JP2010287117A - Web site security assurance system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a new assurance mechanism as to security of a web site, which can exhibit quality of compensation when a problem concerned in use of the web site by a general user occurs, to the general user. <P>SOLUTION: This system includes a terminal 100 used by the general user; the general web site A providing a content; a site B security-monitoring the site A as an object; and a site C (insurance company) providing an assurance about a security state of the site A. The site C performs processing to update and calculate a content of the assurance, using monitoring result information from the site A by the site B. The site B performs processing to display information such as a security level (SL) of the site A, and information such as an assurance rank based on the information from the site A on a screen of the terminal 100 in a form of an image G1, when accessing the site A by the terminal 100. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to information (IT) security technology, and more particularly to security insurance technology.

  When a general user accesses a Web site (Web page) from a terminal and uses the information (content, service, etc.) on the Internet, there is generally a security risk. For example, there is a possibility of leakage of user personal information on an EC (electronic commerce) site or the like.

  As countermeasures against the above, various security products (software and hardware) are used. For example, as a general technique, there is an anti-virus function used by a terminal or the like. In addition, there is a function of inquiring / verifying a server (database) that updates and holds security-related information (such as vulnerability information) as needed.

  At present (conventional), there is a mechanism for notifying a general user (terminal) that a certain security product is being used in the above-described Web site or the like (providing and managing the same). For example, there is VeriSign Secured Seal (registered trademark) (Non-Patent Document 1).

  According to Verisign Secured Seal, general users should verify and confirm that the Web site on which the seal (image) is posted actually exists and that communication is encrypted by SSL. Can do. The Web site operator posts the sticker (image) on the Web page, thereby improving the reliability of the site with respect to general users.

  In recent years, a mechanism for providing a predetermined insurance (hereinafter referred to as “information security insurance” or simply “insurance”) related to Web site management or the like has appeared for security of Web sites in the Internet environment. For example, in a general information security insurance example, an insurance contract is directly concluded between a website operator and an insurance company. For example, the contents of the insurance are set based on an audit of the security status of the target site, which is performed once a year.

  There exists Unexamined-Japanese-Patent No. 2005-339336 (patent document 1) etc. as a prior art example regarding the said insurance.

JP 2005-339336 A

Verisign Secured Seal, VeriSign Japan, Internet, <URL: http://www.verisign.co.jp/index.html>

  There is a mechanism for notifying general users about the use of a predetermined security product related to a Web site, such as the above-mentioned sticker, etc., related to Web site security insurance technology. On the other hand, there is generally no security product that guarantees 100% safety (risk can be reduced but not zero).

  Therefore, at present, even if information related to Web site security is provided to general users using the above-described stickers and various security products, it cannot be said that the guarantee is 100%. In the conventional display information of this type, whether it is OK or NG is generally presented regarding the security of the site, or detailed information that is difficult to understand for general users is presented, and it is more easily understood. It does not present information (for example, a specific security level). In other words, for general users, there is a vague possibility (risk) of encountering a problem such as leakage of personal information when using a website, and it is difficult to realize the magnitude of the possibility (risk).

  As described above, in the past, general users have insufficient or unclear information about the security status (the magnitude of the risk that a problem will occur or the level of effectiveness of countermeasures) related to website use. . Furthermore, information on the quality of compensation / compensation (or content of guarantee of rights before the problem occurred) in the event of a problem is insufficient or unclear.

  In particular, regarding the quality of the compensation, for example, when a general user (self) encounters damage such as leakage of personal information due to the use of the website, or before that happens, the website operator (or other organization, etc.) Insufficient or unclear information about what type of compensation (such as damages) or protection of rights to you.

  In view of the above, the main object of the present invention relates to the above-mentioned information security insurance technology, the state of security related to the use of a Web site by a general user on a communication network (Internet), the quality of compensation when a problem occurs, etc. The information about the website can be presented to the general users in a clear and clear manner, and related to it, a new insurance system for website security can be provided. It is to provide technology that can be improved.

  Of the inventions disclosed in the present application, the outline of typical ones will be briefly described as follows. A representative embodiment of the present invention is a technology of an insurance system related to information security such as a Web site and an information processing system that performs processing for providing insurance information, and has the following configuration. And

  In this embodiment, information related to the security status and compensation quality related to the use of the general user's website is presented to the general user in an easy-to-understand manner, and is not limited to binary information such as OK / NG that has been conventionally presented. , Provide more detailed multi-level evaluation information. In particular, it provides information on insurance related to the quality of compensation (information security insurance). At the same time, this embodiment provides a mechanism for automatically updating insurance contents (insurance rate, etc.) according to the security status (audit result) of the Web site.

