A Study on the Impact of N/A Check Item on the Security Level Result through Empirical Verification

  • Received : 2014.01.17
  • Accepted : 2014.07.31
  • Published : 2014.08.31

Abstract

This study analyzed the degree to which N/A check items affect the security level result when a vulnerability analysis and evaluation is performed. To do so, we used the scope of the vulnerability analysis and evaluation, its check items, and a quantitative calculation method, and assigned grades and weights according to the importance of each item. In addition, because institutions are always exposed to risk as the surrounding environment and IT technology develop, we carried out an empirical analysis by applying the RAL (Risk Acceptable Level). The analysis proved that N/A check items are a factor affecting the security level. In other words, check items that have no relevance to the characteristics of the institution should be excluded when a vulnerability analysis and evaluation is performed. Based on this empirical verification, the study suggests that the security level evaluation should be performed after excluding items that are not relevant to the institution's characteristics, and proposes that research is needed on a model for establishing vulnerability analysis and evaluation check items that takes the institution's characteristics into account.
