An element for security function design of a computer system includes a specific countermeasure (security implementation method) for implementing a given security function (e.g., subject authentication) and an ancillary countermeasure (ancillary-function element) necessary to cause the security implementation method to function. The ancillary-function element differs depending on a system configuration. When, for example, an authentication method using a user ID and a password is employed as the security implementation method, the necessity of encryption of a communication pathway where the user ID and the password are transmitted and received differs depending on whether the system is online or offline. In other words, in this example, “the encryption of the communication pathway” is an ancillary-function element. It is necessary for a designer of the system to perform designing in just proportion by selecting ancillary-function elements in consideration of a system configuration. Therefore, the system designer needs knowledge of security in general in addition to knowledge of the entire system, and therefore, a large amount of effort is necessary. Insufficient design of the ancillary-function elements causes a security function of the entire system not to work efficiently, which may be, as a result, a cause of occurrence of a security incident.
The security-design support method described in PTL 1 receives a definition of a security environment of an IT product or a system from the user, extracts possible threats based on the defined security environment, and presents the threats to the user. The security-design support method further extracts countermeasure candidates based on a result of a threat selection by the user, presents the extracted countermeasure candidates to the user, and also receives a countermeasure selection from the user.