An analysis unit which effectively detects incidents on the basis of events detected by a security unit such as an intrusion detection system (IDS) or a firewall (FW) installed in a network stores statistical information that is frequency-distributed information of event information obtained from the collection unit, frequency component information obtained by frequency-analyzing the statistical information and the result obtained by making analysis on the basis of the frequency component. The collection unit collects and normalizes event log information outputted by IDS or FW to be stored in an event database (DB). An alert notification unit includes an alert database (DB) for storing an alert instruction transmitted from the analysis unit and an alert notification destination and reports occurrence of incidents to a manager or the like in accordance with the instruction.