JP2016191968A - Risk determination method, device, system, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To allow data shared by a plurality of users to be appropriately managed.SOLUTION: When a terminal 30A completes access to data in a data group 88 in a risk determination device 20A, a request unit 21 requests the terminal 30A, an access source to the data, to input an information classification corresponding to the accessed data. An associating unit 22 associates and records the input information classification with the data and stores them according to the input of the information classification from the access source terminal 30A. In addition, a determination unit 23A determines a risk of the input of the information classification from the access source on the basis of a new information classification input when the access source terminal 30A completes new access to the data, the stored information classification, and whether the data is changed or not due to the new access.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a risk determination method, a risk determination device, a risk determination system, and a risk determination program.

  In recent years, with the advancement of ICT (Information and Communications Technology) technology, when performing various operations, various types and large amounts of information assets are often handled and the information assets are often shared with many users. .

  As a conventional technique that can be applied to appropriately operate and manage this type of information asset, there is a technique that assigns a type to data to be managed and manages it.

  In this technique, management information in which a user's processing authority for management target data is associated with a type of management target data and a type of processing content for the management target data is stored in a storage unit. In this technique, the user's identification information and an operation by the user are accepted, and the processing authority held by the user is specified by the management information based on the received identification information. In this technique, the type of management target data that can be handled by the user and the type of processing content for the management target data with the specified processing authority are the processing target data and the processing for the management target data. Determine whether the contents are included in the range. In this technique, when the user's operation is included in the range of the processing authority, the operation is allowed.

JP 2014-203293 A

  By the way, in a form in which a common information asset (hereinafter referred to as “data”) is shared by a plurality of users, the information classification indicating the restriction of access to data or the restriction of use is changed, or the data itself. May be changed.

  In this case, it is necessary to appropriately change the information classification and maintain the current status according to the data change status, but this is not necessarily the case. For example, when the information classification is changed even though the data has not been changed, there is a high possibility that the change of the information classification is not appropriate. On the other hand, when the information classification is not changed although the data is changed, the change of the information classification may not be appropriate. As described above, when the information classification set for data shared by a plurality of users is not appropriate, the data cannot be properly managed, and information leakage or excessive access restriction occurs. There is a fear.

  With respect to this problem, the conventional technology does not take into consideration that the information classification is appropriate, and cannot solve the problem.

  An object of the present invention is to enable optimization of data management as one aspect.

  In one aspect, when access to the data stored in the storage unit is completed, the computer requests an input of an information section corresponding to the accessed data to the access source of the data, and from the access source In response to the input of the information section, the input information section is stored in the storage unit in association with the data, and a new input that is input when new access to the data from the access source is completed Determining a risk related to the input of the information category of the access source based on the information category, the information category stored in the storage unit, and whether or not the data is changed due to the new access. The process including is executed.

  As one aspect, it has an effect that it becomes possible to support optimization of data management.

It is a functional block diagram of the danger judgment system concerning a 1st embodiment. 1 is a block diagram showing a schematic configuration of a computer system according to a first embodiment. It is a chart showing an example of a data group concerning a 1st embodiment. It is a graph which shows an example of the information division database which concerns on 1st Embodiment. It is a chart which shows an example of the 1st risk point database concerning a 1st embodiment. It is a chart which shows an example of the 2nd risk point database concerning a 1st embodiment. It is a flowchart which shows an example of the terminal process which concerns on 1st Embodiment. It is a figure which shows an example of a structure of the information division designation | designated menu screen which concerns on 1st Embodiment. It is a flowchart which shows an example of the registration process which concerns on 1st Embodiment. It is a flowchart which shows an example of the danger determination process which concerns on 1st Embodiment. It is a figure with which it uses for description of the risk determination process which concerns on 1st Embodiment, and is a graph which shows an example of the fluctuation | variation of the information division accompanying the increase in the frequency | count of access. It is a figure with which it uses for description of the risk determination process which concerns on 1st Embodiment, and is a graph which shows the other example of the fluctuation | variation of the information division accompanying the increase in the frequency | count of access. It is a flowchart which shows an example of the 2nd risk determination process which concerns on 1st Embodiment. It is a flowchart which shows an example of the risk response process which concerns on 1st Embodiment. It is the schematic which shows an example of the warning screen which concerns on 1st Embodiment. It is the schematic which shows the other example of the warning screen which concerns on 1st Embodiment. It is a functional block diagram of the danger judgment system concerning a 2nd embodiment. It is a block diagram which shows schematic structure of the computer system which concerns on 2nd Embodiment. It is a flowchart which shows an example of the danger determination process which concerns on 2nd Embodiment. It is a flowchart which shows an example of the 2nd risk determination process which concerns on 2nd Embodiment. It is a functional block diagram of the danger judgment system concerning a 3rd embodiment. It is a block diagram which shows schematic structure of the computer system which concerns on 3rd Embodiment. It is a flowchart which shows an example of the registration process which concerns on 3rd Embodiment. It is a flowchart which shows an example of the additional registration process which concerns on 3rd Embodiment. It is a graph which shows an example of the change of the access frequency with progress of time. It is a graph which shows the other example of the change of the frequency | count of access with progress of time.

  Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the drawings.

[First Embodiment]
FIG. 1 shows a risk determination system 10A according to the present embodiment. As shown in FIG. 1, the risk determination system 10A according to the present embodiment includes a risk determination device 20A and a plurality of terminals 30A.

  The risk determination apparatus 20A according to the present embodiment includes a request unit 21, a correspondence unit 22, a determination unit 23A, and a processing unit 24. The risk determination device 20A stores a first storage unit 95A for storing the data group 88, a second storage unit 95B for storing the information classification database 80, a first risk point database 82, and a second risk point database 84. The third storage unit 95C is provided.

  When the access to any data in the data group 88 is completed, the request unit 21 requests the terminal 30A that is an access source of the data to input an information section corresponding to the accessed data. Further, the associating unit 22 associates the input information category with the data in response to the input of the information category from the access source terminal 30A in response to the request from the requesting unit 21, and the information category database (hereinafter, (Referred to as “information classification DB”).

  In the risk determination system 10A according to the present embodiment, as an example of the information classification, five types of “general information”, “related party secret”, “external secret”, “personal information”, and “confidential information” are provided. Classification is applied.

  “General information” is an information category that does not restrict access or use of corresponding data. The “related party confidentiality” is an information category that restricts access and use of corresponding data only to predetermined related parties. “Confidential” is an information category that restricts access and use of corresponding data only to users within the company. “Personal information” is an information category that restricts access and use of corresponding data only to the person who created the data. Furthermore, “confidential information” is an information category that restricts access and use of corresponding data only to users who are permitted access by a predetermined authorized person (hereinafter referred to as “qualified person”). In the risk determination system 10A according to the present embodiment, a person who is equal to or more than a predetermined manager (here, a general manager) of a company that uses the risk determination system 10A is applied as the authority. It is not limited to. For example, a system administrator or the like of the risk determination system 10A may be applied as the authority.

  Thus, in the risk determination system 10A according to the present embodiment, the above five types of information classification are applied, but the present invention is not limited to this. For example, it is good also as a form which applies 1 or more and the combination of 4 or less among the said 5 types of information division.

  On the other hand, the determination unit 23A refers to the information classification DB 80, and performs the next determination process using the new information classification input when new access to the data from the access source terminal 30A is completed. . That is, when the new information section is different from the corresponding information section stored in the information section DB 80 and there is no change in the data due to the new access, the determination unit 23A determines that the access source terminal 30A It is determined that there is a risk regarding the input of the information category in. Note that “hazardous” in the present embodiment means that there is a possibility that there is an error in the input information category.

  In addition, the determination unit 23A determines that the data is changed due to a new access, and that the new information section and the corresponding information section stored in the information section DB 80 match with the same data a predetermined number of times. If it occurs subsequently, it is determined that there is a risk regarding the input of the information category.

  Further, the determination unit 23A may induce an erroneous input of information classification when the information classification input for the same data is different among a plurality of access sources that are not determined to be dangerous. It is determined that there is data.

  Furthermore, the determination unit 23A stores a plurality of information sections corresponding to access to the same data from the same access source terminal 30A in the information section DB 80, and the plurality of information sections vary (blur). In the case, it is determined that there is a risk regarding the input of the information category.

  If the determination unit 23 </ b> A determines that there is a risk regarding the input of the information category, the access unit 30 </ b> A has access to the first risk point database (hereinafter referred to as “first risk point DB”) 82. Increase risk points corresponding to users. If the determination unit 23 </ b> A determines that the data is data that may induce an erroneous input of the information category, the determination unit 23 </ b> A performs a second risk point database (hereinafter referred to as “second risk point DB”) 84. Thus, the risk points corresponding to the data are increased.

  Then, the processing unit 24 refers to the first risk point DB 82 and performs a process of restricting access from the access source to the data that the determination unit 23A determines to be dangerous with respect to the input of the information category of the access source. Do. In addition, the processing unit 24 refers to the second risk point DB 84 and performs a process of restricting access to data that the determination unit 23A has determined to possibly cause an erroneous input of information classification. In the risk determination system 10A according to the present embodiment, the process for restricting access to the data is performed as the process for restricting the access, but is not limited thereto. For example, processing that restricts other accesses, such as processing that only allows browsing of the data, processing that prohibits changes, processing that prohibits transfer or take-out of the data, processing that prohibits changing information classification on the data, etc. is applied May be.

