Information security policy evaluation system and method of controlling the same

1. An information security policy evaluation system comprising:

• a first information processing apparatus located at a first site;
  
  a second information processing apparatus located at a second site;
  
  a third information processing apparatus located at a third site; and
  
  a fourth information processing apparatus located at a fourth site,the first to fourth information processing apparatuses in data communication with each other,wherein the second information processing apparatus having a treated threat data storage section for storing treated threat data, the treated threat data being data indicating a threat which can be countered by an information security policy operating at the second site,the third information processing apparatus having a threat data storage section for storing threat data which is data indicating a previous occurrence of a threat, and a loss amount data storage section for storing loss amount data, the loss amount data being data which indicates, for each piece of the threat data, a magnitude of a loss occurring in a case where damage is suffered due to a threat,the second information processing apparatus having a treated threat data transmission section for transmitting the treated threat data to the first information processing apparatus,the third information processing apparatus having a threat data transmission section for attaching the loss amount data to the threat data and transmitting the threat data to the first information processing apparatus,the first information processing apparatus having a treated threat data reception section for receiving the treated threat data and a threat data reception section for receiving the loss amount data as well as the threat data,the first information processing apparatus having a correspondence data storage section for storing correspondence data which is data indicating correspondence between the threat data and the treated threat data, and a loss amount data storage section for storing the received loss amount data,the first information processing apparatus having an effective treated threat data extraction section for extracting a piece of treated threat data to which there is a piece of threat data corresponding in the threat data received by the threat data reception section, out of the treated threat data received by the treated threat data reception section, based on the correspondence data, and an evaluation data generation section for generating evaluation data in which the extracted treated threat data is described,the fourth information processing apparatus having a compensation amount storage section for storing a compensation amount of insurance which an organization operating the second site has taken out and which compensates a loss occurring in a case where damage due to a threat is suffered,the first information processing apparatus having an evaluation data transmission section for transmitting the evaluation data generated by the evaluation data generation section to the fourth information processing apparatus,the fourth information processing apparatus having an evaluation data reception section for receiving the evaluation data,the fourth information processing apparatus having a compensation amount setting section for resetting the stored compensation amount to the compensation amount determined in accordance with the evaluation data received by the evaluation data reception section.