  This form is a system for providing insurance related to information security of a website, and provides a content and service by a web page or the like to a user terminal and a user terminal on a communication network. A first information processing system that manages a website; a second information processing system that performs an audit related to information security for the website; a third information processing system that manages insurance related to information security of the website; Have The second information processing system is involved in the process of creating audit result information by executing the process of auditing information security for the website (data such as content) and the access to the website by the user terminal, Based on the audit result information, the second information processing system displays display information (image, etc.) including multi-value evaluation information (security level, etc.) on the information security status of the website on the screen of the user terminal. The processing to be displayed and the third information processing system uses the audit result information (for example, security level) by the second information processing system to update and calculate the value of the variable (for example, insurance rate) that defines the contents of insurance. And processing.

  In addition, the second information processing system is involved in access to the website by the user's terminal, and based on the information related to insurance (insurance contract information, etc.) obtained from the third information processing system, The display information (image etc.) including the insurance information to be associated is displayed on the screen of the user's terminal.

  The effects obtained by typical ones of the inventions disclosed in the present application will be briefly described as follows. According to a typical embodiment of the present invention, it relates to the above-mentioned information security insurance technology, and relates to the security status related to the use of a website by a general user on a communication network, the quality of compensation when a problem occurs, etc. Information can be presented clearly and clearly enough to general users, and related to it, a new insurance system relating to website security can be provided, improving the reliability of website management, etc. Can do.

It is a figure which shows the structure outline | summary, the characteristic, etc. of the information processing system (Web site security insurance system) of one embodiment of this invention. It is a figure which shows the structural example of the hardware or a process part in the system of this Embodiment. It is a figure which shows a process part and a process sequence in the system of this Embodiment. It is a figure which shows the structural example etc. of data information in the system of this Embodiment. It is a figure which shows the example of a screen display in the system of this Embodiment. It is a figure which shows the relationship of the element in the case of having a some insurance in the system of this Embodiment.

  Hereinafter, an embodiment (Web site security insurance system) of the present invention will be described in detail based on the drawings (FIGS. 1 to 6). Note that components having the same function are denoted by the same reference symbols throughout the drawings for describing the embodiment, and the repetitive description thereof will be omitted.

<Overview>
The outline and characteristics of the configuration of the information processing system (including the website security insurance system) according to the embodiment of the present invention will be described below with reference to FIG. As a basic feature, an insurance (Web site security insurance) mechanism is provided in which contents are automatically updated based on Web site security audit result information. In addition, for general users, the insurance information is displayed as information on the quality of compensation related to the use of the website.

  In this system, a security audit related to a general target website A (first information processing system 1) used by a general user (terminal 100) on the Internet 90 is performed as an audit site B (second information processing system 2). For example, at a regular timing. Then, the contents of the insurance premium rate in the insurance between the site A operator and the insurance company (C) are automatically updated by the audit result information. The updated insurance information is presented to the general user (terminal 100) in the form of an image G or the like associated with the Web page of the site A together with the audit result information. In particular, the information based on the image G includes information on the security level (SL) of the site A. Further, the insurance information related thereto includes information such as the insurance participation status and insurance rank (multi-value evaluation information of the quality of compensation) on the site A.

  When the user uses the site A, the user can check the security state of the site A and the quality of insurance (compensation) related thereto in an easy-to-understand manner by referring to the image G. In addition, the insurance quality is high because insurance is provided that is updated according to the security status automatically and periodically.

<System>
A configuration example of the hardware and software of this system, a processing unit (program or logic), etc. will be described with reference to FIG. 2 (and FIG. 1 etc.). Overall, on the Internet (communication network) 90, a first information processing system 1 that provides and operates a terminal 100 (PC, mobile phone, etc.) used by general users and a site A (target website); It has a second information processing system 2 that provides and operates a site B (audit site), and a third information processing system 3 that provides and operates a site C (insurance company). The terminal 100 includes a web browser 110 and the like. Communication between processing units at each site is possible via the Internet 90. It is not always necessary to provide a web page for sites other than the site A.

  In this system, the audit function and image G (display information) provided by the site B (information processing system 2 such as a server system) are implemented as main functions (insurance (compensation, etc.) and a function for providing information). This is a form in which the function is linked with the insurance management function by the site C (information processing system 3 such as a server system). The terminal 100 can obtain an image G including insurance information by accessing the site B (server) (processing A). No special software or the like is required on the terminal 100 side.

  The site A (information processing system 1) is a system that provides a general Web site to a general user (terminal 100). The site A is configured by a general server system, for example. The site A includes, for example, a Web server device 101 that realizes the Web server (content providing unit) 10, a DB 102 that stores the content data 50 (entire site A), and the like. The target website A is, for example, an EC (electronic commerce) site, a bank (online banking) site, or the like, and includes a site where a transaction such as an account transfer occurs. Site A is subject to audit by Site B. Site A is a site that has an insurance contract with an insurance company (site C). Note that the number of sites A is not limited to one, and can be plural (in particular, when auditing a large number of sites A and providing insurance with a large number of sites A as subscribers).

