JP2018142284A - Risk calculation device, risk determination device equipped with risk calculation device, and risk calculation method - Google Patents

Abstract

[Problem] Risks due to data provision, which is an important matter for a company to determine whether or not to distribute data, have not been sufficiently studied. A risk calculation device is a device that calculates a risk when a data provider provides data to a data user, such as data to be provided, a data provider, a data provider customer, a data user, and the like. Based on the information, a risk factor relating to the data itself, a factor relating to the data user, and a factor relating to the relationship between the data provider and the data user are obtained, and a risk index is calculated. [Selection] Figure 1

Description

  Embodiments described herein relate generally to a risk calculation device that calculates a risk that occurs when a company provides its own data to the outside, a risk determination device that includes the risk calculation device, and a risk calculation method.

  In recent years, with the development and expansion of network communication, IoT (Internet of Things) that communicate with each other via the Internet has rapidly expanded. With this spread, it is estimated that the number of devices connected to the network further increases, and a considerable amount of data is distributed between these devices.

  Moreover, as a method of data distribution between companies in network communication, for example, 1) a data holder type model that provides and sells its own data to the outside, and 2) information collected from a plurality of data providers is analyzed. A data aggregator model that sells results; 3) a data marketplace model that mediates between data providers and users; and 4) data similar to the data marketplace model. There are four models known as a personal data store model that handles personal data with privacy risk, which mediates between a provider and a user.

"Proposal of Data Sharing Method in Real World Data Distribution Framework" Taichi Kawabata, Koichi Takasugi et al. IEICE Technical Report IN2012-70 (20122-9) “Research Report on Information Security Incident 2009” Version 1.1 NPO Japan Network Security Association Security Damage Investigation Working Group Revised on September 2, 2010

  For example, a data sharing method in a data distribution framework such as Non-Patent Document 1 has been proposed as a data distribution method / method described above and a technique for realizing the method. In order to promote data distribution, it is essential to provide a lot of data by a large number of companies, but companies must consider at least the effects of “profit” and “damage” when implementing data provision. Don't be. Among these, regarding “damage”, it is effective to quantitatively grasp whether or not data provision is possible. For example, the calculation of risks such as whether there is a risk of privacy infringement on the data provided and whether the corporate value is not impaired by the data provision is an important factor in determining whether a company can provide data. It is thought that it is one of.

  Thus, the “risk of data provision”, which is an important matter for determining whether or not a company circulates data, has not been sufficiently studied so far. The lack of such a comprehensive evaluation axis for knowing the “risks incurred by providing data to other companies” has been an obstacle to companies providing data in providing data.

  Accordingly, the present invention aims to provide a risk calculation device, a risk determination device equipped with a risk calculation device, and a risk calculation method that comprehensively capture risks generated by the implementation of data provision and show a framework for quantitative evaluation. And

In order to achieve the above object, (1) a risk calculation apparatus according to an embodiment of the present invention is a risk calculation apparatus that calculates a risk when a data provider provides data to one or more data users, A first risk factor relating to the data itself, including at least a sensitivity to data classified by data type and attribute, and a second risk factor relating to the data user, including at least the risk of occurrence of an incident by the data user, and Data distribution using the parameter management unit for obtaining the third risk factor relating to the relationship between the data provider and the data user who exchanges data, and the first risk factor, the second risk factor and the third risk factor And a risk calculation unit for calculating a risk of accompanying damage as a risk index.
(2) In the risk calculation unit of the embodiment according to the present invention, the first risk in which payment of damages is generated, the second risk in which competitiveness is reduced due to disclosure of trade secrets, and the lost profit due to customer withdrawal are generated. A plurality of risks including three risks are calculated as the risk index.

(3) In the embodiment according to the present invention, the risk calculation unit sets the first risk element as C1, the second risk element as C2, and the third risk element as C3, and the first risk as R1. When the second risk is R2, and the third risk is R3,
The first risk, the second risk, and the third risk are each calculated as a risk index using the following functional formula.

  (4) The risk determination device according to the embodiment of the present invention is connected to the risk calculation device, compares the risk index output from the risk calculation unit of the risk calculation device with a predetermined threshold, A condition determination unit that determines that the data is selectively provided to a data user whose risk index is less than the threshold, and the data is provided only to the data user selected by the condition determination unit And an output control unit.

(5) A risk calculation method according to an embodiment of the present invention is a risk calculation method for calculating a risk when a data provider provides data to one or more data users, and includes the type and attribute of the data itself. Occurs between the first risk factor relating to the data itself classified by the sensitivity of the data, the second risk factor relating to the data user causing the occurrence of the incident by the data user, and the two parties passing the data A third risk factor relating to the relationship between the data provider and the data user, and using the first risk factor, the second risk factor, and the third risk factor to determine the risk of suffering damage associated with data distribution Calculated as a risk index.
(6) In the risk calculation of the embodiment according to the present invention, the first risk in which payment of damages occurs, the second risk in which competitiveness is reduced due to the disclosure of trade secrets, and the third loss in which lost profits due to customer withdrawal occur. A plurality of risks including risks are calculated as the risk index.

