JP2009009328A - Optimum account integrated support system, optimum account integrated support method and optimum account integrated support program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To select a combination optimally performing account integration of a plurality of systems after considering both convenience and security improvement having relation of trade-off to each other. <P>SOLUTION: This optimum account integrated support system 100 comprises: a grouping combination reception part 150 receiving pieces of kind information of the systems and information for designating the grouped combination allowing the account integration of them, and storing them into a memory 103; a risk value reception parts 151 receiving risk values of the plurality of systems, and storing them associatively to the kind information of the plurality of systems; and an optimum combination determination part 152 calculating account management cost based on a total account number after the account integration and risk increase about each the combination, and determining and outputting the optimum combination minimizing an objective function calculated as a difference of the account management cost and the risk increase. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to an optimum account integration support system, an optimum account integration support method, and an optimum account integration support program, and in particular, a plurality of systems in consideration of both convenience and security improvement that are in a trade-off relationship with each other. The present invention relates to an optimal account integration support system, an optimal account integration support method, and an optimal account integration support program that enable selection of a combination for optimal account integration.

  For example, in various Web applications realized by various systems on the Internet and various information systems in a company (hereinafter simply referred to as a plurality of systems), a user usually inputs an ID and a password, that is, an account. Login and authentication (hereinafter collectively referred to as account authentication).

However, it is easy for the above users to memorize all of these multiple accounts, take notes and prevent forgetting, and change the contents periodically as a security safety measure. It was not inconvenient. In addition, for those managing the accounts of the above-mentioned multiple systems (hereinafter referred to as “account managers”), it is possible to manage all user accounts so as not to leak, or to change user attributes (for example, When the user's job is changed, the affiliation, the ID, and the like are changed), and the labor and cost required for appropriately changing all the accounts of the user are not small.
Therefore, a technique for receiving account authentication with a single account as much as possible with respect to the plurality of systems, that is, a technique related to account integration has been proposed.

For example, in Patent Document 1, when a user uses a plurality of systems at the same time, a multi-server login linkage system, a client device, and login management that can log in to all the systems only by inputting a user ID and a password once. In a multi-server login linkage system comprising a client device, a login management device, and a plurality of server devices, for the purpose of providing a device, a server device and a storage medium, the identification information input by the client device Is sent to the login management device, the login management device performs login processing based on the identification information sent from the client device, and sends encrypted data obtained by encrypting the identification information to the client device, The client device sends it from the login management device The client device sends the encrypted data to the server device when the desired server device is used among the plurality of server devices, and the server device sends the client device to the client device. A multi-server login linkage system, etc. is disclosed that decrypts the encrypted data sent from the server and generates the identification information, and performs login processing in the server device based on the generated identification information. Yes.
JP 2002-183094 A

  By the way, in considering the integration of accounts of a plurality of systems as described above, in the direction of integrating the accounts of all the systems into one, as in the above-mentioned Patent Document 1, the input of accounts is to be performed. Convenience such as convenience for the user to perform and cost required for account management can be improved, but conversely security risks are increased. This is because, for example, if an account leaks to a third party and unauthorized access to the multiple systems becomes possible, unauthorized access to all systems integrated with the account becomes possible. . In other words, when considering account integration, improvement in convenience and improvement in security are in a trade-off relationship. However, in considering account integration in a plurality of systems, there has not yet been a technique that appropriately considers not only improvement of convenience but also improvement of security, and development has been desired.

  Accordingly, the present invention has been made in view of the above problems, and enables selection of a combination that optimally integrates a plurality of systems in consideration of convenience and security improvement that are in a trade-off relationship with each other. The main purpose is to provide an optimal account integration support system.

  The optimal account integration support system of the present invention that solves the above problems is a system that supports account integration between a plurality of systems each of which requires user account authentication, the type information of the plurality of systems, System combination information for specifying a combination obtained by grouping a plurality of systems for each system group that can be integrated into an account, received from an input interface and stored in a memory, and a grouped combination reception unit, and each of the plurality of systems A risk value receiving unit that receives a risk value, which is an estimated loss amount in the event of a security accident in each system, from an input interface and stores the risk value in a memory in association with the type information of the plurality of systems; and the system combination information Read from memory For the combination, an increase in risk, which is an expected increase in risk value due to account integration, is calculated based on the risk value of each system read from the memory, and the account for the combination is based on the total number of accounts after account integration. Calculating a management cost, calculating the difference between the risk increase and the account management cost as an objective function for the combination, determining the combination that minimizes the objective function as an optimal combination, and outputting it through an output interface; And an optimum combination determination unit.

  In addition, the grouping combination reception unit generates the hierarchy display data by positioning the system combination information as the upper hierarchy every time the plurality of systems are set as the first hierarchy and are sequentially grouped. Is output via the output interface, and the input of the system combination information is accepted from the input interface in the display based on the hierarchical display data.

  Further, the optimum combination determination unit subtracts the maximum value of each risk value of the plurality of systems included in the combination from the total value of the risk values of the plurality of systems included in the combination, thereby increasing the risk. It is preferable to perform the above calculation.

