This paper deals with the trial development of a new cyber risk visualization system. Although numerous organizations have implemented a wide variety of information technology (IT) systems in recent years, the number of cybersecurity incidents demanding rapid and efficient responses continues to increase. Furthermore, while it is desirable for organizations to set appropriate target levels when addressing such risks, the process is difficult because managers are seldom information security specialists. In such situations, management typically sets goals regarding information security, communicates risk factors with the information department, and then provides decision support for concrete measures. However, the fact that they are not security experts often makes it difficult to implement these measures. As a partial countermeasure to such cases, we believe that an approach by which an organization can gain an understanding of similar situations in other organizations, understand and adjust the methods by which they approach related issues, and then adapt those methods to their own use can be effective. However, a primary concern regarding information sharing between organizations is that while one organization may desire to know the status of other organizations, they do not want necessarily want to share similar information related to their own organizations. As a result, active efforts to facilitate such sharing have seen little progress. In this paper, we report on the development of a system that visualizes cyber-risks related to a particular organization, shows similar results for other organizations in the form of average values within a range that allows k-anonymity to be maintained, and then makes comparisons among those results. This makes it difficult for other participating organizations to gain a specific understanding of conditions within a specific organization. We then developed a prototype system using LimeSurvey, which is an easily modifiable open source web application, in order to make our proposed system easy to customize and use. Our experimental results show that this prototype enables comparisons to be made regarding situations among various participating organizations in the same industries while maintaining the anonymity of each individual organization.