  (7) A program for driving a risk calculation apparatus to be executed by a computer according to an embodiment of the present invention drives a risk calculation apparatus that calculates a risk when a data provider provides data to one or more data users. Program for data users, including at least a first risk element regarding data itself including at least sensitivity to data classified by data type and attributes, and at least a risk of occurrence of an incident by the data user. 2 parameter management, parameter management for obtaining a third risk factor related to the relationship between the data provider and the data user who exchanges data, and the first risk factor, the second risk factor and the third risk factor Risk calculation to calculate the risk of suffering damage due to data distribution as a risk index. To be executed in Yuta.

  (8) The risk calculation driving program to be executed by the computer according to the embodiment of the present invention is the risk calculation in which the first risk that damages are paid and the competitiveness due to the disclosure of trade secrets are reduced. 2 risks and a third risk in which lost profits are generated due to customer withdrawal are calculated as the risk index.

  According to the embodiments of the present invention (1), (2) risk calculation device and (5), (6) risk calculation method, the risk generated by the provision of data is comprehensively modeled, and quantitative risk calculation A framework can be realized. By organizing not only the data itself but also the players involved in the data provision and reflecting the relationship between the data senders and receivers, it is possible to comprehensively express the risks posed to the company at the time of the data provision. Therefore, it is possible to determine whether or not to provide data while observing the risk of damage to the company from a multifaceted viewpoint.

  (3) The risk calculation unit can easily calculate the first risk, the second risk, and the third risk as risk indices, respectively, using a preset function formula. Moreover, since the risk is calculated by the function formula, several risks are calculated under the same conditions, and thus the magnitudes of the calculated risks can be appropriately compared.

  (3) The risk judgment device is appropriate for the data user in order to judge whether the risk index calculated by the risk calculation unit is less than the threshold value by comparing with the threshold value of the judgment criterion set in advance. It can be determined whether or not it can be provided.

  (7), (8) The first to third risk elements and the first to third risks can be calculated and output using a driving program for causing the risk calculation apparatus to be executed by a computer. Comprehensive modeling of risks generated by data provision automatically and a quantitative risk calculation framework.

FIG. 1 is a diagram showing a conceptual configuration of a risk determination device according to an embodiment of the present invention. FIG. 2 is a flowchart for explaining an operation procedure of the risk determination apparatus. FIG. 3 is a diagram illustrating steps for determining a risk index from parameters in the risk calculation unit. FIG. 4 is a diagram for explaining a data flow in data provision. FIG. 5 is a diagram showing the sensitivity classification of the mental distress level and the economic loss level as a matrix. FIG. 6 is a diagram showing an example of quantifying the risks of each company from the A industry to the K industry in the primary industry to the tertiary industry. FIG. 7 is a diagram illustrating the relationship between companies that perform data communication. FIG. 8 is a diagram illustrating an example of a product category and a purchase channel. FIG. 9 is a diagram showing divisions for determining the importance in the data provider. FIG. 10 is a diagram illustrating an example of consumer purchase history data. FIG. 11 is a diagram showing a description example of a securities report. FIG. 12 is a diagram showing the relationship between risk factors and damage amounts. FIG. 13 is a diagram illustrating a risk calculation result regarding the calculation example (1). FIG. 14 is a diagram illustrating an example of management information classification of data to be handled. FIG. 15 is a diagram illustrating an example of railway use history data. FIG. 16 conceptually shows the profit amount of the related business from the securities report. FIG. 17 is a diagram illustrating an example of the relationship between risk factors and damage amounts stored in the parameter management unit. FIG. 18 is a diagram illustrating a risk calculation result regarding the calculation example (2).

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
FIG. 1 is a diagram showing a conceptual configuration of a risk determination device according to an embodiment of the present invention.
The risk determination device 1 is mainly composed of a risk calculation device 2 and a condition determination device 3. The risk calculation device 2 includes a parameter management unit 4 and a risk calculation unit 5, and calculates a risk index described later from a plurality of parameters. The parameter management unit 4 stores various parameters necessary for risk calculation at the time of data provision. The risk calculation unit 5 calculates a risk by calling a necessary parameter from the parameters managed by the parameter management unit 4.

  The condition determination device 3 includes a condition determination unit 6 and an output control unit 7. The condition determination device 3 inputs the risk index output from the risk calculation device 2, performs condition determination, and provides data. The condition determination unit 6 performs condition determination with a condition corresponding to the risk index as an input. Further, the output control unit 7 performs determination and the like to be described later, and controls to output (transmit) data to a data providing destination based on the result of the condition determination unit 6.

  Here, in describing the present embodiment, a risk calculation method for providing known data for comparison will be described. First, there is a method for calculating an assumed damage compensation amount using a category determined for each type of data. This method was not created for the purpose of quantifying the risk of data provision. Second, there is a method for quantifying individual-specific risks with respect to data related to individuals. This method is composed of a method for efficiently searching for a combination of attributes that can be personally specified for data stored in a relational type, and a method for quantifying the ease of specifying personal data. Data safety is discussed for these risk calculation methods. That is, it is to evaluate the trade-off relationship between safety by data processing such as anonymization and usability as data.