  The site B (information processing system 2) is an audit system that performs security audit of the target site A, provision of an image G, and the like. The system at the site B is configured by a general server system, for example. The site B includes, for example, a Web server device 201 that implements the G providing unit 21 and the like, an audit processing device (computer) 202 that implements the auditing unit (Web site security auditing unit) 22 and the like, each data information (audit information DB 61, contract) DB 203 for storing the information DB 62).

  The G providing unit 21 (Web server device 201) provides services (functions, contents, etc.) of the site B including a function of providing an image G (display information) for confirming the SL and insurance rank of the target site A. provide.

  The audit unit 22 (audit processing apparatus 202) executes an audit process of the site A related to the provision of the image G and the update of the insurance content.

  Site C (information processing system 3) is a system of an insurance company that provides and manages the insurance that site A joins. The site C includes, for example, an insurance management apparatus (computer) 301 that realizes the insurance rate determination unit (insurance content update unit) 31, the contract information transmission unit (insurance information management unit) 32, and the like of FIG. , Content etc.) and a DB 303 including the insurance rate history DB 71 and the contract information DB 72 in FIG.

  Regarding the use of this system, insurance (and audits related to its provision, etc.) is based on contracts (agreements) among the target site A, audit site B, and site C (insurance company) in advance. Provided. There may be a plurality of insurance companies (C) and a plurality of types of insurance (described later, FIG. 6). For example, there may be a plurality of types of insurance that site A joins. In that case, it can be realized by the same processing.

  Based on the audit result information (audit information DB 61) of the target site A, the G providing unit 21 determines and confirms the security level (SL) of the target site A and the insurance rank indicating the quality of compensation related thereto. Then, an image G (display information) based on the result is transmitted to the user terminal 100 and displayed.

  Specifically, the G providing unit 21 includes an audit information determining unit 211, a contract information determining unit 212, and a transmission information determining unit 213. The audit information determination unit 211 determines the SL of the target site A and the like. The contract information determination unit 212 determines the contract relationship and insurance (compensation) information of the target site A. The transmission information determination unit 213 finally determines the image G to be transmitted in response to the terminal 100 and performs response transmission processing.

  The audit unit 22 performs an audit process on the target site A (content data 50) at a predetermined periodic timing such as once a day via the Internet 90, and as a result, includes the SL at that time. Audit result information is stored in the audit information DB 61.

  Further, a specific processing unit (G providing unit 21 or the like) at the site B stores the contract relationship information related to the target site A in the contract information DB 62. In particular, the insurance contract information provided from the site C (insurance company) is stored in the contract information DB 62.

  The insurance rate determination unit 31 of the site C calculates the insurance rate of the insurance of the target site A based on the audit result information (B3) of the target site A obtained from the site B (audit information DB 61), particularly the SL at that time. The information such as the insurance premium rate is stored in the insurance premium rate history DB 71 as a history. The contract information transmitting unit 32 transmits / provides the insurance contract information of the target site A managed and stored in the contract information DB 72 to the site B in response to a request from the site B (B4).

  In addition to the above forms, for example, the G providing unit 21 and the auditing unit 22 constituting the site B may be separated into different systems and cooperated.

  In the present embodiment, SL and the like are determined by the auditing unit 22 each time, but may be performed by the G providing unit 21.

<Data information>
With reference to FIG. 4 and the like, data information handled by the present system and an example of its structure will be described below.

  (Site A) Site A has content data 50 (entire site A) handled by a processing unit such as Web server 10. The content data 50 is data such as Web pages constituting the entire site A, and includes a plurality of Web pages (content data) 52 such as HTML and JSP, and a link to the image G (link to the site B). And a web page (web page with G link) 51 such as HTML described.

  In this example, the G-linked page 51 includes content in the page 51, and the image G displayed by the link is information such as an audit result on the page (51) itself. As another form, the image G displayed by the G-linked page 51 may indicate information such as an audit result regarding a page of other content instead of the page 51. Moreover, about the display of the page 51 with G link and the image G, it is good also as a form made into one of all the pages (50), for example, and the site A operator wants to show the said display information with respect to a general user for every page The image G may be displayed on the screen.

  (Site B) The DB 203 of the site B includes an audit information DB (Web site security audit result information DB) 61 and a contract information DB (Web site contract information DB) 62. The DB 203 also stores image G data (63).

  In the audit information DB 61, as a role, information on the security status of the target site A is managed. As a specific example of the information, audit result information including security level (SL) information is included.

  The audit information DB 61 in FIG. 4 includes audit target site information, its URL (address information), audit result information for each audit execution timing (date and time), and the like. The audit result information includes information such as the value of each audit item and the security level (SL). The audit items include the number of contents, login method (type), and SQL injection countermeasures.

  The number of contents is the number of contents (Web page, file, etc.) constituting the target site. For example, the insurance premium rate is determined according to the number of contents (audit result). The login method is information such as the type of login method that affects the audit result (security state). SQL injection is an item that affects the problem of leakage of personal information as an example of an audit item, and a numerical value for the countermeasure is calculated. The audit items include various items according to the auditing method (and related insurance types, etc.) applied by the auditing unit 22.

