Users and providers of an information system should clearly understand the threats caused by the system as well as clarify the requirements for the system before they use the system. Especially, they should be very careful when they use a system with components and/or services provided by third parties. However, there are few methods or tools to learn and confirm such issues. In this paper, we present a supporting tool called “PORTAM” for such users and providers to understand the threats and the requirements. Suppose some requirements cannot be satisfied when some threats are avoided, and vice versa. In such cases, they should decide whether the requirements should be satisfied or the threats should be avoided. The tool also helps them to decide such kinds of trade-offs. Current version of this tool handles Java mobile code applications, thus users of our tool can easily feel real threats. Although the current version deals only with Java components, the ideas behind the tool ...