Next, a rough operation procedure of the risk determination device 1 will be described with reference to the flowchart shown in FIG.
First, as an initial setting, a threshold value serving as a determination criterion corresponding to the value of the risk index is input to the condition determination unit 6 (step S1). Next, a plurality of parameters to be described later necessary for risk calculation are set and stored in the parameter management unit 4 (step S2). Thereafter, the risk calculation unit 5 calculates three risk elements C1, C2, and C3 described later using the parameters stored in the parameter management unit 4 (step S3). Thereafter, the risk calculation unit 5 calculates a risk index using the risk element (step S4). Next, the condition determination unit 6 determines whether or not the risk index calculated from the risk calculation unit 5 is less than the threshold by comparing with a threshold of a determination criterion set in advance (step S5). If the risk index is less than the threshold within this range (YES), it is determined that the risk is low or there is no risk, and the data is provided to the customer data user (step S6). On the other hand, if the risk index is greater than or equal to the threshold (YES), it is determined that there is a risk, and data is not provided to the data user (step S7).

Next, risk calculation in the risk calculation unit 5 will be described with reference to FIGS. 3 and 4.
FIG. 3 is a diagram illustrating an example of steps for determining a risk index from a parameter in the risk calculation unit. FIG. 4 is a diagram for explaining a data flow in data provision.

  As shown in FIG. 3, when calculating risk elements C1, C2, C3, parameters are sent from the parameter group and calculated, and the risk risk Ri (i = 1, 2,...) Is calculated from the calculated risk elements C1, C2, C3. ) Is calculated.

First, the risk of suffering damage due to data distribution is defined by a function having the following risk elements C1, C2, and C3 as variables. Here, when the players involved in data provision are organized, as shown in FIG. 4, the company that becomes the data provider is A, the customer is a, and the data user (providing destination) is B. The risk at the time of data provision is calculated in the presence of these three parties. Each risk factor is
C1: Section on the data itself (first risk factor)
C2: Data user B section (second risk factor)
C3: Section on the relationship between data provider A and data user B (third risk factor)
And

  In these risk factors, the term C1 relating to the data itself depends on what represents the data itself, for example, the type and attribute of data, accuracy, granularity, and rarity. The term C2 relating to the data user depends on the state of the data user, for example, the security response status, financial status, stock price status, and company scale. The term C3 relating to the relationship between the data provider and the data user depends on the relationship between the two parties (or between the two companies), for example, the difference in the type of business or the subordinate relationship. Each risk factor is also expressed as a function determined using a plurality of parameters. The risk of damage set by an arbitrary number is calculated using each risk factor.

An example of risk determination by the risk determination apparatus 1 of the present embodiment will be described. Three items of risk factor C here are assumed as follows.
C1: Importance of data for each player
C2: Data user security level
C3: Dissimilarity between data providers and data users
Using the above risk index C, the risk of suffering damage due to data distribution is obtained. Here, one or more risks are determined as a risk index by a quantitative value. Specifically, it is calculated by one comprehensive value, or classified by priority of action (legal restriction, in-contract restriction, restriction by implicit consent, etc.), or classified by aggressiveness of damage. It is possible. In the following, an example in which the classification is determined according to the aggressiveness of damage is classified into three. Positive damage means that payment is generated, and passive damage means that profits that should be obtained cannot be obtained.

R1: Risk of payment for damages (first risk)
R2: Risk of reduced competitiveness due to exposure of trade secrets (second risk)
R3: Risk of lost profits due to customer withdrawal (third risk)
First, C1: The importance of the data for each player will be described. The sensitivity classification between the mental distress level and the economic loss level shown in FIG. 5 is shown in a three-level matrix. Of course, this sensitivity classification is an example, and the level of each item differs depending on the individual.
As shown in FIG. Those with an economic loss level (Y-axis) of 1 and a mental level (X-axis) of 1 include name, date of birth, gender, address, phone number, physical information (height, weight, blood type, physical fitness measurement) Value), marriage, family structure, financial institution, license number, industry, occupation, company name, school name, job title, employee number, member number, resident card code, health insurance card number, pension certificate number, health insurance card information , Pension insurance card information, email address, handle name, etc. B. Those with an economic loss level of 2 and a mental level of 1 include passport information, purchase records, ISP accounts and passports, account numbers, credit card numbers, login accounts with financial websites, seal registration certificates, etc. And C. Those with an economic loss level of 3 and a mental level of 1 are account numbers and PINs, credit card numbers and passwords, financial website login accounts and passwords, etc.

  Furthermore, D.C. Those with an economic loss level of 1 and a mental level of 2 are information on race, ethnicity, nationality, dialect, educational background, work history, prizes, grades, hobbies, special skills, preferences, illness (health check results, medical history, Surgery history, pregnancy history, nursing records, other physical examination records, treatment methods), information on disability (disability information, disability certificate information, intellectual disability information), biometric information (fingerprint, vein, voiceprint, retina, Face image), body characteristics (three sizes), psychological test results, personality judgment diagnosis results, diary, mail contents, and the like. E. Economic loss level 2 and mental level 2 are information on income / property, etc., annual income / annual income classification, assets (real estate: land, movable property: securities, etc.), borrowed balance, salary, bonus Amount, tax payment, etc. F. An economic loss level of 3 and a mental level of 2 is, for example, a will. G. Those with an economic loss level of 1 and a mental level of 3 are those related to harassment (power harassment, sexual harassment, etc.), creed, religion, belief, sexuality, and current disease (disease name, medical condition, possessed infection) Disease, medical record). H. Those whose economic loss level is 2 and whose mental level is 3 are unemployment or job change information due to harassment, unemployment information due to company bankruptcy, and the like. I. Those with an economic loss level of 3 and a mental level of 3 include information on antisocial careers (arrest history, pre-registration history, violent political struggle), credit blacklists, and the like. These sensitivity categories are not limited and can be changed.