  In addition, an account management cost calculation formula definition unit that receives a numerical value necessary for calculating the account management cost from an input interface and stores the numerical value in a memory, and the optimal combination determination unit reads the account management cost read from the memory It is preferable to calculate the account management cost based on the numerical value necessary for calculating the number of accounts and the total number of accounts after the account integration.

  In addition, the optimum combination determination unit outputs the optimum combination by displaying the groups included in the optimum combination by color from the system combination information as the hierarchy display displayed by the grouping combination reception unit. It is preferable to output the risk increase value, the account management cost value, and the objective function value in the optimal combination via an output interface.

  Further, according to the optimum account integration support method of the present invention, a computer that supports account integration between a plurality of systems that respectively require user account authentication allows the plurality of system type information and the plurality of systems to be accounted for. System combination information that specifies combinations grouped for each system group that can be integrated is received from the input interface and stored in the memory, and a prediction is made when a security accident occurs in each of the plurality of systems. A risk value that is a loss amount is received from the input interface, stored in a memory in association with the plurality of system type information, the system combination information is read from the memory, and the combinations are read from the memory. system's The risk increase, which is the expected increase in risk value due to account integration, is calculated based on the risk value, the account management cost is calculated based on the total number of accounts after account integration for the combination, and the risk is calculated for the combination. The difference between the increase and the account management cost is calculated as an objective function, the combination that minimizes the objective function is determined as the optimal combination, and the process of outputting via an output interface is executed.

In addition, the optimal account integration support program of the present invention is a computer that supports account integration among a plurality of systems that respectively require user account authentication.
Receiving a plurality of types of system information and system combination information for specifying combinations grouped for each system group capable of integrating the plurality of systems from an input interface and storing them in a memory; Receiving a risk value, which is an estimated loss amount when a security accident occurs in each system, from the input interface and storing it in a memory in association with the type information of the plurality of systems, and the system combination information Is calculated from the risk value of each system read from the memory for the combination, and the risk increase that is the expected increase in risk value due to account integration is calculated for the combination, and the total account after account integration is calculated for the combination The account management cost is calculated based on the difference, the difference between the risk increase and the account management cost is calculated as an objective function for the combination, the combination that minimizes the objective function is determined as the optimal combination, and the output interface is used. And a step for outputting.

  In addition, the problems disclosed by the present application and the solutions thereof will be clarified by the embodiments of the present invention and the drawings.

  According to the present invention, it is possible to select a combination that optimally integrates a plurality of systems in consideration of convenience and security that are in a trade-off relationship with each other.

--- System configuration ---
Embodiments of the present invention will be described below in detail with reference to the drawings. FIG. 1 is a configuration diagram of an optimum account integration system 100 according to this embodiment. The optimum account integration system 100 (hereinafter referred to as support system 100 as appropriate) is a system that supports account integration among a plurality of systems that respectively require user account authentication.

  More specifically, for example, in various Web applications realized by various systems on the Internet and various information systems in a company (hereinafter simply referred to as a plurality of systems), a user usually has an ID and a password. That is, it is necessary to log in or receive authentication by inputting an account (hereinafter collectively referred to as account authentication). The account management side (hereinafter referred to as the account manager side) of these multiple systems may appropriately integrate accounts issued to each user among these multiple systems in consideration of various conveniences. That is, the account manager side may perform account integration design of the system and execute the designed account integration. The support system 100 of this embodiment is a system that can be used as a tool for supporting such account integrated design / execution, for example.

  As a functional configuration of the support system 100 of the present embodiment, a program database 101 such as a rewritable memory is provided with a program 102 in order to realize the function of executing the optimum account integration method of the present invention. And executed by the CPU 104 which is an arithmetic unit. The system 100 includes an input interface 105 such as various buttons and an output interface 106 such as a display. In addition, the I / O unit 107 executes data buffering and various mediation processes between the various functional units of the system 100 and the input / output interfaces 105 and 106.

  The support system 100 may be connected to various external devices and systems via a communication network such as the Internet. In that case, what is necessary is just to have a communication apparatus etc. which bear data exchange between these various external devices and external systems.

  Subsequently, functional units that are configured and held by the system 100 based on the program 102 will be described.

  Such a support system 100 receives from the input interface 105 and stores in the memory 103 system type information specifying a combination of group information for each system group capable of integrating the plurality of systems. A grouping combination receiving unit 150 is provided.

  In the present embodiment, various business management systems in a certain company are assumed as the plurality of systems. More specifically, a travel expense settlement system (sys1), a business trip application system (sys2), an absence / worktime management system (sys3), an employee benefits system (sys4), a labor management system (sys5), a rules management system (sys6), and personnel Assume that the seven systems of the management system (sys 7) are the plurality of systems. The support system 100 of this embodiment supports optimal account integration among these seven systems. The “grouping” refers to a group consisting of a group of systems in which the accounts are integrated among the plurality of systems, that is, the accounts can be collectively managed by sharing the account of each user. . However, in the following description, a system that is not account-integrated with other systems and is managed as an account alone may be referred to as a “group” for convenience.

