Information processing systems, information processing methods, and programs

The information processing system addresses the need for effective security evaluation by acquiring and indexing security measure data, enabling reliable and transparent security level verification and dissemination.

JP2026112362APending Publication Date: 2026-07-06BIZREACH INC

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
BIZREACH INC
Filing Date
2025-04-04
Publication Date
2026-07-06

AI Technical Summary

Technical Problem

There is a need for a technique to present an evaluation result of security measures effectively.

Method used

An information processing system that includes a processor to acquire evaluation values from response data, assign security measure indices, and present evaluation results, utilizing a hardware configuration with control units, storage units, and communication units for terminals and servers, and employing artificial intelligence for data processing and evaluation.

Benefits of technology

Enables verification of security levels by presenting comprehensive evaluation results, facilitating security assessments and improving security management through standardized index assignment and public dissemination of security metrics.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 2026112362000001_ABST
    Figure 2026112362000001_ABST
Patent Text Reader

Abstract

We provide information processing systems and other tools that present security evaluation results. [Solution] According to one aspect of the present invention, an information processing system is provided, comprising at least one processor, the processor configured to perform the following steps by reading a program, wherein in the acquisition step, an evaluation value of representative answer data selected for each category to be classified from a plurality of answer data created by the person being evaluated, the answer data includes the person being evaluated's answers to questions about security, and in the index assignment step, an index indicating the level of security measures is assigned to the person being evaluated for each category based on the evaluation value of the acquired representative answer data.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] The present invention relates to an information processing system, an information processing method, and a program.

Background Art

[0002] Patent Document 1 describes a system for evaluating security measures.

Prior Art Documents

Patent Documents

[0003]

Patent Document 1

Summary of the Invention

Problems to be Solved by the Invention

[0004] There is a need for a technique for presenting an evaluation result of security.

[0005] In view of the above circumstances, the present invention aims to provide an information processing system or the like that presents an evaluation result of security.

Means for Solving the Problems

[0006] According to one aspect of the present invention, there is provided an information processing system including at least one processor configured to execute the following steps by reading a program. In an acquisition step, an evaluation value of representative response data selected for each category into which the response data is classified is acquired from a plurality of response data created by an evaluation target person. The response data includes an evaluation target person's response to a security-related question item. In an index assignment step, an index indicating a level of security measures is assigned to the evaluation target person for each category based on the evaluation value of the acquired representative response data.

[0007] This approach allows for the presentation of security evaluation results, thereby enabling verification of the security level of the person being evaluated. [Brief explanation of the drawing]

[0008] [Figure 1] This is a diagram showing the configuration of Information Processing System 1. [Figure 2] This block diagram shows the hardware configuration of the server device 10 and the target terminal 20. [Figure 3] This block diagram shows the hardware configuration of the evaluator terminal 30 and the user terminal 40. [Figure 4] This block diagram shows the functions realized by the server device 10 (control unit 11), the subject terminal 20 (control unit 21), the evaluator terminal 30 (control unit 31), and the user terminal 40 (control unit 41). [Figure 5] This is a schematic diagram illustrating an example of the concept of representative response data. [Figure 6] This is an activity diagram showing an example of the flow of information processing (index assignment processing) performed by information processing system 1. [Modes for carrying out the invention]

[0009] Embodiments of the present invention will be described below with reference to the drawings. The various features shown in the embodiments below can be combined with each other.

[0010] Incidentally, the program for implementing the software appearing in one embodiment may be provided as a non-transitory computer-readable medium, or it may be provided as a downloadable medium from an external server, or it may be provided so that the program is launched on an external computer and its functions are realized on a client terminal (so-called cloud computing).

[0011] Furthermore, in various information processing according to one embodiment, an input and an output corresponding to the input can be realized. Here, as long as an output is obtained as a result of the input, the form of the information referenced in such information processing (hereinafter referred to as "reference information") is not limited. The reference information may be, for example, rule-based information such as a database, a lookup table, or a predetermined function (including a decision formula such as a regression equation constructed by a statistical method), or a pre-trained model that has learned the correlation between input and output in advance, or a large-scale language model that can output a desired result by inputting a prompt.

[0012] Furthermore, in one embodiment, "part" may include, for example, hardware resources implemented by a circuit in a broad sense, and the information processing of software that can be specifically realized by these hardware resources. Also, in one embodiment, various types of information are handled, and this information can be represented, for example, by the physical values ​​of signal values ​​representing voltage and current, the high or low values ​​of signal values ​​as a set of binary bits composed of 0s or 1s, or by quantum superposition (so-called qubits), and communication and calculations can be performed on a circuit in a broad sense.

[0013] Furthermore, a circuit in a broad sense is a circuit realized by combining at least a suitable combination of circuits, circuits, processors, and memory. The processor may be a general-purpose processor or a dedicated circuit. In other words, it includes application-specific integrated circuits (ASICs), programmable logic devices (for example, simple programmable logic devices (SPLDs), complex programmable logic devices (CPLDs), and field programmable gate arrays (FPGAs)), etc.

[0014] 1. Hardware Configuration This section describes the hardware configuration.

[0015] <Information Processing System 1> Figure 1 is a configuration diagram representing information processing system 1. Information processing system 1 comprises a communication line 2, a server device 10, a plurality of subject terminals 20, at least one evaluator terminal 30, and a plurality of user terminals 40. The server device 10, the subject terminals 20, the evaluator terminals 30, and the user terminals 40 are configured to communicate with each other through the communication line 2. The connection between the server device 10, the subject terminals 20, the evaluator terminals 30, and the user terminals 40 may be wired or wireless.

[0016] Information processing system 1 constitutes at least a part of a security evaluation system used by, for example, multiple evaluators (first evaluator U1 and second evaluator U2), at least one evaluator U3, and multiple evaluation users (first evaluator U4 and second evaluator U5). Information processing system 1 primarily performs security evaluations of products, etc., provided by the evaluators, and provides security evaluations. For example, information processing system 1 primarily provides security evaluation services by evaluators. In one embodiment, information processing system 1 consists of one or more devices or components. These components will be described below.

[0017] <Server device 10> Figure 2 is a block diagram showing the hardware configuration of the server device 10 and the user terminal 20. As shown in Figure 2A, the server device 10 comprises a control unit 11, a storage unit 12, a communication unit 13, and a communication bus 14. The control unit 11, the storage unit 12, and the communication unit 13 are electrically connected within the server device 10 via the communication bus 14.

[0018] <Control Unit 11> The control unit 11 performs processing and control of the overall operation related to the server device 10. The control unit 11 is, for example, a Central Processing Unit (CPU). The control unit 11 realizes various functions related to the server device 10 by reading a predetermined program stored in the storage unit 12. That is, the information processing by software stored in the storage unit 12 is specifically realized by the control unit 11, which is an example of hardware, and can be executed as each functional unit included in the control unit 11. These will be described in more detail in the next section. Note that the control unit 11 is not limited to being single, and the server device 10 may have a plurality of control units 11 for each function. Also, the server device 10 may be configured by a combination of these.

[0019] <Storage unit 12> The storage unit 12 stores various information defined by the foregoing description. This can be implemented, for example, as a storage device such as a Solid State Drive (SSD) that stores various programs and the like related to the server device 10 executed by the control unit 11, or as a memory such as a Random Access Memory (RAM) that stores temporarily necessary information (arguments, arrays, etc.) related to the calculation of programs. The storage unit 12 stores various programs, variables, etc. related to the server device 10 executed by the control unit 11.

[0020] <Communication unit 13> The communication unit 13 preferably uses wired communication means such as USB, IEEE1394, Thunderbolt (registered trademark), and wired LAN network communication, but may include wireless LAN network communication, mobile communication such as LTE / 5G, and BLUETOOTH (registered trademark) communication as needed. That is, it is more preferable to implement it as a collection of these plural communication means. That is, the server device 10 may communicate various information from the outside via the communication unit 13 and the network.

