation comfort of the system is reduced, and the user finds the system inconvenient. As a result, the check measure may become meaningless, and in spite of the user's intention, information that needs to be protected may not be protected. If the security level is too low, necessary checking is not sufficiently performed, and the security effects are reduced. Therefore, it is important to balance the convenience and the information security level to maximize the effects of the security measure.
The conventional security measures cause the following problems, which reduce the effectiveness of the measure as the operation is continued.
(1) Decrease in Freshness of Risk Information
The user gets used to checking if similar check processes are repeated, and the warning effect of the risk information is reduced. More specifically, there is a warning effect in the risk information when the user is not used to the risk information provided to the user. However, the user gets used to the information if similar information is repeatedly provided, and the user performs an operation of “checked” without thoroughly checking the content. Therefore, the effectiveness of the measure cannot be maintained.
(2) Inappropriateness of Check Level
In general, if the rule compliance obligation is too strict for the user, such as when the frequency of checking is high or when there are many check items, the risk is buried in the excessive information, and there is a high risk of simple mistakes. At the same time, the operation load of the user increases, and the original work may be interfered with. Therefore, the excessive rule compliance obligation makes it difficult to maintain the motivation of the user to cooperate with the security check measure, and there is a high risk of making the check process meaningless and perfunctory.
(3) Management Load of White List
Due to its convenience and quickness, email is also widely used as a means of communication in the workplace. The flow of human resources is also high. Therefore, the addresses (email addresses) that the user can rely on change on a daily basis. Under these circumstances, the user or the manager always has to maintain the latest white list for registering destination addresses that the user or the manager can rely on as email destinations, and the load of evaluating and managing the addresses in the white list is large. In particular, when a transaction, etc. is finished, email transmission to the address is usually no longer necessary, and the address needs to be immediately deleted from the white list. The deletion of the destination addresses from the white list has to be thorough. However, if the users are in charge of the deletion operations, the deletion determination and the deletion time vary between the users, and compliance with the security policy may be difficult as a whole.
(4) Load of Inventory of Information Asset
When stored transmission history information (transmission log) is used to provide the risk information, an operation of deleting the stored information that serves as the basis for providing the risk information, a so-called inventory operation of information assets, is necessary along with resetting of the security policy due to a change in the transaction condition, an organizational transfer, etc. If the users are in charge of the inventory operation, the security policy may not be thoroughly enforced as a whole, as in the case of the management of the white list. Although the manager can perform the operation or force the user to perform the operation, there is a problem that the load of the manager increases.