  In short, the optimum account integration support method of the present embodiment, its system, and program determine the optimum combination from the viewpoint of ensuring convenience and security among the various combinations of these multiple systems sys1-7. To do. In other words, mathematically speaking, it solves a kind of combinatorial optimization problem.

  The “system group capable of account integration” refers to a system group that can actually integrate and group the plurality of systems. For example, in the example of the present embodiment, among the seven systems sys1 to 7, an accounting system (for example, in the example of the present embodiment, a travel expense settlement system (sys1), a business trip application system (sys2), etc. ) And a personnel system (for example, in the example of the present embodiment, the attendance management system (sys3), the labor management system (sys5), the personnel management system (sys7), etc.) are integrated with each other. Is not possible or effective in view of practical conditions such as system management. That is, the “system group capable of account integration” refers to any group that can be grouped from the viewpoint of some commonality or similarity, excluding such grouping by unrealistic account integration. However, in this embodiment, designation of the combinations grouped for each system group that can be integrated with an account is manually input by the user on the account administrator side (hereinafter referred to as an administrative user) via the input interface 105. Therefore, it is possible to specify a flexible combination by appropriately setting an accounting system and a personnel system to be grouped.

  Further, the support system 100 receives a risk value, which is an expected loss amount when a security accident occurs in each of the plurality of systems sys 1 to 7, from the input interface 105, and receives the risk values of the plurality of systems sys 1 to 7. A risk value receiving unit 151 is provided that stores the information in the memory in association with the type information.

  The definition of the risk value may be appropriately set by the management user who is the user of the support system 100.

  In addition, the grouping combination receiving unit 150 generates the hierarchy display data by positioning the system combination information as the upper hierarchy every time the plurality of systems sys1 to 7 are set as the first hierarchy, and sequentially grouping them. It is preferable to output the hierarchical display data via the output interface 106 and accept the input of the system combination information from the input interface 105 in the display based on the hierarchical display data.

  FIG. 2 shows a hierarchical display data input screen 300 that is an example of a screen in which hierarchical display data displayed as such a hierarchical tree structure is displayed on the display screen 106 that is the output interface 106. The hierarchical display data input screen 300 mainly includes an upper hierarchical group display unit 310 and a lower drawing component display unit 350. The management user or the like can use a plurality of drawing tools 351 to 356 displayed on the drawing component display unit 350 and a system that can integrate a plurality of systems sys 1 to 7 in the hierarchical group display unit 310 and account them. These are specified by drawing a hierarchical group of a tree structure that is grouped hierarchically for each group.

  Each of the various drawing tools 351 to 356 includes, in order from the left side of the screen 300, subgroups that are grouped (here, as described above, each of the plurality of single systems sys1 to 7 in the first hierarchy = the lowest layer, This also applies to the grouping tool 351 for associating the grouped upper groups with each other, and the first layer = the plurality of systems sys1 to 7 at the lowest layer are drawn and specified in the form of icons as shown in FIG. System drawing tool 352, upper group drawing tool 353 for designating and designating upper groups obtained by grouping lower groups in the form of icons as shown in FIG. 2, and risk for causing support system 100 to calculate a risk increase to be described later Increase calculation button 354 for causing the support system 100 to calculate an account management cost to be described later TCO (Total Cost of Ownership: system management cost of such) calculation button 355, and, and a optimal solution calculation button 356 for causing determine the optimum combination to be described later support system 100.

  The icon shape of the system drawing tool 352 is composed of three upper and lower parts, and in order from the top, a group candidate identifier input unit 352a, a system identifier input unit 352b, and a risk value input unit 352c into which the risk value is input. It is. The upper group drawing tool 353 is composed of two upper and lower parts, and from the top, the group candidate identifier input unit 353a similar to the group candidate identifier input unit 352a, and the risk of displaying the risk increase calculation result described later are displayed. This is an additional display unit 353b.

  At the bottom of the hierarchical group display unit 310, a plurality of systems sys1 to 7 that are the first hierarchy are specified by being drawn in the icon shape by using the system drawing tool 352 by the management user or the like. In the present embodiment, the management user or the like includes group candidate identifiers (id7 to 13 in FIG. 2), system identifiers in the group candidate identifier input unit 352a, system identifier input unit 352b, and risk value input unit 352c, respectively. (Sys 1 to 7 in FIG. 2) and the risk value (amount “500,000” to “1 million” in FIG. 2) are input from the input interface 105. In this embodiment, the management user or the like inputs a group candidate identifier (id 1 to 6 in FIG. 2) in the group candidate identifier input unit 353a. The group candidate identifier and the system identifier input from the input interface 105 are received by the grouping combination receiving unit 150 and stored in the memory 103. On the other hand, the risk value input from the input interface 105 is received by the risk value receiving unit 151 and stored in the memory 103.