[0021] The server device 10 may be on-premises or in a cloud environment. A cloud-based server device 10 may provide the above-mentioned functions and processing in the form of, for example, SaaS (Software as a Service) or cloud computing.

[0022] <Target user device 20> The target terminal 20 is an information processing terminal used by the person being evaluated for security. The "person being evaluated" includes business partners or their representatives who have any form of business relationship with the evaluation user (especially the evaluation requester), such as the provision of goods or services (e.g., provision of cloud services) or the outsourcing of work. The person being evaluated is, for example, a business operator such as a service provider, supplier, or outsourcing organization to the person being evaluated. The "business partner organization" includes primary business partners that receive transactions directly from the person being evaluated, and secondary business partners that receive secondary transactions from primary business partners.

[0023] Furthermore, "organizations" include for-profit corporations (e.g., companies), non-profit corporations (e.g., cooperatives, foundations, etc.), and public corporations (e.g., local governments, etc.).

[0024] As shown in Figure 2B, the target terminal 20 comprises a control unit 21, a storage unit 22, a communication unit 23, an input unit 24, an output unit 25, and a communication bus 26. The control unit 21, storage unit 22, communication unit 23, input unit 24, and output unit 25 are electrically connected within the target terminal 20 via the communication bus 26. The descriptions of the control unit 21, storage unit 22, and communication unit 23 are the same as the descriptions of each part in the server device 10 and are therefore omitted.

[0025] <Input section 24> The input unit 24 receives operation inputs made by the user. The operation inputs are transmitted as command signals to the control unit 21 via the communication bus 26. The control unit 21 can perform predetermined controls or calculations based on the transmitted command signals as needed. The input unit 24 may be included in the housing of the user terminal 20 or it may be an external component. For example, the input unit 24 may be implemented as a touch panel integrated with the output unit 25. When the input unit 24 is implemented as a touch panel, the user can input tap operations, swipe operations, etc. to the input unit 24. Instead of a touch panel, the input unit 24 can be a switch button, mouse, trackpad, QWERTY keyboard, etc.

[0026] <Output section 25> The output unit 25 displays a graphical user interface (GUI) screen that can be operated by the user. The output unit 25 may be included in the casing of the user terminal 20 or it may be an external component. Specifically, the output unit 25 can be implemented as a display device such as a CRT display, liquid crystal display, organic EL display, or plasma display. It is preferable that these display devices be used in accordance with the type of user terminal 20.

[0027] <Evaluator terminal 30> The evaluator terminal 30 is an information processing terminal used by evaluators to evaluate the responses of the person being evaluated. The evaluator is an organization such as a company that conducts security evaluations (for example, a security evaluation company that conducts security evaluations of services such as cloud services, software, etc.) or a person in charge of such an organization. The evaluator conducts the security evaluation of the person being evaluated via the information processing system 1 from the evaluator terminal 30, for example.

[0028] Figure 3 is a block diagram showing the hardware configuration of the evaluator terminal 30 and the user terminal 40. As shown in Figure 3A, the evaluator terminal 30 comprises a control unit 31, a storage unit 32, a communication unit 33, an input unit 34, an output unit 35, and a communication bus 36. The control unit 31, storage unit 32, communication unit 33, input unit 34, and output unit 35 are electrically connected within the evaluator terminal 30 via the communication bus 36. The descriptions of the control unit 31, storage unit 32, communication unit 33, input unit 34, and output unit 35 are the same as the descriptions of each part in the subject terminal 20 and are therefore omitted.

[0029] <User terminal 40> User terminal 40 is an information processing terminal used by evaluation users who utilize services provided by information processing system 1 (for example, response data evaluation service, security report provision service, etc.). "Evaluation users" include evaluation requesters, viewers, etc.

[0030] A "requester for evaluation" is an evaluation user who requests an evaluation of the security of the person being evaluated. This may be, for example, an individual, organization, or a person in charge of such organization that has a business relationship with the person being evaluated. Requesters for evaluation include, for example, evaluation users who are registered with the security evaluation service provided by Information Processing System 1.

[0031] The evaluation requester is an organization or individual that requests a transaction from a trading partner organization (the entity being evaluated), and receives and uses the goods or services provided by the trading partner organization. For example, if the goods or services being traded are physical goods, the evaluation requester is the purchaser of the goods (finished products or parts) manufactured by the trading partner organization. Also, for example, if the goods or services being traded are services, the evaluation requester is a user of the services provided by the trading partner organization (for example, a user of cloud services provided by a cloud service provider). Furthermore, for example, if the goods or services being traded are operations (tasks), the evaluation requester is the client or contractor requesting the operations.

[0032] Applicants for evaluation include not only individuals or organizations that conduct transactions subject to evaluation (such as service use or outsourcing) with the person being evaluated, but also individuals or organizations that request evaluations of specific services. For example, applicants for evaluation may include companies that want to have the security of cloud services they use or are considering using evaluated, or companies that want to verify such evaluations.

[0033] A “viewer” is an individual or organization that uses the results of a security assessment of the person being assessed, conducted at the request of the assessment requester (see, for example, the indicators described below). Viewers are, for example, providers of goods to be used, business partners with whom transactions are planned, or individuals or organizations that seek an assessment of the person being assessed as a candidate for such a business. Viewers may include assessment users who are registered with the security assessment service provided by the Information Processing System 1, and other assessment users who are not registered with the assessment service (for example, assessment users who are not registered with the assessment service but have obtained links to web pages displaying assessments provided by the assessment service that are accessible from outside the assessment service, or to files containing such assessments).

[0034] As shown in Figure 4B, the user terminal 40 comprises a control unit 41, a storage unit 42, a communication unit 43, an input unit 44, an output unit 45, and a communication bus 46. The control unit 41, storage unit 42, communication unit 43, input unit 44, and output unit 45 are electrically connected within the user terminal 40 via the communication bus 46. The descriptions of the control unit 41, storage unit 42, communication unit 43, input unit 44, and output unit 45 are the same as the descriptions of each part in the target terminal 20 and are therefore omitted.

[0035] 2. Functional Configuration This section describes the functional configuration of this embodiment. Information processing by software stored in the memory unit 12 is specifically realized by the control unit 11, which is an example of hardware, and can be executed as each functional unit included in the control unit 11 (at least one processor provided by the information processing system 1).

[0036] Figure 4 is a block diagram showing the functions realized by the server device 10 (control unit 11), the subject terminal 20 (control unit 21), the evaluator terminal 30 (control unit 31), and the user terminal 40 (control unit 41).

[0037] As shown in Figure 4A, the server device 10 (control unit 11) comprises a basic display control unit 111, a response receiving unit 112, an evaluation receiving unit 113, an acquisition unit 114, an index assignment unit 115, a rights granting unit 116, a search unit 117, a report output unit 118, and an artificial intelligence unit 120.

[0038] As shown in Figure 4B, the subject terminal 20 (control unit 21) comprises a display unit 211 and an operation acquisition unit 212. As shown in Figure 4C, the evaluator terminal 30 (control unit 31) comprises a display unit 311 and an operation acquisition unit 312. As shown in Figure 4D, the user terminal 40 (control unit 41) comprises a display unit 411 and an operation acquisition unit 412.

[0039] <Basic display control unit 111> The basic display control unit 111 is configured to display various information on the subject terminal 20, the evaluator terminal 30, and the user terminal 40. For example, the basic display control unit 111 displays the answer input form in which the subject enters their answers, the answers registered by the subject, and the evaluator's evaluation results of the answers on the display unit 211 of the subject terminal 20, the display unit 311 of the evaluator terminal 30, or the display unit 411 of the user terminal 40.

[0040] <Response Reception Department 112> The response receiving unit 112 is configured to create or update response data by receiving input of answers to questions from the person being evaluated. Specifically, the response receiving unit 112 displays a predetermined response input form on the person's terminal 20 for receiving input of answers to security-related questions from the person being evaluated, and registers the answers entered in the response input form as response data.

