1. Field of the Invention
The present invention relates to a device, a system and a method for monitoring a degree of security in order to appropriately ensure the security of assets.
2. Background Art
In an organization such as an enterprise, various kinds of security devices are introduced and a security system is constructed to protect assets such as information, money, equipment, articles of commerce, and persons. Risk management is carried out, in which the risk of damage to the assets is evaluated so that an appropriate measure can be taken. The risk of damage to the assets and the security protecting the assets are inversely related. Therefore, in some cases security is evaluated instead of risk.
For example, the devices described in patent literature 1 and patent literature 2 below serve as a security measure for protecting information assets and as a security evaluating device for evaluating that measure. In patent literature 1, a user selects a constituent device of the system and a risk analysis technique, and the threats that can arise in the selected constituent device and the security policies that can counter those threats are extracted from a database stored in advance. On the basis of the selected risk analysis technique, the user inputs information on the likelihood of each threat occurring and the magnitude of the loss, and the risk of each threat is calculated. A priority degree for each security policy is determined from the result of this calculation. The security policies and their priority degrees are listed and displayed. The user inputs whether each security policy has been executed, and the execution status is totaled and displayed as a security evaluation result. In patent literature 2, a measure sufficiency ratio showing the effect obtained by executing the risk measure selected by the user is calculated and displayed on the basis of the risk reduction ratio of each measure given in a measure definition file stored in advance. Further, an optimum security measure is selected sequentially, starting from the information assets with a large risk amount, on the basis of the risk reduction ratio and cost of each measure given in the measure definition file, and of the risk amount, etc., representing the economic value of the information assets, inputted by the user.
Patent literature 1: JP-A-2002-352062
Patent literature 2: JP-A-2002-24526
In the conventional security evaluating devices described above, a person must collect, determine and input risk-related information such as the likelihood of a threat occurring, the magnitude of loss, and the risk reduction ratio. Analyses of security, risk, etc. are made on the basis of these input contents alone. However, risk-related information changes with the changes that naturally occur during daily business operations, such as the movement, increase and decrease of things and persons. It is very difficult for a person to collect, determine and input risk-related information in step with these changes. There is therefore a strong possibility that risk-related information deviating from reality is inputted. When risk-related information deviating from reality is inputted in this way, the results of the security and risk analyses made on the basis of the input contents alone also deviate from reality. Consequently, even when these results are outputted, the state of security and risk cannot be recognized accurately, and no appropriate measure can be taken.