  FIG. 3 shows an example data structure of the system-specific risk value setting table 200 stored in the memory 103 by the risk value receiving unit 151. As shown in FIG. 3, the system-specific risk value setting table 200 is a table that stores risk value data associated with the plurality of system type information. For example, the risk value identifier is a system identifier key. , A set of records in which information such as risk values are associated.

  In FIG. 2, for simplicity, icon-shaped group candidate identifier input units 352 a, system identifier input units 352 b, risk identifiers representing the first-level multiple systems sys 1 to 7 drawn in the hierarchical group display unit 310 are displayed. About the value input part 352c, the code | symbol is attached | subjected and shown only in the part. Similarly, in FIG. 2, only a part of the icon-shaped group candidate identifier input unit 353 a and the risk increase display unit 353 b representing the upper group drawn in the hierarchical group display unit 310 are denoted by reference numerals. It shows.

  In FIG. 2, an individual system identification name input field 311 for inputting identification names of the systems sys 1 to 7 is also provided below the icons representing the multiple systems sys 1 to 7 of the first hierarchy. Yes.

  As described above, in the support system 100 according to the present embodiment, by using a GUI (Graphical User Interface) expressed by the hierarchical display data as illustrated in FIG. 2, the management user or the like can be configured as a plurality of systems sys 1 to 7. It is possible to input and specify the combination of grouping that can be integrated with the account in a very easy and intuitive way, and to integrate these multiple systems sys1 to 7 and their accounts. It is advantageous because it is possible to easily grasp a combination of various groupings clearly and sensorially.

  Further, the support system 100 reads the system combination information from the memory 103, and calculates a risk increase that is an expected increase in risk value due to account integration based on the risk value of each system read from the memory 103 for the combination. For the combination, the account management cost is calculated based on the total number of accounts after the account integration, and the difference between the risk increase and the account management cost is calculated as an objective function for the combination, and the objective function is minimized. An optimum combination determining unit 152 that determines the combination to be determined as an optimum combination and outputs the combination through the output interface 106.

  The optimum combination determining unit 152 mainly performs processing for obtaining the following three items. That is, (a) increased risk, (b) account management cost, and (c) optimal combination. Hereinafter, processes for obtaining (a) to (c) will be described in order.

  First, calculation of an increase in risk, which is an index that specifically indicates the degree of security decrease associated with account integration, will be described. Although various methods can be considered for calculating the risk increase, in the present embodiment, as a suitable example, the optimal combination determination unit 152 is a sum of the risk values of the plurality of systems sys1 to 7 included in the combination. The risk increase is calculated by subtracting the maximum value of each risk value of the plurality of systems sys1 to 7 included in the combination from the value.

  Specific examples of combinations will be described later. The combinations in the present embodiment refer to all combinations that can group the seven systems sys1 to 7 that can be account-integrated as described above. For example, the upper group “id1” displayed at the top of the hierarchical group display unit 310 in FIG. 2 is a combination of all the systems sys1 to 7 integrated into one group. Taking the combination of group id1 as an example, a method for calculating the above risk increase will be specifically described below.

  First, the total value of each risk value of the plurality of systems sys1 to 7 included in this combination is the risk value (500,000, 400,000, 400,000, etc.) input to the risk value input unit 352c of the systems sys1 to 7. 300,000, 600,000, 200,000, 1 million) is calculated to be 3.4 million. Next, by subtracting the maximum value of each risk value of the plurality of systems sys1 to 7 included in the combination, that is, 1 million of the system sys7, from this total value of 3.4 million, it is calculated as 2.4 million. This increases the risk of the combination of this group id1. In the present embodiment, the calculated risk increase is displayed on the risk increase display section 353b, which is the lower part of the icon indicating the upper group of the hierarchical group display section 310 of FIG.

  In the present embodiment, the optimal combination determination unit 152 calculates the risk increase value not only for the combination that is the group called id1 but also for all the upper hierarchical groups (id2 to 6). They are stored in the memory 103 in association with each group, and then displayed on the risk increase display section 353b of the icon 353 of each group.

  FIG. 4 shows an example of the data structure of the group-specific risk increase storage table 400 stored in the memory 103 by the optimum combination determining unit 152. As shown in FIG. 4, the loop-by-loop risk increase storage table 400 is a table for storing risk increase value data associated with each of the higher-level groups, for example, using the group identifier as a key, It is a collection of records in which information such as system identifiers of systems included in the group, risk increase identifiers, and risk increase values are associated with each other. In FIG. 4, a plurality of systems sys 1 to 7 in the first layer, that is, groups (not higher ranks) of group candidate identifiers id 7 to 13 are also listed, but these risk increase values are all zero. . This is because the risk increase is a value indicating the degree of risk that occurs during account integration, that is, grouping, and therefore, risk increase does not occur in a first-tier system that is not an upper group and is not account integrated.

  Unlike the above example where the combination is composed of one upper group id1, when the combination includes a plurality of upper groups, the risk increase values of these upper groups are read from the group-specific risk increase storage table 400 shown in FIG. By summing them, the value of the risk increase of the combination is calculated. Therefore, if all the combinations are configured from the first-level systems sys 1 to 7, that is, if no account integration is performed and no upper group is included, the risk increase value is zero. This is consistent with the empirical fact that there is no increase in risk associated with account integration because no account integration is performed.

