A security device includes an attack detection part, a security risk state determination part, and an execution environment controller. The attack detection part detects a cyber attack on an embedded device controlled by an embedded control device. The security risk state determination part determines a security risk state indicating at least one of a type and degree of risk of threat in a security caused by the cyber attack based on a result of the detection. The execution environment controller is included in the embedded control device, determines a security function against the cyber attack in accordance with the security risk state, and constitutes an execution environment of the security function in the embedded control device so that the embedded control device can execute the security function.