  On the other hand, each of the plurality of terminals 30 </ b> A according to the present embodiment includes an input unit 31 and a transmission unit 32.

  The input unit 31 receives an input of the information category requested by the request unit 21 of the risk determination device 20A. In addition, the transmission unit 32 transmits the information classification received by the input unit 31 to the risk determination device 20A.

  The request unit 21 in the risk determination device 20A is an example of a request unit according to the disclosed technique, the correspondence unit 22 is an example of a correspondence unit according to the disclosed technique, and the determination unit 23A is based on the disclosed technique. It is an example of the determination part which concerns. The input unit 31 in the terminal 30A is an example of an input unit according to the disclosed technique, and the transmission unit 32 is an example of a transmission unit according to the disclosed technique.

  The risk determination device 20A and the plurality of terminals 30A described above can be realized by the server 40A and the plurality of terminals 50A included in the computer system 60A shown in FIG. The computer system 60A according to the present embodiment includes a server 40A capable of communicating via a network 90 and a plurality of terminals 50A.

  The terminal 50A is a terminal used by each user of the risk determination system 10A, and includes a CPU (Central Processing Unit) 51, a memory 52, a storage unit 53, an input unit 54, a display unit 55, a medium read / write device (R / W) 56 and a wireless communication unit 57. The CPU 51, the memory 52, the storage unit 53, the input unit 54, the display unit 55, the medium read / write device 56, and the wireless communication unit 57 are connected to each other via a bus 58. The medium read / write device 56 reads information written on the recording medium 96 and writes information on the recording medium 96.

  The storage unit 53 can be realized by an HDD (Hard Disk Drive), a flash memory, or the like. The storage unit 53 stores a terminal processing program 53A for causing the terminal 50A to function as the terminal 30A illustrated in FIG. The terminal processing program 53A is configured such that the recording medium 96 in which the terminal processing program 53A is written is set in the medium reading / writing device 56, and the medium reading / writing device 56 reads the terminal processing program 53A from the recording medium 96. Remembered. The CPU 51 reads the terminal processing program 53A from the storage unit 53, expands it in the memory 52, and sequentially executes the processes included in the terminal processing program 53A.

  The terminal processing program 53A has an input process 53A1 and a transmission process 53A2. The CPU 51 operates as the input unit 31 illustrated in FIG. 1 by executing the input process 53A1. Further, the CPU 51 operates as the transmission unit 32 illustrated in FIG. 1 by executing the transmission process 53A2. As described above, the terminal 50A that has executed the terminal processing program 53A functions as the terminal 30A shown in FIG.

  On the other hand, the server 40A is a device that collectively stores and manages various types of information handled by the computer system 60A, and is provided in a predetermined information management center. The server 40A includes a CPU 41, a memory 42, a storage unit 43, an input unit 44, a display unit 45, a medium read / write device 46, and a communication interface (I / F) unit 47. The CPU 41, the memory 42, the storage unit 43, the input unit 44, the display unit 45, the medium read / write device 46, and the communication I / F unit 47 are connected to each other via a bus 48. The medium read / write device 46 reads information written in the recording medium 96 and writes information in the recording medium 96.

  The storage unit 43 can be realized by an HDD, a flash memory, or the like. The storage unit 43 stores a registration processing program 43A for causing the server 40A to function as the risk determination device 20A.

  The registration processing program 43A is configured such that the recording medium 96 in which the registration processing program 43A is written is set in the medium read / write device 46, and the medium read / write device 46 reads the registration processing program 43A from the recording medium 96. Remembered. The CPU 41 reads out the registration processing program 43A from the storage unit 43, expands it in the memory 42, and sequentially executes processes included in the registration processing program 43A.

  The registration processing program 43A includes a request process 43A1, an association process 43A2, a determination process 43A3A, and a processing process 43A4. The CPU 41 operates as the request unit 21 illustrated in FIG. 1 by executing the request process 43A1. Further, the CPU 41 operates as the association unit 22 illustrated in FIG. 1 by executing the association process 43A2. Further, the CPU 41 operates as the determination unit 23A illustrated in FIG. 1 by executing the determination process 43A3A. Furthermore, the CPU 41 operates as the processing unit 24 illustrated in FIG. 1 by executing the processing process 43A4.

  As described above, the server 40A that has executed the registration processing program 43A functions as the risk determination device 20A illustrated in FIG. The registration processing program 43A is an example of a risk determination program according to the disclosed technology.

  The storage unit 43 includes a data group storage area 43C, an information classification DB storage area 43D, a first risk point DB storage area 43E, and a second risk point DB storage area 43F. The CPU 41 expands the data stored in the data group storage area 43C in the memory 42, thereby creating the data group 88 shown in FIG. Further, the CPU 41 develops the data stored in the information partition DB storage area 43D in the memory 42, thereby creating the information partition DB 80 shown in FIG. Further, the CPU 41 develops the data stored in the first risk point DB storage area 43E in the memory 42, thereby creating the first risk point DB 82 shown in FIG. Further, the CPU 41 expands the data stored in the second risk point DB storage area 43F in the memory 42, thereby creating the second risk point DB 84 shown in FIG.

  As illustrated in FIG. 3, the data group 88 according to the present embodiment includes data ID (Identification) and data information.

  The data ID is identification information assigned to each data in order to identify each data with respect to all data (hereinafter referred to as “handling data”) to be handled in the risk determination system 10A. . That is, in the risk determination system 10A according to the present embodiment, each piece of handling data is individually managed using the data ID.

  On the other hand, as shown in FIG. 4, the information classification DB 80 according to the present embodiment includes data ID, date / time, accessor, information classification, operation, and operation size information.

  The data ID is the same information as the data ID of the data group 88, the date and time is information indicating the date and time when the corresponding data was accessed, and the accessor is the user who accessed the corresponding data at the corresponding date and time. It is information which shows. In the information classification DB 80 according to the present embodiment, the name of the accessor is applied as the information indicating the accessor, but the present invention is not limited to this. For example, when each of the plurality of terminals 50A is distributed to each user, the URL (Uniform Resource Locators) of the access source terminal 50A is applied as information indicating the accessor. Also good.

  The information classification is information indicating the information classification of the corresponding data designated by the corresponding user at the corresponding date and time. In addition, the operation is information indicating the content of the operation performed by the corresponding user on the corresponding data at the corresponding date and time, and the operation size is when some change is made to the corresponding data This is information indicating the size of the part to be changed.

  In the risk determination system 10A according to the present embodiment, when new data is registered as handling data for the data group 88 by the server 40A, a new data ID to be given to the data is generated and the data is added. It is supposed to be registered with the data. However, the present invention is not limited to this. When data newly created by the terminal 50A is registered in the server 40A, a data ID to be given to the data is generated by the terminal 50A and registered in the data group 88. It is good also as a form.

  On the other hand, as shown in FIG. 5, the first risk point DB 82 according to the present embodiment includes information on the accessor and the first risk point.

  The accessor is the same information as the accessor of the information classification DB 80, and is information indicating each user of the risk determination system 10A individually. The first risk point is information indicating the level of danger when the corresponding user accesses any of the handling data. In the first risk point DB 82 according to the present embodiment, the first risk point is a default value. 0 (zero) is preset.

  Further, as shown in FIG. 6, the second risk point DB 84 according to the present embodiment includes data ID and second risk point information.

  The data ID is the same information as the data ID of the data group 88, and is identification information individually assigned to the handling data. The second risk point is information indicating the level of danger when the user accesses the corresponding data. In the second risk point DB 84 according to the present embodiment, 0 (zero) is preset as a default value. Is set.

  In the computer system 60A according to the present embodiment, a general-purpose tablet PC (Personal Computer) in which a touch panel is provided on the display surface of the display unit 55 is applied as the terminal 50A, but is not limited thereto. As the terminal 50A, another computer such as a notebook PC may be applied. In addition, the terminal 50A is not limited to the above-described PC, and may be configured to apply a smartphone.

  Next, the operation of this embodiment will be described. Here, the risk determination system 10A is applied at a predetermined company (hereinafter referred to as “managed company”), and a person belonging to the managed company is a user of the risk determination system 10A. Assuming that Here, the data managed by assigning the information classification may be, for example, all data held by the management target company or, for example, certain data such as data related to a certain project. It may be a part of data selected by the reference.

  When the user of the risk determination system 10A accesses any of the handling data, the user determines the type of the data (hereinafter referred to as “access target data”) for the terminal 50A distributed to the user. Start running the application program. Then, the user causes the display unit 55 to display information indicated by the access target data using the function of the application program.

  Here, when changing the access target data, the user changes the access target data by performing an operation for changing the information displayed on the display unit 55 via the input unit 54. Thereby, the access target data of the data group 88 is updated. Then, when ending access to the access target data, the user ends the application program.

  The terminal 50A executes the terminal processing program 53A when the application program is terminated, whereby the terminal processing shown in FIG. 7 is performed.

  As will be described later, when access to any of the handling data from any of the terminals 50A is completed, the server 40A issues an information division request for requesting input of an information division corresponding to the access target data. To 50A.

  Therefore, in step 100 of the terminal process, the input unit 31 stands by until an information classification request is received from the server 40A, and when an information classification request is received from the server 40A, an affirmative determination is made and the process proceeds to step 102. .