  Next, calculation of the account management cost (b) will be described. The account management cost is a cost required for the account manager side to perform account management. In general, the greater the degree of account integration, that is, the smaller the number of groups included in the combination, the lower the account management cost. That is, the account management cost decreases as the total number of accounts after account integration decreases. The combination with the smallest account management cost is when all the systems sys 1 to 7 are integrated as a group (that is, the group id 1 itself). In this case, the number of groups included in the combination, that is, the total number of accounts after account integration is 1.

  As described above, the account management cost is used as an index representing the convenience of account integration in the support system 100 of the present embodiment. The combination when all the systems sys1 to 7 are integrated as one group has the highest convenience, but the security shown by the increased risk is the lowest.

  There are various specific methods for calculating the account management cost. In the present embodiment, as a preferred example, the support system 100 inputs a numerical value necessary for calculating the account management cost. And an account management cost calculation formula definition unit 153 that receives the data from the memory 103 and stores it in the memory 103. The optimum combination determination unit 152 includes a numerical value necessary for calculating the account management cost read from the memory 103, the account The account management cost is calculated based on the total number of accounts after integration.

  FIG. 5 shows an example of an input screen 500 for inputting numerical values necessary for calculating such account management costs. This input screen is displayed as a pop-up window 500 superimposed on the hierarchical display data input screen 300 shown in FIG. The input screen 500 mainly includes various numerical value input units 501 to 505, a total account number X display unit 506 that displays the total account number X, and an account management cost calculation formula 507. The total account number X is automatically obtained by the support system 100 as the number of groups included in the combination and output (displayed).

  In the example of the present embodiment, the various numerical value input units 501 to 505 specifically input the number of users A that inputs the number of users (mainly employees of the company) of the plurality of systems sys1 to 7. Unit 501, annual personnel change rate B input unit 502 in the company concerned, corresponding time C input unit 503 for inputting time C required by the administrator in response to one account change, target system number D input unit 504, time A labor cost / time E input unit 505 for inputting the labor cost of the manager who corresponds to the above account change. Enter the numerical value of the annual personnel change rate B at the company when the user's job is changed within the company. This is because it is necessary to change to

  In this embodiment, as shown in the account management cost calculation formula 507, the account management cost is the number of users A, personnel change rate B, response time C, personnel cost / time E, and total account number X. Calculated from numerical values.

  Next, the determination of the optimum combination in (c) will be described. As described above, the optimal combination is calculated by calculating the difference between the risk increase and the account management cost as an objective function for all the combinations of the present embodiment, and determining the combination that minimizes the objective function as the optimal combination. Then, it is determined by solving the combinatorial optimization problem.

  In the present embodiment, the optimal combination is determined using an exact solution instead of an approximate solution according to the following formulas (1) to (5). The exact solution can be used because the number of combinations is relatively small in the combination optimization problem for supporting optimal account integration as in the present embodiment.

First, the objective function (evaluation value) in this solution is defined by the following equation (1).
For all combinations, the objective function PI in equation (1) is obtained, and the combination that minimizes the PI is determined as the optimal combination. At that time, the following equation (2) is defined as a constraint condition.

In the above formulas (1) and (2), R indicates an increase in risk, and ΣR is the total risk increase for each combination. The calculation of the total value of this risk increase has already been described in the explanation of (a) above. ID j, k is a j-th combination candidate set consisting of k account numbers. Therefore, ΣR is the total value of the risk increase values R (idx) of all group candidates idx included in IDj, k (x is 1 to 13 in the present embodiment, see FIGS. 2 and 4). T is the account management cost of the j-th combination candidate set IDj, k consisting of k accounts. The calculation method has already been described in the description of (b) above.
The specific meaning of Expression (2) is a constraint condition that the combination candidate set IDj, k includes a plurality of system groups sys1 to 7 that are temporary hierarchies without excess or deficiency.

In the expression (2), sys (idx) is a temporary hierarchical system included in the group candidate idx with respect to n temporary hierarchical systems sys1 to 7 (thus, n is 7 in the present embodiment, see FIGS. 2 and 3). Is the instruction vector. Specifically, it is as shown in Equation (3).
In equation (3), sysn is an indicator variable indicating whether or not each temporary hierarchical system sys1 to 7 is included (1 ... included, 0 ... not included). When this is expressed by an equation, the equation (4) is obtained.

