Risk analysis apparatus, method, and computer-readable medium
US-2024281540-A1 · Aug 22, 2024 · US
US12554858B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12554858-B2 |
| Application number | US-202318173870-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 24, 2023 |
| Priority date | Jul 6, 2022 |
| Publication date | Feb 17, 2026 |
| Grant date | Feb 17, 2026 |
Abstract
According to one embodiment, a risk evaluation device includes a vulnerability information input unit, an individual countermeasure acquisition unit, a parameter acquisition unit, a determination unit, and a calculation unit. The vulnerability information input unit receives an input of vulnerability information to be subjected to risk evaluation. The individual countermeasure acquisition unit acquires at least one security countermeasure introduced into a system to be evaluated. The parameter acquisition unit acquires a candidate parameter value to be used for calculation of the risk of vulnerability for each security countermeasure based on the security countermeasure and the vulnerability information. The determination unit determines a parameter to be used for the calculation of the risk of vulnerability from the candidate parameter values. The calculation unit calculates a risk value indicating the risk of vulnerability by using the parameters determined by the determination unit.
Claims

What is claimed is:

1. A risk evaluation device, comprising: one or more hardware processors configured to function as: a vulnerability information input unit configured to receive an input of vulnerability information to be subjected to risk evaluation; an individual countermeasure acquisition unit configured to acquire at least one security countermeasure introduced into a system to be evaluated; a parameter acquisition unit configured to acquire a candidate parameter value to be used for calculation of a risk of vulnerability for each of security countermeasures based on the security countermeasure and the vulnerability information; a determination unit configured to determine a parameter to be used for the calculation of the risk of vulnerability from candidate parameter values; and a calculation unit configured to calculate a risk value indicating the risk of vulnerability by using the parameter determined by the determination unit.
2. The risk evaluation device according to claim 1, wherein the vulnerability information is common vulnerabilities and exposures (CVE).
3. The risk evaluation device according to claim 1, wherein the one or more hardware processors are configured to further function as: a target risk value input unit configured to receive an input of a target risk value and determine a risk value higher than the target risk value as a risk value to be output; and an output unit configured to output the risk value to be output.
4. The risk evaluation device according to claim 1, wherein the parameter acquisition unit acquires, for each security product introduced into the system to be evaluated, the candidate parameter value further based on the type of vulnerability when the type of vulnerability that is handleable by the security product can be acquired.
5. The risk evaluation device according to claim 1, wherein the one or more hardware processors are configured to further function as: an evaluation unit configured to specify an assumed attack source, evaluate whether the security countermeasure is effective based on whether there is a device that performs the security countermeasure on a path from the attack source to the system to be evaluated, and change the candidate parameter value acquired for each of the security countermeasures when the security countermeasure is not effective.
6. The risk evaluation device according to claim 5, wherein, when there is a device that performs the security countermeasure on the path, the evaluation unit further evaluates whether the security countermeasure is effective from a setting of the device and changes the candidate parameter value acquired for each of the security countermeasures when the security countermeasure is not effective.
7. The risk evaluation device according to claim 1, wherein the calculation unit further receives an input of a security requirement degree of the system to be evaluated and calculates the risk value based on the security requirement degree.
8. The risk evaluation device according to claim 7, wherein the one or more hardware processors are configured to further function as: an adjustment unit configured to adjust the security requirement degree from program information of a program operating in the system to be evaluated and a predetermined adjustment rule.
9. The risk evaluation device according to claim 8, wherein the program information includes an operation time of the program, and the adjustment rule is a rule for adjusting the security requirement degree according to the operation time.
10. The risk evaluation device according to claim 8, wherein the program information includes a usage status of a library linked to the program, and the adjustment rule is a rule for adjusting the security requirement degree according to the usage status.
11. The risk evaluation device according to claim 8, wherein the program information includes information indicating whether the program performs network communication, and the adjustment rule is a rule for adjusting the security requirement degree according to presence or absence of the network communication.
12. The risk evaluation device according to claim 1, wherein the one or more hardware processors are configured to further function as: a generation unit configured to generate a combination of unintroduced security countermeasures into the system to be evaluated, wherein the calculation unit further calculates a risk value when the combination of the unintroduced security countermeasures is introduced.
13. The risk evaluation device according to claim 12, wherein the one or more hardware processors are configured to further function as: a constraint consideration unit configured to give a priority to a combination of the unintroduced security countermeasures from a constraint condition when the combination of the unintroduced security countermeasures is introduced; and an output unit configured to output the combination of the unintroduced security countermeasures and the priority.
14. A risk evaluation method implemented by a computer, the method comprising: receiving, by the risk evaluation device, an input of vulnerability information to be subjected to risk evaluation; acquiring, by the risk evaluation device, at least one security countermeasure introduced into a system to be evaluated; acquiring, by the risk evaluation device, a candidate parameter value to be used for calculation of a risk of vulnerability for each of security countermeasures based on the security countermeasure and the vulnerability information; determining, by the risk evaluation device, a parameter to be used for the calculation of the risk of vulnerability from candidate parameter values; and calculating, by the risk evaluation device, a risk value indicating the risk of vulnerability by using the determined parameter.
15. A computer program product having a non-transitory computer readable medium including programmed instructions stored thereon, wherein the instructions, when executed by a computer, cause the computer to function as: a vulnerability information input unit configured to receive an input of vulnerability information to be subjected to risk evaluation; an individual countermeasure acquisition unit configured to acquire at least one security countermeasure introduced into a system to be evaluated; a parameter acquisition unit configured to acquire a candidate parameter value to be used for calculation of a risk of vulnerability for each of security countermeasures based on the security countermeasure and the vulnerability information; a determination unit configured to determine a parameter to be used for the calculation of the risk of vulnerability from candidate parameter values; and a calculation unit configured to calculate a risk value indicating the risk of vulnerability by using the parameter determined by the determination unit.
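The claims describe a pipeline but fix no scale for the parameters, no rule for choosing among candidate values, and no adjustment rules. The following is an added toy model of that pipeline, written for this page and not code from the patent or its assignee. It assumes CVSS-like weights for three parameters (attack vector, attack complexity, privileges required), assumes the determination unit picks the lowest-weight candidate per parameter, and uses constructed adjustment rules, a constructed vulnerability record with a placeholder CVE ID, constructed countermeasures and a constructed cost budget as the constraint condition. It exercises claims 4 (type-specific countermeasures), 5 and 6 (countermeasure off the attack path or disabled by its setting), 8 to 11 (security requirement degree adjusted from program information) and 12 and 13 (ranking combinations of unintroduced countermeasures under a constraint).

```python
"""Toy model of the claimed risk evaluation pipeline (constructed example)."""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, List, Set

# CVSS-like weights (assumption: the patent fixes no scale; values are constructed).
AV = {"network": 0.85, "adjacent": 0.62, "local": 0.55}   # attack vector
AC = {"low": 0.77, "high": 0.44}                          # attack complexity
PR = {"none": 0.85, "low": 0.62, "high": 0.27}            # privileges required
SCALES = {"av": AV, "ac": AC, "pr": PR}


@dataclass
class Vulnerability:
    """Vulnerability information (claim 2: a CVE record); the ID is a placeholder."""
    cve_id: str
    vuln_type: str            # category used by claim 4 ("rce", "sqli", ...)
    av: str
    ac: str
    pr: str


@dataclass
class Countermeasure:
    """A security countermeasure and the candidate parameter values it proposes."""
    name: str
    candidate: Dict[str, str]                        # parameter -> proposed value
    handles: Set[str] = field(default_factory=set)   # vuln types covered; empty = all
    on_path: bool = True    # claim 5: a device performing it sits on the attack path
    enabled: bool = True    # claim 6: the device setting actually activates it
    cost: int = 0           # used by the constraint consideration unit (claim 13)


def acquire_candidates(vuln: Vulnerability, cms: List[Countermeasure]) -> Dict[str, List[str]]:
    """Parameter acquisition unit plus the claim 5/6 evaluation unit.
    Each parameter starts with the vulnerability's own value; an effective,
    type-matching countermeasure adds its candidate, an ineffective one adds none."""
    cands = {"av": [vuln.av], "ac": [vuln.ac], "pr": [vuln.pr]}
    for cm in cms:
        if cm.handles and vuln.vuln_type not in cm.handles:
            continue                                   # claim 4: wrong vuln type
        if not (cm.on_path and cm.enabled):
            continue                                   # claims 5/6: not effective
        for param, value in cm.candidate.items():
            cands[param].append(value)
    return cands


def determine(cands: Dict[str, List[str]]) -> Dict[str, str]:
    """Determination unit. Assumption: lowest-weight candidate wins per parameter."""
    return {p: min(vals, key=lambda v: SCALES[p][v]) for p, vals in cands.items()}


def adjust_requirement(base: int, program: Dict) -> int:
    """Adjustment unit (claims 8-11) with constructed rules; degree is clamped to 1..5."""
    degree = base
    if program["hours_per_day"] >= 20:    # claim 9: long operation time
        degree += 1
    if program["uses_affected_lib"]:      # claim 10: library usage status
        degree += 1
    if not program["network"]:            # claim 11: no network communication
        degree -= 1
    return max(1, min(5, degree))


def risk_value(params: Dict[str, str], requirement: int) -> float:
    """Calculation unit (claim 7): weight product scaled by the requirement degree."""
    return round(AV[params["av"]] * AC[params["ac"]] * PR[params["pr"]] * 2 * requirement, 2)


def evaluate(vuln: Vulnerability, cms: List[Countermeasure], requirement: int) -> float:
    return risk_value(determine(acquire_candidates(vuln, cms)), requirement)


def rank_additions(vuln, introduced, unintroduced, requirement, budget):
    """Generation + constraint consideration units (claims 12, 13).
    Returns (names, risk, cost, priority) for every combination of unintroduced
    countermeasures; combinations within budget rank first, lowest risk first."""
    rows = []
    for k in range(len(unintroduced) + 1):
        for combo in combinations(unintroduced, k):
            cost = sum(cm.cost for cm in combo)
            risk = evaluate(vuln, introduced + list(combo), requirement)
            rows.append((tuple(cm.name for cm in combo), risk, cost))
    rows.sort(key=lambda r: (r[2] > budget, r[1], r[2]))
    return [(names, risk, cost, i + 1) for i, (names, risk, cost) in enumerate(rows)]


# Constructed scenario (not data from the patent).
VULN = Vulnerability("CVE-XXXX-PLACEHOLDER", "rce", av="network", ac="low", pr="none")
INTRODUCED = [
    Countermeasure("segmentation", {"av": "adjacent"}),                  # effective
    Countermeasure("waf", {"ac": "high"}, handles={"sqli", "xss"}),      # claim 4: skipped
    Countermeasure("mfa-gateway", {"pr": "low"}, on_path=False),         # claim 5: skipped
]
UNINTRODUCED = [
    Countermeasure("edr", {"ac": "high"}, cost=3),
    Countermeasure("priv-hardening", {"pr": "high"}, cost=2),
]
PROGRAM = {"hours_per_day": 24, "uses_affected_lib": True, "network": True}
REQUIREMENT = adjust_requirement(3, PROGRAM)   # constructed rules raise 3 to 5

if __name__ == "__main__":
    print("baseline risk:", evaluate(VULN, [], REQUIREMENT))
    print("current risk :", evaluate(VULN, INTRODUCED, REQUIREMENT))
    for row in rank_additions(VULN, INTRODUCED, UNINTRODUCED, REQUIREMENT, budget=4):
        print(row)
```

In the scenario, only the segmentation countermeasure changes a parameter: the WAF is skipped because it does not handle the vulnerability type, and the MFA gateway is skipped because no device performing it sits on the attack path. The ranking then puts the cheaper privilege-hardening addition first, and the combination of both additions last because it exceeds the budget even though it yields the lowest risk.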
Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities · CPC title
Assessing vulnerabilities and evaluating computer system security · CPC title