  In step 102, the input unit 31 controls the display unit 55 to display a predetermined information category designation menu screen. In the next step 104, the input unit 31 selects any of the information category designation menu screens. Wait until the information category is specified.

  FIG. 8 shows an information category designation menu screen 55B according to the present embodiment. As shown in FIG. 8, the information classification designation menu screen 55B according to the present embodiment is displayed in a state of being superimposed on the normal display screen 55A displayed on the display unit 55 at that time.

  Further, as shown in FIG. 8, the “no information” button is displayed on the information classification designation menu screen 55 </ b> B according to the present embodiment for a case where there is no corresponding information classification. In addition, on the information category designation menu screen 55B according to the present embodiment, a “general information” button that is designated when the information category of the access target data is considered to be “general information” is displayed. In addition, the information category designation menu screen 55B according to the present embodiment displays a “related party confidential” button that is designated when the information category of the access target data is considered to be “related party confidential”. In addition, on the information category designation menu screen 55B according to the present embodiment, a “confidential” button that is designated when the information category of the access target data is considered to be “confidential” is displayed. In the information category designation menu screen 55B according to the present embodiment, a “personal information” button is displayed that is designated when the information category of the access target data is considered to be “personal information”. Furthermore, on the information category designation menu screen 55B according to the present embodiment, a “confidential information” button that is designated when the information category of the access target data is considered to be “confidential information” is displayed.

  When the information category designation menu screen 55B shown in FIG. 8 is displayed on the display unit 55, the user designates a button corresponding to the information category of the access target data via the input unit 54. In response, step 104 is affirmative and the process proceeds to step 106.

  In step 106, the transmitting unit 32 transmits the information section corresponding to the button specified by the user on the information section specifying menu screen 55B to the server 40A, and thereafter ends the terminal processing. At this time, the transmission unit 32 transmits the above-described operation and operation size information related to the operation performed on the access target data by the user together with the information classification to the server 40A. In the risk determination system 10A according to the present embodiment, as the operation information, “browsing” indicating a state where the access target data is simply browsed and “rewriting” indicating a state where some change is made to the access target data. Are applied. Below, each information of information classification, operation, and operation size transmitted here is called "information classification information group."

  On the other hand, when the server 40A according to the present embodiment accesses any of the handling data from any of the terminals 50A, the registration processing shown in FIG. 9 is performed by executing the registration processing program 43A. .

  In step 200 of the registration process, the request unit 21 waits until the access to the access target data from the terminal 50A is completed, and when the access is completed, an affirmative determination is made and the process proceeds to step 202.

  In step 202, the request unit 21 transmits the above-described information classification request to the access source terminal 50A. In the next step 204, the associating unit 22 waits until the information division information group is received from the access source terminal 50A, and when the information division information group is received, an affirmative determination is made and the processing proceeds to step 206. To do.

  In step 206, the associating unit 22 stores (registers) each piece of information included in the received information category information group in the information category DB 80 in association with the data ID assigned to the access target data. At this time, the associating unit 22 acquires information indicating the date and time at this time, which is timed by a clock function built in the CPU 41, as information indicating the date and time at this time, and registers the information in the information classification DB 80. . At this time, the associating unit 22 identifies the user from the user ID and password input when the access source user logs in at the terminal 50A (Log-in), and provides information indicating the identified user to the accessor. Is registered in the information classification DB 80 as the above information.

  In the next step 208, the determination unit 23A performs a risk determination process shown in FIG.

  In step 300 of the risk determination process, the determination unit 23A reads all information corresponding to the access target data (hereinafter referred to as “read information”) from the information classification DB 80. In the next step 302, the determination unit 23 </ b> A determines whether or not the information category registered this time in the information category DB 80 has changed from the previously registered information category based on the read information. Transition to 304.

  In step 304, the determination unit 23 </ b> A refers to the information indicating the operation registered this time in the information classification DB 80 to determine whether or not the access target data has been changed. If the determination is affirmative, the process proceeds to step 306. Transition.

  In step 306, the determination unit 23A determines, based on the read information, whether or not the user indicated by the accessor registered this time in the information classification DB 80 is the same user as the user indicated by the accessor registered last time. When it becomes, it transfers to step 308.

  For example, when the read information is information read about the access target data to which “10001” is assigned as the data ID from the information classification DB 80 shown in FIG. 4 as an example, the specific determination results in steps 302 to 306 are as follows: It becomes as follows. In this case, the information registered this time in the information classification DB 80 is information in which the accessor is “Mr. C”.

  That is, in this case, since the “information classification” registered this time has been changed from “general information” to “related party confidential”, the determination in step 302 is affirmative. In this case, since the “operation” registered this time is “view”, it is assumed that the data has not been changed, and the determination in step 304 is affirmative. Further, in this case, since the “access person” registered this time is “Mr. C” instead of “Mr. B” registered last time, it is considered that the access person is not the same user, and the determination in step 306 is negative. It becomes.

  In step 308, the determination unit 23 </ b> A determines whether or not the same determination result as the determination result in steps 302 to 306 has been continued a plurality of times (in this embodiment, five times) in the read information. If it is determined, the process proceeds to step 310. If the determination in step 308 is affirmative, the process proceeds to step 312 described later.

  In step 310, the determination unit 23 </ b> A includes the information category registered this time in the information category DB 80, and changes to the registered information category for a plurality of times (15 times in this embodiment) retroactively from the registration of the information category. It is determined whether (blur) has occurred. If the determination is affirmative, the determination unit 23A proceeds to step 312. Hereinafter, the plurality of information classifications applied here are referred to as “application information classification groups”.

  In the risk determination processing according to the present embodiment, it is determined whether or not the application information classification group is fluctuated (blurred) by determining whether the information classification registered adjacent in the time series order of the application information classification group is different. This is done by determining whether or not the number of combinations is greater than or equal to a predetermined number. In the risk determination processing according to the present embodiment, the predetermined number is the number of a predetermined ratio with respect to the number of information categories included in the application information category group (in this embodiment, the information category included in the application information category group). 30% of the number) is applied, but is not limited to this. For example, the predetermined number may be input to the user of the server 40A via the input unit 44.

  In step 312, the determination unit 23A increases the first risk point corresponding to the current accessor by a predetermined value (1 in the present embodiment), and then proceeds to step 334. If a negative determination is made in step 310, the process proceeds to step 334 without executing the process in step 312.

  That is, in this embodiment, even if the access target data is not changed, the registered information classification is changed from the previous time, and the accessor continues to be the same as the user who registered last time multiple times, It is assumed that there is a risk regarding the input of information classification by the user. In this case, in this embodiment, the first risk point of the user is increased.

  Further, in this embodiment, even when the access target data is not changed, the information classification is changed, and the access person is not the same as the previous time, the application information classification group has a variation (blur). , There is a risk regarding the input of information classification by the user.

  In other words, it is originally preferable that the selection of information sections by the same user gradually approaches a certain information section as time passes. On the other hand, as illustrated in FIG. 11 and FIG. 12, when there is a variation (blur) in the selection of information categories with the passage of time (increase in the number of accesses), the risk becomes relatively high. In particular, when the access target data has not been changed, there is a fluctuation (blurring) in the selection of the information category, and the above risk tends to be higher than when the access target data is changed. It is in. Therefore, in this embodiment, the first risk point of the user is also increased in this case.

  Note that the information category selected from the beginning up to a predetermined number of times is considered in the selection of the information category at the initial stage for the data to be accessed, considering that there is a high possibility that an erroneous operation by the user or an erroneous selection due to easy selection will occur. May not be used for determination of fluctuation (blur).

  On the other hand, if a negative determination is made in step 306, the process proceeds to step 314, and the determination unit 23A determines whether or not the read information includes different information classifications by a plurality of accessors having a relatively low risk. If the determination is affirmative, the process proceeds to step 316.

  In the risk determination process according to the present embodiment, the determination as to whether or not the access person has a relatively low risk corresponds to the access person included in the read information with reference to the first risk point DB 82. This is performed by determining whether or not the first risk point is less than a predetermined threshold. In the risk determination processing according to the present embodiment, the predetermined threshold value is applied with a predetermined ratio of the number of accesses by the corresponding accessor to the handling data (in this embodiment, 40% of the number of accesses). However, it is not limited to this. For example, the predetermined threshold value may be input to the user of the server 40A via the input unit 44.

  In step 316, the determination unit 23A increases the second risk point corresponding to the access target data by a predetermined value (1 in the present embodiment), and then proceeds to step 334. If the determination in step 314 is negative, the process proceeds to step 334 without executing the process in step 316.

  That is, in this embodiment, when the information division input with respect to the same data differs between the some users whose 1st risk point is relatively low and is not judged to be dangerous, The data is determined as data that may cause an erroneous input of the information category. In this case, the second risk point corresponding to the data is increased.

  On the other hand, if a negative determination is made in step 302, the process proceeds to step 318, and the determination unit 23A refers to information indicating the operation registered this time in the information classification DB 80 to determine whether or not the access target data has been changed. If the determination is affirmative, the process proceeds to step 320.

  In step 320, the determination unit 23A determines, based on the read information, whether or not the user indicated by the accessor registered this time in the information classification DB 80 is the same user as the user indicated by the accessor registered last time. If so, the process proceeds to step 322.

  In step 322, the determination unit 23 </ b> A determines whether or not the same determination results as the determination results in steps 302 and 318 to 320 described above are continued a plurality of times (in this embodiment, five times) in the read information. If the determination is negative, the process proceeds to step 324. If the determination in step 322 is affirmative, the process proceeds to step 326 described later.

