An attack activity definition information database 111 stores, for a plurality of events, attack activity definition information describing an event, a precondition, and an achieved phenomenon. The event is observed by an information system when an attack against the information system is underway. The precondition is a prerequisite condition for the event to be observed. The achieved phenomenon is a phenomenon of the time after the event is observed. An event receiving part 108 receives observed event notice information notifying an observed event which is observed by the information system. An attack activity predicting part 105 acquires an achieved phenomenon from the attack activity definition information describing the observed event notified by the observed event notice information, and extracts an event that is predicted to be observed by the information system, based on the attack activity definition information describing a precondition corresponding to the acquired achieved phenomenon of the observed event.