[0041] The response receiving unit 112 may receive responses from the subject terminal 20 to security-related questions from the subject, along with the designation of the category to be assigned to the response, and add the response data, including the response and category, to the response database. Note that the category is assigned to the entire response data, including multiple responses.

[0042] Furthermore, the response receiving unit 112 does not necessarily have to accept category designations from the person being evaluated. For example, the response receiving unit 112 may present the person being evaluated with questions (response input forms) in which categories have been pre-specified, and register the response data in which the pre-specified categories have been assigned to the answers entered on the person's terminal 20.

[0043] The response data may include not only the response data and information indicating the category, but also the question data. Furthermore, if response data has already been registered for the same question and category, the response receiving unit 112 will replace the response included in the response data with the newly entered response.

[0044] The category is information that indicates the prerequisites for the evaluator's response to the questions (for example, the product, business, or department to which the response applies). In other words, the category is information about the product, business, or department to which the evaluator will enter their response. The evaluator will enter their response to the questions for the product, etc., specified in the category.

[0045] The categories may include the type of goods handled by the person being evaluated, the customers to whom the goods are provided, the types of plans included in the goods, the business that provides the goods, or a combination of these. This allows for different answers to questions to be entered and registered depending on the goods being evaluated, even for the same person being evaluated, and enables the assignment of the indicators described later to each person being evaluated based on the attributes of their goods.

[0046] The service provider being evaluated will input responses according to service attributes such as the type of service (e.g., AI (Artificial Intelligence) service, Recruitment Process Outsourcing (RPO) service, etc.), the recipient of the service (e.g., the name of the organization requesting the evaluation, etc., and other attributes of the evaluation requester), the type of plan (option) included in the service, and the name of the business or department providing the service. In other words, the service provider offering multiple services or plans may input responses for each of these service attributes, and the response receiving unit 112 may register the response data for each service attribute. The input responses are stored as response data, associated with their respective service attributes (categories).

[0047] The "services" provided by the evaluated party include services delivered via the internet, such as SaaS, IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and cloud services. In this case, the "evaluated party" includes cloud service providers, etc. Furthermore, the "services" provided by the evaluated party may also be services provided to business partners, customers, etc.

[0048] "Service type" may be interpreted as "service name" and represents the type, name, etc., of the service that the response is addressing. For example, if the person being evaluated provides Service A and Service B, at least one of "Service A" and "Service B" may be assigned to the response data as the service type. "Type of plan included in the service" refers to one or more types of contract plans set for the same service (e.g., Service A), such as "Standard Plan" and "Premium Plan." Multiple plans set for the same service may differ from each other in terms of available features, usage period, usage fees, etc. Furthermore, even for the same service, different categories may be assigned depending on the service provider, etc.

[0049] Categories may be structured as a combination of main categories and subcategories (hierarchical structure). For example, the type of service may be set as the main category, and the service provider may be set as the subcategory.

[0050] The response receiving unit 112 may, for example, refer to the types of services and plans that the person being evaluated has previously registered as user information in the information processing system 1, and present these to the person's terminal 20 as candidates for a category called "Type of Service" or "Type of Plan Included in the Service," and accept the selection of a category from the person's terminal 20. Alternatively, the response receiving unit 112 may present registered evaluation users in the person being evaluated as candidates for a category called "Service Destination." Registered evaluation users include, for example, organizations that have previously provided reports or documents regarding the person being evaluated in the information processing system 1, or organizations registered by service providers.

[0051] Furthermore, the response receiving unit 112 may accept input (specification) of multiple categories for a single response data. In other words, the response receiving unit 112 may assign multiple categories to a single response data. For example, in the case of a response common to multiple services, multiple service names may be assigned to the response data as categories.

[0052] Furthermore, the response receiving unit 112 does not need to accept category input (specification) for response data that is not category-dependent (i.e., does not fall into a specific category and applies to any service, plan, provider, etc.). The response receiving unit 112 may also accept the specification (input) of an "uncategorized category" for response data that is not category-dependent. For example, the response receiving unit 112 may accept the specification (input) of the category "common" as an uncategorized category.

[0053] The response data includes the evaluator's answers to multiple questions regarding the evaluator's security. The "questions" are items that the evaluator is required to answer and may include, for example, matters concerning the evaluator's own security, the security of the goods or services provided by the evaluator, etc. The "questions" may also include matters concerning the security of other organizations included in the evaluator's supply chain. "Other organizations" include, for example, organizations to which the evaluator outsources its operations (including subcontractors, sub-subcontractors, etc.), and other organizations that the evaluator deals with. The questions may include so-called security checklists.

[0054] The questions may include, for example, those that confirm the status or evaluation of security certifications, service levels, scope of responsibility, security measures within the evaluated entity, handling of data related to the evaluation requester, handling of data managed by the evaluated entity, and service development, maintenance, or operational policies (such as account management) (questions that require answers from the evaluated entity).

[0055] "Response data" consists of the evaluator's answers to multiple questions regarding the security of the service, and is the information that evaluators check and evaluate. Response data may be evaluated only once or multiple times. In other words, evaluation of response data may include an initial evaluation (so-called review), an intermediate evaluation, a final evaluation, etc. The initial and intermediate evaluations are evaluations that are further evaluated after the initial evaluation. Response data may be modified by the evaluator based on the initial or intermediate evaluation. Multiple evaluations may be performed by the same evaluator or by different evaluators (so-called reviewers, etc.). The final evaluation creates an evaluation to be used in a report or document provided to the evaluation user. Furthermore, response data may be evaluated again by the evaluator when it is modified or updated by the evaluator. The evaluator's evaluation results of the response data are used as part of or as reference information in the report or document.

[0056] The responses to each question included in the response data are those entered by the evaluators into the response input form for each question presented in the response input form, and registered in the response database. Responses to a single question may be hierarchical.

[0057] Furthermore, the response receiving unit 112 may accept responses through an interface other than the response input form (for example, uploading a data file containing responses by the person being evaluated) and register these responses as response data in the response database.

[0058] When the response receiving unit 112 updates the representative response data specified by the person being evaluated (described later) based on input from that person, it may also update other response data (hereinafter referred to as "dependent response data") that belong to the same category as the representative response data and are registered by that person, in accordance with the update to the representative response data. This makes it easier to manage the response data of the person being evaluated, as the representative response data used to determine the indicator can be used as master data, and dependent response data can be automatically updated by updating the representative response data.

[0059] "Updating to match updates to representative response data" includes, for example, replacing or updating answers in dependent response data for questions that are identical or similar to answers updated in representative response data.

[0060] <Evaluation Reception Department 113> The evaluation reception unit 113 is configured to receive evaluations from evaluators for the response data registered (created or updated) by the response reception unit 112. For example, the evaluation reception unit 113 registers the evaluated response data along with the evaluation results in a response database or the like. The evaluation results include at least an evaluation value indicating the level of security measures (few vulnerabilities or other problems).

[0061] "Evaluation" refers to the act of checking for deficiencies or inconsistencies in the responses included in the response data, creating comments on the content of the responses, assessing the content of the responses, and scoring the responses based on predetermined criteria. As mentioned above, evaluation may be carried out by multiple evaluators, and the first evaluator may request the second evaluator to evaluate the registered response data. In that case, the evaluation reception unit 113 may accept the evaluation from the second evaluator after the evaluation by the first evaluator.

[0062] For example, if the evaluation is conducted in two stages, the initial evaluation (review) involves checking for deficiencies or inconsistencies, and creating points of concern. Subsequently, the response data after the initial evaluation is evaluated as a final evaluation based on predetermined criteria, including assessment and scoring of the content (responses) and creation of comments on the entire response data. A report or document (e.g., a security report) containing the results is then created. The report or document is created by the final evaluator or by the evaluation unit of the control unit 11. The evaluation unit is configured to generate part or all of the report or document based on the input response data. The evaluation results of the response data may be included in the report or document as part of the report or as reference information. The report or document is transmitted to the user terminal 40 of the evaluation requester who requested the report or document.