  In step 324, the determination unit 23 </ b> A determines whether or not fluctuation (blurring) has occurred in the application information classification group in the same manner as the process in step 310 described above, and proceeds to step 326 if an affirmative determination is made.

  In step 326, the determination unit 23A increases the first risk point corresponding to the current accessor by a predetermined value (1 in the present embodiment), and then proceeds to step 334. If a negative determination is made in step 324, the process proceeds to step 334 without executing the process in step 326.

  In other words, in the present embodiment, when the access target data is changed, the registered information category is the same as the previous time, and the accessor is the same as the user who registered last time, and it continues multiple times. It is assumed that there is a risk regarding the input of information classification by the user. In this case, in this embodiment, the first risk point of the user is increased.

  Further, in this embodiment, even when the access target data is changed, the information classification is the same, and the accessor is not the same as the previous time, the application information classification group has a variation (blur). , There is a risk regarding the input of information classification by the user. Also in this case, the first risk point of the user is increased.

  On the other hand, when a negative determination is made in step 320, the process proceeds to step 328, and the determination unit 23A determines whether or not the read information includes different information classifications by a plurality of users with relatively low risks. If the determination is affirmative, the process proceeds to step 330. It should be noted that the determination whether or not the access risk is relatively low is also performed in the same manner as the processing in step 314 described above.

  In step 330, the determination unit 23A increases the second risk point corresponding to the access target data by a predetermined value (1 in the present embodiment), and then proceeds to step 334. If the determination in step 328 is negative, the process proceeds to step 334 without executing the process in step 330.

  That is, also here, when the information divisions inputted to the same data are different among a plurality of users whose first risk points are relatively low and are not judged to be dangerous, the data It is determined that the data may cause erroneous input of information classification. Also in this case, the second risk point corresponding to the data is increased.

  On the other hand, when a negative determination is made at step 304 and when a negative determination is made at step 318, the selection of the current information category is considered to be relatively valid and the process proceeds to step 332A. The second risk determination process shown in FIG. 13 is performed.

  In step 340 of the second risk determination process, the determination unit 23A reduces the first risk point corresponding to the current accessor by a predetermined value (1 in the present embodiment). In the next step 342, the determination unit 23A reduces the second risk point corresponding to the access target data by a predetermined value (1 in the present embodiment), and thereafter ends the second risk determination process. When the second risk determination process ends, the process proceeds to step 334 of the risk determination process shown in FIG.

  In step 334, the processing unit 24 performs the risk handling process shown in FIG.

  In step 400 of the risk handling process, the processing unit 24 determines whether or not the first risk point corresponding to the current accessor is equal to or greater than the predetermined threshold value TH1, and proceeds to step 406 if a negative determination is made. On the other hand, if the determination is affirmative, the routine proceeds to step 402. In the risk handling process according to the present embodiment, a predetermined ratio of the number of accesses by the current accessor to the handling data (in this embodiment, 30% of the number of accesses) is applied as the predetermined threshold TH1. However, the present invention is not limited to this. For example, the predetermined threshold TH1 may be input to the user of the server 40A via the input unit 44.

  In step 402, the processing unit 24 executes a predetermined warning process. In the risk handling process according to the present embodiment, as the warning process, a process of displaying the warning screen shown in FIG. 15 on the display unit 45 of the server 40A as an example, which suggests that there is a problem in the setting of the information category, is applied. However, it is not limited to this. For example, a process of displaying the warning screen on the display unit 55 of the access source terminal 50A may be executed as the warning process.

  In the next step 404, the processing unit 24 executes a predetermined specific user access restriction process, and then proceeds to step 406. In the risk handling process according to the present embodiment, a process for prohibiting access to subsequent access target data by the current accessor is applied as the specific user access restriction process. However, the process is not limited to this. is not. For example, it is possible to apply a process that permits the subsequent access to the access target data but does not allow a change as the specific user access restriction process.

  In step 406, the processing unit 24 determines whether or not the second risk point corresponding to the access target data is equal to or greater than the predetermined threshold value TH2. If the determination is negative, the risk corresponding process is terminated. When it becomes determination, it transfers to step 408. In the risk handling processing according to the present embodiment, a predetermined ratio of the number of accesses to the access target data (in this embodiment, 40% of the number of accesses) is applied as the predetermined threshold TH2. It is not limited. For example, the predetermined threshold value TH2 may be input to the user of the server 40A via the input unit 44.

  In step 408, the processing unit 24 executes a predetermined warning process. In the present embodiment, as the warning process, the warning shown in FIG. 16 is shown as an example, which indicates that the access target data is instructed to refrain from transferring by e-mail because there is a risk of causing erroneous setting of the information category. A process of displaying a screen on the access source terminal 50A is applied. However, it is not limited to this. For example, a process for displaying a warning screen substantially similar to the warning screen on the display unit 45 of the server 40A may be executed as the warning process.

  In the next step 410, the processing unit 24 executes a predetermined specific data access restriction process, and thereafter ends the risk handling process. In the risk handling process according to the present embodiment, as the specific data access restriction process, a process of changing the information classification of the subsequent access target data and prohibiting the change of the access target data is applied. Is not to be done. For example, a process for prohibiting only the subsequent change of the information classification of the access target data may be applied as the specific data access restriction process.

  When the risk handling process ends, the risk determination process shown in FIG. 10 also ends. When the risk determination process ends, the registration process shown in FIG. 9 also ends.

  As described above in detail, in this embodiment, when access to the data stored in the storage unit is completed, the access source of the data is requested to input the information classification corresponding to the accessed data. . Further, in the present embodiment, in response to the input of the information section from the access source, the input information section is stored in the storage unit in association with the data. Further, in the present embodiment, in the following case, it is determined that there is a risk regarding the input of the information classification of the access source. That is, the new information section input when the new access to the data from the access source is completed is different from the information section stored in the storage unit, and the data of the data by the new access is different. This is the case when there is no change. For this reason, in the present embodiment, it is possible to appropriately manage data shared by a plurality of users by using the result of the determination.

  In the present embodiment, it is determined that there is a risk regarding the input of the access source information category also in the following cases. In other words, when there is a data change due to a new access, and the new access to the data from the access source is completed, the new information section input matches the information section stored in the storage unit. This is a case where the data has been generated a predetermined number of times. For this reason, in this embodiment, it is possible to more appropriately manage data shared by a plurality of users by using the result of this determination.

  Further, in the present embodiment, when the information classification input for the same data is different among a plurality of access sources that are not determined to be dangerous, the data may be erroneously input to the information classification. It is determined that there is data. For this reason, in this embodiment, it is possible to more appropriately manage data shared by a plurality of users by using the result of this determination.

  Further, in this embodiment, when a plurality of information sections corresponding to access to data from the same access source are stored in the storage unit and there are blurs in the plurality of information sections, the input of the access source information section is input. It is judged that there is a risk regarding. Thus, by using the result of this determination, it is possible to more appropriately manage data shared by a plurality of users.

  Further, in this embodiment, when it is determined that there is a risk regarding the input of the information classification of the access source, a process for restricting access to the data from the access source is performed. Thereby, data shared by a plurality of users can be managed more appropriately.

  Further, in the present embodiment, when it is determined that there is a possibility of erroneous input of information classification, processing for restricting access to the data is performed. Thereby, data shared by a plurality of users can be managed more appropriately.

  Further, in the present embodiment, a process for prohibiting the access is applied as the process for restricting the access. As a result, access to data with danger can be reliably prevented.

[Second Embodiment]
Next, a second embodiment of the present invention will be described. FIG. 17 shows a risk determination system 10B according to the present embodiment. In FIG. 17, the same components as those shown in FIG. 1 are denoted by the same reference numerals as those in FIG.

  As illustrated in FIG. 17, in the risk determination system 10B according to the present embodiment, the risk determination apparatus 20A has a determination unit 23B that performs a determination process different from the determination unit 23A instead of the determination unit 23A. The determination device 20B is different from the risk determination system 10A.

  The terminal 30A and the risk determination device 20B of the risk determination system 10B according to the present embodiment can be realized by the terminal 50A and the server 40B included in the computer system 60B shown in FIG. Hereinafter, the configuration of the terminal 50A and the server 40B according to the present embodiment will be described with reference to FIG. In FIG. 18, the same components as those of the computer system 60A in FIG. 2 are denoted by the same reference numerals as those in FIG.

  As shown in FIG. 17, the server 40B according to this embodiment is different from the server 40A in that the determination process 43A3A in the registration processing program 43A is a determination process 43A3B that performs a determination process different from the determination process 43A3A. Yes. The CPU 41 operates as the determination unit 23B illustrated in FIG. 17 by executing the determination process 43A3B. As a result, the server 40B that has executed the registration processing program 43A functions as the risk determination device 20B shown in FIG.

  Next, the operation of this embodiment will be described. Since the operation of the risk determination system 10B according to the present embodiment is the same as that of the first embodiment except for the risk determination processing, here, with reference to FIG. 19, the risk determination processing according to the present embodiment. Will be described. Note that steps in FIG. 19 that perform the same processing as the risk determination processing in FIG. 10 are denoted by the same step numbers as in FIG. 10 and description thereof is omitted.