  In the above sensitivity classification, for example, the name, address, date of birth, etc. are both set to a pain level and a loss level of 1, and the data risk index is set to a low level. This level 1 is an item that is frequently entered in various documents, questionnaires, etc., and is therefore set to a low level. On the other hand, when data is provided, what gives the highest mental distress level and economic loss level for the individual is, for example, an antisocial behavioral history such as a criminal record or a previous medical history. Such an antisocial career has an impact on interpersonal relationships and artificial restrictions on employment relationships, and the level of economic loss is high in terms of income. In particular, when information is disclosed on the Internet, information provision is disclosed for a long period of time, so that the loss is also set for a long period of time.

  In addition, the data risk index for a company indicates the importance of data in the company, so the information classification managed by the company is replaced with a number. Replacing this information category with a number improves usability, and it is possible to use various dangerous states that are difficult to grasp by just setting each number to a number.

Next, C2: The security level of the data user will be described.
The degree of risk that increases when a data provider provides data is considered as the risk (probability) that the data user generates an incident≈the security level of the data user. The data user's security level uses data from the information security countermeasure benchmark. In the present embodiment, the above incidents indicate interruptions, inhibitions, losses, emergencies, and situations that may cause a crisis.

  FIG. 6 is an example of quantifying information security risks of each company from the A industry to the K industry of the primary industry to the tertiary industry, for example. FIG. 6 shows the information security level of the data user. The higher the value, the higher the risk that an incident such as information leakage will occur. By quantifying this risk, comparison between companies becomes easy.

Next, C3: The difference between the data provider and the data user will be described.
FIG. 7 is a diagram illustrating the relationship between companies that perform data communication. As shown in FIG. 7, when the A industry to the E industry are connected by a network, the risk is considered to change depending on the relationship between the companies that exchange data, particularly the difference in the industry. In the same industry, for example, the provision of data between companies A1 to A4 in the A industry has a risk of exposing information that the business know-how and strengths, etc. do not want to be known to competitors. On the other hand, providing data between different industries is considered to be less risky. For example, when a health care company knows know-how about cars, it is used in the health care field, so it is difficult for data providers to suffer.

In the present embodiment, each risk is weighted according to the type of industry. In the case of the same industry, it is assumed that the risk is 1.2 times greater than that of the different industry, and either (different industry: 1 / same industry: 1.2) is selected.
The risk index in the present embodiment is represented by the product of the degree of risk (probability) that the risk of damage occurs and the assumed amount of damage (scale).

Next, R1: The risk of payment for damages will be described.
It is expressed as the product of the risk (probability) that damages will occur and the expected damage amount. The risk (probability) of the occurrence of damages (to the data provider's customer) is the risk (incidence) that the breach of contract with the customer will occur. (Probability) ≒ Use the security level of the data user. The damage amount to be damaged is used by extending an existing evaluation formula (see Non-Patent Document 2) defined by the Japan Network Security Association. There are cases where the customer is a company and an individual, but both are values proportional to the importance of the data.

R2: Explain the risk of a decline in competitiveness due to disclosure of trade secrets.
It is determined by the product of the risk (probability) of the exposure of trade secrets and the assumed damage amount. The degree of risk (probability) at which the exposure of trade secrets occurs is divided into cases where data leaks when it occurs when data is provided, and is defined as the sum of these. These are represented by the importance of the data to the data provider and the security level of the data user. We assume that the expected amount of damage can be used by extracting business profits related to the target data from public documents such as securities reports.

R3: Explain the risk of lost profits due to customer withdrawal.
It is determined by the product of the risk (probability) of lost profits resulting from customer withdrawal and the estimated amount of damage. (The method of obtaining R3 is similar to R2.) The degree of risk (probability) that a customer leaves may occur when the customer leaves when the data is provided (for example, the customer distrusts in providing the data itself). And when the customer leaves when the data is leaked, it is defined by adding them together. These are represented by the importance of the data for the data provider customer and the security level of the data user. As for the expected amount of damage, we can extract and use the profit amount of the business related to the target data from public documents such as securities reports as above.

  In the present embodiment, the risk at the time of data provision is classified into the above three and calculated. In the calculation example, the following calculation formula is used.

K _1, k ₂ : The ratio of the risk of damage when data is provided to the risk of damage when data is leaked, {(probability of damage due to leakage) / (provide data The probability of occurrence of damage due to implementation itself)}.

g: Information risk calculated from sensitivity classification and information classification. In the case of personal information, it is expressed as Max (10 ^x-1 +5 ^y-1 ), otherwise it is expressed as Max (10 ^x-1 ). expressed.