  In the contract information DB 62, the role is to manage information on the quality of compensation when a problem (damage or the like) occurs in relation to the security status of the target site A, and contract related information on the target site A related thereto. . As specific examples of the information, insurance information is included. The insurance information includes insurance contract information of insurance provided by site C (insurance company) and joined by site A. If there is a contract relationship other than insurance (for example, a contract related to audit), the contract information may also be included. Further, when a plurality of types of insurance are handled by one insurance company (or a plurality of insurance companies), a plurality of insurance information is included.

  The contract information DB 62 in FIG. 4 includes target site information (insurance contract site) and contract information (insurance contract information, etc.). As insurance contract information, insurance identification information (insurer (insurance company) and insurance type, etc.) and insurance rank (multi-level evaluation information of the quality of compensation) regarding one or more insurances to which the target site A is subscribed ) Etc.

  (Site C) The DB 303 of the site C has an insurance rate history DB 71 (insurance content information DB) and a contract information DB 72 (insurance contract information DB). The insurance rate history DB 71 stores information defining insurance contents such as the insurance rate. In particular, past information is also held and used as a history for each update timing. The contract information DB 72 manages and stores insurance contract information and the like. The information in the DB (71, 72) may be integrated and managed as insurance information.

  The example of each data information of FIG. 4 is as follows. In the information in the audit information DB 61, the target site A provides content such as a Web page with a predetermined URL. In the audit result of an audit date and time (March 12, 2009), the total number of contents of site A is 999, and the login method is, for example, the one-time password method (type # 1). As an audit item, for example, the numerical value of SQL injection countermeasures is 97%. As a result, the current SL is determined to be 9 (“Aaa”, “OK”).

  In the present embodiment, the audit result information stored in the audit information DB 61 includes, in particular, a numerical value of the security level (SL) that is evaluated and calculated by the audit unit 22. For example, the SL level is evaluated with a value of 1 to 9 at the minimum. Further, for example, a rating notation such as “Aaa” for the highest level and “C” for the lowest level may be used (example based on the rating notation in the financial field). Further, “OK” (security OK) may be determined when SL is equal to or higher than a predetermined level, and “NG” (security NG) may be determined when SL is less than a predetermined level.

  Further, in the information of the contract information DB 62, the target site A makes a contract with the insurance company (C) (and the audit site B) in advance for a predetermined insurance (type: C- # 1) and subscribes to it. . This insurance contract also includes an audit contract. This insurance (C- # 1) is determined to have an insurance rank of 3 at that time. The insurance rank is, for example, a minimum of 1 to a maximum of 5.

  Further, in the information of the insurance premium rate history DB 71, the insurance premium rate (for example, the history of one day) of the insurance (C- # 1) relating to the target site A is 2.0, for example, as of March 12, 2009, and As of March 11, it is 2.1, etc. In addition, in the information in the insurance contract information DB 72, the target site A is in a state where it is already subscribed to the insurance type C- # 1, and is in a state where it is not yet subscribed to other insurance, for example, the insurance type C- # 2.

<SL>
SL is a value obtained by comprehensively evaluating multi-valued risks related to information security when a general user accesses the target site A. That is, for example, when SL is low, it is determined that the possibility of occurrence of a problem is high. A predetermined type of SL is determined based on a result of a predetermined audit process based on an existing or unique predetermined information security standard.

<Insurance rank>
The insurance rank is a value obtained by evaluating the quality of insurance compensation at the target site A with multiple values. For example, when a general user accesses the target site A and a problem such as damage (for example, leakage of personal information) occurs, the quality of compensation for the general user is determined based on the insurance contract information of the target site A, etc. Value. In other words, it can be called a compensation level. Note that the multi-level evaluation information such as the level and rank may be other expressions such as a score and%.

<Processing>
In FIG. 1, FIG. 3, etc., there are roughly two processes performed in this system. As processing A, there is a processing sequence indicated by arrows such as A1 to A8, which indicates processing at the time of access by the user terminal 100. Further, as the process B, there is a process sequence indicated by arrows such as B1 to B4, which is a process in the background of this system independent of the process A, for example, a regular / periodic process.

  In the process A, between the general user terminal 100 and the sites A and B, the audit result information (SL etc.) is displayed on the screen of the terminal 100 (partial display area 410 of the Web page 400 of the site A) using the image G. And processing to display information on insurance (compensation, etc.). In particular, “SL” or “OK” / “NG” images are provided as display information of the security status. In addition, as insurance quality display information, images of “insurance rank” and insurance coverage status (“enrolled” / “not subscribed”) are provided.

  In the process B, the process of updating the insurance contents in conjunction with the audit is automatically executed between the sites A, B, and C.

<Processing A sequence>
The processing A sequence will be described with reference to FIG. Relatedly, FIG. 5 shows a screen display example.