  As illustrated in FIG. 19, the risk determination process according to the present embodiment has no processing of step 314, step 316, step 328, and step 330 compared to the risk determination process according to the first embodiment. It is different. Further, the risk determination process of the present embodiment is different from the risk determination process according to the first embodiment in that the process proceeds to step 310 when the determination of step 306 is negative and the determination of step 320 The difference is that the process proceeds to step 324 when a negative determination is made. Furthermore, in the risk determination process according to the present embodiment, the second risk determination process in step 332A is different from the second risk determination process in comparison with the risk determination process according to the first embodiment. The difference is that step 332B is performed.

  That is, in the present embodiment, even when the access target data is not changed, the information classification is changed from the previous time, and the access person is different from the previous user, Suppose that there is a danger regarding the input of information categories by the user. Further, in this embodiment, even when the access target data is changed, the information classification is not changed from the previous time, and the access person is different from the previous user, Suppose that there is a danger regarding the input of information categories by the user.

  In step 332B of the risk determination process according to the present embodiment, the determination unit 23B performs a second risk determination process shown in FIG.

  In step 350 of the second risk determination process, the determination unit 23B determines, based on the read information, whether or not the user indicated by the accessor registered this time in the information classification DB 80 is the same user as the user indicated by the accessor registered last time. Determine whether. If the determination unit 23B makes a positive determination here, the determination unit 23B proceeds to step 352.

  In step 352, the determination unit 23 </ b> B determines whether or not fluctuation (blurring) has occurred in the application information classification group in the same manner as in step 310 described above. If the determination is negative, the determination unit 23 </ b> B performs the second risk determination process. If the determination is affirmative, the process proceeds to step 354.

  In step 354, the determination unit 23B increases the first risk point corresponding to the current accessor by a predetermined value (1 in the present embodiment), and thereafter ends the second risk determination process.

  That is, in this embodiment, even when the access target data and the information classification are changed and the accessor is the same as the previous registrant, the information classification registered multiple times most recently fluctuates (blurs). In some cases, there is a risk regarding the input of information classification by the user. Also in this case, the first risk point of the user is increased.

  On the other hand, if a negative determination is made in step 350, the process proceeds to step 356. In step 356, the determination unit 23 </ b> B determines whether or not the read information includes different information classifications by a plurality of accessors with relatively low risks in the same manner as in step 314 described above, and when an affirmative determination is made. Goes to step 358.

  In step 358, the determination unit 23B increases the second risk point corresponding to the access target data by a predetermined value (1 in the present embodiment), and thereafter ends the second risk determination process. In addition, when it becomes negative determination in step 356, this 2nd risk determination process is complete | finished, without performing the process of step 358. When the second risk determination process ends, the process proceeds to step 334 of the risk determination process shown in FIG.

  That is, also in this embodiment, when the information division input with respect to the same data differs between the some users whose 1st risk point is relatively low and is not judged to be dangerous, The data is determined as data that may cause an erroneous input of the information category. In this case, the second risk point corresponding to the data is increased.

  As described above in detail, in this embodiment, a plurality of information sections corresponding to accesses to the same data from different access sources are stored in the storage unit, and the plurality of information sections are blurred. In this case, it is determined that there is a risk regarding the input of the information category of the access source. For this reason, in this embodiment, in addition to the same effects as those of the first embodiment, it is possible to more appropriately manage data shared by a plurality of users by using the result of this determination. .

[Third Embodiment]
Next, a third embodiment of the present invention will be described. FIG. 21 shows a risk determination system 10C according to the present embodiment. As shown in FIG. 21, a risk determination system 10C according to the present embodiment includes a server 20C and a plurality of risk determination devices 30B.

  Each of the risk determination devices 30B according to the present embodiment includes a reception unit 33, a correspondence unit 34, a determination unit 35, a processing unit 36, a transmission unit 37, and an acquisition unit 38. Each of the risk determination devices 30B includes a fourth storage unit 95D in which the information classification DB 80B is stored, and a fifth storage unit 95E in which the first risk point DB 82 and the second risk point DB 84 are stored. .

  When the use of data is completed, the receiving unit 33 receives an input of an information category corresponding to the used data. The association unit 34 stores the information classification received by the reception unit 33 in the information classification DB 80B in association with the data.

  Also in the risk determination system 10C according to the present embodiment, as the above information classification, for example, “general information”, “confidential to the public”, “confidential”, “personal information”, and “personal information” are the same as those in the first embodiment. Five types of “confidential information” are applied. As described above, in the risk determination system 10C according to this embodiment, the above five types of information classification are applied, but the present invention is not limited to this. For example, a combination of one or more and four or less combinations among the above five types of information classification may be applied as the information classification.

  On the other hand, the determination unit 35 refers to the information classification DB 80B and performs the next determination using the new information classification input when the new use of the data is completed. That is, when the information section is different from the information section of the data stored in the information section DB 80B and there is no change in the data due to the new use, the determination unit 35 is in danger of entering the information section. Judge that there is sex. Note that “hazardous” in the present embodiment also means that there is a possibility that there is an error in the input information category.

  The determination unit 35 also determines that there is a risk regarding the input of the information classification in the following cases. That is, there is a change in the data due to the new use, and the new information category input when the new use for the data is completed matches the information category stored in the information category DB 80B. This is the case where the above data has occurred a predetermined number of times.

  In addition, the determination unit 35 may induce erroneous input of the information classification when the information classification input for the same data is different among a plurality of users who are not determined to be dangerous. It is determined that there is some data.

  Further, the determination unit 35 determines that there is a risk with respect to the input of the information category when a plurality of information categories corresponding to the use of the data are stored in the information category DB 80B and the information categories are blurred.

  In addition, the determination part 35 will increase the risk point with respect to the user of an own machine with respect to 1st risk point DB82, when it determines with there being danger regarding the input of an information classification. In addition, when the determination unit 35 determines that the data is data that may induce an erroneous input of the information classification, the determination unit 35 causes the second risk point DB 84 to increase risk points for the data.

  And the process part 36 performs the process which restrict | limits the use with respect to the data which the determination part 35 determined with the danger regarding the input of an information division with reference to 1st risk point DB82. In addition, the processing unit 36 refers to the second risk point DB 84 and performs a process of restricting the use of the data determined by the determination unit 35 to be likely to cause an erroneous input of information classification. In the risk determination system 10C according to the present embodiment, the process for restricting the use is performed as the process for restricting the use, but is not limited thereto. For example, a process that restricts other uses, such as a process that only allows browsing of the data, a process that prohibits modification, a process that prohibits transfer or take-out of the data, or a process that prohibits changes in the information category for the data is applied. May be.

  In addition, when the own unit is allowed to access the server 20C and there is an information category information group newly registered in the information category DB 80B since the previous access to the server 20C, The information classification information group is transmitted to the server 20C.

  Further, when the own device is allowed to access the server 20C and the unregistered information category information group is registered in the information category DB 80B of the own device in the server 20C, the acquisition unit 38 An information division information group is acquired from the server 20C and registered in the information division DB 80B.

  On the other hand, the server 20 </ b> C according to the present embodiment includes an additional registration unit 25. The additional registration unit 25 registers the information classification information group transmitted from the risk determination device 30B in the information classification DB 80A together with information indicating the date and access person.

  The server 20C and the risk determination device 30B described above can be realized by the server 40C and the plurality of terminals 50B included in the computer system 60C shown in FIG. Hereinafter, the configuration of the server 40C and the terminal 50B according to the present embodiment will be described with reference to FIG. In FIG. 22, the same components as those of the computer system 60A in FIG. 2 are denoted by the same reference numerals as those in FIG.

  As shown in FIG. 22, the server 40C according to the present embodiment is different from the server 40A in that an additional registration processing program 43B is stored in the storage unit 43 instead of the registration processing program 43A. The server 40C according to the present embodiment is different from the server 40A in that the first risk point DB storage area 43E and the second risk point DB storage area 43F are not provided in the storage unit 43.

  In the additional registration processing program 43B, the recording medium 96 in which the additional registration processing program 43B is written is set in the medium read / write device 46, and the medium read / write device 46 reads the additional registration processing program 43B from the recording medium 96. It is stored in the storage unit 43. The CPU 41 reads the additional registration processing program 43B from the storage unit 43, expands it in the memory 42, and sequentially executes the processes of the additional registration processing program 43B.

  The additional registration processing program 43B has an additional registration process 43B1. The CPU 41 operates as the additional registration unit 25 illustrated in FIG. 21 by executing the additional registration process 43B1. As a result, the server 40C executing the additional registration processing program 43B functions as the server 20C shown in FIG.

  On the other hand, as shown in FIG. 22, the terminal 50B according to the present embodiment is different from the terminal 50A in that a registration processing program 53B is stored in the storage unit 53 instead of the terminal processing program 53A. Further, in the terminal 50B according to the present embodiment, a data group storage area 53C, an information classification DB storage area 53D, a first risk point DB storage area 53E, and a second risk point DB storage area 53F are provided in the storage unit 53. The point is different from the terminal 50A.

  The registration processing program 53B is configured such that the recording medium 96 in which the registration processing program 53B is written is set in the medium read / write device 56, and the medium read / write device 56 reads the registration processing program 53B from the recording medium 96. Remembered. The CPU 51 reads the registration processing program 53B from the storage unit 53, expands it in the memory 52, and sequentially executes the processes included in the registration processing program 53B.