When defined as described above, each of R1, R2, and R3 is expressed by a function having C1, C2, and C3 as variables. Below, the calculation example of said R1-R3 and C1-C3 is demonstrated. Thus, since the risk is calculated by the functional expression, several risks are calculated under the same conditions, and thus the magnitudes of the calculated risks can be appropriately compared.

Calculation Example (1): When Considering Provision of Consumer Purchase History Data An example of calculating a risk index generated when a company provides data to another company will be described for data held by an existing company.

FIG. 8 shows an example of the product category and purchase channel of M Corporation.
Data is acquired by scanning the barcode of the product purchased by the consumer using a dedicated application, such as “Purchaser attribute information”, “Scan date / time”, “Purchased”, “Product JAN code”, “Purchased quantity”, etc. Is included. Taking the case where the data owned by M Co., Ltd. is provided to another company as an example, the risk is calculated.

Here, as the providing destination (data user B): Real estate B1 company / 2. Manufacturing B2 company / 3. Consider offering to 3 companies of wholesale B3. After describing each risk element C1 to C3, calculation of the risk in which they are applied to the formulas R1 to R3 will be described in detail.
First, the risk factor C1 (importance of data per player) will be described.
As shown in FIG. 9, the importance C11 (x) for the data provider A is determined by which management information category of the company A the data to be handled belongs to. Since it was originally collected as data for sale outside, the level of management classification is considered low. In this example, C11 is set to 0.1.

  The importance C12 (x, y) of the data provider customer a represents how important the data to be handled is for the customer (in the case of this embodiment, an individual). In FIG. 5 described above, importance (= sensitivity) for an individual is determined by a matrix of economic loss levels and mental distress levels (two-axis expansion) for each type of data.

FIG. 10 is a diagram illustrating an example of consumer purchase history data.
Assuming that the purchase history data is the type of data handled in this embodiment, the sensitivity of these data is obtained with reference to the matrix diagram shown in FIG. Among these, the value with the largest x and y is adopted as C12. here,
Living area / sex / age / unmarried / single
= [Mental distress level x = 1, economic loss level y = 1],
Purchase place / product category / purchase channel
= [Mental distress level x = 1, Economic loss level y = 2], Date and time = [Other than personal information]
C12 → MAX (x, y) = (1, 2)
The risk factor C2 (data user security level) will be described.
Here, the security levels of data users belonging to C, G, and I shown in FIG. 6 are described as manufacturing industry C, wholesale industry G, and real estate industry I, for example. Here, the average value of the scores of each industry is used. The value is used by normalizing 0 to 140 to 0 to 1. In FIG. 6, the higher the value, the more security measures are taken, and the value obtained by subtracting the value from 1 is used as the security risk.

C21 → Manufacturing industry C: 1-0.62 = 0.38
C22-> Wholesale G: 1-0.53 = 0.47
C23 → Real estate I: 1-0.60 = 0.40
Next, the risk factor C3 (similarity between the data provider and data user industries) will be described. Here, different industry: 1 / same industry: 1.2 is set.

In this case, since data provider A and users B1, B2, and B3 are different industries, C3 → 1.
In addition, the assumed damage amount N will be described. In the description here, the matters described in Non-Patent Document 2 are used as a reference.

f (C ₁₂ ): Customer a is company = basic information value [500] × information risk [Max (10 ^{× −1} )]
C ₁₂ = x × Social responsibility level of the information leakage source organization [2,1]
Note that the information risk level Max (10 ^{× −1} ) is g (C ₁₂ ).

f (C ₁₂ ): Customer a is an individual = basic information value [500] × information risk [Max (10 ^x-1 +5 ^y-1 )]
C ₁₂ = (x, y) × Estimated person identification [6,3,1] × Social responsibility of the information leakage source organization [2,1] Note that the information risk Max (10 ^x-1 +5 ^{y- 1} ) is g (C ₁₂ ).
Damage compensation amount = basic information value [500] x information risk [Max (10 ^x-1 +5 ^y-1 )]
× Personal ease of identification [6,3,1] × Social responsibility of the organization that leaked information [2,1] × Ex-post evaluation [2,1]
[Assumed damage amount of R1] N1 = f (C ₁₂ )
f (C ₁₂ (x, y) = (1, 2)) = 500 × (10 ^ 0 + 5 ^ 1) × 1 × 1 = 3,000 yen This amount is assumed per customer when information is leaked It will be 3,000 yen that will be paid for damages. If the number of customers providing the purchase history data of this embodiment is 30,000,
Damage amount N1 = 3,000 × 30,000 → 90 million yen.

[Assumed damage amount of R2, R3] N2
This will be described with reference to a description example of the securities report shown in FIG. Assume that N2 → 1,234 (thousand yen) (of which net income) is shown in FIG.

FIG. 12 shows a table of the parameter management unit in which the risk factors C1, C2, and C3 and the loss amounts N1 and N2 are stored.
Risk indices R1, R2, and R3 are obtained using the above parameters. The risk index is indicated by a value proportional to the expected value (amount) of the assumed damage based on the product of the risk (probability) of the damage risk and the assumed amount of damage (scale). Here, a value obtained by dividing the product of the risk level and the damage amount by 1 million is defined as a risk index [no unit].

    However, Risk Index R1: Assume the risk of payment for damages.

