Security Assessment Metrics Model for Online Services


  • Choo, Yeun-Su (Department of Computer, Graduate School, Soongsil University)
  • Park, Jae-Pyo (Graduate School of Information Sciences, Soongsil University)
  • Jun, Moon-Seog (Department of Computer, Graduate School, Soongsil University)
  • Received: 2013.12.26
  • Accepted: 2014.04.11
  • Published: 2014.04.30

Abstract

Internet services have security issues. To prepare proper security measures for these issues, setting a security level is essential. Until now, security levels have been set using the CIA (Confidentiality, Integrity, and Availability) Security Levels. However, the CIA Security Levels have a problem: the measures for the middle level of a security setting are ambiguous. Moreover, for some services, security levels overlap when no separate user authentication is performed. Additionally, some of the CIA Security Levels cannot be applied to Internet services at all. In this paper, a new security level model, the CIAA Security Levels, is proposed; it deletes the ambiguous middle level of the security setting and adds authentication as one of the factors of the security level setting. The CIAA Security Levels model can be mapped to more concrete security measures than the CIA Security Levels. The proposed model is applicable to almost any online service and can also be applied to new online services.

Services that use the Internet have security problems. To establish appropriate security measures for them, setting a security level is essential. Until now, security levels have been set using the CIA (Confidentiality, Integrity, Availability) Security Levels. However, the CIA Security Levels have the problem that the security measures for a medium-strength security setting are ambiguous, and, depending on the service, security levels overlap when no separate user authentication is performed. In addition, some of the CIA Security Levels cannot be used for actual services. Therefore, this paper proposes the CIAA Security Level model, which deletes the medium security strength that causes ambiguous measures and adds authentication as a factor of the security level setting. The CIAA Security Level model allows more concrete security measures to be set than the CIA Security Levels. The proposed security level model can be applied to almost all online services and is also applicable to online services that will be newly provided in the future.