  The registration processing program 53B includes a reception process 53B1, an association process 53B2, a determination process 53B3, a processing process 53B4, a transmission process 53B5, and an acquisition process 53B6. The CPU 51 operates as the reception unit 33 illustrated in FIG. 21 by executing the reception process 53B1. Further, the CPU 51 operates as the association unit 34 illustrated in FIG. 21 by executing the association process 53B2. The CPU 51 operates as the determination unit 35 illustrated in FIG. 21 by executing the determination process 53B3. Further, the CPU 51 operates as the processing unit 36 illustrated in FIG. 21 by executing the processing process 53B4. Further, the CPU 51 operates as the transmission unit 37 illustrated in FIG. 21 by executing the transmission process 53B5. Furthermore, the CPU 51 operates as the acquisition unit 38 illustrated in FIG. 21 by executing the acquisition process 53B6. As described above, the terminal 50B that has executed the registration processing program 53B functions as the risk determination device 30B illustrated in FIG.

  Note that the configuration of the information partition DB 80A and the information partition DB 80B according to the present embodiment is the same as that of the information partition DB 80 according to the first embodiment shown in FIG. Further, the configuration of the data group 88, the first risk point DB 82, and the second risk point DB 84 according to the present embodiment is the same as that shown in FIGS. 3, 5, and 6, respectively. Omitted.

  Also in the computer system 60C according to the present embodiment, a general-purpose tablet PC provided with a touch panel on the display surface of the display unit 55 is applied as the terminal 50B, but is not limited thereto. Another computer such as a notebook PC may be applied as the terminal 50B. Further, the terminal 50B is not limited to the above-described PC, and may be configured to apply a smartphone.

  Next, the operation of this embodiment will be described. Here, it is assumed that the risk determination system 10C is applied in the management target company, and a person belonging to the management target company is a user of the risk determination system 10C.

  When the user of the risk determination system 10C downloads any of the handling data from the server 40C, the user starts execution of the application program corresponding to the type of the data to the terminal 50B distributed to the user Let Then, using the function of the application program, the user downloads the data together with the corresponding data ID and stores it in the data group storage area 53C of the storage unit 53.

  In addition, when viewing or changing data downloaded from the server 40C, the user activates the application program by the terminal 50B. In this case, the user causes the display unit 55 to display information indicated by desired data using the function of the application program. In the following, the data displayed by the display unit 55 at this time is referred to as “use target data”.

  Here, when making a change to the usage target data, the user changes the usage target data by performing an operation for changing the information displayed on the display unit 55 via the input unit 54. Then, when the user ends the use of the target data, the user ends the application program.

  The terminal 50B executes the registration processing program 53B when the application program is terminated, whereby the registration processing shown in FIG. 23 is performed.

  In step 150 of the registration process, the accepting unit 33 controls the display unit 55 to display a predetermined information category designation menu screen 55B (see also FIG. 8). In the next step 152, the receiving unit 33 waits until any information section is specified on the information section specifying menu screen 55B.

  When the information category designation menu screen 55B is displayed on the display unit 55, the user designates a button corresponding to the information category of the data to be used via the input unit 54. Accordingly, step 152 is affirmative and the process proceeds to step 154.

  In step 154, the associating unit 34 displays the information classification received on the information classification designation menu screen 55B, together with the date and time at this time, the user of the terminal 50B, the operation and the operation size information described above, to the information classification DB 80B. Remember (register). At this time, the association unit 34 registers these pieces of information in association with the data IDs assigned to the use target data. At this time, for the sake of convenience, the associating unit 34 registers information indicating the user of the terminal 50B as information indicating the “accessor” in the information classification DB 80B. At this time, the associating unit 34 identifies the user from the user ID and password input when the user logs in at the terminal 50B (Log-in), and sets information indicating the identified user as “accessor” information. Register in the information classification DB 80B. Further, at this time, the associating unit 34 acquires the information indicating the date and time at this time, which is timed by the clock function built in the CPU 51, as information indicating the date and time, and registers it in the information classification DB 80B.

  In the next step 156, the determination unit 35 performs substantially the same process as the risk determination process shown in FIG.

  The risk determination process according to the present embodiment is that the determination unit 35 executes the process executed by the determination unit 23A and that “access target data” is “use target data”. This is different from the risk determination processing according to the above. In addition, the risk determination processing according to the present embodiment also uses the information classification DB 80B provided in the own device instead of the information classification DB 80 provided in the server as a database to be used in the first embodiment. This is different from the risk determination process. In addition, the risk determination process according to the present embodiment is the first risk point DB 82 provided in the own machine instead of the first risk point DB 82 provided in the server as a database to be used. This is different from the risk determination processing according to the embodiment. Furthermore, the risk determination processing according to the present embodiment is also characterized in that the database to be used is the second risk point DB 84 provided in the own device instead of the second risk point DB 84 provided in the server. This is different from the risk determination processing according to the embodiment.

  The risk handling process executed in the risk determination process according to the present embodiment is different from the risk handling process according to the first embodiment in that the processing unit 36 executes the process executed by the processing unit 24. . In addition, the risk handling processing according to the present embodiment is that the warning processing is performed on the own device, and the processing target by the specific user access restriction processing and the specific data access restriction processing is set as the user of the own device or the use target data. Is different from the risk handling process according to the first embodiment.

  In the next step 158, the transmitting unit 37 determines whether or not the own device is accessible to the server 40C at this time. If the determination is negative, the transmission unit 37 ends the registration process, If YES, the process proceeds to step 160.

  In step 160, the transmitting unit 37 determines whether or not there is an information category information group newly registered in the information category DB 80B since the last access to the server 40C. Migrate to Moreover, the transmission part 37 transfers to step 162, when it becomes affirmation determination here. In step 162, the transmitting unit 37 reads out the newly registered information category information group from the information category DB 80B together with the corresponding data ID, date and time, and accessor information, and transmits them to the server 40C. Transition. Hereinafter, the information classification information group to be transmitted to the server 40C and each information of the data ID, date and time, and accessor are referred to as “additional registration information”.

  In step 164, the acquisition unit 38 refers to the information classification DB 80 </ b> A of the server 40 </ b> C and determines whether or not an unregistered information classification information group is registered in the information classification DB 80 </ b> B of its own device. Goes to step 166.

  In step 166, the acquisition unit 38 reads the unregistered information category information group from the information category DB 80A together with the corresponding data ID, date and time, and accessor information, and registers the information in the information category DB 80B of the own device. The registration process ends. If a negative determination is made in step 164, the main registration process is terminated without executing the process in step 166.

  On the other hand, when the server 40C according to the present embodiment receives the additional registration information from any of the terminals 50B, the additional registration processing shown in FIG. 24 is performed by executing the additional registration processing program 43B.

  In step 500 of the additional registration process, the additional registration unit 25 registers the received additional registration information in the information classification DB 80A of the own device, and thereafter ends the additional registration process.

  As described above in detail, in the present embodiment, when the use of data is completed, an input of an information section corresponding to the used data is received, and the received information section is associated with the data in the storage unit. Remember. Here, in the present embodiment, the new information section input when the new use of the data is completed is different from the information section of the data stored in the storage unit, and is based on the new use. If there is no change in the data, it is determined that there is a risk regarding the input of the information category. For this reason, in the present embodiment, it is possible to appropriately manage data shared by a plurality of users by using the result of the determination.

  In the present embodiment, it is determined that there is a risk regarding the input of the information category also in the following cases. That is, there is a change in data due to a new use, and the new information classification input when the new use for the data is completed matches the information classification stored in the storage unit, This is a case where the above data has occurred a predetermined number of times. For this reason, in this embodiment, it is possible to more appropriately manage data shared by a plurality of users by using the result of this determination.

  Further, in the present embodiment, when the information classification input for the same data is different among a plurality of users who are not determined to be dangerous, there is a possibility that the data may be erroneously input to the information classification. It is determined that there is some data. For this reason, in this embodiment, it is possible to more appropriately manage data shared by a plurality of users by using the result of this determination.

  Further, in the present embodiment, when a plurality of information classifications corresponding to access to data from the same user are stored in the storage unit and there are blurs in the plurality of information classifications, there is a risk regarding input of the information classifications. Judge that there is. Thus, by using the result of this determination, it is possible to more appropriately manage data shared by a plurality of users.

  Further, in the present embodiment, when it is determined that there is a risk regarding the input of the information category, processing for restricting the use of the data is performed. Thereby, data shared by a plurality of users can be managed more appropriately.

  Further, in the present embodiment, when it is determined that the data is data that may cause an erroneous input of information classification, processing for restricting use of the data is performed. Thereby, data shared by a plurality of users can be managed more appropriately.

  Further, in the present embodiment, a process for prohibiting the use is applied as the process for restricting the use. Thereby, it is possible to reliably prevent the use of data with danger.

  In addition, although this embodiment demonstrated the case where the terminal 50B hold | maintains information classification DB80B, 1st risk point DB82, and 2nd risk point DB84, it is not limited to this. For example, these pieces of information may be attached to the usage target data as attribute information of the usage target data (for example, property information). In this case, the information classification DB 80B, the first risk point DB 82, and the second risk point DB 84 become unnecessary.

  Further, in the present embodiment, the case has been described in which the process of matching the registration information in the information classification DB 80B with the registration information in the information classification DB 80A is performed at the timing of executing the registration process in steps 158 to 166 of the registration process. However, the present invention is not limited to this. For example, the matching process may be performed each time the terminal 50B accesses the server 40C. As a form in this case, the form which performs the process of steps 160-166 in a registration process as an interruption process when the terminal 50B accesses the server 40C is illustrated.