If sys (idx) shown in Formula (3) in this embodiment is specifically written,
sys (id1) = [1,1,1,1,1,1,1]
sys (id2) = [1,1,1,0,0,0,0]
sys (id3) = [0, 0, 0, 1, 1, 1, 1]
sys (id4) = [1,1,0,0,0,0,0]
sys (id5) = [0, 0, 0, 1, 1, 0, 0]
sys (id6) = [0, 0, 0, 0, 0, 1, 1]
sys (id7) = [1, 0, 0, 0, 0, 0, 0]
sys (id8) = [0, 1, 0, 0, 0, 0, 0]
sys (id9) = [0, 0, 1, 0, 0, 0, 0]
sys (id10) = [0, 0, 0, 1, 0, 0, 0]
sys (id11) = [0, 0, 0, 0, 1, 0, 0]
sys (id12) = [0, 0, 0, 0, 0, 1, 0]
sys (id13) = [0, 0, 0, 0, 0, 0, 1]
It becomes.

Further, when the account management cost T, the risk increase R, and the objective function PI are obtained for all of the combination candidate sets IDj, k satisfying the constraint condition shown in Expression (2) by strict solution, the following is obtained. It becomes.
k = 1 / ID1,1 = {id1} /T=250,000/R=2.4 million / PI = 21.5 million;
k = 2 / ID1,2 = {id2, id3} /T=500,000/R=1.9 million / PI = 1.4 million;
k = 3 / ID1,3 = {id4, id9, id3} /T=750,000/R=1.5 million / PI = 750,000;
k = 3 / ID2,3 = {id2, id5, id6} /T=750,000/R=1.3 million / PI = 550,000;
k = 3 / ID3,3 = {id3, id4, id9} /T=750,000/R=1.5 million / PI = 750,000;
k = 4 / ID1,4 = {id2, id5, id12, id13} / T = 1,000,000 / R = 1,100,000 / PI = 100,000;
k = 4 / ID2,4 = {id2, id6, id10, id11} / T = Million / R = Million / PI = 0000; Adopted (optimum solution)
k = 4 / ID3,4 = {id3, id7, id8, id9} / T = 1,000,000 / R = 1,100,000 / PI = 100,000;
k = 4 / ID4,4 = {id4, id9, id5, id6} / T = 1,000,000 / R = 900,000 / PI = −100,000;
k = 5 / ID1,5 = {id2, id10, id11, id12, id13} /T=1.25 million / R = 800,000 / PI = −450,000;
k = 5 / ID2,5 = {id5, id6, id7, id8, id9} /T=1.25 million / R = 500,000 / PI = −750,000;
k = 6 / ID1,6 = {id4, id9, id10, id11, id12, id13} /T=1.5 million / R = 400,000 / PI = −1.1 million;
k = 6 / ID2,6 = {id7, id8, id9, id5, id12, id13} /T=1.5 million / R = 300,000 / PI = −1.2 million;
k = 6 / ID3,6 = {id7, id8, id9, id10, id11, id6} /T=1.5 million / R = 200,000 / PI = −1.3 million;
k = 7 / ID1,7 = {id7, id8, id9, id10, id11, id12, id13} /T=1.75 million / R = 0000 / PI = −1.75 million;

Among the combination candidate sets IDj, k, ID2 and ID4 are optimal solutions that minimize PI, that is, optimal combinations. At that time, the account management cost T was 1 million, the risk increase R was 1 million, and the objective function PI was zero.
The combination of IDs 2 and 4 is a combination including all the temporary hierarchical systems sys1 to 7 by including group candidates id2, id6, id10, and id11. In other words, the upper hierarchical group of id2 in which the temporary hierarchical systems sys1 to 3 are account integrated, the upper hierarchical group of id6 in which the temporary hierarchical systems sys6 and 7 are integrated, and the temporary hierarchical systems sys4 and 5 are included. The combination is determined as the optimal account integration combination.

  As described above, according to the support system 100 of the present embodiment, by solving the combinatorial optimization problem so as to optimize the evaluation value = objective function, and by taking the exact solution instead of the approximate solution. Be able to determine the optimal combination of account integration, very quickly and accurately. As can be seen from the above calculation method, the determined optimal combination is a combination in which the account management cost, which is a convenience index, and the risk increase value, which is a security index, are best balanced. In other words, it can be determined that the most cost-effective combination can be determined, not just the highly convenient combination.

  As described above, the optimum combination determined as the final result is output via the output interface 106. In the present embodiment, as a preferred example, the optimum combination determination unit 152 color-codes groups included in the optimum combination from the system combination information as the hierarchical display displayed by the grouping combination reception unit 150. By displaying, the optimal combination is output, and the risk increase value, the account management cost value, and the objective function value in the optimal combination are output via the output interface 106.

  Specifically, in this embodiment, the display 106 as the output interface 106 outputs the optimum combination, the risk increase value, the account management cost value, and the objective function value in the optimum combination. Display the decision result screen. FIG. 6 shows an example of such a determination result screen 600. This determination result 600 screen is displayed as a pop-up window 600 superimposed on the hierarchical display data input screen 300 shown in FIG. Further, the groups id2, id6, id10, and id11 corresponding to the optimum combination in the hierarchical group display unit 310 of the hierarchical display data input screen 300 displayed below the determination result 600 screen are displayed in different colors (for easy understanding). Not shown).