[0063] The evaluation reception unit 113 receives input such as characters and sentences to be used for evaluation from the evaluator terminal 30. Typically, evaluation is performed on answer data in which all questions have been answered. Answer data that contains unanswered questions (questions for which answers have not been registered) is not subject to evaluation, and the evaluation reception unit 113 does not need to accept the evaluation. Furthermore, even if answer data contains unanswered questions (questions for which answers have not been registered), only the questions that have been answered may be partially subject to evaluation.

[0064] <Acquisition part 114> The acquisition unit 114 is configured to acquire evaluation values ​​for representative response data selected for each category of response classification from multiple response data created by the person being evaluated (response data registered by the response reception unit 112). The representative response data is the response data referenced to calculate the index for each category.

[0065] For example, if multiple response data created by the person being evaluated are classified into two categories, "Service A" and "Service B" (in other words, each response data is assigned to one of these categories), the acquisition unit 114 acquires the evaluation value of the representative response data in the "Service A" category and the evaluation value of the representative response data in the "Service B" category. In other words, the acquisition unit 114 acquires the evaluation value of the response data selected or designated as representative response data from among multiple response data classified into the same category (for example, "Service A"). Similarly, the acquisition unit 114 also acquires the evaluation value of the response data selected or designated as representative response data for other response data classified into other categories, for each category. By acquiring the evaluation value of representative response data for each category in this way, it is possible to assign indicators to each category, which have different characteristics and tendencies, thereby enabling the evaluation person to be assigned more appropriate indicators.

[0066] Furthermore, multiple response data classified under a single category (for example, "Service A") will have different question content or answer content, and consequently, different evaluation values.

[0067] Furthermore, if a category includes both a main category and a subcategory, the acquisition unit 114 may acquire the evaluation value of a representative response data from among multiple response data with the same main category but different subcategories, or it may acquire the evaluation value of a representative response data from among multiple response data with the same subcategory but different main categories, or it may acquire the evaluation value of a representative response data from among multiple response data with both the main category and subcategory being the same. In addition, the acquisition unit 114 may, for example, receive input from the target terminal 20 for the category from which to acquire the evaluation value of the representative response data.

[0068] The acquisition unit 114 may select the response data with the lowest evaluation value from among the response data classified in the same category as the representative response data. This allows the index assignment unit 115, described later, to assign an index to the person being evaluated based on the response with the lowest evaluation.

[0069] The acquisition unit 114 may use the response data specified by the person being evaluated as representative response data for each category. This allows the person being evaluated to adjust the criteria for determining the indicators assigned by the indicator assignment unit 115, which will be described later.

[0070] The response data specified by the person being evaluated may be selected by the person's terminal 20 from the registered response data, or it may be newly created as representative response data based on the registered response data. In this case, the newly created response data may be created by the person being evaluated, or it may be created by the representative response data creation model included in the artificial intelligence unit 120. The representative response data creation model is a learning model that has been trained to take multiple response data as input and output representative response data.

[0071] Representative response data may be used as the basis for responses when evaluators input different answers for each subcategory (e.g., recipient) within the same category (e.g., the same service provided). Evaluators may create response data for each subcategory by modifying all or part of the responses in the representative response data, depending on the recipient, etc.

[0072] Figure 5 is a schematic diagram illustrating an example of the concept of representative response data. As shown in Figure 5, when multiple response data associated with a particular evaluator are classified into the categories of "Service A" and "Service B," representative response data is selected from each set of response data. In the example in Figure 5, "Response Data A1" is selected as the representative response data for Service A, and "Response Data B1" is selected as the representative response data for Service B. Furthermore, when the representative response data, "Response Data A1," is updated, the other response data for Service A ("Response Data A2" and "Response Data A3") may be automatically updated as dependent response data in accordance with the update of "Response Data A1." In other words, the responses in the dependent response data corresponding to the updated representative response data may be automatically updated. The same applies to the response data for Service B.

[0073] Furthermore, the acquisition unit 114 may acquire evaluation values ​​for multiple representative response data for each category. For example, the acquisition unit 114 may accept the selection of multiple representative response data from the subject terminal 20, or it may select multiple representative response data from response data classified into the same category based on a specific criterion (for example, the three with the lowest evaluation values).

[0074] <Indicator assignment unit 115> The indicator assignment unit 115 is configured to assign an indicator indicating the level of security measures to each person being evaluated, categorized by type, based on the evaluation value of the representative response data acquired by the acquisition unit 114.

[0075] The indicators assigned by the indicator assignment unit 115 are created for each category from which the evaluation values ​​of representative response data have been obtained by the acquisition unit 114. For example, if evaluation values ​​of representative response data have been obtained from two categories, "Service A" and "Service B," the indicator assignment unit 115 assigns the indicator for "Service A" and the indicator for "Service B" to the person being evaluated.

[0076] An "indicator" is information such as a numerical value, keyword, or code that indicates the level of security measures. The indicators assigned to each category of the person being evaluated are registered in the person being evaluated database, for example, as part of the person being evaluated's registration information. The indicator may also be interpreted as a grade or rank, and is displayed on the user terminal 40, etc., in the form of a numerical value, symbol, keyword, or an image indicating the size of the indicator (e.g., a medal, badge, etc.), attached to information about the person being evaluated (information representing the person being evaluated, information representing the person being evaluated's products, or information created by the person being evaluated).

[0077] The indicators are displayed, for example, in the search results from the search unit 117 described later, as well as on the information display screen for the service detection results of IT services used by the evaluation user on the evaluation service of the information processing system 1, and for the service ledger of IT services managed by the evaluation user, along with information about the person being evaluated or the products provided by the person being evaluated.

[0078] The metrics may be made public by the person to whom they are assigned on external services of Information Processing System 1 (for example, a website managed by an external server, the person to whom the metrics are assigned, a Social Networking Service (SNS), etc.). Metrics published on external services will also be displayed on the terminals of external users (i.e., users other than the evaluation user) who do not use or are not registered with the services provided by Information Processing System 1.

[0079] In this way, by making the metrics of the evaluated individuals publicly available to external users, external users can easily and appropriately check the level of security measures (level of security risk) of the evaluated individuals. That is, the evaluation results of the response data (the evaluation value of the level of security measures) themselves will differ depending on the category, such as the service, business, recipient, and whether or not options are available, even for the same evaluated individual. Therefore, if the evaluated individuals themselves select the evaluation values ​​to publish externally from among the evaluation values ​​of multiple categories, there is a possibility of arbitrariness on the part of the evaluated individuals, and the criteria for selecting the evaluation values ​​to publish may differ from one evaluated individual to another, which may lead to misunderstandings and confusion among external users regarding the evaluation individuals' security measures level. In contrast, by publishing metrics for external users based on unified standards for each category, external users can appropriately check the security measures level of the evaluated individuals, as described above.

[0080] The index assignment unit 115 converts the evaluation values ​​of representative response data into an index using, for example, pre-prepared reference information such as functions, conditional expressions, tables, and statistical processing. The "level" represented by the index increases in proportion to the evaluation value. The "level" may also represent the ranking among all those evaluated.

[0081] The index assignment unit 115 may assign an index to the evaluator based on the relative relationship between the evaluation value of the representative response data of the evaluator and the evaluation values ​​of the representative response data of other evaluators. This allows the results of evaluating the level of security measures to be assigned as an index based on relative evaluation (ranking). For example, the index assignment unit 115 may assign an index that directly or indirectly indicates to evaluators who meet conditions such as being in the top 5% in evaluation value ranking or being within the top 100 in evaluation value ranking. Alternatively, the index assignment unit 115 may assign an index based on the relative relationship (ranking) of numerical values ​​(e.g., levels) obtained by converting the evaluation values.