  Moreover, although each said embodiment demonstrated the case where a fixed value (1 in this embodiment) is applied as a value increased or reduced with respect to a 1st risk point and a 2nd risk point, it is limited to this. It is not a thing. For example, the value that increases or decreases for each risk point may be switched according to the attribute of the accessor or the attribute of the access target data.

  For example, when this embodiment is applied to the first embodiment, information indicating a department or project to which each user of the risk determination system 10A belongs is registered in advance in the server 40A. Information indicating the department or project to which the creator of the first version of each data managed by the risk determination system 10A belongs is also registered in advance in the server 40A.

  When the first risk point corresponding to the accessor is increased, if the department or project to which the accessor belongs matches the department or project to which the creator of the first edition of the access target data belongs, Increase the increase value in comparison. Even if the second risk point corresponding to the access target data is increased, it does not match if the department or project to which the accessor belongs matches the department or project to which the creator of the first version of the access target data belongs. Increase the increase value compared to the case.

  In addition, if the frequency of access to the data to be accessed or the frequency of use of the data to be used is high, and the information category has changed despite the fact that the data has not changed, it is considered more dangerous. It is done. For example, when the transition of the access count for the access target data with the passage of time is as shown in the graphs of FIGS. 25 and 26, the access frequency is relatively high in the portion where the slope of the graph is relatively large. Part. Therefore, in the case where the information classification is fluctuating although there is no data change, the increase value may be increased as the frequency of access or the frequency of use increases.

  In each of the above embodiments, whether or not there is a risk regarding the input of the information category by the user is determined based on whether the access target data (use target data) is changed, whether the information category is changed, and the accessor (use The case where it is performed depending on whether or not the same person) is the same has been described. However, it is not limited to this. For example, regardless of whether or not the access users (users) are the same, there is a risk regarding the input of information categories depending on whether the access target data (use target data) is changed and whether the information category is changed. It is good also as a form which determines whether there exists.

  Further, in each of the above embodiments, when the information category registered this time is different from the information category registered last time and there is no change in the access target data (use target data), the information The case where it was determined that there is a risk regarding the input of the category was explained. However, the present invention is not limited to this. For example, the information category registered this time is different from the information category registered last time, and there is no change in the access target data (use target data) even once. In such a case, it may be determined that there is a risk regarding the input of the information category.

  In each of the above-described embodiments, the case where the information classification is input using the information classification designation menu screen 55B illustrated in FIG. 8 as an example has been described. However, the present invention is not limited to this. For example, first, the current information classification of access target data (use target data) is displayed to check whether there is a change, and when change is selected, other information classifications may be displayed as options. Good.

  In the first and second embodiments, the mode in which the server monitors the end of access to data has been described. However, the present invention is not limited to this. For example, the terminal may monitor the end of access to data, and when the terminal detects the end of access, the terminal may request the user to input an information section and send the input information section to the server accordingly. .

  In each of the above embodiments, the processing related to the information classification when data is accessed or used has been described. On the other hand, for example, when copy / paste is performed on the data, for example, a process is performed in which the information classification information of the copy source data is inherited as the information classification information of the copy destination data. It is good. In addition, for example, if information indicating that the data is used as a template of a document is added, the information of the information classification is selectively selected according to the use of the data, such as not inheriting the information classification information. You may make it succeed to.

  Moreover, although each said embodiment demonstrated the case where data were memorize | stored by server 40A-40C which performs a registration process etc., it is not limited to this. For example, data may be registered in another server such as a file server other than these servers 40A to 40C.

  Moreover, although each said embodiment demonstrated the case where this invention was applied as a risk determination system in a company, it is not limited to this. For example, the present invention may be applied to educational sites such as universities. In this case, as the information classification, in addition to “general information”, “confidential secret”, etc., which are the same as those in the above embodiments, classifications such as “university confidentiality”, “undergraduate confidentiality”, “teacher confidentiality” are applied. It is possible.

  In each of the above embodiments, various modes such as the terminal processing program 53A and the registration processing program 43A are read from the recording medium 96 into the storage unit via the medium read / write device. However, the present invention is not limited to this. . For example, these programs may be stored (installed) in advance in a corresponding device, or may be downloaded from an external device to the storage unit via the network 90.

  All documents, patent applications and technical standards mentioned in this specification are to the same extent as if each individual document, patent application and technical standard were specifically and individually stated to be incorporated by reference. Incorporated by reference in the book.

  Regarding the above embodiments, the following additional notes are disclosed.

(Appendix 1)
Computer
When access to the data stored in the storage unit is completed, the access source of the data is requested to input the information section corresponding to the accessed data,
In response to the input of the information section from the access source, the input information section is associated with the data and stored in the storage unit,
A new information section input when new access to the data from the access source is completed, the information section stored in the storage unit, and whether or not the data is changed by the new access Based on the above, a risk relating to input of the information category of the access source is determined.
A risk determination method characterized in that a process including the above is executed.

(Appendix 2)
The new information section input when new access to the data from the access source is completed is different from the information section stored in the storage unit, and the data by the new access If there is no change, it is determined that there is a risk regarding the input of the information classification of the access source,
The risk determination method according to appendix 1.

(Appendix 3)
The new information section input when there is a change of the data due to the new access and the new access to the data from the access source is completed, and the information section stored in the storage unit Is determined that there is a risk with respect to the input of the information classification of the access source, if it occurs continuously for a predetermined number of times for the data,
The risk determination method according to Supplementary Note 1 or Supplementary Note 2.

(Appendix 4)
When the information classification input with respect to the same data is different among a plurality of access sources that are not determined to be dangerous, the data is determined to be data that may cause an erroneous input of the information classification. ,
The risk determination method according to any one of supplementary notes 1 to 3.

(Appendix 5)
When a plurality of information sections corresponding to access to the data from the access source are stored in the storage unit, and there is a blur in the plurality of information sections, there is a risk regarding input of the information section of the access source Determine that there is
The risk determination method according to any one of supplementary notes 1 to 4.

(Appendix 6)
When a plurality of the information sections corresponding to access to the data from different access sources are stored in the storage unit, and there is a blur in the plurality of information sections, there is a risk regarding input of the information section of the access source Determine that there is
The risk determination method according to any one of supplementary notes 1 to 5.

(Appendix 7)
When it is determined that there is a risk regarding input of the information classification of the access source, a process for restricting access to the data from the access source is performed.
The risk determination method according to any one of supplementary notes 1 to 6.

(Appendix 8)
When it is determined that the data is data that may cause an erroneous input of information classification, a process for restricting access to the data is performed.
The risk determination method according to appendix 4.

(Appendix 9)
The process for restricting the access is a process for prohibiting the access.
The risk determination method according to appendix 7 or appendix 8.

(Appendix 10)
When access to the data stored in the storage unit is completed, a request unit that requests an input of an information section corresponding to the accessed data from the access source of the data;
An associating unit for storing the input information category in association with the data in the storage unit in response to the input of the information category from the access source in response to a request by the request unit;
A new information section input when new access to the data from the access source is completed, the information section stored in the storage unit, and whether or not the data is changed by the new access , Based on the determination unit for determining the risk regarding the input of the information classification of the access source,
A risk judgment device having

(Appendix 11)
The determination unit is different from a new information section input when new access to the data from the access source is completed, and the information section stored in the storage unit, and the new section When there is no change in the data due to a random access, it is determined that there is a risk regarding the input of the information classification of the access source.
The danger determination device according to appendix 10.

(Appendix 12)
The determination unit stores in the storage unit a new information section input when the data is changed due to the new access and the new access to the data from the access source is completed. If the information classification that has been made coincides with the data for a predetermined number of times, it is determined that there is a risk regarding the input of the information classification of the access source.
The danger determination apparatus according to Supplementary Note 10 or Supplementary Note 11.

(Appendix 13)
If the information section input to the same data is different among a plurality of access sources that are not determined to be dangerous, the determination unit may cause erroneous input of the information section. It is determined that there is some data
The danger determination device according to any one of appendix 10 to appendix 12.

(Appendix 14)
The determination unit stores a plurality of the information sections corresponding to access to the data from the access source in the storage unit, and there is a blur in the plurality of information sections, the information section of the access source Determining that there is a risk with respect to
The danger determination device according to any one of appendix 10 to appendix 13.

(Appendix 15)
The determination unit stores a plurality of the information sections corresponding to access to the data from different access sources in the storage unit, and there is a blur in the plurality of information sections. Determining that there is a risk with respect to
The danger determination device according to any one of appendix 10 to appendix 14.

(Appendix 16)
A processing unit for performing a process of restricting access to the data from the access source when the determination unit determines that there is a risk regarding input of the information classification of the access source;
The risk determination device according to any one of appendix 10 to appendix 15, further comprising:

(Appendix 17)
A second processing unit for performing a process of restricting access to the data when the determination unit determines that the data is data that may cause an erroneous input of an information category;
The danger determination device according to supplementary note 13, further comprising:

(Appendix 18)
The process for restricting the access is a process for prohibiting the access.
The danger determination device according to supplementary note 16 or supplementary note 17.