The risk (probability) C2 at which the damage amount N occurs will be described.
The risk factor C2 (security level of the data user) is used as the risk of occurrence of an incident that increases due to the provision of data.
In the present embodiment, it is assumed that the risk factors C21, 22, and 23 of the three companies are values proportional to the “occurrence probability” of damage.
Assumed damage amount (scale) N1 for damages is N1 = f (C12) = 90 million yen, and the value of C21-23 × assumed damage amount / million R1 → Manufacturing: 34.2 Wholesale Industry: 42.3 Real estate industry: 36.0.

However, Risk Index R2: Risk of decline in competitiveness due to disclosure of trade secrets.

(Section 1: Risk of damage due to provision) + (Section 2: Risk of damage due to leakage)
The value of k ₁ is (damage occurrence probability due to leakage) / (damage occurrence probability due to data provision itself).
There is a risk that the secret will be exposed when the data is provided. Further, when data is leaked, the risk of secret exposure is further increased, which corresponds to the second term. It is considered that the risk is greatly increased when data is leaked than when data was provided.

In the present embodiment, it is assumed that the probability of secret exposure at the time of data leakage is five times higher than when data is provided, and k ₁ = 5 is set.

  The assumed loss (scale) N2 due to secret exposure is assumed to affect the final sales profit of the business = 80,827 (thousand yen). See FIG.

  (Risk of provision + Risk of leakage) x Estimated damage / million R2 → Manufacturing: 3.91 Wholesale: 4.51 Real estate: 4.04. See FIG.

However, the risk index R3 is the risk of lost profits due to customer withdrawal.

(Section 1: Risk of damage due to provision) + (Section 2: Risk of damage due to leakage)
The value of k ₂ is a (loss probability due to the leakage) / (Breakage probability by itself to carry out the data provided).
There is a risk that the customer will leave when the data is provided (eg, the customer feels distrust), and this is item 1. If data is leaked, the risk of leaving the customer is further increased. This is the second term.
Regarding the risk of leaving the customer, it is considered that the risk at the time of providing the data is higher than the risk of secret exposure (of R2). In the present embodiment, it is assumed that the probability of customer departure at the time of data leakage is about twice that at the time of data provision, and k ₂ = 2.

The estimated amount (scale) N2 of lost profit is assumed to be sales profit of the business (profit obtained from customers) = 80,827 (thousand yen).
(Risk of provision + Risk of leakage) x Assumed damage / million R3 → Manufacturing: 2.28 Wholesale: 2.51 Real estate: 2.38.

FIG. 13 collectively shows the risk calculation results described above for calculation example (1).
In each past data provision case, the risk is calculated, and the value is compared with the value in this embodiment to determine whether the data provision in this embodiment is safer or more dangerous than the past case. Judgment can be made.

For example, for each risk R1 to R3, if the average value of cases that could be safely traded in the past is R1 = 50, R2 = 5, and R3 = 5, the risk index of this embodiment is all below, so the provision of data is , It can be judged as “relatively safe”.
Further, when comparing the three supply destinations assumed in the present embodiment, since the risk index is higher in the wholesale business B2 than in other companies, it can be said that the trade needs attention.

Next, calculation example (2): a case where railway use history data is provided will be described.
An example in which data is provided to another company and a risk index generated at the time of data provision is obtained using the risk calculation method of the present embodiment will be described. An example of calculating the risk of being criticized by a customer when a railway company provides its railway usage history data to other companies will be described. Hereinafter, after describing the risk elements C1 to C3, how to calculate the risk by applying them to the equations R1 to R3 will be described.

Next, the risk factor C1 (importance of data for each player) will be described.
FIG. 14 is a diagram illustrating an example of management information classification of data to be handled. FIG. 15 is a diagram illustrating an example of railway use history data.
The importance C11 (x) in the data provider A is determined by which management information category the data to be handled belongs to. Here, since the data is originally stored as the customer's personal information, the level of the management classification is C11 as 0.2.

  The importance C12 (x, y) of the data provider customer a represents how important the data to be handled is for the customer (in this embodiment, an individual). For each type of data shown in FIG. 5 described above, importance (= sensitivity) in an individual is determined by a matrix of economic loss level and mental distress level. For the data handled in FIG. 15, the sensitivity of the data handled in the present embodiment is obtained with reference to FIG. Among these, the value with the largest “x” and “y” is adopted as C12.

Use date / time / birth / sex = [mental distress level x = 1, economic loss level y = 1]
Boarding / exiting station = [mental distress level x = 2, economic loss level y = 1]
Identification number, usage amount = [other than personal information]
Therefore, C12 → MAX (x, y) = (2, 1).

  The risk factor C2 (data user security level) will be described. The railway use history data is assumed to have been provided to a manufacturing company C. Here, the average value of the industry is used. The risk factor C2 is obtained with reference to FIG. Therefore, risk factor C21 → manufacturing industry: 1-0.62 = 0.38.