[0082] The "evaluation values ​​of the subjects being evaluated" that the index assignment unit 115 compares (ranks) may be evaluation values ​​of the same or similar categories. The similarity criterion for categories is a threshold for the difference in the features of the two categories (for example, the distance between the vectors obtained by vectorizing the categories). For example, two categories whose difference in features is less than the threshold (for example, whose cosine similarity is greater than or equal to the threshold) are judged to be similar to each other. Vectorization is performed by quantification using known methods such as natural language processing by morphological analysis or encoding. Furthermore, the features of a category may be obtained by referring to a table in which features are defined for each keyword. In addition, category similarity may be determined by referring to a table in which similar categories are defined in advance.

[0083] If the acquisition unit 114 acquires evaluation values ​​for multiple representative response data for a single category, the index assignment unit 115 may assign an index to the person being evaluated based on the level of security measures obtained by statistical processing of the evaluation values ​​of the multiple representative response data acquired by the acquisition unit 114. This improves the reliability of the index because it allows for the statistical determination of the level of security measures. Examples of statistical processing of multiple evaluation values ​​include extracting the maximum value, extracting the minimum value, and calculating the mean or median.

[0084] The index assignment unit 115 may assign an index to the person being evaluated based on the evaluation value of the representative response data acquired by the acquisition unit 114 and other evaluation information about the person being evaluated. This improves the reliability of the index because the index is determined based on evaluations other than the evaluation value of the response data.

[0085] "Other evaluation information" includes, for example, information about the evaluated individuals registered in the evaluated individuals database (registered information), information provided by the evaluated individuals (provided information), and publicly available information about the evaluated individuals on the network.

[0086] The registration information of the person being evaluated, which is referenced as evaluation information, includes, for example, the results of vulnerability detection by a security check program (a vulnerability information scanning program). The information provided by the person being evaluated includes, for example, the existence and content of evidence of security measures (e.g., authentication certificates).

[0087] The vulnerability detection results may include a vulnerability triage level, which is output based on the results of scanning for the presence and type of vulnerabilities in software and systems (including cloud computing services), including open-source software (OSS). The triage level may be expressed in multiple levels, with higher levels indicating a relatively greater need for countermeasures.

[0088] "Public information" refers to information that is publicly available on websites accessible via the internet. The types of websites from which the public information of the evaluated entity is obtained are not limited to those that contain at least some information about the evaluated entity (organization), and include official websites, unofficial websites, and other websites.

[0089] Official websites are websites established by the organization being evaluated and its affiliates, and include, for example, corporate websites, investor relations websites, product websites (product or service websites), brand websites, promotional websites, owned media websites, campaign websites, e-commerce websites, membership websites, recruitment websites, and landing pages. Unofficial websites are websites established by organizations other than the organization being evaluated (external organizations), and include, for example, industry information websites, news websites, economic information websites, and commercial database websites. Unofficial websites include both free and paid access pages. Publicly available information of the organization being evaluated may include, for example, the types of services provided (service categories), the number of service users, and the year of establishment.

[0090] The indicator assignment unit 115 may assign indicators to the person being evaluated that show levels in stages based on the level of security measures. This makes it easier to understand and manage the level of security measures of the person being evaluated. For example, the indicator assignment unit 115 may assign indicators in stages to the person being evaluated, such as gold rank (indicator of a gold medal), silver rank (indicator of a silver medal), and bronze rank (indicator of a bronze medal), in order of increasing level of security measures.

[0091] The tiered indicators (ranks) may be defined by a range of levels (or evaluation values ​​of representative response data). For example, the indicator assignment unit 115 may assign a gold rank to levels of 9 or higher out of 10, a silver rank to levels between 7 and 9, and so on. Alternatively, the tiered indicators may be defined by the rank of the level (or evaluation value of representative response data) within the same category. For example, the indicator assignment unit 115 may assign a gold rank to levels ranked 10th or higher among registered evaluators, a silver rank to levels ranked 20th or higher, and so on.

[0092] The indicator assignment unit 115 may assign an indicator to only those evaluated whose security measures level is above a predetermined level. This makes it easier to identify high-level evaluated individuals, as indicators are assigned only to those evaluated with a high level of security measures. For example, the indicator assignment unit 115 may assign an indicator (gold medal) only to those evaluated with the gold rank mentioned above, and may not assign an indicator to those evaluated at a lower level.

[0093] The indicator assignment unit 115 may periodically update the indicators assigned to the person being evaluated, and may also generate image data representing the indicators, including the date the indicators were assigned or their expiration date. This allows the person being evaluated to continuously improve their security measures, and enables the evaluation user to check the freshness and currentness of the indicators.

[0094] The update period for the indicators assigned by the indicator assignment unit 115 can be, for example, one year, one month, etc. When updating, the acquisition unit 114 acquires the evaluation value of the latest representative response data again, and the indicator assignment unit 115 assigns the indicator to the person being evaluated based on this evaluation value. In addition, the most recent update date and time is displayed as the expiration date of the indicator in the image data of the indicator. The indicator assignment unit 115 may also create, for example, an image data of a medal that has the date of assignment or expiration date of the indicator written on it. Information about the person being evaluated to whom the indicator has been assigned is displayed on the user terminal 40, etc., with the image of the medal attached.

[0095] The indicator assignment unit 115 may assign auxiliary indicators to the person being evaluated based on the change in the evaluation value of the representative response data acquired by the acquisition unit 114, indicating the degree of improvement in security measures. This allows the evaluation user to objectively grasp not only the level of security measures but also the attitude of the person being evaluated towards security measures. Furthermore, it allows the person being evaluated to appeal their attitude towards security measures to the evaluation user.

[0096] The indicator assignment unit 115 may assign an auxiliary indicator to the person being evaluated that shows the lead time to respond, based on the time from the request for answers to the questions to the person being evaluated to the completion of the creation of the response data by the person being evaluated. This allows the evaluation user to objectively understand not only the level of security measures but also the speed of response when a security investigation is requested from the person being evaluated. In addition, the person being evaluated can appeal to the evaluation user about their speed of response.

[0097] "The time from the request for responses to the evaluation subject to the completion of the creation of response data by the evaluation subject" refers, for example, to the time from when the questions (response input form) are sent to the evaluation subject terminal 20 upon receiving a request from the evaluation requester, until the time when all responses to the questions are entered on the evaluation subject terminal 20 and those responses are registered as response data by the response reception unit 112.

[0098] <Rights Granting Section 116> The rights granting unit 116 is configured to grant various rights (benefits) to the person being evaluated, depending on whether or not an indicator has been granted by the indicator granting unit 115, and the type of indicator.

[0099] The rights granting unit 116 may grant rights to the evaluated person in accordance with the contract status of the evaluation service for the evaluated person's response data to which an indicator has been assigned.

[0100] The "Response Data Evaluation Service" is a service provided by Information Processing System 1 that accepts input into the response input form, provides feedback (evaluation) on the responses entered into the response input form, and provides evaluated responses to the evaluation users.

[0101] "Contract status in the evaluation service" refers, for example, to whether or not there is a contract for the evaluation service, or the type of plan contracted for the evaluation service. There are multiple types of plans, for example, depending on the content of the services provided (available functions), usage fees, etc. The types of plans may include free plans. In this case, paid plans may include services such as providing registered response data (sharing of evaluation reports) to evaluation users who are not registered for the evaluation service (i.e., viewers) or external users, and providing support for creating response data using input assistance functions such as AI. Furthermore, "contract status" may include the amount charged according to the use of services in plans contracted on a pay-as-you-go basis. The rights granting unit 116 may grant rights to evaluation subjects who have contracted a predetermined plan (for example, a plan with a monthly usage fee of a predetermined amount or more) or evaluation subjects whose billing amount is a predetermined amount or more.