  The determination result screen 600 mainly includes an optimum combination display unit 601 that displays the contents of the optimum combination, a TCO display unit 602 that displays account management costs in the optimum combination, and a risk increase display that displays an increase in risk in the optimum combination. A unit 603 and an objective function value display unit 604 for displaying the value of the objective function in the optimum combination.

  The management user who is the user of the support system 100 of the present embodiment can perform account integration design / execution and the like based on the result output like an individual.

  Note that each of the functional units 150 to 153 in the support system 100 described so far may be realized as hardware, or as a program 102 stored in an appropriate storage device such as the memory 103 or an HDD (Hard Disk Drive). You may do that. In this case, the CPU 104 of the support system 100 reads the corresponding program from the storage device into the memory 103 and executes it in accordance with the execution of the program 102.

--- Processing flow example ---
Hereinafter, a processing flow example corresponding to the optimum account integration support method in the present embodiment will be described with reference to the drawings. Note that various operations corresponding to the optimum account integration support method described below are realized by the program 102 that the support system 100 reads into the appropriate memory 103 and executes. Such a program 102 is composed of codes for performing various operations described below.

--- Processing flow example 1 ---
FIG. 7 is a flowchart showing an execution procedure example 1 of the optimum account integration support method of the present embodiment. Here, the following processing for realizing the optimum account integration support method of the present embodiment is executed.

  First, the grouping combination receiving unit 150 of the support system 100 receives, as an input interface, a plurality of types of system information and system combination information that designates a combination of the plurality of systems grouped for each system group capable of account integration. The data is received from 105 and stored in the memory 103 (s100).

  At that time, the grouping combination accepting unit 150 generates the hierarchy display data by positioning the system combination information as the first hierarchy with the plurality of systems as the first hierarchy and sequentially grouping them (see FIG. 2). The hierarchical display data is output through the output interface 106, and the system combination information is input from the input interface 105 in the display based on the hierarchical display data (see FIG. 2).

  In the present embodiment, corresponding information is also input to the group candidate identifier input unit 352a and the system identifier input unit 352b in the icon shape of the system drawing tool 352 corresponding to the systems sys1 to 7 of the first hierarchy. The grouping combination receiving unit 150 receives these and stores them in the memory 103. In addition, corresponding information is also input to the group candidate identifier input unit 353a in the icon shape of the upper group drawing tool 353 corresponding to each of the upper group ids 1 to 6, and the grouping combination receiving unit 150 receives these, and the memory 103 To store.

  Next, the risk value receiving unit 151 of the support system 100 receives, from the input interface 105, a risk value that is an estimated loss amount when a security accident occurs in each of the plurality of systems. Is stored in the memory 103 in a format such as the system-specific risk value setting table 200 shown in FIG. 3 (s102).

  Specifically, information corresponding to the risk value input unit 352c in the icon shape of the system drawing tool 352 corresponding to each of the first-level systems sys1 to 7 is input, and the risk value receiving unit 151 receives the information, and the memory 103.

  Next, the optimum combination determination unit 152 of the support system 100 reads the system combination information from the memory 103, and for the combination, the risk value is expected to rise by account integration based on the risk value of each system read from the memory 103. An increase in risk, which is the amount, is calculated (s104).

  Specifically, the management user or the like presses a risk increase calculation button 354 in the drawing component display unit 350 of the hierarchical display data input screen 300 shown in FIG. The risk increase of each of the upper groups id1 to 6 displayed on the part 310 is calculated, stored in the memory 103 in the form of the group-specific risk increase storage table shown in FIG. 4, and displayed on the risk increase display part 353b. At that time, the risk values of the systems sys1 to 7 in the first hierarchy are read out from the system-specific risk value setting table 200 shown in FIG. 3, and these values are used.

  Next, the optimum combination determination unit 152 of the support system 100 calculates an account management cost for the combination based on the total number of accounts after the account integration (s108).

  In this embodiment, more specifically, before step s108, the account management cost calculation formula definition unit 153 receives a numerical value necessary for calculating the account management cost from the input interface 105 and stores it in the memory 103. (S106), the optimum combination determination unit 152 calculates the account management cost based on the numerical value necessary for calculating the account management cost read from the memory 103 and the total number of accounts after the account integration. Calculate (s108).

  Specifically, the account management cost is calculated by pressing a TCO calculation button 355 in the drawing component display unit 350 of the hierarchical display data input screen 300 shown in FIG. Is executed by.

  Next, the optimal combination determination unit 152 of the support system 100 calculates the difference between the risk increase and the account management cost as an objective function for the combination, and determines the combination that minimizes the objective function as the optimal combination ( s110).

  Next, the optimal combination determination unit 152 of the support system 100 outputs the optimal combination determined in step s110 via the output interface 106 (s112).

  In the present embodiment, more specifically, the optimum combination determination unit 152 selects a group included in the optimum combination from the system combination information as the hierarchical display displayed by the grouping combination reception unit 150. By color-coded display, the optimal combination is output, and the risk increase value, the account management cost value, and the objective function value in the optimal combination are output to the display 106 via the output interface ( (See FIG. 6).

  This is the end of the processing of this flow example.

