According to the present invention, objective indicators are presented to users in risk evaluation. Attack route information (21) includes information on an attack route including one or more attack steps including an attack source, an attack destination, and an attack method. A vulnerability specifying means (11) specifies the vulnerability used for attacking the attack destination in the attack step with reference to the attack route information (21). A vulnerability information DB (22) stores the vulnerability in association with the presence or absence of an attack verification code for the vulnerability. A diagnostic evaluation generation means (12) examines whether or not the attack verification code exists for the specified vulnerability with reference to the vulnerability information DB (22), and generates, for an attack step, a risk diagnosis evaluation including the number of specified vulnerabilities and the presence or absence of the attack verification code. An output means (13) outputs the attack step and the risk diagnosis evaluation in association with each other.
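The per-step evaluation described above can be sketched as follows. This is an added example, not code from the patent: the lookup of vulnerabilities by (attack destination, attack method), the host names, the method labels and the VULN-xxxx identifiers are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class AttackStep:
    source: str
    destination: str
    method: str

# Constructed sample data: host names, method labels and VULN-xxxx IDs are placeholders.
ATTACK_ROUTE = [
    AttackStep("internet", "web01", "remote-code-execution"),
    AttackStep("web01", "db01", "privilege-escalation"),
    AttackStep("db01", "hmi01", "credential-reuse"),
]
# Assumption: vulnerabilities are looked up by (attack destination, attack method).
HOST_VULNS = {
    ("web01", "remote-code-execution"): ["VULN-0001", "VULN-0002"],
    ("db01", "privilege-escalation"): ["VULN-0003", "VULN-0004"],
}
# Vulnerability information DB: vulnerability -> attack verification code exists?
VULN_DB = {"VULN-0001": True, "VULN-0002": False, "VULN-0003": False}

def specify_vulnerabilities(step, host_vulns):
    """Vulnerabilities usable against the step's destination with its method."""
    return list(host_vulns.get((step.destination, step.method), []))

def generate_evaluation(step, host_vulns, vuln_db):
    """Per-step evaluation: vulnerability count and verification-code presence."""
    vulns = specify_vulnerabilities(step, host_vulns)
    return {
        "step": step,
        "vulnerability_count": len(vulns),
        "with_code": [v for v in vulns if vuln_db.get(v) is True],
        # A vulnerability missing from the DB is unknown, not "no code".
        "not_in_db": [v for v in vulns if v not in vuln_db],
    }

def evaluate_route(route, host_vulns, vuln_db):
    return [generate_evaluation(s, host_vulns, vuln_db) for s in route]

def format_report(evaluations):
    rows = []
    for e in evaluations:
        s = e["step"]
        code = "yes" if e["with_code"] else "no"
        rows.append(f"{s.source} -> {s.destination} [{s.method}]: "
                    f"vulns={e['vulnerability_count']} code={code} unknown={len(e['not_in_db'])}")
    return "\n".join(rows)

if __name__ == "__main__":
    print(format_report(evaluate_route(ATTACK_ROUTE, HOST_VULNS, VULN_DB)))
```

Steps with a nonzero count and `code=yes` are the ones a reviewer would prioritize, while `unknown` flags gaps in the vulnerability DB that would otherwise read as low risk.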