(Appendix 19)
When access to the data stored in the storage unit is completed, a request unit that requests an input of an information section corresponding to the accessed data from the access source of the data;
An associating unit for storing the input information category in association with the data in the storage unit in response to the input of the information category from the access source in response to a request by the request unit;
A new information section input when new access to the data from the access source is completed, the information section stored in the storage unit, and whether or not the data is changed by the new access , Based on the determination unit for determining the risk regarding the input of the information classification of the access source,
A risk determination device having:
An input unit for receiving an input of the information category requested by the request unit;
A transmission unit for transmitting the information classification received by the input unit to the risk determination device;
A terminal having
Risk assessment system including

(Appendix 20)
The determination unit is different from a new information section input when new access to the data from the access source is completed, and the information section stored in the storage unit, and the new section When there is no change in the data due to a random access, it is determined that there is a risk regarding the input of the information classification of the access source.
The danger determination system according to appendix 19.

(Appendix 21)
The determination unit stores in the storage unit a new information section input when the data is changed due to the new access and the new access to the data from the access source is completed. If the information classification that has been made coincides with the data for a predetermined number of times, it is determined that there is a risk regarding the input of the information classification of the access source.
The danger determination system according to supplementary note 19 or supplementary note 20.

(Appendix 22)
If the information section input to the same data is different among a plurality of access sources that are not determined to be dangerous, the determination unit may cause erroneous input of the information section. It is determined that there is some data
The danger determination system according to any one of appendix 19 to appendix 21.

(Appendix 23)
The determination unit stores a plurality of the information sections corresponding to access to the data from the access source in the storage unit, and there is a blur in the plurality of information sections, the information section of the access source Determining that there is a risk with respect to
The danger determination system according to any one of appendix 19 to appendix 22.

(Appendix 24)
The determination unit stores a plurality of the information sections corresponding to access to the data from different access sources in the storage unit, and there is a blur in the plurality of information sections. Determining that there is a risk with respect to
The danger determination system according to any one of appendix 19 to appendix 23.

(Appendix 25)
A processing unit for performing a process of restricting access to the data from the access source when the determination unit determines that there is a risk regarding input of the information classification of the access source;
The risk determination system according to any one of appendix 19 to appendix 24, further comprising:

(Appendix 26)
A second processing unit for performing a process of restricting access to the data when the determination unit determines that the data is data that may cause an erroneous input of an information category;
The risk determination system according to appendix 22, further comprising:

(Appendix 27)
The process for restricting the access is a process for prohibiting the access.
The risk determination system according to supplementary note 25 or supplementary note 26.

(Appendix 28)
When access to the data stored in the storage unit is completed, the access source of the data is requested to input the information section corresponding to the accessed data,
In response to the input of the information section from the access source, the input information section is associated with the data and stored in the storage unit,
A new information section input when new access to the data from the access source is completed, the information section stored in the storage unit, and whether or not the data is changed by the new access Based on the above, a risk relating to input of the information category of the access source is determined.
A risk determination program for causing a computer to execute processing.

(Appendix 29)
The new information section input when new access to the data from the access source is completed is different from the information section stored in the storage unit, and the data by the new access If there is no change, it is determined that there is a risk regarding the input of the information classification of the access source,
The danger determination program according to appendix 28.

(Appendix 30)
The new information section input when there is a change of the data due to the new access and the new access to the data from the access source is completed, and the information section stored in the storage unit Is determined that there is a risk with respect to the input of the information classification of the access source, if it occurs continuously for a predetermined number of times for the data,
The danger determination program according to supplementary note 28 or supplementary note 29.

(Appendix 31)
When the information classification input with respect to the same data is different among a plurality of access sources that are not determined to be dangerous, the data is determined to be data that may cause an erroneous input of the information classification. ,
The risk determination program according to any one of appendix 28 to appendix 30.

(Appendix 32)
When a plurality of information sections corresponding to access to the data from the access source are stored in the storage unit, and there is a blur in the plurality of information sections, there is a risk regarding input of the information section of the access source Determine that there is
The risk determination program according to any one of appendix 28 to appendix 31.

(Appendix 33)
When a plurality of the information sections corresponding to access to the data from different access sources are stored in the storage unit, and there is a blur in the plurality of information sections, there is a risk regarding input of the information section of the access source Determine that there is
The risk determination program according to any one of appendix 28 to appendix 32.

(Appendix 34)
When it is determined that there is a risk regarding input of the information classification of the access source, a process for restricting access to the data from the access source is performed.
The risk determination program according to any one of appendix 28 to appendix 33.

(Appendix 35)
When it is determined that the data is data that may cause an erroneous input of information classification, a process for restricting access to the data is performed.
The danger determination program according to attachment 31.

(Appendix 36)
The process for restricting the access is a process for prohibiting the access.
The risk determination program according to Supplementary Note 34 or Supplementary Note 35.

(Appendix 37)
Computer
When the use of the data is completed, the information classification corresponding to the used data is accepted,
The received information classification is stored in the storage unit in association with the data,
Based on the new information section input when the new use of the data is completed, the information section of the data stored in the storage unit, and whether or not the data is changed due to the new use To determine the risk associated with the input of the information category,
A risk determination method characterized in that a process including the above is executed.

10A to 10C Risk determination system 20A, 20B Risk determination device 20C Server 21 Request unit 22 Corresponding unit 23A, 23B Determination unit 24 Processing unit 25 Additional registration unit 30A Terminal 30B Risk determination device 31 Input unit 32 Transmission unit 33 Reception Unit 34 Corresponding unit 35 Determination unit 36 Processing unit 37 Transmission unit 38 Acquisition unit 40A to 40C Server 41 CPU
43 storage section 43A registration processing program 43B additional registration processing program 43C data group storage area 43D information division DB storage area 43E first risk point DB storage area 43F second risk point DB storage area 44 input section 45 display sections 50A, 50B terminal 51 CPU
53 Storage Unit 53A Terminal Processing Program 53B Registration Processing Program 54 Input Unit 55 Display Units 60A-60C Computer System 80 Information Classification DB
80A, 80B information classification DB
82 1st Risk Point DB
84 2nd risk point DB
88 data groups 96 recording media

Claims (10)

Computer
When access to the data stored in the storage unit is completed, the access source of the data is requested to input the information section corresponding to the accessed data,
In response to the input of the information section from the access source, the input information section is associated with the data and stored in the storage unit,
A new information section input when new access to the data from the access source is completed, the information section stored in the storage unit, and whether or not the data is changed by the new access Based on the above, a risk relating to input of the information category of the access source is determined.
A risk determination method characterized in that a process including the above is executed. The new information section input when new access to the data from the access source is completed is different from the information section stored in the storage unit, and the data by the new access If there is no change, it is determined that there is a risk regarding the input of the information classification of the access source,
The risk determination method according to claim 1. The new information section input when there is a change of the data due to the new access and the new access to the data from the access source is completed, and the information section stored in the storage unit Is determined that there is a risk with respect to the input of the information classification of the access source, if it occurs continuously for a predetermined number of times for the data,
The risk determination method according to claim 1 or 2. When the information classification input with respect to the same data is different among a plurality of access sources that are not determined to be dangerous, the data is determined to be data that may cause an erroneous input of the information classification. ,
The risk determination method according to any one of claims 1 to 3. When a plurality of information sections corresponding to access to the data from the access source are stored in the storage unit, and there is a blur in the plurality of information sections, there is a risk regarding input of the information section of the access source Determine that there is
The risk determination method according to any one of claims 1 to 4. When a plurality of the information sections corresponding to access to the data from different access sources are stored in the storage unit, and there is a blur in the plurality of information sections, there is a risk regarding input of the information section of the access source Determine that there is
The risk determination method according to any one of claims 1 to 5. When access to the data stored in the storage unit is completed, a request unit that requests an input of an information section corresponding to the accessed data from the access source of the data;
An associating unit for storing the input information category in association with the data in the storage unit in response to the input of the information category from the access source in response to a request by the request unit;
A new information section input when new access to the data from the access source is completed, the information section stored in the storage unit, and whether or not the data is changed by the new access , Based on the determination unit for determining the risk regarding the input of the information classification of the access source,
A risk judgment device having When access to the data stored in the storage unit is completed, a request unit that requests an input of an information section corresponding to the accessed data from the access source of the data;
An associating unit for storing the input information category in association with the data in the storage unit in response to the input of the information category from the access source in response to a request by the request unit;
A new information section input when new access to the data from the access source is completed, the information section stored in the storage unit, and whether or not the data is changed by the new access , Based on the determination unit for determining the risk regarding the input of the information classification of the access source,
A risk determination device having:
An input unit for receiving an input of the information category requested by the request unit;
A transmission unit for transmitting the information classification received by the input unit to the risk determination device;
A terminal having
Risk assessment system including When access to the data stored in the storage unit is completed, the access source of the data is requested to input the information section corresponding to the accessed data,
In response to the input of the information section from the access source, the input information section is associated with the data and stored in the storage unit,
A new information section input when new access to the data from the access source is completed, the information section stored in the storage unit, and whether or not the data is changed by the new access Based on the above, a risk relating to input of the information category of the access source is determined.
A risk determination program for causing a computer to execute processing. Computer
When the use of the data is completed, the information classification corresponding to the used data is accepted,
The received information classification is stored in the storage unit in association with the data,
Based on the new information section input when the new use of the data is completed, the information section of the data stored in the storage unit, and whether or not the data is changed due to the new use To determine the risk associated with the input of the information category,
A risk determination method characterized in that a process including the above is executed.

Images