Information processing method, information processing device, and program

The method addresses the challenge of selecting appropriate security documents for risk assessment by grouping and determining documents based on predefined methods, enhancing the efficiency and accuracy of vulnerability evaluations.

WO2026126659A1 · PCT designated stage · Publication Date: 2026-06-18 · PANASONIC INTELLECTUAL PROPERTY MANAGEMENT CO LTD

Patent Information

Authority / Receiving Office: WO · WO
Patent Type: Applications
Current Assignee / Owner: PANASONIC INTELLECTUAL PROPERTY MANAGEMENT CO LTD
Filing Date: 2025-10-23
Publication Date: 2026-06-18

AI Technical Summary

Technical Problem

Existing technologies struggle to determine the most appropriate security document when multiple documents describe the same vulnerability, leading to inconsistent and time-consuming risk assessments.

Method used

An information processing method that groups security documents by vulnerability type, selects one or more documents using predefined determination methods based on basic items, and outputs risk factor information, ensuring consistency and appropriateness.

Benefits of technology

Enables the selection of the most appropriate security document for risk assessment, improving the efficiency and accuracy of vulnerability evaluations.

Generated by Eureka AI based on patent content.


Abstract

In this information processing method, a plurality of security documents each including information regarding product vulnerabilities is acquired, the plurality of security documents are grouped according to a described vulnerability type (S20), one or more security documents from two or more security documents belonging to one group are determined with respect to a basic item in risk factor information (S40), risk factor information is outputted that includes, as risk information, information based on the one or more security documents determined with respect to the basic item of risk factor information (S50), and for the determination of the one or more security documents, a determination method corresponding to the basic item is determined from among a plurality of determination methods, and the one or more security documents are determined from among two or more security documents by using the determined determination method.

Description

Information Processing Method, Information Processing Apparatus, and Program 【0001】 The present disclosure relates to an information processing method, an information processing apparatus, and a program. 【0002】 In recent years, cyberattacks such as unauthorized access via a network have become a serious problem. To counter cyberattacks, for example, it has been considered to find information about similar cyberattacks from SNS (Social Networking Service) or the like and use it as a reference. For example, Patent Document 1 discloses a technique for reflecting the evaluation of posts on SNS in the reliability of information related to a cyberattack in order to utilize the evaluation of posts on SNS in the analysis of information related to a cyberattack. Further, for example, Patent Document 2 discloses a technique for calculating the degree of influence on an organization regarding an event of a cyberattack using campaign information. 【0003】 Japanese Patent No. 6933112 Japanese Patent No. 6977577 【0004】 By the way, when there are a plurality of security documents describing the same vulnerability and there are different security documents for one vulnerability, it may not be possible to determine which security document should be used. 【0005】 Therefore, the present disclosure provides an information processing method, an information processing apparatus, and a program capable of determining a more appropriate security document when there are different security documents for one vulnerability. 
【0006】An information processing method according to one aspect of the present disclosure is an information processing method that outputs risk factor information for evaluating security vulnerabilities of a product, wherein the risk factor information includes basic items indicating risk factor items and risk information including information relating to the risks of the basic items, and obtains a plurality of security documents, each containing information relating to the vulnerabilities of the product, groups the plurality of security documents according to the type of vulnerability described, determines one or more security documents from two or more security documents belonging to a group for the basic items of the risk factor information, outputs the risk factor information which includes information based on the one or more security documents determined for the basic items of the risk factor information, and there are a plurality of determination methods for determining one or more security documents from two or more security documents, in determining one or more security documents, a determination method corresponding to the basic items is determined from the plurality of determination methods, and the one or more security documents are determined from two or more security documents using the determined determination method. 
【0007】An information processing device according to one aspect of the present disclosure is an information processing device that outputs risk factor information for evaluating security vulnerabilities of a product, wherein the risk factor information includes basic items indicating risk factor items and risk information including information relating to the risks of the basic items, and comprises an acquisition unit that acquires a plurality of security documents, each containing information relating to the vulnerabilities of the product, a grouping unit that groups the plurality of security documents according to the type of vulnerability described, a determination unit that determines one or more security documents from two or more security documents belonging to a group for the basic items of the risk factor information, and an output unit that outputs the risk factor information including information based on the one or more security documents determined for the basic items of the risk factor information, wherein there are a plurality of determination methods for determining one or more security documents from two or more security documents, the determination unit determines a determination method from the plurality of determination methods according to the basic items, and uses the determined determination method to determine one or more security documents from two or more security documents. 【0008】 A program relating to one aspect of this disclosure is a program that causes a computer to execute the above-described information processing method. 【0009】 According to one aspect of this disclosure, it is possible to realize an information processing method that can determine the most appropriate security document when different security documents exist for a single vulnerability. 【0010】Figure 1 is a diagram showing the configuration of the information processing system according to Embodiment 1. 
Figure 2 is a block diagram showing the functional configuration of the risk factor information analysis unit according to Embodiment 1. Figure 3 is a diagram showing the information stored in the storage unit according to Embodiment 1. Figure 4A is a diagram showing the risk factor adoption means information according to Embodiment 1. Figure 4B is a diagram showing a list of security documents according to Embodiment 1. Figure 4C is a diagram showing a group of risk factor information according to Embodiment 1. Figure 5 is a flowchart showing the operation of the information processing system according to Embodiment 1. Figure 6 is a sequence diagram showing an overview of the operation of step S10 shown in Figure 5. Figure 7 is a flowchart showing the detailed operation of step S10 shown in Figure 5. Figure 8 is a sequence diagram showing an overview of the operation of steps S20 to S50 shown in Figure 5. Figure 9 is a flowchart showing the detailed operation of step S20 shown in Figure 5. Figure 10 is a diagram showing a list of grouped security documents according to Embodiment 1. Figure 11 is a flowchart showing the detailed operation of step S30 shown in Figure 5. Figure 12 is a diagram showing a list of security documents to which risk factor information according to Embodiment 1 has been added. Figure 13 is a flowchart showing the detailed operation of step S40 shown in Figure 5. Figure 14 is a flowchart showing the detailed operation of step S44 shown in Figure 13. Figure 15 is a diagram showing the risk factor items according to Embodiment 1. Figure 16 is a flowchart showing the detailed operation of step S120 shown in Figure 14. Figure 17 is a flowchart showing the detailed operation of step S126 shown in Figure 16. Figure 18 is a flowchart showing the detailed operation of step S500 shown in Figure 17. Figure 19A is a flowchart showing the detailed operation of step S503 shown in Figure 18. 
Figure 19B is a flowchart showing the detailed operation of step S505 shown in Figure 18. Figure 19C is a flowchart showing the detailed operation of step S507 shown in Figure 18. Figure 19D is a flowchart showing the detailed operation of step S509 shown in Figure 18. Figure 19E is a flowchart showing the detailed operation of step S511 shown in Figure 18. Figure 19F is a flowchart showing the detailed operation of step S512 shown in Figure 18. Figure 20A is a first table showing the relationship between risk factor items and risk factor adoption means according to Embodiment 1. Figure 20B is a second table showing the relationship between risk factor items and risk factor adoption means according to Embodiment 1. Figure 21 is a table for explaining the security document to be determined according to Embodiment 1. Figure 22 is a flowchart showing the detailed operation of step S50 shown in Figure 5. Figure 23 is a flowchart showing the operation of the information processing system according to Embodiment 2. Figure 24 is a flowchart showing the detailed operation of step S60 shown in Figure 23. Figure 25 is a table for explaining the security document to be determined according to Embodiment 2. Figure 26 is a flowchart showing the operation of the information processing system according to Embodiment 3. Figure 27 is a table for explaining the security document to be determined according to Embodiment 3. Figure 28 is a flowchart showing the operation of the information processing system according to Embodiment 4. Figure 29 is a table for explaining the security document to be determined according to Embodiment 4. Figure 30 is a flowchart showing the operation of the information processing system according to Embodiment 5. Figure 31 is a table for explaining the security document to be determined according to Embodiment 5. Figure 32 is a diagram showing the detailed operation according to Embodiment 6, corresponding to step S60 shown in Figure 23. 
Figure 33 is a table illustrating the security document to be determined according to Embodiment 6. Figure 34 is a diagram illustrating the detailed operation according to Embodiment 7, corresponding to step S120 shown in Figure 15. Figure 35 is a flowchart illustrating the detailed operation of step S129 shown in Figure 34. Figure 36 is a table illustrating the security document to be determined according to Embodiment 7. Figure 37 is a diagram illustrating the configuration of the information processing system according to Embodiment 8. 【0011】 (Background to this disclosure) Before explaining this disclosure, we will explain the background to this disclosure. 【0012】As mentioned in the "Background Technology" section above, cyberattacks such as unauthorized access via networks have become a serious problem in recent years. Therefore, product sales organizations are required to continue addressing vulnerabilities even after product shipment as part of their cybersecurity measures. One way to address vulnerabilities is to conduct vulnerability risk assessments based on product vulnerability information. 【0013】 Vulnerability information can be classified into structured data and unstructured data. Analyzing unstructured data primarily requires manual effort, making risk assessment time-consuming. Furthermore, there is a need to efficiently extract the information necessary for risk assessment (also referred to as risk factor information) from unstructured security documents written in natural language. Structured data is data where the file format is defined, and the location of information is known. Unstructured data is data without a defined file format, and the location of information is unknown. Examples of unstructured data include, but are not limited to, news articles, magazine articles, newspapers, and company reports. 
【0014】 Incidentally, when multiple security documents describe the same vulnerability, and there is conflicting risk factor information for that single vulnerability, it can be difficult to decide which information to adopt. To conduct an accurate risk assessment, it is desirable to select the most appropriate security document. 【0015】 However, Patent Documents 1 and 2 do not disclose how to determine the more appropriate security document when different security documents exist for a single vulnerability. 【0016】 Therefore, in this disclosure, we have diligently considered information processing methods that can determine the more appropriate security document when different security documents exist for a single vulnerability, and have devised the following information processing methods. 【0017】An information processing method according to a first aspect of this disclosure is an information processing method that outputs risk factor information for evaluating security vulnerabilities of a product, wherein the risk factor information includes basic items indicating risk factor items and risk information including information relating to the risks of the basic items, and obtains a plurality of security documents, each containing information relating to the vulnerabilities of the product, groups the plurality of security documents according to the type of vulnerability described, determines one or more security documents from two or more security documents belonging to a group for the basic items of the risk factor information, outputs the risk factor information which includes information based on the one or more security documents determined for the basic items of the risk factor information, and there are a plurality of determination methods for determining one or more security documents from two or more security documents, in determining one or more security documents, a determination method corresponding to the basic items is determined from the plurality of 
determination methods, and the determination of one or more security documents from two or more security documents is made using the determined determination method. 【0018】 This allows for the selection of one or more security documents from two or more security documents based on a determination method corresponding to basic items. In other words, this determination method can be used to select the appropriate security document from two or more security documents based on the basic items. Therefore, it is possible to realize an information processing method that can determine the more appropriate security document when different security documents exist for a single vulnerability. 【0019】 Furthermore, for example, the information processing method according to the second aspect is the information processing method according to the first aspect, wherein in determining the one or more security documents, one security document is determined from the two or more security documents belonging to the one group for the basic items of the risk factor information, and in outputting the risk factor information, the risk factor information is output which includes information based on the one security document determined for the basic items of the risk factor information. 【0020】 This allows a single, more appropriate security document to be determined for each basic item. 【0021】 Furthermore, for example, the information processing method according to the third aspect is the information processing method according to the second aspect, wherein in outputting the risk factor information, the risk factor information may be output in which a string containing a word extracted from the one security document determined for the basic item of the risk factor information is included as the risk information for the basic item of the risk factor information. 
【0022】 This allows a string from the single security document that has been determined to be included in the risk information, making it possible to output risk factor information that includes more appropriate strings. 【0023】 Furthermore, for example, the information processing method according to the fourth aspect is an information processing method according to any of the first to third aspects, wherein the risk factor information includes a plurality of basic items and risk information for each of the plurality of basic items, and a single security document is determined for each of the plurality of basic items based on the security documents determined for each of the plurality of basic items of the risk factor information, and in outputting the risk factor information, the risk factor information is output that includes a string containing a word extracted from the single security document as the risk information for each of the plurality of basic items of the risk factor information. 【0024】 This allows risk information for multiple basic items to be extracted from a single determined security document, thereby improving the consistency of risk information included in multiple basic items. 【0025】 Furthermore, for example, the information processing method according to the fifth aspect is an information processing method according to the fourth aspect, in which the number of identical security documents is counted for each basic item among the two or more security documents, and the security document with the highest count value is determined to be the one security document for the multiple basic items. 【0026】 This allows the security document to be adopted to be determined by majority vote. 
【0027】 Furthermore, for example, the information processing method according to the sixth aspect is the information processing method according to the fourth aspect, wherein each basic item of the risk factor information is assigned a weight for determining a security document, and one security document for the risk factor information is determined from among the security documents determined for each basic item based on the weight. 【0028】 This allows for the selection of security documents to be determined using weights. 【0029】 Furthermore, for example, the information processing method according to the seventh aspect is an information processing method according to the fourth aspect, in which, if there are two or more candidate security documents for one of the basic items of the risk factor information, the security document for that one basic item may be determined from the candidate security documents based on whether or not there is a contradiction with the security document already determined for the other basic items. 【0030】 This ensures that security documents that are consistent with already determined security documents are selected, allowing for the determination of even more appropriate security documents. 【0031】 Furthermore, for example, the information processing method relating to the eighth aspect is an information processing method relating to any of the first to seventh aspects, wherein the basic item of the risk factor information includes one or more detailed items, the determination method is determined for each of the one or more detailed items of the basic item, and in outputting the risk factor information, the risk factor information is output which includes information based on one or more security documents determined for the one or more detailed items of the basic item of the risk factor information. 
【0032】 This allows for the determination of appropriate security documents for specific, more detailed items, even when determining security documents for those detailed items. 【0033】 Furthermore, for example, the information processing method according to the ninth aspect is an information processing method according to the eighth aspect, in which a security document for the basic item may be determined based on the security document determined for each of the one or more detailed items included in the basic item. 【0034】 This allows for the determination of the appropriate security document for each basic item by using multiple security documents. 【0035】 Furthermore, for example, the information processing method according to the tenth aspect is an information processing method according to the eighth aspect, wherein the risk factor information includes a plurality of basic items, each containing one or more detailed items, and risk information for each of the one or more detailed items included in each of the plurality of basic items, and a single security document for the plurality of basic items may be determined based on the security documents determined for each of the one or more detailed items included in each of the plurality of basic items. 【0036】 This allows for consistency in the risk information for each basic item. 【0037】 Furthermore, for example, the information processing method according to the 11th aspect is an information processing method according to the 10th aspect, in which the one security document for each of the plurality of basic items may be directly determined based on the security documents determined for each of the one or more detailed items included in each of the plurality of basic items. 【0038】 This allows security documents for each basic item to be obtained with less computation. 
【0039】 Furthermore, for example, the information processing method according to the 12th aspect is an information processing method according to the 10th aspect, wherein in each of the plurality of basic items, a security document for the basic item is determined from among the security documents determined for each of the one or more detailed items included in the basic item, and the one security document for the plurality of basic items is determined based on the security documents determined for each of the plurality of basic items. 【0040】 As a result, the risk information for each detailed item can be made consistent. 【0041】 Further, for example, the information processing method according to the 13th aspect is an information processing method according to any one of the 4th to 7th aspects, and the plurality of basic items of the risk factor information may include at least two of a threat of a cyber attack, a target of the cyber attack, damage caused by the cyber attack, and a countermeasure against the cyber attack. 【0042】 As a result, a security document for at least two of a threat, a target of attack, damage, and a countermeasure can be appropriately determined. 【0043】 Further, for example, the information processing method according to the 14th aspect is an information processing method according to any one of the 1st to 13th aspects, and the basic items and the determination method adopted among the plurality of determination methods may be preset. 【0044】 As a result, a security document can be determined using a determination method more suitable for each basic item. 
【0045】 Further, for example, the information processing method according to the 15th aspect is an information processing method according to the 13th aspect, and for the threat, as the determination method, a latest date method of adopting a security document with the latest creation date and time is preset, and for the target of attack and the countermeasure, as the determination method, a specificity-emphasized method of adopting a security document with the largest number of proper nouns among the extracted risk information is preset, and for the damage, as the determination method, a party-information-priority method of adopting a security document in which the organization to which the document creator belongs matches the organization related to the vulnerability may be preset. 【0046】 As a result, a security document for at least two of a threat, a target of attack, damage, and a countermeasure can be appropriately determined using a preset determination method. 【0047】 Further, for example, the information processing method according to the 16th aspect is the information processing method according to the 13th aspect or the 15th aspect, wherein the threat includes, as detailed items of the threat, an attack method indicating the method of the cyber attack and an attack difficulty indicating the difficulty level of the cyber attack, and the attack target includes, as detailed items of the attack target, an attack purpose indicating the purpose of the cyber attack, a product of a damage target indicating the product targeted by the cyber attack, a utilization record indicating the record of the information leaked by the cyber attack being misused, and an assumed damage assumed to occur by the cyber attack. 【0048】 Thus, security documents for at least two of the attack method, attack difficulty, attack purpose, damage target, utilization record, and assumed damage can be appropriately determined. 
【0049】 Further, for example, the information processing method according to the 17th aspect is the information processing method according to the 16th aspect, wherein for the attack method, as the determination method, a past adoption record method of adopting the security document most frequently adopted as risk information in the past is preset, and for the attack difficulty, as the determination method, a latest date method of adopting the security document with the latest creation date and time may be preset. 【0050】 Thus, security documents for the attack method and attack difficulty can be appropriately determined using the preset determination method. 【0051】 Further, for example, the information processing method according to the 18th aspect is the information processing method according to the 16th aspect or the 17th aspect, wherein for the attack purpose and the product of the damage target, a specificity-emphasized method of adopting the security document with the largest number of proper nouns among the extracted risk information is preset, for the utilization record, a party-information-priority method of adopting the security document in which the organization to which the document creator belongs matches the organization related to the vulnerability is preset, and for the assumed damage, a maximum-risk method of adopting the security document including the risk information with the greatest risk may be preset. 【0052】 Thus, security documents for the attack purpose, the product of the damage target, the utilization record, and the assumed damage can be appropriately determined using the preset determination methods. 
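The per-item determination methods preset in 【0045】 and the majority vote of 【0025】 can be exercised together on a small group of documents. The following Python is an added example, not code from the patent or its applicant; the `SecurityDoc` fields, the capitalized-token proper-noun count, the latest-date fallback when no creator organization matches, the newest-document tie-break, and the sample documents are all assumptions constructed for illustration.

```python
"""Per-item security document selection followed by a majority vote."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass
class SecurityDoc:
    doc_id: str
    vuln_id: str      # vulnerability the document describes (grouping key)
    created: date     # creation date taken from document metadata
    author_org: str   # organization the document creator belongs to
    related_org: str  # organization related to the vulnerability
    risk_info: dict   # basic item -> risk string extracted from the document


def count_proper_nouns(text):
    # Assumption: a token after the first that starts with an uppercase
    # letter counts as a proper noun. A real system would use a POS tagger.
    return sum(1 for tok in text.split()[1:] if tok[:1].isupper())


def latest_date(docs, item):
    """Latest date method: adopt the most recently created document."""
    return max(docs, key=lambda d: d.created)


def specificity_emphasized(docs, item):
    """Adopt the document whose extracted text has the most proper nouns."""
    return max(docs, key=lambda d: count_proper_nouns(d.risk_info.get(item, "")))


def party_information_priority(docs, item):
    """Adopt a document whose creator's organization matches the organization
    related to the vulnerability. Assumption: if none (or several) match,
    fall back to the latest date among the remaining candidates."""
    party = [d for d in docs if d.author_org == d.related_org]
    return latest_date(party or docs, item)


# Preset mapping of basic item -> determination method, as in [0045].
PRESET = {
    "threat": latest_date,
    "attack_target": specificity_emphasized,
    "damage": party_information_priority,
    "countermeasure": specificity_emphasized,
}


def group_by_vulnerability(docs):
    """Step S20: group documents that describe the same vulnerability."""
    groups = defaultdict(list)
    for doc in docs:
        groups[doc.vuln_id].append(doc)
    return dict(groups)


def determine_per_item(group):
    """Step S40: pick one document per basic item with its preset method."""
    return {item: method(group, item) for item, method in PRESET.items()}


def majority_document(per_item):
    """[0025]: the document adopted for the most basic items wins.
    Assumption: ties are broken in favour of the newest document."""
    counts = Counter(d.doc_id for d in per_item.values())
    top = max(counts.values())
    tied = [d for d in per_item.values() if counts[d.doc_id] == top]
    return max(tied, key=lambda d: d.created)


def risk_factor_information(group, single_document=False):
    """Step S50: emit risk information per basic item with its source."""
    per_item = determine_per_item(group)
    if single_document:
        winner = majority_document(per_item)
        per_item = {item: winner for item in per_item}
    return {item: {"source": d.doc_id, "risk": d.risk_info.get(item, "")}
            for item, d in per_item.items()}


# Constructed sample documents (not real advisories or identifiers).
SAMPLE_DOCS = [
    SecurityDoc("A1", "VULN-A", date(2025, 1, 10), "ExampleCorp", "ExampleCorp", {
        "threat": "remote code execution via crafted request",
        "attack_target": "the ExampleCam X100 firmware",
        "damage": "camera takeover confirmed by vendor",
        "countermeasure": "update to ExampleCam Firmware 2.1"}),
    SecurityDoc("A2", "VULN-A", date(2025, 3, 2), "NewsSite", "ExampleCorp", {
        "threat": "exploit code is now public",
        "attack_target": "network cameras",
        "damage": "possible video leak",
        "countermeasure": "apply the patch"}),
    SecurityDoc("A3", "VULN-A", date(2025, 2, 1), "ResearchLab", "ExampleCorp", {
        "threat": "authentication bypass suspected",
        "attack_target": "some cameras",
        "damage": "unknown",
        "countermeasure": "restrict network access"}),
    SecurityDoc("B1", "VULN-B", date(2025, 2, 20), "NewsSite", "OtherCorp", {
        "threat": "denial of service", "attack_target": "routers",
        "damage": "outage", "countermeasure": "reboot"}),
]

if __name__ == "__main__":
    group = group_by_vulnerability(SAMPLE_DOCS)["VULN-A"]
    for item, info in risk_factor_information(group).items():
        print(f"{item:15} <- {info['source']}: {info['risk']}")
    print("single document:", majority_document(determine_per_item(group)).doc_id)
```

With per-item selection the threat comes from the newest document while the other three items come from the vendor's document; passing `single_document=True` takes all four items from the majority winner, which trades freshness on one item for consistency across items.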
【0053】 Furthermore, an information processing device according to one aspect of the present disclosure is an information processing device that outputs risk factor information for evaluating security vulnerabilities of a product, wherein the risk factor information includes basic items indicating risk factor items and risk information including information relating to the risks of the basic items, and comprises an acquisition unit that acquires a plurality of security documents, each containing information relating to the vulnerabilities of the product, a grouping unit that groups the plurality of security documents according to the type of vulnerability described, a determination unit that determines one or more security documents from two or more security documents belonging to a group for the basic items of the risk factor information, and an output unit that outputs the risk factor information including information based on the one or more security documents determined for the basic items of the risk factor information, wherein there are a plurality of determination methods for determining one or more security documents from two or more security documents, the determination unit determines a determination method according to the basic items from the plurality of determination methods, and uses the determined determination method to determine one or more security documents from two or more security documents. Furthermore, a program according to one aspect of the present disclosure is a program for causing a computer to execute an information processing method according to any of the first to eighteenth aspects. 【0054】 This produces the same effect as the information processing method described above. 
【0055】 These general or specific embodiments may be implemented using a system, method, integrated circuit, computer program, or a non-transitory recording medium such as a computer-readable CD-ROM, or any combination of a system, method, integrated circuit, computer program, or recording medium. The program may be pre-stored on the recording medium or supplied to the recording medium via a wide-area communication network, including the Internet. 【0056】 The embodiments will be described in detail below with reference to the drawings. 【0057】 The embodiments described below are all general or specific examples. The numerical values, shapes, components, arrangement and connection configurations of components, steps, and the order of steps shown in the following embodiments are examples only and are not intended to limit this disclosure. Furthermore, any components in the following embodiments that are not described in an independent claim will be described as optional components. 【0058】 Furthermore, each figure is a schematic diagram and not necessarily a strictly accurate representation. Therefore, for example, the scale may not necessarily match in each figure. Also, in each figure, substantially identical components are given the same reference numerals, and redundant explanations may be omitted or simplified. 【0059】 Furthermore, in this specification, terms indicating relationships between elements such as agreement, as well as numerical values and numerical ranges, are not expressions that represent only strict meanings, but also expressions that include substantially equivalent ranges, for example, differences of a few percent (or about 10%). 【0060】 Furthermore, in this specification, ordinal numbers such as "first," "second," etc., do not mean the number or order of components unless otherwise specified, but are used to avoid confusion and to distinguish similar components. 
【0061】 (Embodiment 1) The information processing system according to this embodiment will be described below with reference to Figures 1 to 22. 【0062】 [1. Configuration of the Information Processing System] First, the configuration of the information processing system according to this embodiment will be explained with reference to Figures 1 to 4C. Figure 1 is a diagram showing the configuration of the information processing system according to this embodiment. 【0063】 As shown in Figure 1, the information processing system comprises a server 100, an information source 200, and an information terminal 400. The server 100 can obtain security documents from the information source 200. The information source 200 is exemplified by, but is not limited to, web articles, academic papers, and bulletin boards. The server 100 stores in advance a URL (Uniform Resource Locator) for connecting to the information source 200. The server 100 and the information terminal 400 are connected to communicate via a communication network 300. Communication between the server 100 and the information terminal 400 may be performed by wired communication or by wireless communication. 【0064】 Server 100 is an information processing device that executes processing (information processing method) for outputting risk factor information for evaluating vulnerabilities related to the security (cybersecurity) of a product. The risk factor information includes risk factor values contained in one or more security documents, which are determined by the determination method described later, from among the risk factor values contained in each security document. The risk factor information includes basic risk factor items that indicate the items of risk factors, and risk factor values that include information about the risk for said basic risk factor items. The basic risk factor items are examples of basic items. 
【0065】 The product may be a device containing software, or it may be the software itself (e.g., an OS (Operating System) or an application). The product may also have the ability to connect to a communication network, such as the Internet. 【0066】 Server 100 comprises a security document acquisition unit 110, a security document storage unit 120, and a risk factor information analysis unit 130. Server 100 may also be a cloud server. 【0067】 Security documents are documents that contain information about cybersecurity, and include, but are not limited to, historical information including past cybersecurity achievements (e.g., technical reports), academic papers, and patent documents. Security documents may also be structured data. 【0068】 The security document acquisition unit 110 acquires multiple security documents from multiple information sources 200 (for example, information sources A to C). Each of the multiple security documents contains information about product vulnerabilities. The security document acquisition unit 110 may also acquire document metadata of the security documents, including information source, creation date and time, and number of characters. The security document acquisition unit 110 may be configured to include, for example, a communication circuit (or communication module). 【0069】 The security document storage unit 120 is a storage device that stores security documents acquired by the security document acquisition unit 110. The security document storage unit 120 is composed of a non-volatile storage device (SSD (Solid State Drive) or HDD (Hard Disk Drive)), etc. 【0070】 The Risk Factor Information Analysis Unit 130 is a processing unit that generates risk factor information for evaluating product vulnerabilities using multiple security documents stored in the Security Document Storage Unit 120. 
Specifically, the Risk Factor Information Analysis Unit 130 outputs risk factor information for each identical vulnerability from multiple security documents. The Risk Factor Information Analysis Unit 130 may be implemented as a standalone information processing device (security document analysis device). 【0071】 The information terminal 400 is a terminal device owned by an analyst or other personnel. The information terminal 400 may be a PC (personal computer), a smartphone, a tablet device, or the like. 【0072】 The information terminal 400 includes at least an output unit 410. The output unit 410 outputs risk factor information acquired from the server 100 to the analyst. The output unit 410 may be implemented by a display device such as a liquid crystal display device, or by a sound output device such as a speaker. 【0073】 Here, the functional configuration of the risk factor information analysis unit 130 will be explained with reference to Figures 2 to 4C. 【0074】Figure 2 is a block diagram showing the functional configuration of the risk factor information analysis unit 130 according to this embodiment. Note that Figure 2 shows an exemplary functional configuration of the risk factor information analysis unit 130, and the functional configuration of the risk factor information analysis unit 130 is not limited to Figure 2. 【0075】 As shown in Figure 2, the risk factor information analysis unit 130 comprises a communication unit 131, a vulnerability extraction unit 132, a risk factor information extraction unit 133, an adoption information determination unit 134, a risk factor information output unit 135, and a storage unit 136. 
The functions of the communication unit 131, the vulnerability extraction unit 132, the risk factor information extraction unit 133, the adoption information determination unit 134, and the risk factor information output unit 135 are realized, for example, by a processor such as the CPU (Central Processing Unit) of the risk factor information analysis unit 130 executing a program stored in the memory of the risk factor information analysis unit 130. 【0076】 The communication unit 131 is a processing unit that retrieves security documents from the security document storage unit 120. The communication unit 131 is an example of a retrieval unit that retrieves security documents. 【0077】 The vulnerability extraction unit 132 is a processing unit that extracts the vulnerability described in each security document obtained via the communication unit 131 and groups multiple security documents according to the type of vulnerability (e.g., vulnerability type) based on the extracted vulnerabilities. The vulnerability extraction unit 132 groups security documents that describe the same vulnerability into the same group. Each group contains one or more security documents. The following description assumes that each group contains multiple security documents. The vulnerability extraction unit 132 is an example of a grouping unit. 【0078】 The risk factor information extraction unit 133 extracts risk factor information (i.e., risk factor items and risk factor values), which is information necessary for risk assessment, from the security document. 【0079】 The adoption information determination unit 134 is a processing unit that determines which security document's risk factor information (e.g., risk factor values) to adopt from among multiple security documents grouped by vulnerability. The adoption information determination unit 134 is an example of a determination unit.
【0080】 The risk factor information output unit 135 is a processing unit that outputs acquired risk factor information. The risk factor information output unit 135 may be configured to include, for example, a communication circuit (or a communication module). The risk factor information output unit 135 is an example of an output unit. 【0081】 The storage unit 136 is a storage device that stores various information for generating and outputting risk factor information for evaluating product vulnerabilities. The storage unit 136 is composed of a non-volatile storage device (SSD or HDD), but may also be composed of a volatile storage device. 【0082】 The security document storage unit 120 and the storage unit 136 may be separate devices or an integrated device. 【0083】 Figure 3 is a diagram showing the information stored in the storage unit 136 according to this embodiment. Figure 4A is a diagram showing the risk factor adoption means information 136a according to this embodiment. Figure 4B is a diagram showing a list of security documents 136b according to this embodiment. Figure 4C is a diagram showing the risk factor information group 136c according to this embodiment. Note that in Figure 4C, the security documents 136b are shown in a grouped state. 【0084】 As shown in Figure 3, the storage unit 136 stores risk factor adoption means information 136a, security documents 136b, and a group of risk factor information 136c. 【0085】 As shown in Figure 4A, the risk factor adoption means information 136a includes information about the decision methods by which the adoption information determination unit 134 decides which security document's risk factor information to adopt. The risk factor adoption means information 136a includes the name of the risk factor adoption means and a description of the risk factor adoption means. 【0086】 The name of the risk factor adoption means is information that identifies the decision method.
In the example in Figure 4A, six decision methods are included: the majority voting method, the past adoption performance method, the latest date method, the risk maximization method, the specificity-focused method, and the party information priority method. Note that the decision methods are not limited to these six and may include other decision methods. Also, there should be at least two decision methods. Thus, there are multiple decision methods for determining one or more security documents from two or more security documents. 【0087】 The description of the risk factor adoption means describes each decision method and indicates which security document's risk factor information will be adopted. 【0088】 As shown in Figure 4B, security document 136b is a security document obtained via the communication unit 131, and includes, for example, documents 1 to 5. The storage unit 136 also stores document metadata for security document 136b. Document metadata includes information source, creation date and time, number of characters, etc. Document metadata may also be obtained via the communication unit 131. 【0089】 As shown in Figure 4C, the risk factor information group 136c includes multiple pieces of risk factor information (risk factor information X1 to X3, Y1 and Y2). Each piece of risk factor information includes a risk factor item and a risk factor value. As will be described in detail later, the risk factor items include "threat". If the risk factor item is a threat, the corresponding risk factor value includes information about the specific threat contained in the security document. The risk factor value is information extracted from the security document and is an example of risk information. Risk information includes strings containing words (i.e., character information) extracted from the security document. 【0090】 Risk factor information X1 is risk factor information extracted from one security document.
Similarly, risk factor information X2 is risk factor information extracted from another security document. 【0091】A "same vulnerability group" refers to a group of security documents describing the same vulnerability, and is grouped by the vulnerability extraction unit 132. The risk factor information group 136c contains one or more same vulnerability groups. Furthermore, one or more security documents belong to each same vulnerability group. If a same vulnerability group contains multiple security documents, there are the same number of risk factor information entries. 【0092】 [2. Operation of the Information Processing System] Next, the operation of the information processing system configured as described above will be explained with reference to Figures 5 to 22. Figure 5 is a flowchart of the operation (information processing method) of the information processing system according to this embodiment. Figure 5 shows the processing performed by the server 100. 【0093】 As shown in Figure 5, the server 100 (mainly the risk factor information analysis unit 130) executes a security document acquisition step (S10), an identical vulnerability grouping processing step (S20), a risk factor information extraction processing step (S30), a risk factor information adoption decision processing step (for example, deciding which security documents to adopt for each basic risk factor item) (S40), and a risk factor information output step (S50). 【0094】 Step S10 is the process of obtaining security documents from multiple information sources. In step S10, multiple security documents are obtained. Step S20 is the process of extracting vulnerabilities to be described from the security documents and then grouping the security documents based on whether or not they describe the same vulnerability. Step S30 is the process of extracting risk factor information from the security documents. Each step will be explained in detail below. 
【0095】 Figure 6 is a sequence diagram showing an overview of the operation (information processing method) of step S10 shown in Figure 5. Figure 6 shows the flow of information in the security document acquisition step. Figure 7 is a flowchart showing the detailed operation (information processing method) of step S10 shown in Figure 5. 【0096】As shown in Figure 6, the security document acquisition unit 110 connects to the information source 200 and acquires security documents. The security document acquisition unit 110 also stores the acquired security documents by outputting them to the security document storage unit 120. Alternatively, the security document acquisition unit 110 may read security documents from the security document storage unit 120. 【0097】 As shown in Figure 7, the security document acquisition unit 110 acquires all of the information sources 200 to be acquired (S11). In other words, the security document acquisition unit 110 acquires information indicating the information sources 200 that store cybersecurity-related information. 【0098】 The security document acquisition unit 110 may acquire input from the user regarding all information sources 200, or it may acquire all information sources 200 based on a list of information sources 200. The list includes information indicating the information source 200 and information indicating whether or not a security document was acquired from the information source 200. The list may be stored in the security document storage unit 120. 【0099】 Next, the security document acquisition unit 110 determines whether or not there are any unacquired information sources 200 (S12). 
The security document acquisition unit 110 may also determine whether or not there are any unacquired information sources 200 by checking whether or not the information sources 200 to be acquired include information sources other than the information sources 200 from which security documents stored in the security document storage unit 120 have been acquired. 【0100】 Next, if the security document acquisition unit 110 determines that there are unacquired information sources 200 (YES in S12), it selects one of the unacquired information sources 200 (S13), acquires a security document from the selected information source 200, and stores it in the security document storage unit 120 (S14). 【0101】 Next, the security document acquisition unit 110 changes the status of the selected information source 200 to acquired (S15). 【0102】Furthermore, if the security document acquisition unit 110 determines that there are no unacquired information sources 200 (NO in S12), it terminates the process. 【0103】 The process in step S10 may be performed periodically, for example, or whenever the information in the information source 200 is updated. Also, "not acquired" in step S12 may mean that a security document has not been acquired from the information source 200, or that a security document has been acquired from the information source 200 but it is not the latest security document (i.e., the latest security document has not been acquired). 【0104】 Figure 8 is a sequence diagram showing an overview of the operation (information processing method) of steps S20 to S50 shown in Figure 5. Step S20 shows the flow of information in the same vulnerability grouping step, and step S30 shows the flow of information in the risk factor information extraction step. Furthermore, step S40 shows the flow of information in the risk factor information adoption decision step, and step S50 shows the flow of information in the risk factor information output step. 
【0105】 As shown in Figure 8, step S20 is a process in which the vulnerability extraction unit 132 reads the security documents stored in the storage unit 136, performs vulnerability grouping to combine security documents showing the same vulnerability into one group, and stores the same vulnerability group information showing the grouping result in the storage unit 136. 【0106】 Step S30 indicates a process in which the risk factor information extraction unit 133 extracts risk factor information from the security document and stores the extracted risk factor information in the storage unit 136. 【0107】 Step S40 indicates the process in which the adoption information determination unit 134 determines which security document's risk factor information to adopt, and stores the resulting adopted security document information in the storage unit 136. 【0108】 Step S50 indicates the process by which the risk factor information output unit 135 acquires the adopted security document information and risk factor information from the storage unit 136. Based on the acquired adopted security document information and risk factor information, the risk factor information output unit 135 generates and outputs comprehensive risk factor information. 【0109】 Next, the process of step S20 will be explained with reference to Figures 9 and 10. 【0110】 Figure 9 is a flowchart showing the detailed operation (information processing method) of step S20 shown in Figure 5. The same vulnerability grouping process shown in Figure 9 is performed periodically (for example, every day), but it may also be performed each time a security document is acquired. 【0111】 As shown in Figure 9, the vulnerability extraction unit 132 reads all acquired security documents (S21). In other words, the vulnerability extraction unit 132 acquires all security documents stored in the storage unit 136.
【0112】 Next, the vulnerability extraction unit 132 determines whether or not there are security documents for which vulnerability extraction has not been performed (S22). The vulnerability extraction unit 132 may perform the determination in step S22 using a table that indicates whether or not vulnerability extraction processing has been performed for each security document. 【0113】 Next, if the vulnerability extraction unit 132 determines that there are security documents for which vulnerability extraction has not yet been performed (YES in S22), it selects one of the security documents for which vulnerability extraction has not yet been performed (S23) and extracts vulnerabilities from the selected security document (S24). In other words, the vulnerability extraction unit 132 extracts what type of vulnerability the selected security document describes. The vulnerability extraction unit 132 may also use natural language processing or the like to extract the type of vulnerability. The type of vulnerability may be a type (or category) classified using a management number by a country, a specialized organization, etc., or it may be the type or version of the OS or software, etc. 【0114】Next, the vulnerability extraction unit 132 determines whether or not there are other security documents that describe the same vulnerability (S25). 【0115】 If the vulnerability extraction unit 132 determines that there are other security documents that describe the same vulnerability (YES in S25), it adds the security document from which the vulnerability was extracted in step S24 to the existing group of identical vulnerabilities (S26). In other words, the vulnerability extraction unit 132 manages security documents that describe the same vulnerability by associating them with a single group. 
【0116】 Furthermore, if the vulnerability extraction unit 132 determines that no security document describes the same vulnerability (NO in S25), it creates a new vulnerability group and assigns the security document to it (S27). 【0117】 Next, the vulnerability extraction unit 132 changes the status of the security document in the table to "extracted" (S28). 【0118】 Furthermore, if the vulnerability extraction unit 132 determines that there are no security documents for which vulnerability extraction has not yet been performed (NO in S22), that is, if the status of each security document included in the table is that vulnerability extraction has been performed, the unit terminates processing. 【0119】 Furthermore, the vulnerability extraction unit 132 periodically performs the above processing. 【0120】 Furthermore, there is no particular limit to the number of groups that can be created. 【0121】 Figure 10 is a diagram showing a list of grouped security documents according to this embodiment. 【0122】 Figure 10 shows an example where documents 1-3 are grouped into group X (same vulnerability group X) and documents 4 and 5 are grouped into group Y (same vulnerability group Y). 【0123】 Next, the process of step S30 will be explained with reference to Figures 11 and 12. Figure 11 is a flowchart showing the detailed operation (information processing method) of step S30 shown in Figure 5. 【0124】 As shown in Figure 11, the risk factor information extraction unit 133 extracts risk factor information from the security document (S31). The method for extracting risk factor information is not particularly limited, but examples include methods using natural language processing or machine learning models. 【0125】 The risk factor information includes one or more (for example, multiple) risk factor items.
The risk factor information extraction unit 133 extracts a description of the content corresponding to each risk factor item (an example of a risk factor value) from the security document for each risk factor item. 【0126】 Figure 12 shows a list of security documents to which risk factor information according to this embodiment has been added. An example is shown in which the risk factor items of the risk factor information include threat, target, damage, and countermeasures. Each of the items, threat, target, damage, and countermeasures, is also referred to as the basic risk factor item. In Figure 12, "..." indicates the risk factor value corresponding to the basic risk factor item. 【0127】 Threats refer to potential cyberattacks on the network within the product (e.g., an in-vehicle network). Threats may include, for example, the attacker's identification information and the type of attack (e.g., data breach, equipment failure (e.g., DoS (Denial of Service), financial fraud, etc.)). Targets of attacks refer to components within the product that are targeted by cyberattacks (e.g., infrastructure equipment). Damages refer to the name of the organization or company that suffered the cyberattack. Countermeasures refer to the measures taken against the cyberattack in the event of a cyberattack. 【0128】 As shown in Figure 12, information (risk factor values) for each item is extracted from each document. The risk factor information includes combinations of risk factor items and risk factor values. 【0129】Figure 12 illustrates an example where the risk factor items in the risk factor information include basic risk factor items. However, each basic risk factor item may also include detailed risk factor items, which are further subdivided into one or more sub-items. In the following sections, we will mainly describe examples where the risk factor items in the risk factor information include detailed risk factor items. 
Detailed risk factor items will be discussed later with reference to Figure 15. Detailed risk factor items are just one example of detailed items. 【0130】 Next, the process of step S40 will be explained with reference to Figures 13 to 21. Figure 13 is a flowchart showing the detailed operation (information processing method) of step S40 shown in Figure 5. 【0131】 As shown in Figure 13, the adoption information determination unit 134 acquires all of the same vulnerability group (S41). Using Figure 12 as an example, the adoption information determination unit 134 acquires information indicating groups X and Y. 【0132】 Next, the adoption information determination unit 134 determines whether or not there are any identical vulnerability groups that have not yet been adopted (S42). The adoption information determination unit 134 may perform the determination in step S42 using a table that shows whether or not an adoption decision process has been performed for each identical vulnerability group. 【0133】 If the adoption information determination unit 134 determines that there are identical vulnerability groups that have not yet been adopted (YES in S42), it selects one from among the identical vulnerability groups that have not yet been adopted (S43). 【0134】 Next, the adoption information determination unit 134 performs the adoption decision of risk factor information within the same vulnerability group (S44). For each risk factor item, the adoption information determination unit 134 determines which security document's risk factor information from among the multiple security documents included in the same vulnerability group to adopt. 【0135】 Next, when the processing in step S44 is executed, the adoption information determination unit 134 changes the status of the same vulnerability group in the table to "adopted" (S45). 
【0136】 Furthermore, if the adoption information determination unit 134 determines that there are no identical vulnerability groups for which adoption has not been decided (NO in S42), it terminates the process. 【0137】 Figure 14 is a flowchart showing the detailed operation (information processing method) of step S44 shown in Figure 13. The process shown in Figure 14 is executed for each same vulnerability group. 【0138】 As shown in Figure 14, the adoption information determination unit 134 acquires all security documents included in the same vulnerability group (S110). Using Figure 12 as an example, if the same vulnerability group is group X, the adoption information determination unit 134 acquires only documents 1 to 3 out of documents 1 to 5 (i.e., all security documents belonging to group X). 【0139】 Next, the adoption information determination unit 134 makes an adoption decision for each risk factor item (S120). Figure 15 is a diagram showing the risk factor items according to this embodiment. The table shown in Figure 15 may be stored in, for example, the storage unit 136. 【0140】 As shown in Figure 15, the risk factor items include not only basic risk factor items but also detailed risk factor items. Detailed risk factor items for threats include attack methods and attack difficulty. Detailed risk factor items for targets include attack objectives, target products, past exploitation, and anticipated damage. Detailed risk factor items for damage include actual damage. Detailed risk factor items for countermeasures include patch release status. 【0141】 Furthermore, each risk factor item only needs to include at least one basic risk factor item. 【0142】 Here, the operation of step S120 shown in Figure 14 will be explained with reference to Figure 16. Figure 16 is a flowchart showing the detailed operation (information processing method) of step S120 shown in Figure 14.
【0143】 As shown in Figure 16, the adoption information determination unit 134 acquires all the risk factor items subject to the adoption decision (S121). For example, the adoption information determination unit 134 acquires the basic risk factor items and the detailed risk factor items shown in Figure 15. 【0144】 Next, the adoption information determination unit 134 determines whether or not there are risk factor items for which the security document to be adopted is undecided (S122). In other words, the adoption information determination unit 134 determines whether or not there are items for which a security document has not been determined for the risk factor item. 【0145】 If the adoption information determination unit 134 determines that there are risk factor items for which the security document to be adopted is undecided (YES in S122), it selects one of the undecided risk factor items (S123). For example, the adoption information determination unit 134 selects one detailed risk factor item as an undecided risk factor item. 【0146】 Next, the adoption information determination unit 134 acquires security documents containing risk factor values corresponding to the selected risk factor item (S124), and determines whether there are two or more acquired security documents (S125). 【0147】 If the adoption information determination unit 134 determines that there are two or more acquired security documents (YES in S125), it makes an adoption decision for cases where there are multiple risk factor information items (S126). If it determines that there are not two or more acquired security documents (NO in S125), it adopts the single security document (S127). In step S126, if there are multiple security documents that are candidates for adoption for a single risk factor item, a process is performed to select one of the security documents.
【0148】 Next, when the processing in step S126 or S127 is executed, the adoption information determination unit 134 changes the status of the risk factor item in the table to "adopted" (S128). 【0149】 Furthermore, if the adoption information determination unit 134 determines that there are no risk factor items for which the security document to be adopted is undecided (NO in S122), it terminates the process. 【0150】 Here, the operation of step S126 shown in Figure 16 will be explained with reference to Figure 17. Figure 17 is a flowchart showing the detailed operation (information processing method) of step S126 shown in Figure 16. 【0151】 As shown in Figure 17, the adoption information determination unit 134 acquires all risk factor values corresponding to the risk factor item (S200) and determines whether all risk factor values match (S300). Here, "match" is not limited to an exact match; it may also mean a substantial match or the inclusion of common information. 【0152】 If the adoption information determination unit 134 determines that all risk factor values match (YES in S300), it adopts one of the security documents (S400). The adoption information determination unit 134 may adopt any one security document, or it may adopt one security document using a pre-set method. If the adoption information determination unit 134 determines that not all risk factor values match (NO in S300), it determines the security documents according to the risk factor adoption means (S500). Determining the security documents according to the risk factor adoption means signifies adopting the security documents determined using the risk factor adoption means. 【0153】 Figure 18 is a flowchart showing the detailed operation (information processing method) of step S500 shown in Figure 17. Figures 19A to 19F are flowcharts showing the detailed operation (information processing method) of each adoption decision process. Note that the process shown in Figure 18 is executed for each risk factor item.
For example, if a risk factor item consists only of basic risk factor items, the process shown in Figure 18 is executed for each basic risk factor item, and if a risk factor item includes detailed risk factor items, the process shown in Figure 18 is executed for each detailed risk factor item. Also, in Figure 18, the risk factor adoption means is also referred to as the adoption means. 【0154】As shown in Figure 18, the adoption information determination unit 134 executes a process to acquire risk factor adoption means corresponding to risk factor items (S501). The adoption information determination unit 134 may, for example, acquire a table from the storage unit 136 that associates risk factor items with risk factor adoption means. 【0155】 Figures 20A and 20B are tables showing the relationship between risk factor items and risk factor adoption methods according to this embodiment. Note that the relationship between risk factor items and risk factor adoption methods shown in Figures 20A and 20B is an example and is not limited thereto. 【0156】 Figure 20A shows a table where the risk factor items consist only of basic risk factor items, with a one-to-one correspondence between the basic risk factor items and the means (determination method) for adopting the risk factor. 【0157】 Specifically, for threats, the latest date method is pre-configured as the determination method, which uses the security document with the most recent creation date. This is because obtaining the latest information allows for accurate capture of threat information, which tends to change significantly over time, and is useful for risk assessment. 【0158】 Furthermore, a specificity-focused method is pre-configured for determining attack targets. This method selects the security document with the highest number of proper nouns among the extracted risk factors. 
This is because risk assessment requires as much information as possible about the attack, and obtaining information that is specifically described allows for a more accurate risk assessment. 【0159】 Furthermore, for damage, the party information priority method is pre-configured as the determination method; it uses security documents where the organization to which the document creator belongs matches the organization related to the vulnerability. This is because documents made public by the parties involved are primary information and are therefore expected to be accurate as risk factor information. 【0160】 Furthermore, for countermeasures, the specificity-focused method is pre-configured as the determination method; it selects the security document with the highest number of proper nouns among the extracted risk factors. This is because obtaining specific countermeasure information allows for its effective use within the organization. 【0161】 Figure 20B shows a table where the risk factor items include basic risk factor items and detailed risk factor items, with a one-to-one correspondence between the detailed risk factor items and the means of adopting the risk factor. 【0162】 Threats include attack methods and attack difficulty as detailed risk factor items. Attack methods indicate the methods of cyberattacks, and attack difficulty indicates the difficulty of cyberattacks (e.g., the degree of threat). For attack methods, the past adoption performance method is pre-configured as the determination method. This is because it is determined based on the reliability of security documents (past reliability), allowing for the acquisition of accurate risk factor information. Similarly, for attack difficulty, the latest date method is pre-configured as the determination method. 【0163】 The attack target includes detailed risk factor items such as the attack objective, the target product, past exploitation, and anticipated damage.
The attack objective indicates the purpose of the cyberattack (e.g., data leakage, equipment failure, financial fraud), the target product indicates the product targeted by the cyberattack, past misuse indicates how information leaked through the cyberattack has been misused, and anticipated damage indicates the predicted damage from the cyberattack. As for the determination method, a specificity-focused method is pre-set for the attack objective and the target product, and a party information priority method is pre-set for past misuse. Furthermore, a risk maximization method is pre-set as the determination method for anticipated damage. This is because it allows for consideration of the worst-case scenario in risk management. 【0164】 Damage includes actual damage as a detailed risk factor item. Actual damage indicates the actual damage caused by cyberattacks. The party information priority method is pre-set as the determination method for actual damage. 【0165】 The countermeasures include patch release status as a detailed risk factor item. Patch release status indicates the status of additional programs distributed in response to defects in the software, etc. A specificity-focused method is pre-set for patch release status. 【0166】 The adoption information determination unit 134 obtains the risk factor adoption means for each risk factor item from the table in Figure 20A or Figure 20B. 【0167】 Referring again to Figure 18, the adoption information determination unit 134 determines whether the adoption method is the past usage method (S502). If it determines that the adoption method is the past usage method (YES in S502), it makes an adoption decision using the past usage method (S503). If it determines that the adoption method is not the past usage method (NO in S502), it proceeds to step S504. 
【0168】 Next, when the adoption information determination unit 134 proceeds to step S504, it determines whether the adoption method is the latest date method (S504). If it determines that the adoption method is the latest date method (YES in S504), it makes an adoption decision using the latest date method (S505). If it determines that the adoption method is not the latest date method (NO in S504), it proceeds to step S506. 【0169】 Next, when the adoption information determination unit 134 proceeds to step S506, it determines whether the adoption method is the risk maximization method (S506). If it determines that the adoption method is the risk maximization method (YES in S506), it makes an adoption decision using the risk maximization method (S507). If it determines that the adoption method is not the risk maximization method (NO in S506), it proceeds to step S508. 【0170】 Next, when the adoption information determination unit 134 proceeds to step S508, it determines whether the adoption method is the specificity-focused method (S508). If it determines that the adoption method is the specificity-focused method (YES in S508), it makes an adoption decision using the specificity-focused method (S509). If it determines that the adoption method is not the specificity-focused method (NO in S508), it proceeds to step S510. 【0171】 Next, when the adoption information determination unit 134 proceeds to step S510, it determines whether the adoption method is the party information priority method (S510). If it determines that the adoption method is the party information priority method (YES in S510), it makes an adoption decision using the party information priority method (S511). If it determines that the adoption method is not the party information priority method (NO in S510), it makes an adoption decision using the majority vote method (S512). 【0172】 Each adoption decision is explained below. 
【0173】 As shown in Figure 19A, in step S503, the adoption information determination unit 134 decides to adopt the security document that has been adopted most frequently as a risk factor value among multiple security documents in the past (S503a). 【0174】 As shown in Figure 19B, in step S505, the adoption information determination unit 134 decides to adopt the security document with the most recent creation date and time among the multiple security documents (S505a). 【0175】 As shown in Figure 19C, in step S507, the adoption information determination unit 134 decides to adopt the security document with the highest risk factor value among the multiple security documents (S507a). 【0176】 As shown in Figure 19D, in step S509, the adoption information determination unit 134 decides to adopt the security document that has the highest number of proper nouns among the extracted risk factor values from among the multiple security documents (S509a). 【0177】 As shown in Figure 19E, in step S511, the adoption information determination unit 134 decides to adopt a security document whose creator matches the organization related to the vulnerability (S511a). 【0178】 As shown in Figure 19F, in step S512, the adoption information determination unit 134 decides to adopt the security document with the highest number of risk factor values among the multiple security documents by majority vote (S512a). 【0179】 The above process determines the security documents to be adopted for each risk factor item (S130). Figure 21 is a table illustrating the security documents to be determined according to this embodiment. Figure 21 shows the case where the risk factor item consists only of basic risk factor items. 【0180】 As shown in Figure 21, for each basic risk factor, candidate security documents (e.g., Documents 1-3), the means of adopting the risk factor, and the security documents adopting the basic risk factor are associated. 
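The dispatch of Figure 18 with the Figure 20A table, as an added Python example that is not code from the patent. The `SecurityDoc` fields, the capitalised-token count standing in for proper-noun extraction, the fallback when no party document exists, and the three sample documents are assumptions, constructed so that the result matches the adoptions described for Figure 21 in paragraph 【0185】.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass
class SecurityDoc:              # field names are assumptions of this example
    name: str
    created: date
    author_org: str
    past_adoptions: int         # how often this source was adopted before
    risk_score: float           # numeric risk factor value, assumed comparable
    values: dict                # risk factor item -> extracted description


def proper_noun_count(text):
    # Stand-in for proper-noun extraction (assumption): capitalised tokens,
    # skipping the sentence-initial one.
    tokens = [t.strip(".,;:()") for t in text.split()]
    return sum(1 for t in tokens[1:] if t[:1].isupper())


def past_usage(docs, item, org):                    # S503a
    return max(docs, key=lambda d: d.past_adoptions)


def latest_date(docs, item, org):                   # S505a
    return max(docs, key=lambda d: d.created)


def risk_maximization(docs, item, org):             # S507a
    return max(docs, key=lambda d: d.risk_score)


def specificity_focused(docs, item, org):           # S509a
    return max(docs, key=lambda d: proper_noun_count(d.values[item]))


def majority_vote(docs, item, org):                 # S512a
    top_value, _ = Counter(d.values[item] for d in docs).most_common(1)[0]
    return next(d for d in docs if d.values[item] == top_value)


def party_information_priority(docs, item, org):    # S511a
    for d in docs:
        if d.author_org == org:
            return d
    # The text does not cover the case where no party document exists;
    # falling back to the majority vote is an assumption.
    return majority_vote(docs, item, org)


# Figure 20A: one determination method per basic risk factor item.
ADOPTION_METHOD = {
    "threat": latest_date,
    "attack target": specificity_focused,
    "damage": party_information_priority,
    "countermeasures": specificity_focused,
}


def adopt(item, docs, org):
    # S501 looks the method up; S502 to S512 fall through to the majority vote.
    return ADOPTION_METHOD.get(item, majority_vote)(docs, item, org)


def adopt_all(docs, org):
    return {item: adopt(item, docs, org).name for item in ADOPTION_METHOD}


# Constructed sample group: three documents describing the same vulnerability.
VENDOR = "ExampleCam Inc."
DOCS = [
    SecurityDoc("Document 1", date(2025, 3, 10), "ExampleCam Inc.", 2, 7.5, {
        "threat": "remote code execution over the network",
        "attack target": "a network camera",
        "damage": "no exploitation confirmed",
        "countermeasures": "apply the vendor update",
        "affected versions": "1.0 to 1.4"}),
    SecurityDoc("Document 2", date(2025, 1, 5), "Example CERT", 9, 9.8, {
        "threat": "remote code execution",
        "attack target": "cameras made by ExampleCam",
        "damage": "credential theft reported",
        "countermeasures": "update the firmware",
        "affected versions": "1.0 to 1.4"}),
    SecurityDoc("Document 3", date(2025, 2, 20), "Example Research Lab", 4, 8.1, {
        "threat": "command injection",
        "attack target": "the ExampleCam X100 firmware on Linux",
        "damage": "credential theft reported",
        "countermeasures": "install ExampleCam firmware Release-7 and disable Telnet",
        "affected versions": "1.0 to 1.2"}),
]

if __name__ == "__main__":
    for item, doc in adopt_all(DOCS, VENDOR).items():
        print(f"{item}: {doc}")
```

An item missing from the table, such as the constructed "affected versions", falls through to the majority vote, which mirrors the NO branch of S510.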
【0181】 In this way, for each basic item of risk factor information, one or more security documents are selected from two or more security documents belonging to a single group. For example, a determination method is individually selected from among multiple determination methods according to each basic item, and using the determined determination method, one or more security documents are selected from two or more security documents for each basic item. 【0182】 Next, the process of step S50 will be explained with reference to Figure 22. Figure 22 is a flowchart showing the detailed operation (information processing method) of step S50 shown in Figure 5. 【0183】 As shown in Figure 22, the risk factor information output unit 135 acquires risk factor information of the adopted security documents according to the level of the defined risk factor items (S51), and outputs the acquired risk factor information to the information terminal 400 (S52). It can also be said that the risk factor information output unit 135 outputs risk factor information that includes information based on one or more security documents determined for each basic item of risk factor information (in this case, information extracted from one security document) as risk factor values. 【0184】 The level of risk factor items is determined by whether the risk factor items consist only of basic risk items or whether they include both basic risk items and detailed risk items. Figure 21 shows the level where the risk factor items consist only of basic risk items. 【0185】 The risk factor information output unit 135 outputs, for example, if a threat is involved, the description of the threat in document 1, which has been decided to be adopted according to the latest date method, as risk factor information for that threat. 
The risk factor information output unit 135 also outputs, for example, if an attack target is involved, the description of the attack target in document 3, which has been decided to be adopted according to the specificity-focused method, as risk factor information for that attack target. The risk factor information output unit 135 also outputs, for example, if damage is involved, the description of the damage in document 1, which has been decided to be adopted according to the party information priority method, as risk factor information for that damage. The risk factor information output unit 135 also outputs, for example, if countermeasures are involved, the description of the countermeasures in document 3, which has been decided to be adopted according to the specificity-focused method, as risk factor information for those countermeasures. 【0186】 As a result, the risk factor information output unit 135 can output information including risk factor information for each risk factor item. 【0187】 (Embodiment 2) The information processing system according to this embodiment will be described below with reference to Figures 23 to 25. In the following description, the differences from Embodiment 1 will be the main focus, and the same or similar content as in Embodiment 1 will be omitted or simplified. The configuration of the information processing system according to Embodiments 2 to 7 may be the same as the configuration of the information processing system according to Embodiment 1. Also, for convenience, the reference numerals of the information processing system according to Embodiment 1 will be used in the description of Embodiments 2 to 7. 【0188】 Figure 23 is a flowchart showing the operation (information processing method) of the information processing system according to this embodiment. Figure 24 is a flowchart showing the detailed operation (information processing method) of step S60 shown in Figure 23. 
Figure 25 is a table for describing the security document to be determined according to this embodiment. As shown in Figure 25, the risk factor information includes a plurality of basic risk factor items and the risk factor value for each of the plurality of basic risk factor items. 【0189】 In this embodiment, the security documents determined for each basic risk item are used to determine a single security document to be adopted for all basic risk factor items (i.e., for multiple basic items). In other words, in this embodiment, a single security document common to all basic risk items is determined. In this embodiment, it is assumed that risk factor items consist only of basic risk factor items (i.e., they do not include detailed risk factor items). 【0190】 As shown in Figure 23, in addition to the operation shown in Figure 5 of Embodiment 1, the risk factor information analysis unit 130 performs step S60. Specifically, the risk factor information analysis unit 130 aggregates the results of the adoption of basic risk factor items and determines the security document to be adopted for the entire risk factor information (S60). 【0191】 As shown in Figure 24, the adoption information determination unit 134 acquires all adopted security documents to be aggregated (S61). For example, if security documents for the basic risk factor items shown in Figure 25 have been determined in step S40, the adoption information determination unit 134 acquires documents 1 and 3 as adopted security documents to be aggregated. 【0192】 Next, the adoption information determination unit 134 determines the security document with the most adoption votes as the adopted security document (overall adopted security document) based on the majority vote (S62). The adoption information determination unit 134 determines that document 1 is the adopted security document because document 1 has been adopted 3 times and document 3 has been adopted 1 time. 
【0193】 In this embodiment, the number of identical security documents (i.e., the number of adopted documents) is counted for each basic item among two or more security documents, and the security document with the highest count value is determined to be a single security document for multiple basic items. 【0194】 As a result, as shown in Figure 25, one security document (Document 1 in the example in Figure 25) is determined for each basic risk factor item. Therefore, the risk factor values for each risk factor item output by the risk factor information output unit 135 are all descriptions extracted from Document 1, thus improving the consistency of each risk factor value. 【0195】 In this embodiment, in step S50, for each of the multiple basic items of risk factor information, risk factor information is output that includes a string containing a word extracted from a single security document as a risk factor value. 【0196】 In step S62, if there are multiple security documents with the highest number of adoptions, one security document may be determined by a separately defined method. For example, as shown in Embodiment 7 described later, one security document may be determined by additionally performing a contradiction checking process. 【0197】 (Embodiment 3) The information processing system according to this embodiment will be described below with reference to Figures 26 and 27. In the following description, the differences from Embodiment 1 will be the main focus, and the same or similar content as in Embodiment 1 will be omitted or simplified. 【0198】 Figure 26 is a flowchart showing the operation (information processing method) of the information processing system according to this embodiment. Figure 27 is a table for explaining the security document to be determined according to this embodiment. 
【0199】 In this embodiment, one security document to be adopted for each of the one or more detailed risk factor items included in the basic risk factor item is determined based on the security documents determined for that basic risk factor item. 【0200】 As shown in Figure 26, the adoption information determination unit 134 executes step S40A instead of step S40 shown in Figure 5 of Embodiment 1, and then executes step S60A. 【0201】 In step S40A, the adoption information determination unit 134 determines the security documents to be adopted for each detailed risk factor item. For example, based on the risk factor items shown in Figure 15 and the second table shown in Figure 20B, the adoption information determination unit 134 determines a method for determining the security documents for each detailed risk factor item, and then determines the security documents for each detailed risk factor item based on the determined method. 【0202】 Next, the adoption information determination unit 134 aggregates the adoption results for each basic risk factor and determines the security documents to be adopted for each basic risk factor (S60A). The adoption information determination unit 134 aggregates all security documents subject to aggregation for each basic risk factor and determines the security document with the most adoptions based on a majority vote to be adopted for that basic risk factor. 【0203】 Using the attack target in Figure 27 as an example, the adoption information determination unit 134 aggregates the adoption results for the attack target (three documents 3 and one document 2 in Figure 27) and, based on a majority vote, determines that document 3, which has the most adoptions, is the adopted security document. In this way, the adoption information determination unit 134 determines the adopted security documents for the corresponding basic risk factor items based on the adopted security documents for the detailed risk factor items. 
【0204】 In this embodiment, in step S50, risk factor information is output that includes information based on one or more security documents determined for one or more detailed items of the basic items of the risk factor information, as risk factor values. 【0205】 (Embodiment 4) The information processing system according to this embodiment will be described below with reference to Figures 28 and 29. In the following description, the differences from Embodiment 3 will be the main focus, and the same or similar content as in Embodiment 3 will be omitted or simplified. 【0206】 Figure 28 is a flowchart showing the operation (information processing method) of the information processing system according to this embodiment. Figure 29 is a table for explaining the security document to be determined according to this embodiment. 【0207】 In this embodiment, the risk factor information includes a plurality of basic items, each containing one or more detailed items, and the risk factor values for each of the one or more detailed items contained within each of the plurality of basic items. Based on the security documents determined for each of the one or more detailed items contained within each of the plurality of basic items, a single security document for the plurality of basic items is determined. 【0208】 As shown in Figure 28, after step S40A, the adoption information determination unit 134 aggregates the adoption results of the detailed risk factor items and determines the security document to be adopted for the entire risk factor information (S60B). The adoption information determination unit 134 aggregates all the security documents to be aggregated for the entire basic risk factor items and determines the security document with the most adoptions based on a majority vote to be the security document to be adopted for the entire basic risk factor items (overall adopted security document). 
【0209】 In the case of Figure 29, the adoption information determination unit 134 determines that Document 3 is the overall adopted security document because Document 1 has an adoption count of 2, Document 2 has an adoption count of 2, and Document 3 has an adoption count of 4. In this way, the adoption information determination unit 134 directly determines one security document for the entire set of basic risk factors based on the adopted security documents of the detailed risk factor items. Direct determination means that the unit determines one security document for the entire set of basic risk factors using only the adoption count of each document included in the adopted security document column of the detailed risk factor items in Figure 29. 【0210】 (Embodiment 5) The information processing system according to this embodiment will be described below with reference to Figures 30 and 31. In the following description, the differences from Embodiment 3 will be the main focus, and the same or similar content as in Embodiment 3 will be omitted or simplified. 【0211】 Figure 30 is a flowchart showing the operation (information processing method) of the information processing system according to this embodiment. Figure 31 is a table for explaining the security document to be determined according to this embodiment. 【0212】In this embodiment, security documents for one or more detailed risk factor items are used to determine security documents for the basic risk factor items corresponding to those detailed risk factor items, and security documents for each basic risk factor item are used to determine one security document for all basic risk factor items. 【0213】 As shown in Figure 30, the adoption information determination unit 134 executes the process of step S60 shown in Figure 23 of Embodiment 2 after step S60A shown in Figure 26 of Embodiment 3. 
In step S40A, the security document to be adopted for the detailed risk factor items shown in Figure 31 is determined, in step S60A, the security document to be adopted for the basic risk factor items shown in Figure 31 is determined, and in step S60, the overall security document to be adopted shown in Figure 31 is determined. As a result, two determination steps (S60A and S60) are executed, which suppresses the determination of a security document with a large number of adoptions for only a specific risk factor item as the overall security document. This makes it easier for an appropriate security document to be determined as the overall security document for each basic risk factor item. 【0214】 Thus, in this embodiment, for each of the multiple basic risk factor items, a security document for that basic risk factor item is determined from among the security documents determined for each of the one or more detailed risk factor items included in that basic risk factor item, and based on the security documents determined for each of the multiple basic risk factor items, one security document for the multiple basic risk factor items is determined. 【0215】 (Embodiment 6) The information processing system according to this embodiment will be described below with reference to Figures 32 and 33. In the following description, the differences from Embodiment 2 will be the main focus, and the same or similar content as in Embodiment 2 will be omitted or simplified. 【0216】Figure 32 is a diagram showing the detailed operation (information processing method) according to this embodiment, corresponding to step S60 shown in Figure 23. Figure 33 is a table for explaining the security document to be determined according to this embodiment. 【0217】 In this embodiment, weight coefficients are used instead of the number of documents to be adopted when determining the security documents after aggregation. 
For example, one security document for each basic risk factor is determined from among the security documents determined for each basic risk factor, based on the weight coefficients. The weight coefficients are just examples of weights. 【0218】 As shown in Figure 32, the adoption information determination unit 134 executes step S60C instead of step S60 shown in Figure 23 of Embodiment 2. 【0219】 The adoption information determination unit 134 acquires all adopted security documents to be aggregated (S61) and acquires weight coefficients for all risk factor items to be aggregated (S63). The weight coefficients for each risk factor item (in this case, each basic risk factor item) are set in advance and stored in the storage unit 136. As shown in Figure 33, in this case, a weight coefficient of "1" is acquired for threats (an example of a weight coefficient for a basic risk factor item), a weight coefficient of "0.8" is acquired for attack targets, a weight coefficient of "1" is acquired for damages, and a weight coefficient of "1.4" is acquired for countermeasures. 【0220】 Next, the adoption information determination unit 134 sums the weight coefficients for each adopted security document (S64). The adoption information determination unit 134 calculates 2 as the sum of the weight coefficients for document 1 by adding "1" corresponding to the threat and "1" corresponding to the damage. The adoption information determination unit 134 also calculates 2.2 as the sum of the weight coefficients for document 3 by adding "0.8" corresponding to the target of the attack and "1.4" corresponding to the countermeasures. 【0221】 Next, the adoption information determination unit 134 determines that the security document with the largest sum of weight coefficients is the adopted security document (in this case, the overall adopted security document) (S65). 
The adoption information determination unit 134 compares the sum value "2" for document 1 with the sum value "2.2" for document 3, and since the sum value for document 3 is larger, it determines that document 3 is the adopted security document. 【0222】 Since users can set weighting coefficients, the decision on which basic risk factors a user prioritizes can be reflected in the security document. 【0223】 An example in which the adoption information determination unit 134 uses the sum of the weight coefficients has been described, but this is not limiting. For example, statistical values such as the mean, median, maximum, and minimum values of the weight coefficients may be used. Also, an example in which the adoption information determination unit 134 adds the weight coefficients has been described, but this is not limiting. For example, subtraction, multiplication, division, etc., may be used. 【0224】 The above describes an example of using weight coefficients when determining the overall security documents to be adopted from security documents for basic risk factors, but is not limited to this. For example, weight coefficients may be used when (i) determining the security documents for the corresponding basic risk factors from security documents for detailed risk factors, or (ii) determining the overall security documents to be adopted from security documents for detailed risk factors. In case (i), a weight coefficient is set for each basic risk factor, and in case (ii), a weight coefficient is set for each detailed risk factor. 【0225】 (Embodiment 7) The information processing system according to this embodiment will be described below with reference to Figures 34 to 36. In the following description, the differences from Embodiment 1 will be the main focus, and the same or similar content as in Embodiment 1 will be omitted or simplified. 
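The aggregation steps of Embodiments 2, 4, 5 and 6, as an added Python example that is not code from the patent. `FIG25` and `FIG33` use the counts and weight coefficients given in the text (which item chose Document 3 in `FIG25` is a constructed detail), and `DETAILED` is a constructed set of detailed-item results chosen to show where direct and two-stage aggregation disagree.

```python
from collections import defaultdict


def tally(adopted, weights=None):
    """S61/S62 count adoptions; with weights, S63/S64 sum each item's coefficient."""
    scores = defaultdict(float)
    for item, doc in adopted.items():
        scores[doc] += 1.0 if weights is None else weights[item]
    return dict(scores)


def decide(scores, eps=1e-9):
    """S62/S65: documents with the highest score; more than one entry is a tie."""
    best = max(scores.values())
    return sorted(d for d, s in scores.items() if best - s <= eps)


def direct(detailed):
    """Embodiment 4 (S60B): one vote per detailed item across all basic items."""
    flat = {(basic, det): doc
            for basic, items in detailed.items()
            for det, doc in items.items()}
    return decide(tally(flat))


def two_stage(detailed):
    """Embodiment 5: S60A inside each basic item, then S60 across basic items."""
    per_basic = {}
    for basic, items in detailed.items():
        winners = decide(tally(items))
        if len(winners) > 1:
            # The text leaves ties to a separately defined method.
            raise ValueError(f"tie for {basic}: {winners}")
        per_basic[basic] = winners[0]
    return decide(tally(per_basic))


# Embodiment 2: Document 1 adopted 3 times, Document 3 once.
FIG25 = {
    "threat": "Document 1",
    "attack target": "Document 3",
    "damage": "Document 1",
    "countermeasures": "Document 1",
}

# Embodiment 6: adopted documents and weight coefficients per basic item.
FIG33 = {
    "threat": "Document 1",
    "attack target": "Document 3",
    "damage": "Document 1",
    "countermeasures": "Document 3",
}
WEIGHTS = {"threat": 1.0, "attack target": 0.8, "damage": 1.0, "countermeasures": 1.4}

# Constructed detailed-item results (item names follow Figure 20B).
DETAILED = {
    "threat": {"attack method": "Document 1", "attack difficulty": "Document 1"},
    "attack target": {
        "attack objective": "Document 3",
        "target product": "Document 3",
        "past misuse": "Document 3",
        "anticipated damage": "Document 3",
    },
    "damage": {"actual damage": "Document 1"},
    "countermeasures": {"patch release status": "Document 2"},
}

if __name__ == "__main__":
    print("majority (Embodiment 2):", decide(tally(FIG25)))
    print("weighted (Embodiment 6):", decide(tally(FIG33, WEIGHTS)))
    print("direct (Embodiment 4):  ", direct(DETAILED))
    print("two-stage (Embodiment 5):", two_stage(DETAILED))
```

With the constructed `DETAILED` data, Document 3 wins the direct count only because one basic item has four detailed items, while the two-stage vote gives each basic item a single voice.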
【0226】 Figure 34 is a diagram showing the detailed operation (information processing method) according to this embodiment, corresponding to step S120 shown in Figure 15. 【0227】 In this embodiment, when there are two or more candidates for security documents for a risk factor detail item or a risk factor basic item, one security document is selected from the two or more security documents based on whether or not there are any inconsistencies between the two or more security documents and the security documents for other risk factor detail items or risk factor basic items for which security documents have already been determined. Below, an example in which there are two candidates for security documents for a risk factor basic item will be described. 【0228】 As shown in Figure 34, the adoption information determination unit 134 executes step S120A instead of step S120 shown in Figure 14 of Embodiment 1. Step S120A executes step S129 in addition to the detailed operation of step S120 (see Figure 16). 【0229】 The adoption information determination unit 134 executes step S129 after step S126. Specifically, the adoption information determination unit 134 checks for inconsistencies with existing adopted security documents (S129). In this embodiment, step S126 does not necessarily have to be executed; for example, step S129 may be executed immediately after step S125. 【0230】 Figure 35 is a flowchart showing the detailed operation (information processing method) of step S129 shown in Figure 34. Figure 36 is a table illustrating the security document to be determined according to this embodiment. 【0231】 As shown in Figure 35, the adoption information determination unit 134 determines whether there are multiple security documents with the highest adoption ranking (S1291), and if it determines that there are multiple security documents with the highest adoption ranking (YES in S1291), it designates the relevant security documents as candidates for adoption (S1292). 
In the example in Figure 36, documents 2 and 3 are listed as candidates for security documents against the target of attack. When determining security documents against a target of attack from the risk factor details corresponding to the target of attack, it is possible that there may be two or more candidates for security documents, such as when the number of adoptions for documents 2 and 3 in each risk factor details is the same. 【0232】 Next, the adoption information determination unit 134 determines whether or not there is already a security document that has been selected for adoption (S1293). For example, if only one security document has been selected as a candidate security document for the basic risk factor item in Figure 36, the adoption information determination unit 134 determines that a security document that has been selected for adoption for that basic risk factor item already exists (YES in S1293). 【0233】 Next, the adoption information determination unit 134 acquires risk factor information corresponding to the security documents that have been selected for adoption (S1294) and determines whether or not there are any unconfirmed candidate security documents for adoption (S1295). If the adoption information determination unit 134 determines that there are unconfirmed candidate security documents for adoption (YES in S1295), it selects one from the unconfirmed candidate security documents for adoption (S1296). For example, the adoption information determination unit 134 selects one of document 2 and document 3 for the target of the attack. 【0234】 Next, the adoption information determination unit 134 determines whether there is a contradiction between the adopted security document and the candidate security document (S1297). 
The adoption information determination unit 134 determines whether the first description of the risk factor basic item corresponding to the candidate security document in the adopted security document matches the second description of the risk factor basic item corresponding to the candidate security document in the candidate security document. For example, if the first description includes that the target of the attack is A, and the second description includes that the target of the attack is not A, the adoption information determination unit 134 determines that there is a contradiction. 【0235】 For example, if security document candidates are determined in the order of threat, target, damage, and countermeasures, the security document that has already been selected at the time of determining the security document candidate for the target is the security document for the threat. For example, in step S1297, the adoption information determination unit 134 determines whether there is a contradiction between document 2 and document 1, and whether there is a contradiction between document 3 and document 1. 【0236】 Next, if the adoption information determination unit 134 determines that there is a contradiction (YES in S1297), it removes the security document that was determined to have a contradiction from the list of candidates for adoption security documents (S1298). For example, if, of document 2 and document 3, a contradiction is determined for document 2, document 2 is removed. If the adoption information determination unit 134 determines that there is no contradiction (NO in S1297), it proceeds to step S1299. 【0237】 Next, the adoption information determination unit 134 changes the status of document 2 and document 3 in the table containing the status of the candidate security documents to "inconsistency confirmed" (S1299). Then, the process returns to step S1295 and continues. 
【0238】 Furthermore, if the result is determined to be NO in step S1291, step S1293, or step S1295, the process proceeds to step S1300. The adoption information determination unit 134 selects one of the candidates for adoption security documents (S1300) and terminates the process. 【0239】 As shown in Figure 36, if Document 2 is inconsistent with Document 1, and Document 3 is not inconsistent with Document 1, then Document 3 is determined to be the security document to adopt for the target of the attack. 【0240】 If the answer in step S1297 is YES, instead of exclusion, the degree of inconsistency may be set according to the risk factor value (for example, the difference in risk factor values), and the security document with the least inconsistency, i.e., the security document with the smallest degree of inconsistency, may be adopted. 【0241】 (Embodiment 8) The information processing system according to this embodiment will be described below with reference to Figure 37. In the following description, the differences from Embodiment 1 will be the main focus, and the same or similar content as in Embodiment 1 will be omitted or simplified. 【0242】 Figure 37 is a diagram showing the configuration of the information processing system according to this embodiment. 【0243】As shown in Figure 37, the server 100a may not have a risk factor information analysis unit, and the information terminal 400a may have a risk factor information analysis unit 420. The function of the risk factor information analysis unit 420 is the same as that of the risk factor information analysis unit 130 according to Embodiment 1. 【0244】 Furthermore, the functions of the risk factor information analysis unit may be distributed among the devices within the information processing system in any way; for example, a server may have some of the functions of the risk factor information analysis unit, while an information terminal may have the remaining functions. 
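The contradiction check of Embodiment 7 (S1291 to S1300), as an added Python example that is not code from the patent. Representing each description as statements mapped to affirmed or denied, taking the first surviving candidate in S1300, returning `None` when every candidate is removed, and the sample claims are all assumptions, constructed to reproduce the Figure 36 outcome described above.

```python
def contradicts(adopted_claims, candidate_claims):
    """S1297: a statement affirmed by one document and denied by the other."""
    return any(stmt in candidate_claims and candidate_claims[stmt] != truth
               for stmt, truth in adopted_claims.items())


def check_candidates(item, candidates, adopted, claims):
    """S129 for one risk factor item.

    item       -- the item being decided, e.g. "attack target"
    candidates -- documents tied at the top of the adoption ranking (S1292)
    adopted    -- documents already adopted for other items (S1293)
    claims     -- {document: {item: {statement: True or False}}}
    Returns (remaining candidates, status table).
    """
    status = {doc: "unconfirmed" for doc in candidates}
    remaining = list(candidates)
    if len(candidates) < 2 or not adopted:          # NO in S1291 or S1293
        return remaining, status
    for cand in candidates:                          # S1295, S1296
        for ref in adopted:                          # S1294
            if contradicts(claims[ref].get(item, {}),
                           claims[cand].get(item, {})):
                remaining.remove(cand)               # S1298
                break
        status[cand] = "inconsistency confirmed"     # S1299
    return remaining, status


def select(item, candidates, adopted, claims):
    """S1300: pick one of the remaining candidates."""
    remaining, _ = check_candidates(item, candidates, adopted, claims)
    # Assumptions: the first survivor wins; None if every candidate was removed.
    return remaining[0] if remaining else None


# Constructed claims: Document 1 was already adopted for the threat, and
# Documents 2 and 3 are tied for the attack target.
STATEMENT = "the web management interface is the target"
CLAIMS = {
    "Document 1": {"attack target": {STATEMENT: True}},
    "Document 2": {"attack target": {STATEMENT: False}},
    "Document 3": {"attack target": {STATEMENT: True,
                                     "firmware 1.x is the target": True}},
}
ADOPTED = ["Document 1"]

if __name__ == "__main__":
    tied = ["Document 2", "Document 3"]
    print(select("attack target", tied, ADOPTED, CLAIMS))
    print(check_candidates("attack target", tied, ADOPTED, CLAIMS)[1])
```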
【0245】 (Other Embodiments)

Although information processing methods, etc., relating to one or more embodiments have been described above based on Embodiments 1 to 8 (each embodiment), this disclosure is not limited to these embodiments. Without departing from the spirit of this disclosure, various modifications that a person skilled in the art could conceive of may be applied to these embodiments, and forms constructed by combining components from different embodiments may also be included in this disclosure.

【0246】 Furthermore, in each of the above embodiments, each component may be implemented by being composed of dedicated hardware or by executing a software program suitable for each component. Each component may also be implemented by a program execution unit such as a CPU or processor reading and executing a software program recorded on a recording medium such as a hard disk or semiconductor memory.

【0247】 Furthermore, the order in which each step in the flowchart is performed is illustrative for the purpose of specifically illustrating this disclosure, and may be in a different order. Also, some of the above steps may be performed simultaneously (in parallel) with other steps, and some of the above steps may not be performed.

【0248】 Furthermore, the division of functional blocks in the block diagram is just one example; multiple functional blocks can be implemented as a single functional block, a single functional block can be divided into multiple parts, or some functions can be moved to other functional blocks. In addition, the functions of multiple functional blocks with similar functions can be processed in parallel or time-sharing by a single piece of hardware or software.

【0249】 Furthermore, the risk factor information analysis unit or server according to each of the above embodiments may be implemented as a single device or as a plurality of devices. When the risk factor information analysis unit is implemented as a plurality of devices, the components of the risk factor information analysis unit or server may be distributed among the plurality of devices in any manner. For example, this disclosure may be implemented by cloud computing or by edge computing. Also, when the risk factor information analysis unit or server is implemented as a plurality of devices, the method of communication between the plurality of devices is not particularly limited and may be wireless communication or wired communication. Furthermore, wireless communication and wired communication may be combined between the devices.

【0250】 Furthermore, each component described in the above embodiments may be implemented as software, or typically as an integrated circuit (LSI). These may be individually integrated onto a single chip, or some or all of them may be integrated onto a single chip. Here, we refer to it as an LSI, but depending on the degree of integration, it may also be called an IC, system LSI, super LSI, or ultra LSI. Moreover, the method of integrated circuit implementation is not limited to LSIs; it may also be implemented using a dedicated circuit (a general-purpose circuit that executes a dedicated program) or a general-purpose processor. After LSI manufacturing, a programmable FPGA (Field Programmable Gate Array) or a reconfigurable processor that can reconfigure the connections or settings of circuit cells inside the LSI may be used. Furthermore, if an integrated circuit implementation technology that replaces LSIs emerges due to advances in semiconductor technology or other derived technologies, the components may naturally be integrated using that technology.

【0251】 A system LSI is a highly functional LSI manufactured by integrating multiple processing units onto a single chip. Specifically, it is a computer system composed of a microprocessor, ROM (Read Only Memory), RAM (Random Access Memory), and other components. The ROM stores the computer program. The system LSI achieves its function by having the microprocessor operate according to the computer program.

【0252】 Furthermore, one aspect of this disclosure may be a computer program that causes a computer to perform characteristic steps included in the information processing method shown in any of Figures 5 to 9, 11, 13, 14, 16 to 19F, 22 to 24, 26, 28, 30, 32, 34, and 35.

【0253】 Furthermore, for example, the program may be a program to be executed by a computer. Also, in one aspect of this disclosure, such a program may be recorded on a computer-readable non-transitory recording medium. For example, such a program may be recorded on a recording medium and distributed or made available. For example, by installing the distributed program on a device having another processor and having that processor execute the program, it becomes possible to have that device perform the above-mentioned processes.

【0254】 This disclosure is useful for devices and other equipment used to assess vulnerability risks.

【0255】
100, 100a Server
110 Security document acquisition unit
120 Security document storage unit
130, 420 Risk factor information analysis unit
131 Communication unit (acquisition unit)
132 Description target vulnerability extraction unit (grouping unit)
133 Risk factor information extraction unit
134 Adoption information determination unit (determination unit)
135 Risk factor information output unit (output unit)
136 Storage unit
136a Risk factor adoption means information
136b Security document
136c Risk factor information group
200 Information source
300 Communication network
400, 400a Information terminal
410 Output unit

Claims

1. An information processing method for outputting risk factor information for evaluating security vulnerabilities of a product, wherein the risk factor information includes basic items indicating risk factor items and risk information including information relating to the risks of the basic items, the method comprising: acquiring a plurality of security documents, each containing information relating to the vulnerabilities of the product; grouping the plurality of security documents according to the types of vulnerabilities described; determining, for the basic items of the risk factor information, one or more security documents from two or more security documents belonging to a group; and outputting the risk factor information including information based on the one or more security documents determined for the basic items of the risk factor information, wherein there are a plurality of determination methods for determining one or more security documents from two or more security documents, and in determining the one or more security documents, a determination method corresponding to the basic items is determined from the plurality of determination methods, and the determined determination method is used to determine the one or more security documents from the two or more security documents.

2. The information processing method according to claim 1, wherein in determining one or more security documents, one security document is determined from among the two or more security documents belonging to one group for the basic items of the risk factor information, and in outputting the risk factor information, the risk factor information is output which includes information based on the one security document determined for the basic items of the risk factor information.

3. The information processing method according to claim 2, wherein, in outputting the risk factor information, the risk factor information is output in which a string containing a word extracted from the one security document determined for the basic item of the risk factor information is output as the risk information for the basic item of the risk factor information.

4. The information processing method according to claim 2, wherein the risk factor information includes a plurality of basic items and risk information for each of the plurality of basic items, and a security document is determined for each of the plurality of basic items based on the security document determined for each of the plurality of basic items of the risk factor information, and in outputting the risk factor information, the risk factor information is output for each of the plurality of basic items of the risk factor information, which includes a string containing a word extracted from the one security document as the risk information.

5. The information processing method according to claim 4, wherein the number of identical security documents is counted for each basic item among the two or more security documents, and the security document with the highest count value is determined to be the one security document for the plurality of basic items.

6. The information processing method according to claim 4, wherein each basic item of the risk factor information is assigned a weight for determining a security document, and one security document for the risk factor information is determined from among the security documents determined for each basic item based on the weight.

7. The information processing method according to claim 4, wherein, when there are two or more candidate security documents for one of the basic items of the risk factor information, the security document for that one basic item is determined from the candidate security documents based on whether or not there is a contradiction with the security document already determined for another of the basic items.

8. The information processing method according to any one of claims 1 to 3, wherein the basic item of the risk factor information includes one or more detailed items, the determination method is determined for each of the one or more detailed items of the basic item, and in outputting the risk factor information, the risk factor information is output, which includes information based on one or more security documents determined for the one or more detailed items of the basic item of the risk factor information.

9. The information processing method according to claim 8, wherein a security document for a basic item is determined based on a security document determined for each of the one or more detailed items included in the basic item.

10. The information processing method according to claim 8, wherein the risk factor information includes a plurality of basic items, each containing one or more detailed items, and risk information for each of the one or more detailed items included in each of the plurality of basic items, and a security document for the plurality of basic items is determined based on the security documents determined for each of the one or more detailed items included in each of the plurality of basic items.

11. The information processing method according to claim 10, wherein one security document for the plurality of basic items is determined directly based on security documents determined for each of the one or more detailed items included in each of the plurality of basic items.

12. The information processing method according to claim 10, wherein, for each of the plurality of basic items, a security document for the basic item is determined from among the security documents determined for each of the one or more detailed items included in the basic item, and the one security document for the plurality of basic items is determined based on the security documents determined for each of the plurality of basic items.

13. The information processing method according to any one of claims 4 to 7, wherein the plurality of basic items of the risk factor information include at least two of the following: the threat of a cyberattack, the target of the cyberattack, the damage caused by the cyberattack, and countermeasures against the cyberattack.

14. The information processing method according to any one of claims 1 to 7, wherein the basic items and the determination method to be adopted from among the plurality of determination methods are predetermined.

15. The information processing method according to claim 13, wherein for the threat, the latest date method is pre-configured as the determination method, which adopts the security document with the most recent creation date; for the target of the attack and the countermeasure, the specificity-focused method is pre-configured as the determination method, which adopts the security document with the most proper nouns among the extracted risk information; and for the damage, the party information-priority method is pre-configured as the determination method, which adopts the security document for which the organization to which the document creator belongs matches the organization related to the vulnerability.

16. The information processing method according to claim 13, wherein the threat includes an attack method indicating the method of the cyberattack and an attack difficulty indicating the difficulty of the cyberattack as detailed items of the threat, and the target of the attack includes an attack objective indicating the purpose of the cyberattack, a target product indicating the product that is the target of the cyberattack, a history of misuse indicating the history of misuse of information leaked by the cyberattack and the expected damage expected to occur as a result of the cyberattack as detailed items of the target of the attack.

17. The information processing method according to claim 16, wherein the attack method is predetermined to use a past adoption method, which selects the security document most frequently used as risk information in the past as the determination method, and the attack difficulty is predetermined to use a latest date and time method, which selects the security document with the most recent creation date and time as the determination method.

18. The information processing method according to claim 16, wherein for the attack objective and the product of the target of the damage, a specificity-prioritizing method is pre-configured, which selects the security document with the most proper nouns among the extracted risk information; for the exploitation history, a party information-prioritizing method is pre-configured, which selects the security document for which the organization to which the document creator belongs matches the organization related to the vulnerability; and for the anticipated damage, a risk-maximizing method is pre-configured, which selects the security document containing the risk information with the greatest risk.

19. An information processing device that outputs risk factor information for evaluating security vulnerabilities of a product, wherein the risk factor information includes basic items indicating risk factor items and risk information including information relating to the risks of the basic items, and comprises: an acquisition unit that acquires a plurality of security documents, each containing information relating to the vulnerabilities of the product; a grouping unit that groups the plurality of security documents according to the type of vulnerability described; a determination unit that determines one or more security documents from two or more security documents belonging to a group for the basic items of the risk factor information; and an output unit that outputs the risk factor information, which includes information based on the one or more security documents determined for the basic items of the risk factor information, wherein there are a plurality of determination methods for determining one or more security documents from two or more security documents, and the determination unit determines a determination method from the plurality of determination methods according to the basic items, and uses the determined determination method to determine one or more security documents from two or more security documents.

20. A program for causing a computer to execute the information processing method described in any one of claims 1 to 7.
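
The following Python code is an added illustration, not code from the patent or the applicant. It combines the per-item determination methods preset in claim 15 with the contradiction filter of steps S1297 to S1300, processing items in the order threat, target, damage, countermeasure. The `Doc` fields, the "tied for best score" candidate rule, the fallback when every candidate is removed, the lowest-id tie-break and the sample documents are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date

ORDER = ["threat", "target", "damage", "countermeasure"]

@dataclass
class Doc:  # hypothetical record for one security document in a group
    doc_id: str
    created: date
    author_org: str
    affirms: dict = field(default_factory=dict)       # item -> values stated as true
    denies: dict = field(default_factory=dict)        # item -> values stated as not true
    proper_nouns: dict = field(default_factory=dict)  # item -> proper-noun count

def score(doc, item, vuln_org):
    """Determination method preset per basic item (claim 15)."""
    if item == "threat":                       # latest date method
        return doc.created.toordinal()
    if item in ("target", "countermeasure"):   # specificity-focused method
        return doc.proper_nouns.get(item, 0)
    if item == "damage":                       # party information-priority method
        return int(doc.author_org == vuln_org)
    raise ValueError(f"unknown basic item: {item}")

def contradicts(adopted, candidate, item):
    """S1297: one document says the item is A, the other says it is not A."""
    a_yes, a_no = adopted.affirms.get(item, set()), adopted.denies.get(item, set())
    c_yes, c_no = candidate.affirms.get(item, set()), candidate.denies.get(item, set())
    return bool(a_yes & c_no) or bool(a_no & c_yes)

def adopt(group, vuln_org):
    """Return {basic item: adopted doc_id} for one vulnerability group."""
    adopted = {}
    for item in ORDER:
        best = max(score(d, item, vuln_org) for d in group)
        # Assumption: candidates are the documents tied for the best score.
        candidates = [d for d in group if score(d, item, vuln_org) == best]
        if len(candidates) > 1:
            # S1298: drop candidates that contradict an already adopted document.
            kept = [c for c in candidates
                    if not any(contradicts(a, c, item) for a in adopted.values())]
            candidates = kept or candidates  # assumption: keep all if none survive
        # S1300: select one; lowest doc_id is an assumed deterministic tie-break.
        adopted[item] = min(candidates, key=lambda d: d.doc_id)
    return {item: d.doc_id for item, d in adopted.items()}

def sample_group():
    """Constructed sample mirroring the Figure 36 case (documents 1 to 3)."""
    return [
        Doc("doc1", date(2025, 6, 1), "CERT-X",
            affirms={"target": {"gateway"}}, proper_nouns={"target": 1}),
        Doc("doc2", date(2025, 1, 10), "ExampleVendor",
            affirms={"target": {"infotainment"}}, denies={"target": {"gateway"}},
            proper_nouns={"target": 2, "countermeasure": 1}),
        Doc("doc3", date(2025, 2, 20), "ResearchLab",
            affirms={"target": {"gateway"}},
            proper_nouns={"target": 2, "countermeasure": 3}),
    ]

if __name__ == "__main__":
    print(adopt(sample_group(), vuln_org="ExampleVendor"))
```

Without the contradiction filter, the tie between doc2 and doc3 for the target would fall to the tie-break and select doc2, whose target description conflicts with the document already adopted for the threat.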