  A1: The user accesses the site A (Web page) from the Web browser 110 of the terminal 100 and uses the content, service, and the like. When accessing a Web page, an operation such as inputting a URL (clicking a link) or the like is appropriately performed by the user. At that time, for example, the user accesses a Web page (51) such as HTML in which a link to the image G is described (A1). This access (A1) is a request by, for example, normal HTTP (or HTTPS).

  A2: In response to the access request of A1, the Web page 51 with the G link is transmitted as a response from the site A to the terminal 100 (A2). In the web page 51 with G link, link information (URL or the like) to the image G (site B) is described. As a result, the Web browser 110 displays the Web page P1 (401) on the screen (FIG. 5). The display content of the Web page P1 (401) includes, for example, a normal content display area and a link information display area (411). The link information is link information to the image G (site B) associated with the web page P1 or another web page P2.

  A3: The user clicks, for example, link information (411) to the image G with the mouse on the Web page 51 with G link displayed on the screen of the terminal 100 (FIG. 5, page P1 (401)). As a result, the link is interpreted by the Web browser 110, and access to the site B (A3) occurs. This access (A3) is a request by, for example, normal HTTP (or HTTPS), and is accompanied by information (for example, URL of site A) indicating “linked from site A”.

  A4: In response to the access request of A3, the site B determines and determines the requested information (image G) by the G providing unit 21 (processing of A4 to A7). For this purpose, the G providing unit 21 activates the audit information determining unit 211, the contract information determining unit 212, the transmission information determining unit 213, and the like, and causes each of them to perform processing.

  A5: The contract information determination unit 212 refers to the contract information DB 62 and acquires (reads) the contract relation information (insurance information) of the target site A. That is, information such as insurance (for example, C- # 1) to which the target site A is subscribed and its insurance rank (for example, 3) is acquired.

  A6: The audit information determination unit 211 refers to the audit information DB 61 to acquire (read) the audit result information of the target site A. That is, information such as SL (for example, 9) at the latest audit date is acquired.

  A7: The transmission information determination unit 213 determines display information (image G1) to be transmitted in response to the terminal 100 using the information acquired by the processes of A5 and A6. That is, the transmission information determination unit 213, for example, as the image G corresponding to the SL information by A6, “SL” image g1 (the display content includes a specific SL numerical value (example: 9)) and the insurance by A5. As the image G corresponding to the information, image data 63 corresponding to the “insurance rank” image g2 (the display content includes a specific insurance rank numerical value (eg, 3)) is read from the DB 203 or the like.

  A8: Then, the G providing unit 21 transmits data including the determined image G1 (eg, SL (g1), insurance rank (g2)) to the terminal 100 (A8). In addition to the SL and insurance rank, an image of “OK” / “NG” in the security state and an image of “enrolled” / “not subscribed” in the insurance state may be returned. In this example, image data (such as a GIF file) is transmitted. However, other formats, for example, web page data including the image data may be used.

  On the page P1 / P2 (402) displayed on the screen by the web browser 110 of the terminal 100 based on the acquisition of the image G1, for example, the link information (411) in the web page 51 (P1) with the G link described above. The image G1 (g1, g2) is displayed in a predetermined display area (412) corresponding to the place or in a predetermined display area (412) in another Web page (P2) to be linked. Thereby, the user sees the image G1 (g1, g2) displayed on, for example, a part (412) of the Web page (402) on the display screen. Thereby, the user can recognize the security state of the target site A and the quality of compensation.

<Processing B sequence>
The processing B sequence will be described with reference to FIG.

  B1: The audit unit 22 at the site B automatically executes the security audit process for the target site A at a predetermined timing, for example, once a day, once a hour, etc. This access (B1) of the audit process is an access via the Internet 90 by, for example, HTTP (or HTTPS).

  By this access (B1), the auditing unit 22 scans (diagnose) the content data 50 using HTML or the like that configures the site A via a network device, a server, or the like, and executes an audit process according to a predetermined audit item. Various techniques can be applied to this audit process. The audit items include, for example, resistance check against various attacks (for example, SQL injection), vulnerability detection, and the like. For each item, a numerical value (% etc.) indicating the measure level is calculated.

  The above-described audit processing is, for example, predetermined audit processing other than the normal operation time zone (a time zone in which general users have a lot of access) as access to the Web server apparatus 101 or the like based on a prior contract between the sites A and B. It may be a form that is executed during a business time zone.

  B2: Based on the result of the audit process, the audit unit 22 finally collects the audit result information including the SL evaluation calculation value and stores it in the audit information DB 61.