[0102] The validity period (usable period) of rights granted according to the indicator may be, for example, the same period as the validity period of the indicator, or a period with a grace period added to the validity period. Also, if rights are granted to the person being evaluated according to the contract situation, the validity period of the rights may be the same period as the contract period, or a period with a grace period added to the contract period.

[0103] The rights granting unit 116 may grant the right to acquire image data representing the assigned indicators to the person being evaluated, depending on the contract status of the evaluation service for the person being evaluated's response data. This allows the system to demonstrate the high level of security measures to evaluation users or external users by presenting the image data of the indicators to the evaluation users or external users for evaluations under specific contracts.

[0104] The "right to acquire image data" is, for example, the right to download data of an image representing an indicator (e.g., a medal) to the subject's terminal 20. The person being evaluated can display the downloaded image data on their service site, a website presenting their security measures (policy), etc. These websites may be provided by an external server of the information processing system 1 that is accessible to external users. This allows the person being evaluated to publicly demonstrate their level of security measures.

[0105] Furthermore, the rights granting unit 116 may grant evaluation subjects who have contracted a specific plan (for example, a paid plan) the right to obtain image data of the regular indicators, and may also grant evaluation subjects who have contracted a plan other than the specific plan (for example, a free plan) the right to obtain image data of the indicators with a watermark.

[0106] The rights granting unit 116 may grant a ticket to an evaluated person who has been assigned a predetermined indicator, which allows the evaluated person to request a security investigation of a business partner organization with which they have a business relationship. This can increase the motivation of the evaluated person to improve the level of their own security measures. The "predetermined indicator" is an indicator (for example, a gold rank) that shows that the level of security measures is above a predetermined value.

[0107] The "security survey of trading partner organizations" is conducted as an evaluation service of Information Processing System 1 and includes, for example, sending a response input form to trading partner organizations, evaluation by evaluators of the responses entered by trading partner organizations, and providing the evaluation to the evaluation target (trading partner organization). The tickets granted by the Rights Granting Unit 116 are consumed, for example, when the evaluation target requests a security survey. Requests for security surveys to trading partner organizations may normally be made on a paid basis (for example, by charging for the evaluation service of Information Processing System 1).

[0108] The granting and use of tickets may be carried out, for example, in the following steps. First, in the ticket stock management step, tickets are granted to evaluators who meet certain conditions (e.g., evaluators who have been assigned specific metrics) (specified evaluators). Next, in the investigation request step, a request for a security investigation is sent to a business partner organization selected by the specified evaluator, and the ticket stock of the specified evaluator is reduced based on the receipt of the investigation request or a response to the request. Tickets may be usable not only for investigation requests but also for viewing investigation results, and the ticket stock may be reduced based on the sending of a viewing request from the specified evaluator, the receipt of investigation results, viewing, etc.

[0109] The rights granting unit 116 may grant award rights or event participation rights to evaluation subjects who have been awarded predetermined indicators. Evaluation subjects who have been awarded award rights will be recognized for their efforts in security measures at events, etc. Evaluation subjects who have been awarded event participation rights will be sent an invitation, application link, etc. to a specific event (for example, an event that only evaluation subjects who have been awarded predetermined indicators can participate in). This will help to increase the evaluation subjects' motivation to improve security.

[0110] The rights granting unit 116 may grant improvement support rights to evaluation subjects who have been assigned a predetermined indicator. Evaluation subjects who have been granted improvement support rights can, for example, receive plans to improve security measures, attend special seminars by experts, etc., depending on the rank of their indicator.

[0111] The rights granting unit 116 may grant a fee discount right to an evaluation subject who has been assigned a predetermined indicator. An evaluation subject who has been granted a fee discount right can receive discounts on various fees (monthly usage fees, individual service usage fees, etc.) for the evaluation service of the information processing system 1, for example. In addition, a discount on cyber insurance premiums may be provided to an evaluation subject who has been granted a fee discount right.

[0112] The rights granting unit 116 may accept input from the evaluator, such as setting criteria for the recipients of the evaluation (recipients of distribution) to whom rights will be granted, and selecting recipients of distribution. The rights granting unit 116 may also accept input from the evaluator, such as links to events, seminars, etc., ticket information, and register the benefit information in the database. Furthermore, the rights granting unit 116 may send a message containing the benefit information registered in the database to the recipient's terminal 20. As a result, the benefit information will be displayed on the recipient's terminal 20.

[0113] <Search section 117> The search unit 117 is configured to perform a search for individuals registered in the evaluation target database.

[0114] The search unit 117 searches for individuals to be evaluated based on a search query received from the user terminal 40, for example, and displays the search results for the individuals to be evaluated, including the indicators assigned to them, on the user terminal 40. The search query may include, for example, the product name, the evaluation result (evaluation value) of security measures, the name of the person being evaluated, etc.

[0115] The search unit 117 may search for information on individuals registered in the evaluation target database and perform a search using the indicators assigned to the individuals as the filtering conditions. This makes it possible for evaluation users to search for and select individuals to conduct transactions with based on the indicators.

[0116] Furthermore, the search unit 117 may perform filtering by, for example, product type and filtering by indicator. For example, the search unit 117 may receive product type, indicator, etc., which are to be used as filtering conditions from the user terminal 40. In this case, the search unit 117 will use the category indicator corresponding to the product type to refine the search results.

[0117] The search unit 117 may search for products offered by evaluators registered in the evaluator database, and may prioritize displaying in the search results products of evaluators that have been assigned predetermined indicators in the category corresponding to the product. This makes it easier for evaluation users to select their desired product (goods or services) based on the level of security measures taken by the evaluators.

[0118] For example, the search unit 117 may display products from evaluated individuals that have been assigned a predetermined metric (e.g., a gold rank) higher in the search results than products from other evaluated individuals that have not been assigned the same metric.

[0119] <Report Output Section 118> The report output unit 118 is configured to output a report or document created based on the evaluation received by the evaluation reception unit 113 to the user terminal 40. The report or document includes at least all or part of the response data entered by the person being evaluated and the evaluation results by the evaluator (e.g., evaluation value, comments, etc.).

[0120] <Artificial Intelligence Department 120> The artificial intelligence unit 120 is configured to receive input from each functional unit and return the instructed output. The artificial intelligence used by each functional unit of the server device 10 may be common to all units, or it may be prepared individually for each functional unit.

[0121] The artificial intelligence unit 120 is an AI (Artificial Intelligence) equipped with learning models such as transformers including GPT (Generative Pretrained Transformer, including GPT-1, GPT-2, GPT-3, and GPT-4), BERT (Bidirectional Encoder Representations from Transformers), BART (Bidirectional and Auto-regressive Transformer), and language models such as recurrent neural networks (RNNs), and may include generative AI including large-scale language models. Large-scale language models are a type of generative AI and include models provided by services such as OpenAI's GPT, Google's Gemini, and Microsoft's Azure AI Studio. In addition, the artificial intelligence unit 120 can include any machine learning model, deep learning model, artificial intelligence model, etc.

[0122] The language model is an example of a learning model using a machine learning algorithm. Specific machine learning algorithms include nearest neighbors, naive Bayes, decision trees, support vector machines, and deep learning using neural networks. The artificial intelligence unit 120 can apply the above algorithms as appropriate.

[0123] The artificial intelligence unit 120 may have a trained model constructed by a learning method such as supervised learning, unsupervised learning, or self-supervised learning. In supervised learning, machine learning is performed using training data. Training data consists of pairs of input data and output data (correct answer data) for training. Furthermore, the language model may not only be one trained for a specific task, but also a general-purpose model that can be used universally for a wide range of tasks.