The risk factor C3 (the difference between the data provider and data user industries) will be described. Here, different industries: 1 / same industries: 1.2.
In this embodiment, since data provider A and user B are different industries, C3 → 1.
Explain the expected damage. In the description here, the matters described in Non-Patent Document 2 are referred to.

f (C ₁₂ ): Customer a is company = basic information value [500] × information risk [Max (10 ^{× −1} )]
C ₁₂ = x × Social responsibility level of the information leakage source organization [2,1]
Note that the information risk level Max (10 ^{× −1} ) is g (C ₁₂ ).
f (C ₁₂ ): Customer a is an individual = basic information value [500] × information risk [Max (10 ^x-1 +5 ^y-1 )]
C ₁₂ = (x, y) × Estimated person identification [6,3,1] × Social responsibility of the information leakage source organization [2,1] Note that the information risk Max (10 ^x-1 +5 ^{y- 1} ) is g (C ₁₂ ).
Damage compensation amount = basic information value [500] x information risk [Max (10 ^x-1 +5 ^y-1 )]
× Personal ease of identification [6,3,1] × Social responsibility of the organization that leaked information [2,1] × Ex-post evaluation [2,1]
[Assumed damage amount of R1] N1 = f (C ₁₂ )
f (C ₁₂ (x, y) = (2,1)) = 500 × (10 ^ 1 + 5 ^ 0) × 1 × 1 = 5,500 yen This value is the assumption per customer when information is leaked Is the amount of damages to be paid. Since there are about 4 million customers providing the purchase history data of this embodiment, N1 = 5,500 × 4,000,000 → 2,200 (million yen).

[Assumed damage amount of R2, R3] N2 will be described.
FIG. 16 conceptually shows the profit amount of the related business from the securities report. Suppose that N2 → 26,730 (thousand yen).
FIG. 17 is a diagram illustrating an example of the risk elements C1, C2, and C3 and the values of N1 and N2 stored in the parameter management unit. FIG. 18 is a diagram illustrating a risk calculation result regarding the calculation example (2).

  The risk indices R1, R2, and R3 are obtained using the parameters described in FIG. The risk index is represented by a value proportional to the expected value (amount) of the assumed damage based on the product of the risk (probability) of the risk of damage and the assumed amount of damage (scale). In the present embodiment, a value obtained by dividing the product of the degree of risk and the amount of damage by one million is defined as a risk index [no unit].

However, Risk Index R1: Assume the risk of payment for damages.

The risk (probability) C2 at which the damage occurs uses the risk factor C2 (the security level of the data user) as the risk of the occurrence of an incident that increases due to the provision of data.
The assumed damage amount (scale) N1 for damage compensation will be described.
f (C12) = 2,200 (million yen)
However, the value of risk factor C2 x assumed loss / million.

  Therefore, R1 → 836.

However, Risk Index R2: Risk of decline in competitiveness due to disclosure of trade secrets.

(Section 1: Risk of damage due to provision) + (Section 2: Risk of damage due to leakage)
However, the value of k1 is (damage occurrence probability due to leakage) / (damage occurrence probability due to data provision itself). There is a risk that the secret will be exposed when the data is provided. If data is leaked, the risk of secret exposure increases. This is the second term. It is considered that the risk is greatly increased when data is leaked than when data was provided. In the present embodiment, it is assumed that the probability of secret exposure at the time of data leakage is five times higher than when data is provided, and k1 = 5.

The assumed damage amount (scale) N2 due to the secret exposure will be described.
We think that it will affect the final sales profit of the business = 26,730 (1,000 yen)
(Risk of provision + Risk of leakage) x Estimated damage / million.
Therefore, R2 → 2.58.

However, the risk index R3 is the risk of lost profits due to customer withdrawal.

(Section 1: Risk of damage due to provision) + (Section 2: Risk of damage due to leakage)
However, the value of k2 is (damage occurrence probability due to leakage) / (damage occurrence probability due to data provision itself). There is a risk that the customer will leave when the data is provided (eg, the customer feels distrust), and this is item 1. If data is leaked, the risk of leaving the customer is further increased. This is the second term. Regarding the risk of leaving the customer, it is considered that the risk at the time of providing the data is higher than the risk of secret exposure (of R2).
In the present embodiment, it is assumed that the probability of customer withdrawal at the time of data leakage is about twice that at the time of data provision, and k2 = 2.

The assumed amount (scale) N2 of lost profit will be described.

Business sales profit (profit from customers) = 26,730 (thousand yen).
However, (Danger of provision + Risk of leakage) x Estimated damage / million. Therefore, R3 → 1.38.

  As described above, in the past data provision examples, whether the data provision of this embodiment is safe compared to the past cases by calculating the risk and comparing the value with the value of this embodiment. It can be judged whether it is dangerous. For example, for each risk R1 to R3, if the average value of cases that could be safely traded in the past is R1 = 50, R2 = 5, R3 = 5, this case may be that R1 is much higher than the average value. I understand. From this, it can be determined that the payment of compensation to the customer is large ≒ The expected value of damage (economic and mental damage) to be incurred by the customer is large, so it is necessary to pay close attention to the transaction .

This actual case is not a case that caused an incident such as a leak, but has been greatly criticized by customers. The occurrence of this criticism was due to lack of explanation to customers.
The risk calculation apparatus 2 of the present embodiment can calculate and output the first to third risk elements and the first to third risks described above using a driving program to be executed by a computer.
The parameter group shown in FIG. 3, the sensitivity classification shown in FIG. 5, various other information, and the above-described mathematical formula are stored in a computer storage medium, and the operator inputs the setting information and conditions for the data user. Output and automatically calculate risk. Also in data provision, it can be automatically transmitted to the corresponding data user based on the risk judgment result.

