Evaluation device, evaluation system, evaluation program, and evaluation method
The evaluation device and method address the challenge of assessing operational impact by identifying and calculating the business impact of vulnerabilities, improving the efficiency of vulnerability management.
Patent Information
- Authority / Receiving Office: WO / WO
- Patent Type: Applications
- Current Assignee / Owner: HITACHI SYST LTD
- Filing Date: 2025-07-11
- Publication Date: 2026-06-25
AI Technical Summary
Existing vulnerability assessment methods, such as CVSS, fail to accurately evaluate the operational impact of vulnerabilities on individual information systems, making it difficult to prioritize and implement effective countermeasures.
An evaluation device and method that includes a storage unit, input unit, specification unit, and calculation unit to identify and calculate the business impact of vulnerabilities on target systems, using component and vulnerability information to determine the operational impact.
Accurately evaluates the degree of business impact caused by individual vulnerabilities, enabling better prioritization and implementation of countermeasures.
Abstract figure: JP2025024952_25062026_PF_FP_ABST
Abstract
Description
Evaluation device, evaluation system, evaluation program, and evaluation method
[0001] The present invention relates to an evaluation device, evaluation system, evaluation program, and evaluation method for evaluating the degree of impact on business operations due to vulnerabilities in a target system.
[0002] In recent years, with the advancement of IoT (Internet of Things), not only computers in the information technology field, but all kinds of devices and equipment (e.g., automobiles, industrial equipment, production equipment, etc.) are being connected to networks such as the internet, and by communicating with external devices and systems, they can be operated, controlled, and monitored from the outside. Hardware and software implemented in such IoT devices, equipment, and systems (hereinafter referred to as information systems) are required to have their vulnerabilities appropriately managed so that they can respond to threats via the network, i.e., cyberattacks from outside the system (hereinafter referred to as attacks). This means that vulnerabilities are identified as needed, their severity (also called the degree of risk) is evaluated, and countermeasures are taken according to that evaluation. Furthermore, in countries around the world, security regulations are being strengthened, making vulnerability management mandatory, and the need for vulnerability management is becoming even greater.
[0003] A common method for evaluating vulnerabilities is the Common Vulnerability Scoring System (CVSS). CVSS assesses the impact on three key security characteristics required of information systems—confidentiality (potential for information leakage), integrity (potential for information tampering), and availability (potential for business disruption)—based on criteria such as whether attacks are possible from the network. This allows for the assessment and determination of the severity of individual vulnerabilities.
[0004] However, the configurations of information systems as described above, that is, the hardware and software to be implemented, differ for each system, and moreover, the operation methods of individual hardware, software, or the information systems themselves also differ for each system. Therefore, it is difficult to determine from the evaluation results of individual vulnerabilities by CVSS how much impact the vulnerabilities regarding individual hardware and software have on the individual information systems in which they are implemented.
[0005] In contrast, Patent Document 1 discloses an analysis system, an analysis method, and an analysis program capable of analyzing the impact of vulnerabilities in individual systems.
[0006] Japanese Patent No. 7302665
[0007] As described above, the hardware and software implemented in information systems are diverse, and there are many different types of vulnerabilities regarding them. Therefore, for example, in a company (various organizations, groups, etc.) that operates an information system, as vulnerability management, an operation manager (system management department or its person in charge, etc.) needs to judge the presence or absence and the severity of the relationship with the information system that they themselves operate and manage for each individual vulnerability, and take corresponding measures (countermeasures) according to the degree of severity.
[0008] However, for example, the number of vulnerability information registered in the vulnerability countermeasure information database published by the National Institute of Information and Communications Technology has been on the rise, and a large number of vulnerability information is registered and published every day. Accordingly, the workload of the above-described vulnerability management tasks by operation managers has also increased, and there is a demand for improving the efficiency and reducing the load of vulnerability management tasks.
[0009] In order to improve the efficiency of vulnerability management tasks, etc., it is important to accurately evaluate and determine the degree of impact, etc. on the information system or the business in which the information system is used when the vulnerability is attacked, and to appropriately prioritize and take corresponding measures (countermeasures) based on the results.
[0010] In contrast, as mentioned above, CVSS can assess the severity of individual vulnerabilities, and therefore, the need to address individual vulnerabilities can be determined using the CVSS assessment results. However, CVSS does not consider the degree of impact on individual information systems that implement vulnerable hardware or software, or on the operations performed using such information systems (for example, parts processing operations or manufacturing operations in the case of a manufacturing system that processes parts), or on the business that includes those operations (for example, a product business incorporating manufactured parts), or the degree of impact on the security of the information system. Therefore, CVSS assessments cannot evaluate or determine such impacts on operations, businesses, or security (hereinafter referred to as "operational impact"). Consequently, even with the use of CVSS, the evaluation and determination of operational impact still must be considered independently by the system administrator, and there is a challenge in that it is difficult to evaluate and determine operational impact with high accuracy and to appropriately prioritize vulnerability countermeasures.
[0011] This invention has been made in view of these problems, and aims to provide an evaluation device, evaluation system, evaluation program, and evaluation method that can accurately evaluate the degree of business impact caused by individual vulnerabilities in the implemented hardware and software.
[0012] This invention includes several means to solve at least some of the above problems, one example of which is as follows. In other words, an evaluation device for evaluating the degree of business impact on one or more target systems in the event of a cyberattack on said target systems, comprising at least a storage device, an input unit, a specification unit, a calculation unit, and an output unit, wherein the storage device stores vulnerability information relating to a plurality of existing vulnerabilities, each including at least the technical impact characteristics of the respective vulnerability; the input unit receives external input of component information relating to one or more components constituting the target system and first impact information evaluating the degree of business impact on the target system in the event that any of the components is subjected to the cyberattack; the specification unit identifies one or more vulnerabilities present in any of the components based on the component information and the vulnerability information; the calculation unit extracts the technical impact characteristics of each of the one or more vulnerabilities from the vulnerability information, calculates second impact information by correcting the first impact information using the technical impact characteristics for each of the vulnerabilities; and the output unit outputs the second impact information.
[0013] According to the present invention, it is possible to provide an evaluation device, evaluation system, evaluation program, and evaluation method that can accurately evaluate the degree of business impact caused by individual vulnerabilities in the implemented hardware and software.
[0014] Other issues, configurations, and effects not mentioned above will be clarified by the following description of the embodiments.
[0015] The drawings show the following:
- an example of the configuration of the evaluation system in Embodiment 1;
- a conceptual diagram giving an overview of the business impact evaluation process by the evaluation device in Embodiment 1;
- examples of the configuration device information, component information, and vulnerability information in Embodiment 1;
- an example of the first impact information in Embodiment 1;
- a flowchart showing an example of the vulnerability identification process by the identification unit in Embodiment 1;
- a flowchart showing an example of the calculation process of the second impact by the calculation unit in Embodiment 1;
- a conceptual diagram showing the correction process of the first impact by the calculation unit in Embodiment 1;
- an example of the second impact information displayed on the display device in Embodiment 1;
- an example of the first impact information in Embodiment 2;
- an example of the second impact information displayed on the display device in Embodiment 2.
[0016] The embodiments of the present invention will be described below with reference to the drawings. The embodiments are illustrative examples for explaining the present invention, and have been omitted and simplified as appropriate for clarity of explanation. The present invention can also be carried out in various other forms. Unless otherwise specified, each component may be singular or plural.
[0017] The position, size, shape, and extent of each component shown in the drawings may not represent the actual position, size, shape, and extent in order to facilitate understanding of the invention. Therefore, the present invention is not necessarily limited to the position, size, shape, and extent disclosed in the drawings. When there are multiple components having the same or similar function, they may be described using the same reference numeral with different subscripts. Furthermore, when it is not necessary to distinguish between these multiple components, the subscripts may be omitted in the description.
[0018] In the examples, processing performed by executing a program may be described. Here, the information processing device executes the program using a processor (e.g., CPU, GPU) and performs processing defined by the program using memory resources (e.g., memory) and interface devices (e.g., communication ports). Therefore, the main entity performing the processing by executing the program may be the processor. Similarly, the main entity performing the processing by executing the program may be a controller, device, system, computer, or node having a processor.
[0019] The main component of the processing performed by executing the program can be the arithmetic unit, and may include dedicated circuits for specific processing. Here, dedicated circuits include, for example, FPGAs (Field Programmable Gate Arrays), ASICs (Application Specific Integrated Circuits), and CPLDs (Complex Programmable Logic Devices).
[0020] The program may be installed on the computer from the program source. The program source may be, for example, a program distribution server or a storage medium readable by the computer. If the program source is a program distribution server, the program distribution server includes a processor and storage resources for storing the program to be distributed, and the processor of the program distribution server may distribute the program to other computers. In addition, in the embodiment, two or more programs may be implemented as one program, or one program may be implemented as two or more programs.
[0021] Figure 1 shows an example of the configuration of the evaluation system in Embodiment 1. In Figure 1, the evaluation system 1 consists of an evaluation device 11, an input device 12, a display device 13, and a vulnerability scanning device 14. The evaluation device 11 includes a storage device 101, an arithmetic unit 102, memory 103, an input / output interface 104, and an external communication interface 105, each connected by a bus 106. The storage device 101 stores (also called holding or storing) an evaluation program 111, configuration device information 112, component information 113, vulnerability information 114, first impact information 115, second impact information 116, etc. The evaluation program 111 includes programs that implement each function, such as the input unit 121, the identification unit 122, the calculation unit 123, the output unit 124, and the determination unit 125. When this evaluation program 111 is read into the memory 103 and executed by the arithmetic unit 102, each function, such as the input unit 121, the identification unit 122, the calculation unit 123, the output unit 124, and the determination unit 125, is implemented in the evaluation device 11 (the respective processes of the input unit 121, the identification unit 122, the calculation unit 123, the output unit 124, and the determination unit 125 are executed).
[0022] The evaluation device 11 is implemented by an information processing device such as a PC (Personal Computer) or a server device. The input device 12 includes one or more input means such as a keyboard, mouse, or touch panel display. The display device 13 is implemented by various display means such as a display or monitor. The input / output interface 104 of the evaluation device 11 includes one or more wired interfaces such as USB (Universal Serial Bus) or wireless interfaces, and the input device 12 and the display device 13 are connected to the input / output interface 104 by wire or wireless. The external communication interface 105 of the evaluation device 11 includes one or more network communication devices such as a wired LAN (Local Area Network) or wireless LAN, and is connected to a network 16 such as the Internet or LAN by wire or wireless.
[0023] Network 16 is connected to a vulnerability scanning device 14 and one or more systems 15 that are subject to vulnerability assessment. The assessment device 11 is connected to the vulnerability scanning device 14 and the one or more systems 15 via an external communication interface 105 and network 16.
[0024] The systems to be evaluated 15 are various information systems operated (also called used, utilized, or managed) by companies (various organizations, groups, etc.), and include, for example, various equipment and facilities such as robot processing systems, various systems such as customer management systems and inventory management systems, or automobiles and construction machinery. Each system to be evaluated 15 has a group of components 151 implemented (for example, devices and systems such as servers, PCs, and databases, hardware such as computer server equipment and network equipment that make up each device and system, and software such as OS (Operating System) and applications).
[0025] The vulnerability scanning device 14 is an information processing device such as a server device on which a vulnerability scanner tool (program) is installed to check for vulnerabilities in each of the component devices 151 implemented in the system under evaluation 15, which is connected via the network 16. The vulnerability scanning device 14 searches for vulnerabilities in the system under evaluation 15, and if it detects one or more vulnerabilities, it outputs information about all the detected vulnerabilities. Alternatively, instead of the vulnerability scanning device 14, or in addition to the vulnerability scanning device 14, a configuration management device (an information processing device on which a configuration management tool (program) is installed) that manages the component devices 151 implemented in the system under evaluation 15 may also be connected to the network 16.
[0026] In Embodiment 1, as shown in Figure 1, the vulnerability scanning device 14 is an independent device connected to the evaluation device 11 via the network 16. However, by installing a vulnerability scanner tool in the evaluation device 11, that is, by storing the vulnerability scanner tool in the storage device 101, the evaluation device 11 may internally have a function equivalent to the vulnerability scanning device 14 (for example, a vulnerability scanning unit as one of the evaluation programs 111). In this case, the vulnerability scanning unit checks for the presence or absence of vulnerabilities in the evaluation target system 15 connected via the network 16. Similarly, by installing a configuration management tool in the evaluation device 11, that is, by storing the configuration management tool in the storage device 101, the evaluation device 11 may internally have a function equivalent to a configuration management device (for example, a configuration management unit as one of the evaluation programs 111).
[0027] Next, the processing and operation of each function of the evaluation device 11, namely the input unit 121, the identification unit 122, the calculation unit 123, the output unit 124, and the determination unit 125, will be explained using Figure 2. Furthermore, the details of the information (or data) of the configuration device information 112, component information 113, vulnerability information 114, and first impact information 115 will be explained using Figures 3 to 6.
[0028] Figure 2 is a conceptual diagram showing the content of the business impact evaluation process by the evaluation program of the evaluation device in Embodiment 1. In Figure 2, the input unit 121 inputs the configuration device information 112 and the first impact information 115 from an external source via the input / output interface 104 to the evaluation device 11 and stores them in the storage device 101. The identification unit 122 reads the configuration device information 112 and the vulnerability information 114 that is pre-stored in the storage device 101 from the storage device 101, and based on these two pieces of information, determines whether or not there are vulnerabilities in the system to be evaluated 15, and if there are one or more vulnerabilities, identifies one or more of them, and outputs the information of the one or more identified vulnerabilities to the calculation unit 123. The calculation unit 123 reads the first impact information 115 and vulnerability information 114 from the storage device 101, calculates the second impact by correcting the first impact using the vulnerability information 114 for each of the one or more vulnerabilities identified by the identification unit 122, stores the second impact information 116, which summarizes the second impact for all identified vulnerabilities, in the storage device 101, and also outputs the second impact information 116 to the output unit 124. The output unit 124 outputs the second impact information 116 to the display device 13 via the input / output interface 104. Details of the vulnerability identification process by the identification unit 122, the calculation process of the second impact by the calculation unit 123, and the second impact information 116 output and displayed on the display device 13 will be described later.
[0029] Figure 3 shows an example of the configuration device information 112 in Embodiment 1. The configuration device information 112 summarizes information on various devices, systems, hardware, and software (hereinafter referred to as "devices") included in the group of configuration devices 151 implemented in one or more evaluation target systems 15. As shown in Figure 3, the configuration device information 112 includes a device ID assigned to each device to identify each device, the name of each device, a component list showing the hardware, OS, applications, etc. (hereinafter referred to as "components") included in each device (making up each device), and a system list showing the evaluation target system 15 on which each device is implemented.
[0030] The device ID is a unique set of arbitrary numbers, strings, or combinations thereof assigned to each device; Figure 3 shows an example of a set of consecutive numbers. The name is, for example, the product name, general name, or a name (or designation) arbitrarily assigned to each device by the company; Figure 3 shows an example of a name that represents the function of each device. The component list is a list of the names of one or more components included in (or constituting) each device, or the component IDs used to identify each component; Figure 3 shows an example of a list of component IDs. The system list is a list of system IDs used to identify the evaluation system 15 on which each device is implemented (or which includes each device as one of its components).
[0031] Here, when listing the names of each component in the component list, the Common Platform Enumeration (CPE) name is used as the name of each component. A CPE name is a standardized, globally recognized name used to identify platforms (corresponding to the components in this embodiment) such as hardware, operating systems, and applications. It is a name composed of (or described) the type of platform, vendor name, product name, version information, etc. A list of CPE names is published as the CPE Dictionary by the National Institute of Standards and Technology (NIST) in the United States. In addition, each component is assigned a CPE name by its vendor, and these CPE names are provided and published by the vendor.
[0032] However, as mentioned above, CPE names are generally long (long strings of letters, numbers, and symbols) because they consist of the type of component, vendor name, product name, version information, etc. If multiple CPE names are listed in the component list, the amount of information can increase, potentially making identification time-consuming. Therefore, as mentioned above, it is also possible to list component IDs in place of CPE names in the component list. Component IDs are arbitrary numbers, strings, or combinations thereof that are different from each other and assigned to each component. Figure 3 shows examples of combinations of numbers and strings such as "CPE001" and "CPE002". When component IDs are listed in the component list, component information 113 showing the correspondence between each component ID and the CPE name of each component is created and stored in the storage device 101 of the evaluation device 11. Component information 113 will be described later using Figure 4.
[0033] Furthermore, the above-mentioned system IDs, like component IDs, are unique arbitrary numbers, strings, or combinations thereof assigned to each evaluation target system 15. Figure 3 shows examples of number and string combinations such as "SYS001" and "SYS002". Although Figure 3 shows an example where one system ID is entered (or registered, or described) for each device in the system list, for example, if the device is a control server, application server, or other device / system as shown in Figure 3, there may be more than one evaluation target system 15 that includes that device as part of its configuration. Therefore, the system list will list one or more system IDs for each device in the evaluation target system 15.
[0034] In the example shown in Figure 3, the configuration device information 112 also includes, in addition to the above, the IP address assigned to each device and the exposure status, which indicates the connection status of each device to the external network and the possibility of external access. The IP address is arbitrarily assigned to each device by the company. The exposure status indicates the connection status to the external network and the possibility of external access based on criteria such as whether it is connected only to the local network within the company ("Small"), whether it is connected to the external network but external access is restricted by a firewall or other means ("Controlled"), or whether it is connected to the external network without any (or no) access restrictions ("Open"). However, the configuration device information 112 is not limited to the example shown in Figure 3, and for example, it does not have to include IP addresses or exposure status, and other information may be included instead of, or in addition to, IP addresses and exposure status.
[0035] The configuration device information 112 is pre-entered into the evaluation device 11 by the operations manager (system management department or its personnel, etc.) of the company operating the system under evaluation 15, and stored in the storage device 101. As an example of input, for example, the input unit 121 may display a GUI (Graphical User Interface) for inputting the configuration device information 112 on the display device 13, and the operations manager may input each item of the configuration device information 112 for each device using the input device 12. Alternatively, the operations manager may create the configuration device information 112 using another PC, etc., and input that configuration device information 112 via the network 16 or other communication means, or input it from the input device 12 using various storage media. Furthermore, when creating the configuration device information 112, the operations manager may investigate and understand the devices and components included in the group of configuration devices 151 implemented in one or more systems 15 under evaluation, and create the information manually. Alternatively, the operations manager may use various configuration management tools (programs) to create the information by directly using or editing the configuration device information obtained, created, or output by various configuration management tools. Alternatively, the vulnerability scanning device 14 may be used as a configuration management device to execute the configuration management tools and obtain the configuration device information. However, in this case, if there are items in the configuration device information 112 that are not present in the configuration device information output by various configuration management tools, the operations manager may manually input the information (data) for those items to create the configuration device information 112. 
For example, regarding the exposure status mentioned above, the operations manager may input "Small," "Controlled," or "Open" depending on the network connection status of each device.
[0036] Figure 4 shows an example of component information 113 in Embodiment 1. Like the component device information 112, component information 113 is information that is pre-entered into the evaluation device 11 by the operation manager, and is created, for example, together with the component device information 112. Component information 113 is information about the components included in (and constituting) each device implemented in one or more evaluation target systems 15, and, as described above, shows the correspondence between each component ID and each component's CPE name.
[0037] The system administrator obtains the CPE name for each of the one or more components contained in each device, for example, from each component, from the vendor of each component, or from the CPE Dictionary, and creates component information 113 for each component by pairing the assigned component ID with the CPE name. Alternatively, similar to the configuration device information 112, the system administrator may use various configuration management tools (programs) to have the tools identify the one or more components contained in each device and obtain the CPE names to create component information 113. Note that, as described above, if the CPE names are listed in the component list of the configuration device information 112, component information 113 is not necessary.
[0038] Figure 5 shows an example of vulnerability information 114 in Example 1. Vulnerability information 114 is a compilation of information on numerous existing vulnerabilities, and is, for example, a database. As shown in Figure 5, vulnerability information 114 includes an identifier assigned to each vulnerability to identify each vulnerability, a CVSS evaluation result of the impact on confidentiality, integrity, and availability if each vulnerability is attacked, i.e., technical impact characteristics indicating the severity or risk of each vulnerability, and a component list indicating the component in which each vulnerability exists.
[0039] The identifier is, for example, the CVE identification number (CVE-ID) in the Common Vulnerabilities and Exposures (CVE) framework. Figure 5 shows an example where a CVE-ID is registered as an identifier. CVE is a mechanism for sharing information about vulnerabilities in individual components, and each vulnerability is assigned a unique CVE-ID for management. CVE-IDs are assigned and managed by Mitre Corporation, a non-profit organization supported by the U.S. government and the proponent of CVE, and are published on the CVE-ID management site. However, identifiers are not limited to CVE-IDs; they can be any number, string, or combination thereof that are different from each other.
[0040] As described above, the technical impact characteristics are the CVSS evaluation results for each vulnerability: the impact on each of confidentiality, integrity, and availability is rated on a three-level scale of "High," "Low," and "None." The technical impact characteristics are not limited to these three items, however. Instead of, or in addition to, confidentiality, integrity, and availability, the impact on authenticity, reliability, accountability, non-repudiation, and security, for example, may also be evaluated (included as evaluation items). In that case, the impact on all of confidentiality, integrity, availability, authenticity, reliability, accountability, non-repudiation, and security may be evaluated, or the impact on only one or more of them. These technical impact characteristics are also published on the CVE-ID management site mentioned above, along with the CVE-ID, vulnerability name, and content of each vulnerability.
[0041] As described above, the component list indicates the components in which each vulnerability exists. If a single vulnerability exists in one or more components, the CPE names of those one or more components are listed in the component list. Furthermore, if a single component has one or more vulnerabilities, the CPE names of the same component are shown in each of the component lists for those one or more vulnerabilities. The CPE names of the vulnerable components shown in this component list are also published on the CVE-ID management site mentioned above, along with the CVE-ID and technical impact characteristics for each vulnerability. However, the components listed in the component list are not limited to CPE names; they may also be component IDs, for example, as shown in Figure 5. When listing component IDs in the component list, the CPE names of the components corresponding to each component ID should be identifiable and obtainable using component information 113.
[0042] In the example shown in Figure 5, vulnerability information 114 also includes, in addition to the above, exploitation history indicating the exploitation status of each vulnerability, automation feasibility indicating whether attacks against the vulnerability can be automated, and value density indicating the value (resources that can be controlled / taken over, etc.) obtained by attacking the vulnerability. Exploitation history indicates the exploitation status based on criteria such as "None" (never exploited), "PoC" (proof of concept) (exploitation example), and "Active" (exploitation history). Automation feasibility indicates whether automation is possible based on criteria such as "No" (cannot be automated) and "Yes" (can be reliably automated). Value density indicates value based on criteria such as "Diffuse" (limited value / controllable resources) and "Concentrated" (rich value / controllable resources). However, vulnerability information 114 is not limited to the example shown in Figure 5; for example, exploitation history, automation feasibility, and value density do not necessarily have to be included, and other information may be included instead of, or in addition to, exploitation history, automation feasibility, and value density.
[0043] Vulnerability information 114 is created in advance by the operations manager. For example, the operations manager may collect or acquire information such as the CVE-ID, technical impact characteristics, component list, exploitation history, automation feasibility, and value density of the vulnerabilities published on the CVE-ID management site or the other sites mentioned above, and compile this information into a database to create vulnerability information 114. Alternatively, an external database containing similar information may be acquired (purchased, etc.). In this case, if the vulnerability information 114 has items that are not present in the acquired information or database, the operations manager may manually input the data for those items to create the vulnerability information 114. The vulnerability information 114 created or acquired in this way is input into the evaluation device 11 and stored in the storage device 101. For example, the operations manager may input the vulnerability information 114 via the network 16 or other communication means, or from the input device 12 using various storage media.
[0044] Figure 6 is a diagram showing an example of the first impact information 115 in Example 1. The first impact information 115 assumes, for each of the one or more evaluation target systems 15, that any one or more of the devices included in the component device group 151 are in a vulnerable state (having one or more vulnerabilities) in which they could be subjected to an arbitrary attack or the like, and shows the impact that the assumed attack would have on the evaluation target system 15 if it occurred in any one or more of those devices. As shown in Figure 6, the first impact information 115 also includes a system ID for identifying each evaluation target system 15 and a system name for each evaluation target system 15. As described above, for each evaluation target system 15, the impact (first impact) of an attack on any one or more devices is shown for each item (also referred to as a viewpoint) of confidentiality, integrity, and availability. Note that the impact on the evaluation target system 15 refers to the impact on the business executed by or using the evaluation target system 15, on the larger business that includes that business, or on the safety of the evaluation target system 15 (hereinafter referred to as the business impact).
[0045] The system ID is the same as that shown in the component list of the component device information 112, as described there. The system name is, for example, the product name of each system, a generic name, or a name (or designation) assigned to each system within the company. The first impact shows the impact on confidentiality, integrity, and availability, as the business impact that the attack has on each evaluation target system 15, in four levels: "Very High," "High," "Medium," and "Low." However, the business impact is not limited to the impact on confidentiality, integrity, and availability. Instead of, or in addition to, the impact on confidentiality, integrity, and availability, the impact on, for example, authenticity, reliability, accountability (traceability), non-repudiation, and security may be evaluated (or included as evaluation items). In this case, the impact on all of confidentiality, integrity, availability, authenticity, reliability, accountability (traceability), non-repudiation, security, etc. may be evaluated, or any one or more of those impacts may be evaluated.
[0046] The first impact information 115 is evaluated and created in advance by the operations manager. As an example of the evaluation, the operations manager assumes, for each evaluation target system 15, that one or more devices included in the component device group 151 have one or more vulnerabilities of the highest severity, i.e., vulnerabilities whose impact on confidentiality, integrity, and availability is rated "High" under CVSS, and evaluates the business impact on the system in terms of confidentiality, integrity, and availability if one or more of these vulnerabilities are attacked. Any device could be assumed to have the most severe vulnerability, but the operations manager assumes, for example, the device that is thought to have the greatest impact on the system. This allows the magnitude of the impact of an attack expected to have the greatest impact (or cause the greatest damage) on the system to be evaluated for each of the three items.
[0047] In this embodiment, the pessimistic scenario (or worst-case scenario) is defined as the assumption that such an attack occurs, that is, the assumption that the most severe vulnerability in the device considered to have the greatest impact on the system is attacked. Therefore, in the above evaluation example, the first impact based on the pessimistic scenario is evaluated for each evaluation target system 15. Figure 6 shows such an evaluation example. As a concrete example of evaluation based on the pessimistic scenario, if a severe vulnerability in the control server constituting the robot processing system (system ID: SYS001) is attacked, the impact on the confidentiality of the control server (the impact if confidentiality is compromised and information is leaked) is not very large ("Medium"), but the impact on integrity (the impact if integrity is compromised and, for example, the control parameters governing the robot's operation are tampered with) is extremely large ("Very High"), since tampering with the parameters could cause abnormal or runaway robot operation leading to physical damage or personal injury.
[0048] Furthermore, the evaluation of the first impact in the first impact information 115 is not limited to being based on the above pessimistic scenario. For example, for each evaluation target system 15, it may be assumed that a specific vulnerability exists in any one or more of the devices included in the component device group 151, and the business impact on the system when that specific vulnerability is attacked may be evaluated from the viewpoints of confidentiality, integrity, and availability. In this case, the specific vulnerability may be selected or assumed by the operations manager regardless of its severity, and the device in which the specific vulnerability is assumed to exist may likewise be selected or assumed by the operations manager at will. For example, the operations manager may select or assume vulnerabilities and devices based on cyberattack cases that have occurred in the company itself, in related companies, or in competitors, on cases considered likely to occur, or on cyberattack cases that have recently occurred frequently at home and abroad or have attracted public attention. In this embodiment, the case in which such a specific vulnerability is assumed to be attacked is referred to as a specific scenario (or specific case).
[0049] Moreover, the evaluation of the first impact in the first impact information 115 is not limited to being based on only one of the above pessimistic scenario and specific scenario. Either the pessimistic scenario or the specific scenario may be selected for each evaluation target system 15, that is, evaluations based on the pessimistic scenario and evaluations based on the specific scenario may be mixed across systems, or evaluations based on both the pessimistic scenario and the specific scenario may be performed for each evaluation target system 15 or for some of the evaluation target systems 15.
[0050] Furthermore, the evaluation of the first impact in the first impact information 115 may also take into account impacts such as business continuity, economic loss, psychological damage, physical damage, environmental damage, and health damage that may occur in, be related to, or be caused by each evaluation target system 15 when a vulnerability is attacked under the above pessimistic scenario or specific scenario, and then evaluate the impacts on confidentiality, integrity, and availability on that basis.
[0051] The first impact information 115, which has been evaluated and created as described above, is input to the evaluation device 11 and stored in the storage device 101. As an example of input, for example, the input unit 121 may display a GUI for inputting the first impact information 115 on the display device 13, and the operations manager may input each item for each system to be evaluated 15 using the input device 12. Alternatively, the operations manager may evaluate and create the first impact information 115 using another PC, etc., and input the first impact information 115 via the network 16 or other communication means, or input it from the input device 12 using various storage media.
[0052] Figure 7 is a flowchart showing an example of the vulnerability identification process performed by the identification unit 122 in Embodiment 1. In Figure 7, at S701, the identification unit 122 reads the device information 112 and the vulnerability information 114 from the storage device 101. At S702, the identification unit 122 compares the component lists contained in the two pieces of information read and determines whether one or more CPE names or component IDs appear in both component lists. If, at S702, no CPE name or component ID appears in both component lists, the identification unit 122 terminates the vulnerability identification process. If, at S702, it is determined that one or more CPE names or component IDs appear in both lists, that is, that there are one or more matching components, then at S703 the identification unit 122 uses the vulnerability information 114 to identify the one or more vulnerability identifiers whose component lists contain the one or more matching CPE names or component IDs, that is, the one or more vulnerabilities present in the one or more matching components (vulnerabilities present in a component in this way are also called possessed vulnerabilities). At S704, the identification unit 122 extracts from the device information 112 the one or more device IDs and one or more system IDs whose component lists include the one or more matching CPE names or component IDs, i.e., the one or more devices containing the component with the identified one or more vulnerabilities, and the one or more evaluation target systems 15 in which those devices are implemented (or included as part of the configuration). At S705, the identification unit 122 associates the identifiers of the identified one or more vulnerabilities with the extracted one or more device IDs and system IDs, i.e., associates each identified vulnerability with the device containing the component in which that vulnerability exists (hereinafter referred to as the device with the vulnerability) and with the evaluation target system 15 that includes that device (hereinafter referred to as the system with the vulnerability), and outputs this to the calculation unit 123.
[0053] Furthermore, the vulnerability identification process performed by the identification unit 122 is not limited to the example shown in Figure 7. For example, information on all vulnerabilities present in the constituent devices 151 of each system to be evaluated, detected and output by the vulnerability scanning device 14, may be used to identify vulnerabilities and associate them with devices and systems.
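A worked implementation of the identification process of Figure 7 (S701 to S705), as an added example that is not part of the patent's own embodiment. It assumes three small tables constructed for the example: device information 112 as a list of rows (system ID, device ID, component list), component information 113 as a mapping from component ID to CPE name, and vulnerability information 114 as a mapping from CVE-ID to component list. The CPE names, device and system IDs, and CVE-IDs are constructed placeholders (the CVE-IDs use an invalid year so they cannot be mistaken for real entries). As paragraph [0041] allows, component lists may carry either CPE names or component IDs, so each entry is resolved to a CPE name before matching.

```python
"""Vulnerability identification (Figure 7, S701 to S705): added example, constructed data."""

# Component information 113 (constructed): component ID -> CPE name.
COMPONENT_INFO_113 = {
    "CMP001": "cpe:2.3:o:examplevendor:ctrl_os:4.1:*:*:*:*:*:*:*",
    "CMP002": "cpe:2.3:a:examplevendor:hmi_runtime:2.0:*:*:*:*:*:*:*",
    "CMP003": "cpe:2.3:a:examplevendor:mes_server:7.3:*:*:*:*:*:*:*",
}

# Device information 112 (constructed): one row per device of each evaluation target system.
# Component lists may hold component IDs or CPE names (paragraph [0041]).
DEVICE_INFO_112 = [
    {"system_id": "SYS001", "device_id": "DEV001", "components": ["CMP001", "CMP002"]},
    {"system_id": "SYS001", "device_id": "DEV002", "components": ["CMP002"]},
    {"system_id": "SYS002", "device_id": "DEV003", "components": [COMPONENT_INFO_113["CMP003"]]},
]

# Vulnerability information 114 (constructed; the CVE-IDs are placeholders with an invalid year).
VULN_INFO_114 = {
    "CVE-0000-0001": {"components": ["cpe:2.3:o:examplevendor:ctrl_os:4.1:*:*:*:*:*:*:*"]},
    "CVE-0000-0002": {"components": ["CMP002", "cpe:2.3:a:examplevendor:mes_server:7.3:*:*:*:*:*:*:*"]},
    "CVE-0000-0003": {"components": ["cpe:2.3:a:examplevendor:unrelated_product:1.0:*:*:*:*:*:*:*"]},
}


def to_cpe(entry, component_info=COMPONENT_INFO_113):
    """Resolve a component-list entry to a CPE name; component IDs are looked up in component information 113."""
    return component_info.get(entry, entry)


def identify_vulnerabilities(device_info=DEVICE_INFO_112, vuln_info=VULN_INFO_114):
    """S702 to S705: find components listed in both tables and associate each possessed
    vulnerability with the device containing the component and the system holding that device.
    Returns a list of (cve, cpe, device_id, system_id) tuples; empty when nothing matches (S702 exit)."""
    # S702: index every CPE name referenced by vulnerability information 114.
    cpe_to_cves = {}
    for cve, row in vuln_info.items():
        for entry in row["components"]:
            cpe_to_cves.setdefault(to_cpe(entry), set()).add(cve)

    associations = []
    for device in device_info:
        for entry in device["components"]:
            cpe = to_cpe(entry)
            # S703/S704: a matching CPE name yields the possessed vulnerabilities, device ID and system ID.
            for cve in sorted(cpe_to_cves.get(cpe, ())):
                # S705: one association per (vulnerability, device, system), handed to the calculation unit.
                associations.append((cve, cpe, device["device_id"], device["system_id"]))
    return associations


if __name__ == "__main__":
    for cve, cpe, dev, system_id in identify_vulnerabilities():
        print(f"{cve} in {dev} ({system_id}) via {cpe}")
```

With the constructed tables, the same vulnerability (CVE-0000-0002) is reported once per device in which its component appears, which is the per-device granularity the second impact information later relies on, while CVE-0000-0003 produces no association because no device carries its component.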
[0054] Figure 8 is a flowchart showing an example of the process by which the calculation unit 123 calculates the second impact in Embodiment 1. Figure 9 is a conceptual diagram showing the process by which the calculation unit 123 corrects the first impact in Embodiment 1. The details of the process by which the calculation unit 123 corrects the first impact and calculates the second impact are explained below using Figures 8 and 9.
[0055] In Figure 8, at S801, the calculation unit 123 receives one or more vulnerability identifiers identified by the identification unit 122, and one or more device IDs and one or more system IDs associated with each of them, i.e., one or more identified vulnerabilities and one or more devices and one or more systems in which each of them exists. At S802, the calculation unit 123 reads vulnerability information 114 and first impact information 115 from the storage device 101. At S803, the calculation unit 123 extracts one or more technical impact characteristics corresponding to each of the received one or more vulnerability identifiers from the vulnerability information 114. At S804, the calculation unit 123 extracts one or more first impacts corresponding to each of the received one or more system IDs from the first impact information 115.
[0056] In S805, the calculation unit 123 determines, for each of the one or more identified vulnerabilities, whether there is an item in the technical impact characteristics corresponding to the vulnerability identifier that is evaluated as "None," that is, whether the evaluation of the impact on confidentiality, integrity, or availability is "None." For example, in Figure 9, the impact on integrity among the technical impact characteristics of the vulnerability with identifier "CVE-2024-XXXX" is evaluated as "None," so in this case, the calculation unit 123 determines that there is an item evaluated as "None."
[0057] If there are items evaluated as "None" in S805, in S806, the calculation unit 123 corrects the evaluation of the items corresponding to the items evaluated as "None" in the technical impact characteristics among the first impact levels corresponding to the system ID associated with the vulnerability identifier, i.e., the system ID of the system in which the vulnerability exists, to "Low". For example, in Figure 9, as described above, the impact on integrity among the technical impact characteristics of the vulnerability with identifier "CVE-2024-XXXX" is evaluated as "None", while the impact on integrity in the first impact level corresponding to the system ID of the system in which this vulnerability exists is evaluated as "Very High". Therefore, the calculation unit 123 changes the evaluation level of this impact on integrity from "Very High" to "Low", as shown in Figure 9. If it is determined in S805 that there are no items evaluated as "None" in the technical impact characteristics, the calculation unit 123 proceeds to the processing in S807.
[0058] Next, in S807, the calculation unit 123 determines, for each of the one or more identified vulnerabilities, whether there is an item in the technical impact characteristics corresponding to the vulnerability identifier that is evaluated as "Low," that is, whether the evaluation of the impact on confidentiality, integrity, or availability is "Low." For example, in Figure 9, the impact on availability among the technical impact characteristics of the vulnerability with identifier "CVE-2024-XXXX" is evaluated as "Low," so in this case, the calculation unit 123 determines that there is an item evaluated as "Low."
[0059] If there are items evaluated as "Low" in S807, in S808, the calculation unit 123 adjusts the evaluation level of the items corresponding to the items evaluated as "Low" in the technical impact characteristics among the first impact levels corresponding to the system ID associated with the vulnerability identifier, i.e., the system ID of the system in which the vulnerability exists, by one level. For example, in Figure 9, as described above, the impact on availability among the technical impact characteristics of the vulnerability with identifier "CVE-2024-XXXX" is evaluated as "Low," while the impact on availability in the first impact level corresponding to the system ID of the system in which this vulnerability exists is evaluated as "High." Therefore, the calculation unit 123 lowers the evaluation level of this impact on availability by one level, from "High" to "Medium," as shown in Figure 9. If it is determined in S807 that there are no items evaluated as "Low" in the technical impact characteristics, the calculation unit 123 terminates the calculation process.
[0060] Furthermore, the reduction of the evaluation level of the first impact item in S808 is not limited to the single step described above; it may, for example, be two steps, or the level may not be reduced at all. The amount of reduction may be determined freely according to how the "Low" evaluation in the technical impact characteristics is interpreted.
[0061] Furthermore, if the technical impact characteristics and the first impact include, in place of or in addition to the assessment of the impacts on confidentiality, integrity, and availability, assessments of, for example, authenticity, reliability, accountability, non-repudiation, and security, then in S805 to S808 the above judgments and corrections are also made for the items other than confidentiality, integrity, and availability included in the technical impact characteristics and the first impact.
[0062] The calculation process for the second impact level by the calculation unit 123 shown in Figures 8 and 9 is an example where the first impact level is evaluated based on the pessimistic scenario described above. However, when the first impact level is evaluated based on a specific scenario described above, some items of the first impact level may be evaluated optimistically (at a lower evaluation level). In such cases where the first impact level is evaluated based on a specific scenario, the calculation unit 123, for example, in addition to S805 to S808, determines whether there are any items in the technical impact characteristics corresponding to the vulnerability identifier that are evaluated as "High" for each vulnerability. If there are, it may adjust the evaluation level of the corresponding item in the first impact level upward by one level or more, or change it to "Very High". The amount of adjustment in this case can also be arbitrarily determined according to the interpretation of the "High" evaluation in the technical impact characteristics. By adjusting the evaluation of the first impact level upward or downward according to the technical impact characteristics in this way, the calculation unit 123 can calculate a more appropriate second impact level.
[0063] By performing the above calculation process, the calculation unit 123 corrects each of the one or more first impacts for one or more systems in which one or more vulnerabilities identified by the identification unit 122 exist, using the technical impact characteristics of each vulnerability, to calculate one or more second impacts corresponding to each of the one or more first impacts. Subsequently, the calculation unit 123 collects the calculated one or more second impacts for each vulnerability and the device in which that vulnerability exists to create second impact information 116, stores it in the storage device 101, and outputs it to the output unit 124. In creating the second impact information 116, for example, as described above, since the vulnerabilities in each evaluation target system 15 and the devices in which those vulnerabilities exist have been identified by the vulnerability identification process by the identification unit 122, it is possible to create it by replacing the system ID corresponding to each first impact with the identifier of the vulnerability in the system indicated by that system ID and the device ID of the device in which that vulnerability exists, and replacing the first impact with the calculated (corrected) second impact.
[0064] Figure 10 shows an example of the second impact information 116 displayed on the display device 13 in Embodiment 1. As described above, the output unit 124 outputs the second impact information 116 received from the calculation unit 123 to the display device 13, and the display device 13 displays the second impact information 116 received from the output unit 124 on the screen.
[0065] As shown in Figure 10, the second impact information 116 includes the vulnerability identifier, the device ID of the device in which each vulnerability exists, and the second impact calculated by the calculation unit 123. Since the second impact information 116 shows the second impact for each vulnerability and for each device in which that vulnerability exists, a vulnerability present in multiple devices has its second impact shown once for each of those devices. Likewise, if a device has multiple vulnerabilities, the second impact is shown for each vulnerability.
[0066] In the example shown in Figure 10, the second impact information 116 also includes an overall assessment as a second impact item, in addition to the above. The overall assessment can be, for example, the highest level among the confidentiality, integrity, and availability assessment levels of each second impact, and Figure 10 shows an example in which this level is used as the overall assessment. For example, the highest assessment level among the second impact levels of the vulnerability with identifier "CVE-2024-XXX" is "Medium," so the overall assessment is also "Medium." Likewise, the highest assessment level among the second impact levels of the vulnerability with identifier "CVE-2022-XXX" is "Very High," so the overall assessment is also "Very High." However, the overall assessment is not limited to these examples, and its level may be determined by any method, such as, for example, the average of the confidentiality, integrity, and availability assessment levels of each second impact.
[0067] Furthermore, in the example shown in Figure 10, the second impact information 116 also includes a response policy. The response policy indicates the priority with which, and the timing at which, each vulnerability is to be addressed. For example, based on the device in which each vulnerability exists and the overall assessment of its second impact, the priority is shown in four levels: "Defer (no action at this time)," "Scheduled (to be addressed during regular maintenance)," "Out-of-cycle (to be addressed faster than usual)," and "Immediate (to be addressed as quickly as possible, even if this means suspending normal operations)." As described above, this response policy is determined by the decision unit 125 based on the device in which each vulnerability exists and the overall assessment of its second impact. As described above, the second impact information 116 shows the second impact of a vulnerability for each device in which it exists, even for the same vulnerability. Similarly, the response policy is shown for each device in which the vulnerability exists, and may differ from device to device.
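The correction of Figure 8 (S805 to S808), the optional upward adjustment of paragraph [0062], and the overall assessment of Figure 10, worked through as an added Python example that is not part of the patent. The sample first impact and technical impact characteristics are the Figure 9 values the text gives (system SYS001: confidentiality "Medium", integrity "Very High", availability "High"; vulnerability "CVE-2024-XXXX": integrity "None", availability "Low"); the confidentiality rating of that vulnerability is not stated on the page and is assumed to be "High" here, and the second system, second vulnerability and the identified (vulnerability, device, system) triples are constructed. The step widths for the "Low" and "High" cases are parameters, because paragraphs [0060] and [0062] leave them to the operator.

```python
"""Second impact calculation (Figure 8, S805 to S808) and overall assessment (Figure 10).
Added example with constructed data; not the patent's own implementation."""

# Business impact scale of the first/second impact (paragraph [0045]), lowest first.
LEVELS = ["Low", "Medium", "High", "Very High"]
ITEMS = ("confidentiality", "integrity", "availability")

# First impact information 115: SYS001 as described for Figure 9; SYS002 constructed.
FIRST_IMPACT_INFO_115 = {
    "SYS001": {"confidentiality": "Medium", "integrity": "Very High", "availability": "High"},
    "SYS002": {"confidentiality": "High", "integrity": "Medium", "availability": "Low"},
}

# Technical impact characteristics (CVSS C/I/A rated "High"/"Low"/"None") per vulnerability.
# "CVE-2024-XXXX" is the page's placeholder; its confidentiality rating is an assumption.
TECH_IMPACT = {
    "CVE-2024-XXXX": {"confidentiality": "High", "integrity": "None", "availability": "Low"},
    "CVE-0000-0002": {"confidentiality": "Low", "integrity": "Low", "availability": "High"},  # constructed
}

# Output of the identification process (Figure 7): (vulnerability, device, system). Constructed.
IDENTIFIED = [
    ("CVE-2024-XXXX", "DEV001", "SYS001"),
    ("CVE-0000-0002", "DEV001", "SYS001"),
    ("CVE-0000-0002", "DEV003", "SYS002"),
]


def shift_level(level, steps):
    """Move a level up (positive) or down (negative) the scale, clamped to its ends."""
    index = LEVELS.index(level) + steps
    return LEVELS[max(0, min(len(LEVELS) - 1, index))]


def correct_first_impact(first_impact, tech_impact, low_steps=1, high_steps=0):
    """S805 to S808 for one vulnerability in one system.
    "None" in the technical impact sets the matching first impact item to "Low" (S806);
    "Low" lowers it by low_steps (S808; one step by default, configurable per paragraph [0060]);
    "High" raises it by high_steps when a specific-scenario evaluation is corrected upward
    (paragraph [0062]; 0 by default, i.e. no change under the pessimistic scenario)."""
    second = dict(first_impact)
    for item in ITEMS:
        rating = tech_impact[item]
        if rating == "None":
            second[item] = "Low"
        elif rating == "Low":
            second[item] = shift_level(second[item], -low_steps)
        elif rating == "High" and high_steps:
            second[item] = shift_level(second[item], high_steps)
    return second


def overall_assessment(second_impact, method="max"):
    """Overall assessment of Figure 10: the highest C/I/A level by default, or the average level
    (rounded to the nearest scale step) as the alternative paragraph [0066] mentions."""
    indices = [LEVELS.index(second_impact[item]) for item in ITEMS]
    if method == "max":
        return LEVELS[max(indices)]
    return LEVELS[round(sum(indices) / len(indices))]


def build_second_impact_info(identified=IDENTIFIED, tech_impact=TECH_IMPACT,
                             first_impact_info=FIRST_IMPACT_INFO_115, **kwargs):
    """Second impact information 116 (paragraph [0063]): one row per (vulnerability, device), with the
    system ID replaced by the vulnerability and device, and the first impact by the corrected second impact."""
    rows = []
    for cve, device_id, system_id in identified:
        second = correct_first_impact(first_impact_info[system_id], tech_impact[cve], **kwargs)
        rows.append({"cve": cve, "device_id": device_id, **second,
                     "overall": overall_assessment(second)})
    return rows


if __name__ == "__main__":
    for row in build_second_impact_info():
        print(row)
```

For the Figure 9 values the function reproduces the text: integrity drops from "Very High" to "Low", availability from "High" to "Medium", confidentiality stays "Medium", and the overall assessment is "Medium". The clamping in shift_level matters for the two-step variant of paragraph [0060], where a "Medium" item rated "Low" would otherwise index below the scale.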
[0068] The decision unit 125 may also decide on this response policy using SSVC (Stakeholder-Specific Vulnerability Categorization), a vulnerability evaluation method. In SSVC, the response priority for each vulnerability is determined using decision trees prepared for each of three types of stakeholder: deployers (those who apply security patches to software), suppliers (those who provide the patches), and coordinators (those who coordinate vulnerability response). For example, the decision tree prepared for deployers has four branching items: "Exploitation" (history of exploitation of the vulnerability), "System Exposure" (network connectivity status, i.e., exposure status, of the configured devices), "Utility" (usefulness to attackers), and "Human Impact" (magnitude of impact, i.e., impact on business operations). Of these, "Utility" is further composed of the items "Automatable" (automation feasibility) and "Value Density." By selecting one of the pre-prepared values (criteria or levels) for each of these items, the final response priority is derived.
[0069] Therefore, the decision unit 125 may, for example, use the exposure status included in the configuration device information 112 as "System Exposure," and the exploitation history, automation feasibility, and value density included in the vulnerability information 114 as "Exploitation," "Automatable," and "Value Density," respectively, and further use the overall assessment included in the second impact as "Human Impact," then proceed through the judgments on each item of the decision tree prepared for deployers to determine the response priority for each vulnerability as its response policy, and present it as the response policy in the second impact information 116.
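An added example, not part of the patent, of how the decision unit 125 could feed the values named in paragraph [0069] into a deployer-style SSVC decision. The mapping of the page's values to the SSVC decision points and the derivation of "Utility" from "Automatable" and "Value Density" (laborious, efficient, super effective) follow the published SSVC decision-point definitions; the final priority rule is a constructed simplification for illustration only and is not the published SSVC deployer tree, which an implementer would substitute for it. The exposure status values ("small", "controlled", "open") are the SSVC ones and are assumed here, since the page does not list the values used in configuration device information 112; the sample rows are constructed.

```python
"""Response policy via an SSVC-style deployer decision (paragraphs [0068], [0069]).
Added example with constructed data. The Utility derivation follows SSVC; the final
priority rule is an illustrative simplification, NOT the published SSVC deployer tree."""

PRIORITIES = ("Defer", "Scheduled", "Out-of-cycle", "Immediate")

# Page values -> SSVC decision-point values.
EXPLOITATION = {"None": "none", "PoC": "poc", "Active": "active"}                  # exploitation history
AUTOMATABLE = {"No": "no", "Yes": "yes"}                                           # automation feasibility
VALUE_DENSITY = {"Diffuse": "diffuse", "Concentrated": "concentrated"}             # value density
HUMAN_IMPACT = {"Low": "low", "Medium": "medium", "High": "high", "Very High": "very high"}  # overall assessment
EXPOSURE_VALUES = ("small", "controlled", "open")  # assumed exposure statuses in device information 112


def utility(automatable, value_density):
    """SSVC "Utility" from "Automatable" x "Value Density"."""
    if automatable == "no" and value_density == "diffuse":
        return "laborious"
    if automatable == "yes" and value_density == "concentrated":
        return "super effective"
    return "efficient"


def deployer_priority(exploitation, exposure, util, human_impact):
    """Illustrative priority rule (constructed; replace with the actual SSVC deployer tree)."""
    severe = human_impact in ("high", "very high")
    if exploitation == "active" and (severe or exposure == "open"):
        return "Immediate"
    if exploitation == "active" or (severe and exposure == "open" and util != "laborious"):
        return "Out-of-cycle"
    if exploitation == "poc" or severe or util == "super effective":
        return "Scheduled"
    return "Defer"


def decide_response_policy(row):
    """Map one row joining vulnerability information 114, the device's exposure status and the
    overall assessment of the second impact to a response policy for that (vulnerability, device)."""
    if row["exposure"] not in EXPOSURE_VALUES:
        raise ValueError(f"unknown exposure status: {row['exposure']}")
    util = utility(AUTOMATABLE[row["automation"]], VALUE_DENSITY[row["value_density"]])
    return deployer_priority(EXPLOITATION[row["exploitation"]], row["exposure"],
                             util, HUMAN_IMPACT[row["overall"]])


# Constructed rows: the same vulnerability in two devices can receive different policies (paragraph [0067]).
SAMPLE_ROWS = [
    {"cve": "CVE-2024-XXXX", "device_id": "DEV001", "exposure": "open", "exploitation": "Active",
     "automation": "Yes", "value_density": "Concentrated", "overall": "Very High"},
    {"cve": "CVE-2024-XXXX", "device_id": "DEV002", "exposure": "small", "exploitation": "Active",
     "automation": "Yes", "value_density": "Concentrated", "overall": "Low"},
    {"cve": "CVE-0000-0002", "device_id": "DEV003", "exposure": "small", "exploitation": "None",
     "automation": "No", "value_density": "Diffuse", "overall": "Medium"},
]


def response_policies(rows=SAMPLE_ROWS):
    """Response policy column of the second impact information, one entry per (vulnerability, device)."""
    return [(r["cve"], r["device_id"], decide_response_policy(r)) for r in rows]


if __name__ == "__main__":
    for cve, device_id, policy in response_policies():
        print(f"{cve} on {device_id}: {policy}")
```

The vulnerability-level inputs (exploitation, automatable, value density) are identical for the two DEV rows of "CVE-2024-XXXX"; only the device's exposure and the system's overall assessment differ, which is why the page states that the response policy is determined per device rather than per vulnerability.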
[0070] However, the second impact information 116 is not limited to the example shown in Figure 10. For example, it does not have to include an overall assessment or response plan, and other information may be included in place of, or in addition to, an overall assessment or response plan.
[0071] As explained above, the evaluation device, evaluation system, and evaluation program in Example 1 make it possible to correct the first impact, which indicates the degree of business impact on the system under evaluation, using the technical impact characteristics of each vulnerability (evaluation level of impact on confidentiality, integrity, and availability), even if the first impact is overestimated or underestimated based on a pessimistic scenario or a specific scenario. The second impact calculated in this way will more accurately and appropriately indicate the degree of business impact because the overestimation or underestimation in the first impact has been corrected. Therefore, the evaluation device, evaluation system, and evaluation program make it possible to evaluate the degree of business impact for each vulnerability with high accuracy, and based on such high-accuracy business impact, it becomes possible to determine a more appropriate and efficient response policy.
[0072] In Example 1, we described an example in which, as the first impact information 115, the overall business impact (first impact) of the system when a vulnerability is attacked based on a pessimistic scenario or a specific scenario is evaluated for each system 15 under evaluation, in terms of confidentiality, integrity, and availability. In this example, as described in the explanation of the first impact information 115, when evaluating the first impact of each system 15 under evaluation, the evaluation of each item may be carried out by comprehensively considering the impacts on business continuity, economic losses, psychological damage, physical damage, environmental damage, health damage, etc., that may occur in the system or be related to or caused by the system. However, instead of comprehensively considering the impacts of the above damages, etc., the evaluation of each item may be carried out by considering them individually. By evaluating the first impact in this way, it is possible to further improve the accuracy of the evaluation of the second impact, which is calculated by correcting the first impact. Therefore, in Example 2, we will describe an example in which the first and second impacts are evaluated by individually considering the impacts of the above damages, etc. Note that in the following explanation, explanations that overlap with Example 1 will be omitted, and only the differences will be explained.
[0073] Figure 11 shows an example of the first impact information in Example 2. As shown in Figure 11, the first impact information 215 evaluates, as the first impact of an attack on any one or more devices of each evaluation target system 15, the impacts on business continuity, economic loss, psychological damage, physical damage, environmental damage, health damage, etc., that may occur in, be related to, or be caused by the system, individually and for each of the items of confidentiality, integrity, and availability. Figure 11 shows specific examples of the evaluations for business continuity and physical damage among the above-mentioned damages. Note that the first impact information 215 may include all of the above-mentioned damages, or one or more of them.
[0074] When such first impact information 215 is used, the second impact, calculated by correcting the first impact, likewise evaluates the impact of each kind of damage, etc., individually. Figure 12 shows an example of the second impact information displayed on the display device in Embodiment 2. As shown in Figure 12, the second impact information 216 evaluates the impact of each kind of damage, etc., individually in terms of confidentiality, integrity, and availability, as the second impact calculated by the calculation unit 123 correcting the first impact in the first impact information 215. Figure 12 shows specific examples of the evaluation for business continuity and physical damage. If the first impact information 215 includes only one or more of the kinds of damage, etc., rather than all of them, the second impact information 216 likewise includes only those. In Embodiment 2, the calculation unit 123 performs the same calculation process as shown in Figure 8, and in S806 and S808 it calculates the second impact shown in Figure 12 by changing the evaluation level of each item, for the impact of each kind of damage, etc., according to the technical impact characteristics.
[0075] Furthermore, the overall evaluation in the second impact information 216 may be determined based on any method, similar to the overall evaluation in the second impact information 116 of Example 1. For example, it may be determined by using the highest evaluation level among the evaluation levels for each item for each of the above-mentioned impacts, or by using the average evaluation level of all evaluation levels. The response policy in the second impact information 216 is determined by the determination unit 125, similar to the response policy in the second impact information 116 of Example 1. For example, it is determined based on the equipment in which each vulnerability exists and the overall evaluation of each second impact, or by using SSVC.
[0076] As explained above, according to the evaluation device, evaluation system, and evaluation program in Example 2, the first impact, which individually evaluates, for each item of confidentiality, integrity, and availability, the impact on business continuity, economic loss, psychological damage, physical damage, environmental damage, health damage, etc., that may occur in, be related to, or be caused by each evaluation target system, is corrected to calculate the second impact. This allows the business impact of each vulnerability on each evaluation target system to be evaluated in more detail and more accurately, further improving the accuracy of the business impact evaluation and enabling a more appropriate and efficient response policy to be determined.
[0077] Although embodiments of the present invention have been described in detail above, the present invention is not limited to the embodiments described above, and various design modifications can be made without departing from the spirit of the invention as described in the claims. For example, each of the embodiments described above is described in detail in order to explain the present invention in an easy-to-understand manner, and is not necessarily limited to having all of the described configurations. Furthermore, it is possible to replace a part of the configuration of one embodiment with the configuration of another embodiment, and it is also possible to add the configuration of another embodiment to the configuration of one embodiment. Moreover, it is possible to add, delete, or replace parts of the configuration of each embodiment with other configurations.
[0078] 1...Evaluation system 11...Evaluation device 12...Input device 13...Display device 14...Vulnerability scanning device 15...System to be evaluated 16...Network 101...Storage device 102...Arithmetic unit 103...Memory 104...Input / output interface 105...External communication interface 106...Bus 111...Evaluation program 112...Configuration device information 113...Component information 114...Vulnerability information 115, 215...First impact information 116, 216...Second impact information 121...Input unit 122...Identification unit 123...Calculation unit 124...Output unit 125...Determination unit 151...Configuration device group
Claims
1. An evaluation device for evaluating the degree of business impact on one or more target systems in the event of a cyberattack on the target system, comprising at least a storage device, an input unit, a specification unit, a calculation unit, and an output unit, wherein the storage device stores vulnerability information relating to a plurality of existing vulnerabilities, each including at least the technical impact characteristics of the respective vulnerability; the input unit receives external input of component information relating to one or more components constituting the target system and first impact information evaluating the degree of business impact on the target system if any of the components are subjected to the cyberattack; the specification unit identifies one or more vulnerabilities present in any of the components based on the component information and the vulnerability information; the calculation unit extracts the technical impact characteristics of each of the one or more vulnerabilities from the vulnerability information, calculates second impact information for each of the vulnerabilities by correcting the first impact information using the technical impact characteristics; and the output unit outputs the second impact information.
2. An evaluation device according to claim 1, wherein the technical impact characteristics indicate an evaluation of the impact on at least confidentiality, integrity, and availability when each of the vulnerabilities is subjected to the cyberattack; the first impact information is an evaluation of the impact on at least confidentiality, integrity, and availability as the business impact of the system under evaluation; and the second impact information is an evaluation in which, for each of the vulnerabilities, the level of the evaluation of the impact on at least confidentiality, integrity, and availability in the business impact of the system under evaluation where the vulnerabilities exist is corrected according to the respective levels of the evaluation of the impact on at least confidentiality, integrity, and availability in the technical impact characteristics.
3. An evaluation device according to claim 2, wherein the first impact information is an evaluation of the business impact based on a pessimistic scenario in which the cyberattack expected to have the greatest impact on the system under evaluation occurs, and the calculation unit corrects the evaluation level in the business impact downward for each of the vulnerabilities if the evaluation level of the impact on at least one of the items of confidentiality, integrity, and availability in the technical impact characteristics is lower than the evaluation level of the impact on the same item in the business impact of the system under evaluation in which the vulnerability exists.
4. An evaluation device according to claim 2, wherein the first impact information is an evaluation of the business impact based on a specific scenario in which a cyberattack occurs against a specific vulnerability in the system under evaluation, and the calculation unit adjusts the evaluation level in the business impact upward or downward depending on whether the evaluation level of the impact on at least one of the items of confidentiality, integrity, and availability in the technical impact characteristics relating to the specific vulnerability is higher or lower than the evaluation level of the impact on the same item in the business impact of the system under evaluation in which the specific vulnerability exists.
5. An evaluation device according to claim 2, further comprising a determination unit, wherein the calculation unit determines, for each of the vulnerabilities in the second impact information, an overall evaluation regarding the impact on at least confidentiality, integrity, and availability of the business impact of the system under evaluation in which the vulnerabilities exist, and the determination unit determines, for each of the vulnerabilities, a response policy indicating the priority of responses to the vulnerabilities based on the component equipment in which the vulnerabilities exist and the overall evaluation.
6. An evaluation device according to claim 2, further comprising a determination unit, wherein the component information includes, for each component, an exposure status indicating the possibility of external access; the vulnerability information includes, for each vulnerability, an exploitation record indicating its exploitation status, an automation possibility indicating whether an attack against the vulnerability can be automated, and a value density indicating the resources that can be controlled by an attack against the vulnerability; the calculation unit determines, for each of the vulnerabilities in the second impact information, an overall evaluation of the impact on at least confidentiality, integrity, and availability of the business impact of the system under evaluation in which the vulnerability exists; and the determination unit determines, for each of the vulnerabilities, a response policy indicating the priority of responses to the vulnerability based on the exposure status, the exploitation record, the automation possibility, the value density, and the overall evaluation.
7. An evaluation device according to claim 1, wherein the technical impact characteristics indicate an evaluation of the impact on one or more of confidentiality, integrity, availability, authenticity, reliability, accountability, non-repudiation, and security when each vulnerability is subjected to the cyberattack; the first impact information is an evaluation of the impact on one or more of the same items as the business impact of each system under evaluation; and the second impact information is an evaluation in which, for each vulnerability, the level of the evaluation of the impact on confidentiality, integrity, availability, authenticity, reliability, accountability, non-repudiation, or security in the business impact of the system under evaluation where the vulnerability exists is corrected according to the respective level of the evaluation of the impact on the same item in the technical impact characteristics.
8. An evaluation device according to claim 2, wherein the first impact information is an evaluation of the impact on confidentiality, integrity, and availability for one or more of business continuity, economic loss, psychological damage, physical damage, environmental damage, and health damage occurring in or caused by the system under evaluation, and the second impact information is obtained by correcting the level of the evaluation of the impact on confidentiality, integrity, and availability for one or more of those items in the business impact.
9. An evaluation system for evaluating the degree of business impact on one or more systems under evaluation in the event of a cyberattack on said systems, comprising: an evaluation device according to claim 1; and a display device for displaying the second impact information output by the evaluation device.
10. An evaluation program that causes an evaluation device, comprising at least a processing unit and a memory device, to evaluate the degree of business impact on one or more systems under evaluation in the event of a cyberattack on said systems, wherein the memory device stores vulnerability information relating to a plurality of existing vulnerabilities, each of which includes at least the technical impact characteristics, and the evaluation program causes the evaluation device to execute: an input process that receives, from an external source, component information relating to one or more components constituting the system under evaluation, and first impact information which evaluates the degree of business impact on the system under evaluation in the event that any of the components is subjected to the cyberattack; an identification process that identifies one or more vulnerabilities present in any of the components based on the component information and the vulnerability information; a calculation process that extracts the technical impact characteristics relating to each of the one or more vulnerabilities from the vulnerability information and calculates second impact information for each of the vulnerabilities by correcting the first impact information using the technical impact characteristics; and an output process that outputs the second impact information.
11. An evaluation method for evaluating the degree of business impact on one or more target systems in the event of a cyberattack on said target system, comprising: identifying one or more vulnerabilities present in any of the configuration devices based on configuration device information relating to one or more configuration devices constituting the target system and vulnerability information relating to a plurality of existing vulnerabilities, which includes at least the technical impact characteristics relating to each of said vulnerabilities; extracting the technical impact characteristics relating to each of the one or more said vulnerabilities from the vulnerability information; calculating second impact information by correcting the first impact information, which evaluates the degree of business impact on the target system in the event that any of the configuration devices is subjected to a cyberattack, using the technical impact characteristics for each said vulnerability; and outputting the second impact information.
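The following Python script is an added worked example of the identification, calculation and determination steps described in paragraphs [0074] and [0075] and in claims 1 to 6; it is not the patent's or Hitachi Systems' code. All component, vulnerability and first-impact data are constructed, the vulnerability identifiers are placeholders rather than real CVE IDs, and three details the claims leave open are filled in as labelled assumptions: a common three-step scale (none/low/high) for both technical and business levels, the magnitude of the correction (a downward clamp to the technical level in the pessimistic scenario of claim 3, a one-step move toward the technical level in the specific scenario of claim 4), and a simplified scoring rule for the response policy of claim 6 that only borrows the SSVC outcome names and is not SSVC's published decision tree.

```python
"""Added example of first-impact -> second-impact correction (not the patent's code).
Everything below is constructed sample data plus labelled assumptions."""
from enum import IntEnum


class Level(IntEnum):
    """Common three-step scale for technical (CVSS-like N/L/H) and business
    impact levels. Assumption: the claims do not fix the scale."""
    NONE = 0
    LOW = 1
    HIGH = 2


ITEMS = ("C", "I", "A")  # confidentiality, integrity, availability

# Constructed vulnerability information: technical impact characteristics per
# C/I/A item plus the claim-6 attributes. Identifiers are placeholders.
VULN_INFO = {
    "VULN-A": {"tech": {"C": Level.HIGH, "I": Level.HIGH, "A": Level.NONE},
               "exploited": "active", "automatable": True, "value_density": "concentrated"},
    "VULN-B": {"tech": {"C": Level.NONE, "I": Level.NONE, "A": Level.HIGH},
               "exploited": "none", "automatable": False, "value_density": "diffuse"},
}

# Constructed component information: installed product and exposure status.
COMPONENTS = {
    "plc-01": {"product": "plc-firmware-1.2", "exposure": "controlled"},
    "hmi-01": {"product": "hmi-app-3.0", "exposure": "open"},
}

# Constructed product -> vulnerability table. The identification unit of the
# patent matches component information against vulnerability information;
# here that match is a plain lookup.
AFFECTED = {"plc-firmware-1.2": ["VULN-B"], "hmi-app-3.0": ["VULN-A", "VULN-B"]}

# Constructed first impact information in the Embodiment 2 layout: per
# component, per kind of damage, a C/I/A level under the pessimistic scenario.
FIRST_IMPACT = {
    "plc-01": {"business_continuity": {"C": Level.LOW, "I": Level.HIGH, "A": Level.HIGH},
               "physical_damage": {"C": Level.NONE, "I": Level.HIGH, "A": Level.HIGH}},
    "hmi-01": {"business_continuity": {"C": Level.HIGH, "I": Level.HIGH, "A": Level.LOW},
               "physical_damage": {"C": Level.NONE, "I": Level.LOW, "A": Level.LOW}},
}


def identify(component):
    """Identification unit: vulnerabilities present in one component."""
    return AFFECTED.get(COMPONENTS[component]["product"], [])


def correct(first, tech, scenario):
    """Calculation unit: second impact per C/I/A item.

    pessimistic (claim 3): correct downward only; here clamped to the technical
    level (assumption: the claim fixes the direction, not the magnitude).
    specific (claim 4): move one step up or down toward the technical level
    (assumption, for the same reason)."""
    second = {}
    for item in ITEMS:
        b, t = first[item], tech[item]
        if scenario == "pessimistic":
            second[item] = Level(min(b, t))
        elif scenario == "specific":
            step = (t > b) - (t < b)  # +1, 0 or -1
            second[item] = Level(max(Level.NONE, min(Level.HIGH, b + step)))
        else:
            raise ValueError(f"unknown scenario {scenario!r}")
    return second


def overall(second_by_kind, rule="max"):
    """Overall evaluation over all kinds of damage and items ([0075], claim 5):
    highest level, or rounded average of all levels."""
    levels = [lv for kind in second_by_kind.values() for lv in kind.values()]
    if rule == "max":
        return Level(max(levels))
    if rule == "mean":
        return Level(round(sum(levels) / len(levels)))
    raise ValueError(f"unknown rule {rule!r}")


def response_policy(exposure, vuln, overall_level):
    """Determination unit (claim 6). Assumption: additive score mapped onto the
    SSVC outcome names; this is NOT SSVC's decision tree nor the patent's rule."""
    score = int(overall_level)
    score += {"active": 2, "poc": 1}.get(vuln["exploited"], 0)
    score += 1 if exposure == "open" else 0
    score += 1 if vuln["automatable"] and vuln["value_density"] == "concentrated" else 0
    if score >= 5:
        return "immediate"
    if score >= 4:
        return "out-of-cycle"
    if score >= 2:
        return "scheduled"
    return "defer"


def evaluate(scenario="pessimistic", rule="max"):
    """Run identification, calculation and determination for every component
    and return second impact, overall evaluation and policy per (component, vuln)."""
    results = {}
    for comp, info in COMPONENTS.items():
        for vid in identify(comp):
            tech = VULN_INFO[vid]["tech"]
            second = {kind: correct(first, tech, scenario)
                      for kind, first in FIRST_IMPACT[comp].items()}
            ov = overall(second, rule)
            results[(comp, vid)] = {"second": second, "overall": ov,
                                    "policy": response_policy(info["exposure"], VULN_INFO[vid], ov)}
    return results


if __name__ == "__main__":
    for (comp, vid), r in evaluate().items():
        print(comp, vid, r["overall"].name, r["policy"], {k: {i: v.name for i, v in s.items()} for k, s in r["second"].items()})
```

Running the script shows the effect the claims describe: VULN-A, whose technical impact does not touch availability, has the availability level of hmi-01's business continuity impact lowered from LOW to NONE while its confidentiality and integrity levels keep the pessimistic values, and VULN-B, which affects only availability, sees its confidentiality and integrity levels zeroed on both components. The response policy then separates the two findings on hmi-01 (actively exploited and externally exposed versus neither), which a CVSS base score alone would not do.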