[0124] The artificial intelligence unit 120 may be a general-purpose natural language processing learning model, such as a Large Language Model (LLM), which has learned from a vast amount of data. An LLM is a learning model that has been pre-trained on a large amount of data consisting of text data, etc. (for example, (i) web content on the internet, or (ii) data stored in a predetermined database), and can perform various language processing tasks by being given a task. It can perform a wide range of natural language processing tasks, such as understanding sentence patterns and context, responding to questions, and generating sentences, according to the given prompts. Such a general-purpose learning model includes language models that can handle various tasks without fine-tuning using One-shot Learning or Few-shot Learning. Furthermore, the general-purpose learning model may also be configured to handle various tasks using Zero-shot Learning. The artificial intelligence used in each functional unit of the control unit 11 may be a separate learning model, or it may be a common general-purpose learning model.

[0125] The learning models included in the artificial intelligence unit 120 (such as the representative response data creation model, and other learning models used in each functional unit) can undergo additional learning through transfer learning or fine-tuning. For example, the artificial intelligence unit 120 may perform additional learning and fine-tuning each time new data is registered, using this data as new training data. This improves the accuracy of the information output from the learning model.

[0126] The learning model included in the artificial intelligence unit 120 may be a learning model (distilled model) obtained by knowledge distillation using the original learning model. In knowledge distillation, a pre-trained model, such as a large-scale language model, is used as the teacher model, and the parameters of the student model are adjusted so that the output loss of the student model (distilled model) relative to the output (Soft Target Loss) of the teacher model is small. The student model is then trained, and this student model becomes the distilled model. Alternatively, the student model may be trained so that the output loss of the student model relative to the correct labels (Hard Target) of the teacher data (combinations of input and output data of the learning model) is small. Compared to the original learning model (teacher model), the distilled model has similar performance to the original learning model, but with fewer parameters and a lower processing load. Therefore, using a distilled model can reduce the cost of the information processing system 1.

[0127] For example, the learning model used in each functional unit may be a distilled model that has been trained using combinations of input and output data from a large-scale language model as training data. Alternatively, when the information processing system 1 is introduced, a large-scale language model may be used as the learning model in each functional unit, and once training data from the large-scale language model has been accumulated, the distilled model obtained by knowledge distillation using that training data may be used as the learning model in each functional unit.

[0128] <Display> The display unit 211 of the subject terminal 20, the display unit 311 of the evaluator terminal 30, and the display unit 411 of the user terminal 40 each display the screen indicated by the screen data transmitted from the server device 10.

[0129] <Operation acquisition part> The operation acquisition unit 212 of the target terminal 20 receives operations from the person being evaluated using the target terminal 20. The operation acquisition unit 312 of the evaluator terminal 30 receives operations from the evaluator using the evaluator terminal 30. The operation acquisition unit 412 of the user terminal 40 receives operations from the user being evaluated using the user terminal 40.

[0130] 3. Information Processing Methods This section describes the information processing method of the server device 10. In this information processing method, each part of the server device 10 is executed by a computer as a step.

[0131] This information processing comprises an acquisition step and an indicator assignment step. In the acquisition step, evaluation values ​​for representative response data selected for each category of response classification are obtained from multiple response data created by the person being evaluated. In the indicator assignment step, indicators indicating the level of security measures are assigned to the person being evaluated for each category based on the evaluation values ​​of the acquired representative response data.

[0132] Figure 6 is an activity diagram showing an example of the flow of information processing (index assignment processing) performed by information processing system 1. The information processing will be explained below in accordance with each activity in this activity diagram.

[0133] The indicator assignment process begins with the selection of representative response data by the person being evaluated. The person being evaluated selects and inputs representative response data for each category from the response data on the person's terminal 20 (Activity A101). Alternatively, the server device 10 may perform the selection of representative response data based on predetermined rules. The server device 10 obtains the evaluation value of the selected representative response data from the response database (Activity A102).

[0134] Next, the server device 10 determines the indicators for each category based on the evaluation values ​​of the acquired representative response data (Activity A103). Furthermore, the server device 10 assigns the determined indicators to the evaluated individuals and registers them in the evaluated individuals database (Activity A104). As a result, the evaluated individuals' terminals 20 display information about the indicators (for example, display of the assigned indicators, display of benefits based on the indicators, etc.) (Activity A105).

[0135] 4. Effect The function of this embodiment can be summarized as follows: It can present security evaluation results. Therefore, the security level of the person being evaluated can be confirmed.

[0136] Although embodiments of the present invention have been described above, the present invention is not limited thereto and can be modified as appropriate without departing from the technical spirit of the invention.

[0137] 5. Others In the above embodiment, the server device 10 performed various storage and control functions, but instead of the server device 10, multiple external devices may be used. That is, various information and programs may be stored in a distributed manner across multiple external devices using blockchain technology or the like. In particular, the artificial intelligence unit 120 may be an external configuration of the server device 10. In that case, the external artificial intelligence unit 120 may be provided by, for example, an artificial intelligence service server, and is configured to receive input from each functional unit of the server device 10, receive requests to execute artificial intelligence services, and return the instructed output as a processing result to the server device 10. The artificial intelligence service server may be a server that provides services using a language model as a learning model, or a server that executes language processing tasks using a language model. The artificial intelligence service server may be constructed using an LLM. The artificial intelligence service server receives prompt input in the form of text, images, audio, etc., and generates and responds with answers to the prompts.

[0138] The control unit 11 does not necessarily have to include a rights granting unit 116 and a search unit 117. In other words, the information processing system 1 does not necessarily have to grant rights based on the indicators to the person being evaluated. Furthermore, the information processing system 1 does not necessarily have to include a search function related to the person being evaluated.

[0139] The embodiments of this model are not limited to the information processing system 1, but may also be an information processing method or a program. The information processing method comprises each step executed by the information processing system 1. The program causes a computer to execute each step of the information processing system 1.

[0140] An embodiment of this product may be an index assignment method that includes a step in which an index assessor assigns an index indicating the level of security measures to the person being evaluated for each category, based on the evaluation value of representative response data selected for each category from multiple response data created by the person being evaluated.

[0141] The product may be provided in any of the following embodiments.

[0142] (1) An information processing system comprising at least one processor, wherein the processor is configured to perform the following steps by reading a program, the acquisition step of acquiring an evaluation value of representative response data selected for each category of response classification from a plurality of response data created by the person being evaluated, wherein the response data includes the person being evaluated's answers to questions concerning security, and the index assignment step of assigning an index indicating the level of security measures to the person being evaluated for each category based on the evaluation value of the acquired representative response data.

[0143] (2) An information processing system as described in (1) above, wherein the category is the type of goods handled by the person being evaluated, the recipient of the goods, the type of plans included in the goods, the business that provides the goods, or a combination thereof.

[0144] (3) An information processing system according to (1) or (2) above, wherein in the acquisition step, the evaluation values ​​of a plurality of representative response data are acquired for each category, and in the index assignment step, the index is assigned to the person being evaluated based on the level obtained by statistical processing of the evaluation values ​​of the plurality of acquired representative response data.

[0145] (4) An information processing system according to any one of (1) to (3) above, wherein in the acquisition step, the system selects the response data with the lowest evaluation value from among the response data classified into the same category as the representative response data.

[0146] (5) An information processing system according to any one of (1) to (4) above, wherein the processor is configured to further perform the following steps: in the response reception step, it creates or updates the response data by receiving input of answers to the questions from the person being evaluated; in the acquisition step, for each category, the response data specified by the person being evaluated is used as the representative response data; and in the response reception step, when updating the representative response data, it updates the other response data included in the same category as the representative response data in accordance with the update content of the representative response data.

[0147] (6) An information processing system according to any one of (1) to (5) above, wherein in the index assignment step, the index is assigned to the person being evaluated based on the relative relationship between the evaluation value of the representative response data of the person being evaluated and the evaluation value of the representative response data of other persons being evaluated.

[0148] (7) An information processing system according to any one of (1) to (6) above, wherein in the index assignment step, the index indicating that the level is above a predetermined level is assigned only to the person being evaluated whose level is above a predetermined level.