Next, a configuration example of the risk determination device will be described.
The risk determination apparatus 1 according to the present embodiment can perform various operations according to risk determination by changing the form of the output control unit 7.

[Configuration example 1]
The condition determination unit 6 outputs the risk index as it is to the output control unit 7.
The output control unit 7 transmits the result of the risk index to the data provider as it is. By observing the risk index when the granularity of data is changed, it becomes possible to provide data with appropriate importance.

[Configuration example 2]
The condition determination unit 6 determines the risk index with a threshold value. If you are considering providing to multiple companies (or data users), this is the company (or data) that will be the data provider based on the decision that it is less than the threshold → available / more than the threshold → unavailable. User).
The output control unit 7 controls the access destination (providing destination) and transfers data only to companies (or data users) that are determined to be available.

[Configuration example 3]
The condition determination unit 6 determines the risk index with a threshold value. In this case, the data type and the degree of disclosure are input in a plurality of patterns, and data that can disclose the most information within an appropriate risk range is selected.
The output control unit 7 controls the access destination and transfers only a data set less than a certain risk index.

  The risk calculation apparatus and the risk calculation method of the present embodiment described above can comprehensively model the risks that occur due to the implementation of data provision, and can realize a quantitative risk calculation framework. By organizing not only the data itself but also the players involved in the data provision and reflecting the relationship between the data senders and receivers, it is possible to comprehensively express the risks posed to the company at the time of the data provision. Therefore, it is possible to determine whether or not to provide data while observing the risk of damage to the company from a multifaceted viewpoint.

  DESCRIPTION OF SYMBOLS 1 ... Risk determination apparatus, 2 ... Risk calculation apparatus, 3 ... Condition determination apparatus, 4 ... Parameter management part, 5 ... Risk calculation part, 6 ... Condition determination part, 7 ... Output control part.

Claims (8)

A risk calculation device for calculating a risk when a data provider provides data to one or more data users,
A first risk factor relating to the data itself, including at least a sensitivity to data classified by data type and attribute, and a second risk factor relating to the data user, including at least the risk of occurrence of an incident by the data user, and A parameter management unit for determining a third risk factor relating to the relationship between the data provider and the data user who exchange data;
Using the first risk element, the second risk element, and the third risk element, a risk calculation unit that calculates a risk of suffering damage associated with data distribution as a risk index;
A risk calculation device.   The risk calculation unit includes a plurality of risks including a first risk that payment of damages occurs, a second risk that decreases competitiveness due to disclosure of trade secrets, and a third risk that generates lost profits due to customer withdrawal. The risk calculation device according to claim 1, wherein the risk calculation device is calculated as a risk index. The risk calculation unit
The first risk element is C1, the second risk element is C2, and the third risk element is C3, the first risk is R1, the second risk is R2, and the third risk is R3. When
The risk calculation apparatus according to claim 2, wherein the first risk, the second risk, and the third risk are each calculated as a risk index using a function formula of: It is connected with the risk calculation device according to any one of claims 1 to 3,
The risk index output from the risk calculation unit of the risk calculation device is compared with a predetermined threshold, and the data is selectively selected for data users whose risk index is less than the predetermined threshold. A condition determination unit that determines to provide
A risk determination device comprising: a condition determination device having an output control unit that provides data only to the data user selected by the condition determination unit. A risk calculation method for calculating a risk when a data provider provides data to one or more data users,
A first risk factor relating to the data itself classified by sensitivity to the data including the type and attribute of the data itself, a second risk factor relating to the data user causing the occurrence of the incident by the data user, and the data Seeking a third risk factor regarding the relationship between the data provider and the data user that occurs between the two parties
A risk calculation method of calculating, as a risk index, a risk of suffering damage associated with data distribution using the first risk element, the second risk element, and the third risk element.   In the calculation of the risk, a plurality of risks including a first risk in which payment of damages is generated, a second risk in which competitiveness is reduced due to disclosure of trade secrets, and a third risk in which lost profit is generated due to customer withdrawal are described above. The risk calculation method according to claim 5, wherein the risk calculation method is calculated as a risk index. A risk calculation device driving program for calculating a risk when a data provider provides data to one or more data users,
A first risk factor relating to the data itself, including at least a sensitivity to data classified by data type and attribute, and a second risk factor relating to the data user, including at least the risk of occurrence of an incident by the data user, and Parameter management for determining a third risk factor relating to the relationship between the data provider and the data user who exchanges data;
Using the first risk element, the second risk element, and the third risk element, a risk calculation for calculating a risk of suffering damage associated with data distribution as a risk index;
The program for driving the risk calculation apparatus according to claim 1, wherein the program is executed by a computer.     In the risk calculation, the first risk that payment of damages is generated, the second risk that competitiveness is reduced due to disclosure of trade secrets, and the third risk that is lost profit due to customer withdrawal are calculated as the risk index. The program for driving the risk calculation apparatus according to claim 7, wherein the program is executed by a computer.