  As described above, according to the present embodiment, it is possible to select a combination that optimally integrates a plurality of systems in consideration of convenience and security improvement that are in a trade-off relationship with each other.

  As mentioned above, although embodiment of this invention was described concretely based on the embodiment, it is not limited to this and can be variously changed in the range which does not deviate from the summary.

It is a block diagram of the optimal account integration support system of this embodiment. It is a figure which shows the hierarchy display data input screen which is an example of the screen which displayed the hierarchy display data in this embodiment. It is a figure which shows the data structure example 200 of the risk value setting table classified by system in this embodiment. It is a figure which shows the data structure example 400 of the risk increase storage table according to this embodiment. It is a figure which shows the hierarchy display data input screen which is an example of the input screen for inputting the numerical value required in order to calculate account management cost in this embodiment. It is a figure which shows the determination result screen which is an example of the screen for outputting the optimal combination in this embodiment, the value of the said risk increase in the said optimal combination, the value of the said account management cost, and the value of the said objective function. It is a figure which shows the process flow example 1 corresponding to the optimal account integration support method of this embodiment.

Explanation of symbols

100 Optimal Account Integration Support System 101 Program Database 102 Program 103 Memory 104 CPU
105 Input Interface 106 Output Interface 107 I / O Unit 150 Grouping Combination Receiving Unit 151 Risk Value Receiving Unit 152 Optimal Combination Determination Unit 153 Account Management Cost Calculation Formula Definition Unit

Claims (7)

A system that supports account integration between multiple systems that each require user account authentication,
A grouping combination receiving unit that receives type information of the plurality of systems and system combination information that specifies a combination of the plurality of systems grouped for each system group that can be account-integrated from an input interface and stores the information in a memory. When,
For each of the plurality of systems, accepting a risk value that is an expected loss amount when a security accident occurs in each system from the input interface, and storing the value in a memory in association with the type information of the plurality of systems And
The system combination information is read from the memory, and for the combination, a risk increase that is an expected increase in the risk value due to account integration is calculated based on the risk value of each system read from the memory. Calculate the account management cost based on the total number of accounts, calculate the difference between the risk increase and the account management cost as an objective function for the combination, and determine the combination that minimizes the objective function as the optimal combination , An optimal combination determination unit that outputs via an output interface;
An optimal account integration support system characterized by comprising: The grouping combination accepting unit generates the hierarchy display data by positioning the system combination information as the upper hierarchy every time the plurality of systems are set as the first hierarchy, and outputs the hierarchy display data. Output via an interface, and accepting input of the system combination information from an input interface in the display based on the hierarchical display data,
The optimal account integration support system according to claim 1. The optimal combination determination unit calculates the risk increase by subtracting the maximum value of each risk value of the plurality of systems included in the combination from the total value of each risk value of the plurality of systems included in the combination. Is characterized by
The optimal account integration support system according to claim 1 or 2. An account management cost calculation formula definition unit that receives a numerical value necessary for calculating the account management cost from an input interface and stores it in a memory,
The optimal combination determination unit calculates the account management cost based on a numerical value necessary for calculating the account management cost read from a memory and the total number of accounts after the account integration,
The optimal account integration support system according to claim 1. The optimum combination determination unit outputs the optimum combination by displaying the groups included in the optimum combination by color from the system combination information as the hierarchical display displayed by the grouping combination receiving unit. And outputting the value of the risk increase in the optimal combination, the value of the account management cost, and the value of the objective function via an output interface,
The optimal account integration support system according to claim 2. A computer that supports account integration between multiple systems that each require user account authentication.
A process of accepting from the input interface and storing the system combination information specifying the grouped information for each system group capable of integrating the accounts of the plurality of systems into the memory;
For each of the plurality of systems, a process of receiving a risk value that is an expected loss amount in the event of a security accident of each system from the input interface, and storing in a memory in association with the type information of the plurality of systems;
The system combination information is read from the memory, and for the combination, a risk increase that is an expected increase in the risk value due to account integration is calculated based on the risk value of each system read from the memory. Calculate the account management cost based on the total number of accounts, calculate the difference between the risk increase and the account management cost as an objective function for the combination, and determine the combination that minimizes the objective function as the optimal combination , Processing to output via the output interface;
The optimal account integration support method characterized by performing. A computer that supports account integration between multiple systems that require user account authentication.
Receiving from the input interface and storing in the memory system type information specifying the combination of grouped information for each system group capable of integrating the plurality of systems, and the type information of the plurality of systems;
For each of the plurality of systems, receiving a risk value that is an expected loss amount in the event of a security accident of each system from the input interface, and storing in a memory in association with the type information of the plurality of systems;
The system combination information is read from the memory, and for the combination, a risk increase that is an expected increase in the risk value due to account integration is calculated based on the risk value of each system read from the memory. Calculate the account management cost based on the total number of accounts, calculate the difference between the risk increase and the account management cost as an objective function for the combination, and determine the combination that minimizes the objective function as the optimal combination Outputting via the output interface;
Optimized account integration support program to execute.