[0149] (8) An information processing system according to any one of (1) to (7) above, wherein in the index assignment step, the system assigns the index indicating the level in stages to the person being evaluated based on the level.

[0150] (9) An information processing system according to any one of (1) to (8) above, wherein in the index assignment step, the index is assigned to the person being evaluated based on the evaluation value of the representative response data obtained and other evaluation information for the person being evaluated.

[0151] (10) An information processing system according to any one of (1) to (9) above, wherein in the step of assigning an indicator, an auxiliary indicator indicating the degree of improvement in security measures is assigned to the person being evaluated based on the amount of change in the evaluation value of the representative response data obtained.

[0152] (11) An information processing system according to any one of (1) to (10) above, wherein in the step of assigning an indicator, an auxiliary indicator indicating the lead time to answer is assigned to the person being evaluated, based on the time from the time from the time requested from the person being evaluated to answer the questions to the time from the time the person being evaluated completes to create the answer data.

[0153] (12) An information processing system according to any one of (1) to (11) above, wherein the index assignment step includes updating the index assigned to the person being evaluated periodically and generating image data representing the index, including the date of assignment or expiration date of the index.

[0154] (13) An information processing system according to any one of (1) to (12) above, wherein the processor is configured to further perform the following steps, and in the granting step, grants the subject of evaluation the right to acquire image data representing the granted indicator, in accordance with the contract status of the subject of evaluation's response data in the evaluation service.

[0155] (14) An information processing system according to any one of (1) to (13) above, wherein the processor is configured to perform the following steps in the granting step, the granting step grants the person to be evaluated who has been awarded a predetermined indicator a ticket which allows the person to request a security investigation of a trading partner organization with which the person has a business relationship.

[0156] (15) An information processing system according to any one of (1) to (14) above, wherein the processor is configured to perform the following steps in the search step, wherein the search target is the information of the person to be evaluated registered in the database and the search is performed with the indicator as the narrowing condition.

[0157] (16) An information processing system according to any one of (1) to (15) above, wherein the processor is configured to further perform the following steps, wherein in the search step, the search target is the products provided by the person being evaluated that are registered in the database, and the products of the person being evaluated that have been assigned a predetermined index are displayed preferentially in the search results.

[0158] (17) An information processing method comprising each step performed by the information processing system described in any one of (1) to (16) above.

[0159] (18) A program that causes a computer to perform each step of the information processing system described in any one of (1) to (16) above. Of course, this is not always the case.

[0160] Finally, while various embodiments relating to this disclosure have been described, these are presented as examples only and are not intended to limit the scope of the invention. These novel embodiments can be implemented in a variety of other forms, and various omissions, substitutions, and modifications can be made without departing from the spirit of the invention. These embodiments and their variations are included in the scope and spirit of the invention, as well as in the claims and their equivalents. [Explanation of symbols]

[0161] 1: Information Processing System 2: Communication lines 10: Server device 11: Control Unit 12: Storage section 13: Communications Department 14: Communications bus 20: Target user's device 21: Control Unit 22: Storage section 23: Communications Department 24: Input section 25: Output section 26: Communications bus 30: Evaluator terminal 31: Control Unit 32: Storage section 33: Communications Department 34: Input section 35: Output section 36: Communications bus 40: User terminal 41: Control Unit 42: Storage section 43: Communications Department 44: Input section 45: Output section 46: Communications bus 111: Basic Display Control Unit 112: Response Reception Department 113: Evaluation Reception Department 114: Acquisition Department 115: Indicator Assignment Section 116: Rights Granting Department 117: Search Department 118: Report Output Section 120: Artificial Intelligence Department 211:Display section 212: Operation acquisition section 311: Display section 312: Operation acquisition section 411: Display section 412: Operation acquisition section

Claims

1. An information processing system, Equipped with at least one processor, The aforementioned processor is configured to perform the following steps by reading a program: In the acquisition step, the evaluation value of representative response data selected for each category of response classification is obtained from multiple response data created by the person being evaluated, where the response data includes the person being evaluated's answers to security-related questions. An information processing system that, in the indicator assignment step, assigns an indicator indicating the level of security measures to the person being evaluated for each category, based on the evaluation value of the representative response data obtained.

2. In the information processing system described in claim 1, The aforementioned category is an information processing system, which is the type of goods handled by the person being evaluated, the recipient of those goods, the type of plans included in those goods, the business that provides those goods, or a combination thereof.

3. In the information processing system described in claim 1, In the acquisition step, the evaluation values ​​of multiple representative response data are acquired for each category. An information processing system that, in the step of assigning an indicator, assigns the indicator to the person being evaluated based on the level obtained by statistical processing of the evaluation values ​​of the multiple representative response data acquired.

4. In the information processing system described in claim 1, An information processing system that, in the acquisition step, selects the response data with the lowest evaluation value among the response data classified into the same category as the representative response data.

5. In the information processing system described in claim 1, The aforementioned processor is configured to perform the following steps: In the response reception step, the response data is created or updated by receiving input from the person being evaluated to answer the questions. In the acquisition step, for each category, the response data specified by the person being evaluated is used as the representative response data. In the response reception step, when updating the representative response data, the information processing system updates the other response data that are included in the same category as the representative response data, in accordance with the updates to the representative response data.

6. In the information processing system described in claim 1, An information processing system that, in the step of assigning the indicator, assigns the indicator to the person being evaluated based on the relative relationship between the evaluation value of the representative response data of the person being evaluated and the evaluation values ​​of the representative response data of other persons being evaluated.

7. In the information processing system described in claim 1, An information processing system that, in the step of assigning the indicator, assigns the indicator indicating that the level is above a predetermined level only to the person being evaluated whose level is above a predetermined level.

8. In the information processing system described in claim 1, An information processing system that, in the step of assigning indicators, assigns indicators to the person being evaluated, based on the level, indicating the level in stages.

9. In the information processing system described in claim 1, An information processing system that, in the step of assigning the indicator, assigns the indicator to the person being evaluated based on the evaluation value of the representative response data obtained and other evaluation information for the person being evaluated.

10. In the information processing system described in claim 1, An information processing system that, in the step of assigning indicators, assigns an auxiliary indicator to the person being evaluated, based on the amount of change in the evaluation value of the representative response data obtained, indicating the degree of improvement in security measures.

11. In the information processing system described in claim 1, An information processing system that, in the step of assigning indicators, assigns an auxiliary indicator to the person being evaluated that shows the lead time to answer, based on the time from when the person being evaluated is requested to answer the questions to when the person being evaluated completes to create the answer data.

12. In the information processing system described in claim 1, An information processing system that, in the step of assigning indicators, periodically updates the indicators assigned to the person being evaluated, and generates image data representing the indicators, including the date of assignment or expiration date of the indicators.

13. In the information processing system described in claim 1, The aforementioned processor is configured to perform the following steps: In the rights granting step, an information processing system grants the person being evaluated the right to acquire image data representing the assigned indicator, according to the contract status of the person being evaluated in the evaluation service for the person's response data.

14. In the information processing system described in claim 1, The aforementioned processor is configured to perform the following steps: An information processing system that, in the rights granting step, grants a ticket to the person being evaluated who has been assigned the predetermined indicator, allowing the person being evaluated to request a security investigation of a business partner organization with which they have a business relationship.

15. In the information processing system described in claim 1, The aforementioned processor is configured to perform the following steps: The information processing system performs a search in the search step, using the information of the person being evaluated, which is registered in the database, as the search target, and using the aforementioned indicator as a filtering condition.

16. In the information processing system described in claim 1, The aforementioned processor is configured to perform the following steps: An information processing system that, in the search step, searches for products offered by the evaluated person registered in the database, and prioritizes the display of the evaluated person's products that have been assigned predetermined indicators in the search results.

17. Information processing method, An information processing method comprising each step performed by the information processing system according to any one of claims 1 to 16.

18. It is a program, A program for causing a computer to perform each step of the information processing system described in any one of claims 1 to 16.