  B3: The latest audit result information according to B2 is transmitted from the processing unit (such as the auditing unit 22) that manages the audit information DB 61 of the site B to the insurance rate determining unit 31 of the site C. The information may be acquired by requesting from the site C side. The insurance rate determination unit 31 performs a process of updating and calculating the insurance rate of a predetermined insurance (for example, C- # 1) to which the target site A is subscribed based on the acquired audit result information. The renewal calculation method is based on a predetermined insurance design (risk evaluation method). For example, the insurance premium rate is calculated to be lower as the above-described SL is higher. That is, the insurance premium paid to the insurance company (C) by the site A is so low that problems (damage etc.) are unlikely to occur at the site A. The updated insurance rate information is stored in the insurance rate history DB 71. In addition to the insurance premium rate, the subject of the update calculation according to the audit result information such as SL may be another element related to the design of the insurance.

  B4: Further, when there is an insurance contract for the target site A, the contract information transmission unit 32 (contract information DB 72) of the site C transfers to the processing unit (G providing unit 21 or the like) that manages the contract information DB 62 of the site B. , Give and receive the insurance contract information. For example, at the time of an insurance contract or when updating the contents of an insurance contract, the contract information transmission unit 32 transfers the insurance (insurance between the insurance company (C) and the site A to the contract information DB 62 of the site B (example : C- # 1)) insurance contract information (insurance type, etc.) is transmitted. The information may be acquired by requesting from the site B side.

  Note that the information acquisition process related to A6 (B3) and A5 (B4) can be omitted if there is no update information. Further, when the contents of the insurance rate history DB 71 of the site C (information such as the insurance rate that defines the contents of insurance) and the contents of the contract information DB 72 (insurance contract information) are linked, the DB 72 is updated as the DB 71 is updated. The content is also updated.

<Image G>
It is the following about the image G (G1) displayed on a user's terminal 100. FIG. The G providing unit 21 of the site B has data (63) of various types of images G that can be provided in the DB 203. That is, there are images indicating “SL”, “OK” / “NG”, etc. relating to the security status, and images indicating “insurance rank” relating to the quality of insurance (compensation), “enrolled” / “not subscribed”, etc. The design on the display of the image G can be freely designed by combining images, text messages, shapes, colors, and the like. The image G data (display information) provided to the terminal 100 is not limited to an image file format such as GIF, but may be text data (character information) or Web page data format.

  In the present embodiment, “SL” image g1 is included as image G1 provided to terminal 100. In addition, when there is an insurance to which the site A is subscribed, the “insurance rank” image g2 is included. By presenting such multi-value information to the user, it becomes easier to understand the security status and the quality of compensation compared to the conventional case where binary (OK / NG or the like) is presented.

<Detailed information>
Furthermore, not only the display of the image G but also a mode of linking to detailed information about the image G by, for example, a user clicking on the image G may be used. In this case, the user can verify and confirm the security status and the quality of compensation in more detail by browsing the detailed information.

  For example, clicking on the image G may jump to a web page such as audit result information provided by the site B. Further, when there is insurance, the user may jump to a Web page for detailed information on the insurance provided by the site C (insurance company). In this case, the link information is associated with the data of the image G. For example, when the site B responds with the detailed information, the site B reads out the above-described audit result information and contract information from the DB (61, 62), generates a Web page of the detailed information including them, and sends it to the terminal 100. Send a response.

  For example, the detailed information may present information for each audit item that is the basis of a value such as SL. Further, for example, instead of items such as SQL injection countermeasure numerical values, the information may be summarized by a predetermined item (viewpoint) so that the user can easily understand. For example, a value calculated from the viewpoint of “personal information leakage” may be presented.

  Further, the insurance information presented to the general user may include information on a specific insurance type and insurance content, information on compensation for the general user, and the like.

<Insurance>
The form of insurance provided in the present embodiment is insurance (particularly liability insurance) based on contracts between a plurality of target sites A and an insurance company (C). The target site A operator (insurer) joins the insurance company (C) (insurer) and joins this insurance (insurance product, insurance service). In addition, since the security audit is incorporated in the insurance system, the audit site B is also included in the contractor or contract clause. The target site A operator pays a predetermined insurance premium to the insurance company (C). As described above, the insurance premium is determined by the insurance premium rate updated as needed according to the audit result (SL or the like) of the target site A. The insurance premium rate is a ratio at the time of calculating the insurance premium paid by each policyholder with respect to the insurance amount as a standard (unit). The insurance premium rate is calculated based on the probability of occurrence of a problem (insurance accident) (can be evaluated from the audit result information such as SL). When a problem (insurance accident) occurs at the target site A (for example, when damage is caused to a general user due to leakage of personal information), a predetermined insurance amount is paid to the target site A from the insurance company (C). For example, at the site A, when a problem occurs, a compensation (damage insurance) is paid to a general user (victim).

<Effect of Embodiment>
As described above, according to the present embodiment, it is possible to provide insurance that is linked to the security status of the Web site, particularly insurance that automatically updates the insurance rate according to SL or the like. In addition, according to this configuration, a series of processing including insurance content update processing can be automatically executed by a computer instead of reviewing insurance content in units of once a year by a conventional non-automatic mechanism. Therefore, it is possible to realize a mechanism for updating the insurance content (insurance rate) in regular units such as once a day. In other words, high quality insurance can be provided. In addition, since the insurance information can be presented to general users together with information on the security status such as SL, the quality of compensation can be easily recognized for general users, and the reliability of website use can be improved. it can.

