To provide an information security policy evaluation system in which
information security policies can be efficiently and appropriately
defined and operated in an organization such as a corporation, treated
threats operated on a second site are transmitted from a second
information processing apparatus on the second site to a first
information processing apparatus on a first site, and threat information
is transmitted to the first information processing apparatus from a third
site that collects information on threats. From the received treated
threats, the first information processing apparatus extracts the treated
threats that have been effective against threats that have actually
occurred, and the untreated threats, and generates an evaluation report
describing them. Moreover, the compensation amount of insurance against
threats is changed based on the generated evaluation report.