Comparison of Users' Perception of Information Security Elements on Computer Virus Between Large and Small-and-Medium Companies

  • Kim, Jong-Ki (Pusan National University) ;
  • Jeon, Jin-Hwan (Research and Education Institute of Banking, Securities and Derivatives of Pusan National University)
  • Published : 2006.10.30

Abstract

The computer virus is one of the most common information security problems in the information age. This study investigates the difference in users' perception of security elements between large companies and small-and-medium companies on the subject of computer viruses. Based on a t-test, no significant difference is found in users' perception of security threat and security risk. While users are satisfied with the level of security policy, there is a significant difference in the level of security policy recognition between the two sizes of companies. Moreover, there are significant differences in information assets, security vulnerability and security effectiveness, which implies differences in users' perception of the importance of assets, exposure to threats and computer virus prevention efforts between large and small-and-medium companies.

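Computer viruses are one of the information security problems that users most commonly experience in the information age. This study analyzes the difference in users' perception of security elements between large companies and small-and-medium companies, taking computer viruses as the subject. A t-test on data collected through a questionnaire was used to analyze perception differences by company size; the results showed no notable difference in the perception of security threat and risk, and confirmed that users take the threat of and damage from computer viruses seriously. In addition, users are generally satisfied with the level of security policy of the organization they belong to, but there is a difference in their recognition of the security policy, and the effect of security policy enforcement was confirmed to differ by company size. There were also differences in the perception of information assets, security vulnerability and security effectiveness with respect to viruses, indicating that the importance of assets, the degree of exposure to threats and the results of efforts to prevent virus infection differ by company size.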