<Modification (1)>
The following is possible as a modified example (another embodiment). Only when the security status of the target site A by the site B is “OK” (for example, SL is equal to or higher than a predetermined level), the target site A is sufficiently reliable, and the image G of “OK” is displayed to the user. To the terminal 100. If the result is “NG” (for example, SL is less than a predetermined level), the site A is inadequate for security measures, and information to that effect is transmitted from the site B to the site A operator (contact). Thus, the improvement of security is promoted, and the “NG” image G is not presented to the user terminal 100.

<Modification (2)>
As a modification, regardless of whether there is a prior contract (acceptance) between the sites A and B, the site B executes an audit process for a large number of sites A (of course, within a range that does not interfere with normal operation). For example, even when the site B determines that the target site A has low SL (“NG”), display information such as the image “NG” or “SL” G is presented to the user terminal 100. That is, it is a system form that generally ranks and presents SLs of site groups.

<Example of processing (insurance rank)>
It is the following about the process example regarding the above-mentioned insurance rank. In the above-described form, the site B determines or confirms the insurance rank for the insurance between A and C, and the information on the insurance rank is presented to the user terminal 100 by the image G. For example, the G providing unit 21 (contract information determining unit 212) of the site B may be configured based on the audit result information (B2) from the audit unit 22 or the insurance contract information (B4) from the insurance company (C). Judgment or confirmation of insurance rank. Detailed processing examples in this regard are possible as follows.

  (A) A form in which the insurance rank is fixed (static). That is, the insurance rank of the insurance is determined in advance according to the type of insurance and the like, and does not change according to the audit result such as SL.

  (B) A form in which the insurance rank is changed (dynamic). That is, the insurance rank of the insurance is determined so as to fluctuate according to the audit result such as SL at that time. For example, the higher the SL is, the higher the insurance rank (evaluation of compensation quality) is. As an example of processing, the G provision unit 21 (contract information determination unit 212 or the like) determines the insurance rank at that time using the SL determination result by the audit information determination unit 211 or the like at that time.

<Example of processing (insurance information)>
There are the following processing examples for the insurance information (insurance content information, insurance contract information) and the insurance (compensation) information presented in the image G at the site C described above.

  (A) A form in which the update (B3, 31, 71) of the insurance premium rate (insurance content information) at the site C and the content (B4, 32, 72) of the contract information (insurance contract information) are independent. In this case, even if the insurance premium rate of the insurance is updated by B3, the contract information side is not updated, and therefore the content of the information related to insurance (compensation) among the information presented by the image G to the user does not change.

  (B) The content (B4, 32, 72) of the contract information (insurance contract information) is updated in conjunction with the update (B3, 31, 71) of the insurance premium rate (insurance content information) at the site C. In this case, when the insurance premium rate of the insurance is updated by B3, the contract information side is also updated, and therefore the content of the information related to insurance (compensation) among the information presented to the user by the image G varies.

<Multiple insurance>
FIG. 6 shows a case where a plurality of insurances are handled as a supplement regarding the above-described embodiment. For example, it has a plurality of sites C (insurance companies) {C1, C2,...}, And a plurality of insurance, for example, {C1- # 1, # 2, ..., C2- # 1, # 2,. I will provide a. For example, a site A group {A1,..., Am} that subscribes to a certain insurance C1- # 1 is included.

  The audit site B performs an audit process (B1), for example, on the site A group {A1,..., Am} subscribing to the insurance C1- # 1 (audit # 1). As a result, the images G {GA1,..., GAm} indicating the respective SLs are associated with the contents of the site A group {A1,. Each user terminal 100 displays the corresponding image G provided from the site B when accessing and using the desired site A.

  When auditing by the site B, the same auditing method is used regardless of the type of insurance associated with the target site A group. For example, the insurance C1- # 1 and the insurance C2- # 1 have the same audit (audit # 1, audit # 2) method. That is, in this case, the site B is an audit system that provides a unified audit result independent of the insurance system.

  Further, when auditing by the site B, a type of auditing method corresponding to the type of insurance associated with the target site A group may be used. For example, insurance C1- # 1 and insurance C2- # 1 have different audit (audit # 1, audit # 2) methods based on the contract. That is, in this case, the site B is an audit system that provides an audit result that is subordinate to a predetermined insurance system (that is, useful for designing a predetermined insurance).

  In addition, when there are a plurality of types of insurance (for example, C1- # 1, # 2) provided by an insurance company, they are, for example, viewpoints that general users and target site A operators care about information security (want to risk hedge) It is good also as insurance in the unit of a specific item. For example, there are various types of insurance such as insurance based on leakage of personal information and insurance corresponding to violation of service level agreement. A predetermined audit item is associated with the type of insurance.

