
A Study on the Categorization of Security Incident Types for Establishing a Corporate Information Security Strategy

A Study on Categorization of Accident Pattern for Organization's Information Security Strategy Establish

  • Kim, Hee-Ohl (Department of Management Consulting, Graduate School, Hanyang University) ;
  • Baek, Dong-Hyun (Department of Business Administration, College of Business and Economics, Hanyang University)
  • Received : 2015.11.17
  • Accepted : 2015.12.14
  • Published : 2015.12.31

Abstract

A corporation's valuable intellectual assets are threatened by attackers whose skills have evolved along with the growth of information systems and the volume of information assets. Domestically, attempts at various attacks on personal information, theft of important information, and damage to information have been detected; some of them exploited weaknesses in information system security and have become a severe social problem that generates security incidents. When approaching security, most companies have established a strategy in a uniform manner with a single solution plan. However, this is not a proper way. The order of priorities varies depending on the type of business. The scale of damage also varies significantly depending on the type of security incident, and the method of response and the critical control points vary depending on both the type of business and the type of security incident. This study defines security incidents by type and focuses on how an organization should react to each type. It analyzes the many types of security incidents that can occur within a corporation or organization, considering various factors, and through this analysis identifies the factors that corporations and organizations have to consider when they approach information security. Rather than a conceptual response methodology that examines ways to prevent the leakage of industrial security systems and industrial information activities, this study focuses on a response methodology based on case analysis of the leakage of industrial secrets and private secrets. Based on these factors, it aims to help corporations apply a reasonable approach when they establish an information security strategy.


Cited by

  1. A Study on Developing a Framework for Classifying Enterprise Types from an Information Security Perspective, vol.39, pp.3, 2016, https://doi.org/10.11627/jkise.2016.39.3.018
  2. Prioritizing Security Strategies According to Enterprise Type Classification Using Pairwise Comparison, vol.39, pp.4, 2015, https://doi.org/10.11627/jkise.2016.39.4.097
  3. Effective Target Region Segmentation Using Machine Learning Algorithms, vol.19, pp.5, 2015, https://doi.org/10.5762/kais.2018.19.5.697