The elements of a security-function design for a computer system include a specific measure (a security implementation scheme) for implementing a given security function (e.g., entity authentication) and an associated measure (an associated function element) that the security implementation scheme requires in order to function. The associated function element varies depending on the system configuration. For example, when an authentication scheme using a user ID and a password is employed as the security implementation scheme, whether the communication path over which the user ID and the password are transmitted must be encrypted depends on whether the system is online or offline. In this example, encryption of the communication path is the associated function element. The system designer must select associated function elements without excess or deficiency, taking the system configuration into account. To do so, the system designer needs general security knowledge in addition to knowledge of the entire system, and considerable effort is required. Moreover, if the design of the associated function element is insufficient, the security function of the entire system does not operate effectively, which may in turn become a factor in causing a security incident.
In the security-design support method described in PTL 1, a location on the path from the location of an agent that causes a conceivable threat in a design-target system to the location of an asset that suffers damage from that threat is treated as an arrangement candidate for a security-function requirement. Arrangement of the security-function requirement is further facilitated by determining a priority for each arrangement candidate according to a predetermined arrangement rule.
In the security-design support method described in PTL 2, a degree of importance of a security-function requirement is obtained from the risk value of a threat to an information system, a measure policy against the threat, and the security-function requirement of that measure policy. In addition, the information-related products to be introduced into the information system are derived from the degree of importance of the security-function requirement, a degree of association between the security-function requirement and the security functions of existing information-related products, and a degree of satisfaction of the security function of the information-related products.