In order to provide an information security policy evaluation system in which information security policies can be efficiently and appropriately defined and operated in an organization, such as a corporation, treated threats operated on a second site are transmitted from a second information processing apparatus on the second site to a first information processing apparatus on a first site, threat information is transmitted from a third site collecting information on threats to the first information processing apparatus on the first site. The first information processing apparatus extracts treated threats which have been effective for threats having occurred actually, and untreated threats, out of the received treated threat and generates an evaluation report in which these are described. Moreover, a compensation amount of insurance against threats is changed based on the generated evaluation report.