  As mentioned above, the invention made by the present inventor has been specifically described based on the embodiment. However, the present invention is not limited to the embodiment, and various modifications can be made without departing from the scope of the invention. Needless to say.

  Since this system can be applied in the same way even when the terminal 100 of a general user (consumer) is replaced with a computer of another company or the like, it can be applied not only to BtoC but also to a BtoB mechanism.

  The present invention can be used for a website system, an audit system, an insurance system, and the like.

DESCRIPTION OF SYMBOLS 1 ... 1st information processing system (site A), 2 ... 2nd information processing system (site B),
3 ... 3rd information processing system (site C), 10 ... Web server (content providing unit), 21 ... SL judging unit (G providing unit), 22 ... Auditing unit (Web site security auditing unit), 31 ... Insurance premium rate Determination unit (insurance content information update unit), 32 ... Contract information transmission unit (insurance contract information management unit), 50 ... Site A whole content data, 51 ... Image (G) Linked page (content data), 52 ... Page ( Content data), 61 ... Audit information DB (Web site security audit result information DB), 62 ... Contract information DB (Web site contract information DB), 63 ... Image data, 71 ... Insurance premium rate history DB (insurance content information DB), 72 ... Contract information DB (insurance contract information DB), 90 ... Internet, 100 ... Terminal, 101 ... Web server device, 102 ... DB, 110 Web browser, 201 ... Web server device, 202 ... Audit processing device, 203 ... DB, 211 ... Audit information judgment unit (SL judgment unit), 212 ... Contract information judgment unit (insurance (compensation) information judgment unit), 213 ... Transmission Information determination unit (G transmission unit), 301 ... insurance management device, 302 ... Web server device, 303 ... DB, 400, 401, 402 ... Web page, 410, 411, 412 ... display area, G, G1 ... image.

Claims (11)

A system for providing insurance related to information security of a website,
A terminal used by a general user on a communication network, a first information processing system that manages a general Web site that provides content and services to the terminal of the user, and information security for the Web site A second information processing system for performing an audit; and a third information processing system for managing insurance related to information security of the website.
The second information processing system performs a process of creating audit result information by executing an audit process of the information security for the Web site,
The third information processing system uses the audit result information from the second information processing system to perform a process of updating and calculating a value of a variable that defines the insurance content. Security insurance system. In the website security insurance system according to claim 1,
The third information processing system uses the audit result information from the second information processing system to perform a process of updating and calculating a premium rate value as a variable that defines the insurance content. Web site security insurance system. In the website security insurance system according to claim 1,
The third information processing system uses the security level, which is multi-level evaluation information related to the information security status of the website, of the audit result information obtained by the second information processing system to determine the contents of the insurance. A website security insurance system characterized by performing a process of updating and calculating a value of a prescribed variable. In the website security insurance system according to claim 1,
When the user terminal accesses the Web site and obtains the content or service, the second information processing system uses the insurance information obtained from the third information processing system. And performing a process of displaying display information including the insurance information associated with the Web site on the screen of the user terminal. In the website security insurance system according to claim 4,
Using information representing the insurance rank as the insurance information,
The second information processing system determines or confirms the rank of the insurance associated with the Web site based on the information related to the insurance obtained from the third information processing system, and determines the rank of the insurance. A Web site security insurance system characterized by performing a process of displaying display information including the display information on a screen of the user terminal. In the website security insurance system according to claim 4,
The insurance information includes information on whether or not the Web site has insurance for information security, and is obtained from the third information processing system,
The website security insurance system according to claim 1, wherein the insurance is a type of insurance in which an insurance money is paid to compensate the user when a problem such as damage to the user occurs on the website. In the website security insurance system according to claim 1,
The second information processing system performs the process of creating the audit result information and storing the history by executing the information security audit process for the Web site at every predetermined periodic timing. Done
The third information processing system uses the history of the audit result information to update and calculate the value of a variable that defines the contents of the insurance at each predetermined periodic timing, and stores the history A website security insurance system characterized by In the website security insurance system according to claim 1,
The second information processing system includes:
An auditing unit that performs a process of creating audit result information including evaluation information related to an information security state relating to the website by executing the information security auditing process on the website;
When the user terminal accesses the website and obtains the content or service, display information including the evaluation information is displayed on the screen of the user terminal based on the audit result information. A website security insurance system, comprising: a providing unit that performs processing. In the website security insurance system according to any one of claims 1 to 8,
The Web site security insurance system, wherein the display information includes a predetermined image displayed in a Web page of the target Web site. In the website security insurance system according to claim 1,
The second information processing system performs a process of displaying detailed information on the insurance on the screen of the terminal in response to an operation of the user with respect to display information displayed on the screen of the terminal. Web site security insurance system. In the website security insurance system according to claim 2,
The Web site security insurance system characterized in that the number of contents provided by the Web site is included as an item of the audit by the second information processing system.