Study on Development of Framework of Company Classification in Information Security Perspective

  • Kim, Hee-Ohl (Graduate School of Management Consulting, Hanyang University)
  • Baek, Dong-Hyun (Department of Business Administration, Hanyang University)
  • Received : 2016.07.19
  • Accepted : 2016.07.30
  • Published : 2016.09.30

Abstract

For most organizations, a security infrastructure that protects the company's core information and technology is becoming increasingly important. Various approaches to information security have been taken, yet many security incidents still occur. In fact, many Korean companies perceive information security as an expense rather than an asset. To change this perception, it is essential to recognize the need for information security and to find a rational approach to it. The purpose of this study is to present a framework for the information security strategies of companies. The framework classifies companies into eight types, so that a company can receive guidance in developing its information security strategy according to the type it belongs to. To develop the measures used to classify company types, 12 information security professionals held brainstorming sessions, and, based on previous studies, three factors were selected from among those shown to influence the information security of an enterprise. The Delphi method was applied to 29 security experts to determine the sub-items for each factor, and the final evaluation items were determined by verifying the content validity and reliability of the components through SPSS analysis. This study then used the developed sub-items to identify the characteristics of each of the eight company types from a security perspective, and summarized the kinds of actual security incidents that occurred in the past.

References

  1. Bharadwaj, A., Keil, M., and Mahring, M., Effects of information technology failures on the market value of firms. The Journal of Strategic Information Systems, 2009, Vol. 18, No. 2, pp. 66-79. https://doi.org/10.1016/j.jsis.2009.04.001
  2. Brancheau, J.C., Janz, B.D., and Wetherbe, J.C., Key Issues in Information Systems Management : 1994-95 SIM Delphi Results, MIS Quarterly, 1996, Vol. 20, No. 2, pp. 225-242. https://doi.org/10.2307/249479
  3. Calder, A. and Van Bon, J., Implementing Information Security Based on ISO 27001/ISO 17799, Van Haren Publishing, 2006.
  4. Chang, H.B., The Design of Information Security Management System for SMEs Industry Technique Leakage Prevention, Korea Multimedia Society, 2010, Vol. 13 No. 1, pp. 111-121.
  5. Doherty, N.F. and Fulford, H., Do Information Security Policies Reduce the Incidence of Security Breaches : An Exploratory Analysis, Information Resources Management Journal, 2005, Vol. 4, pp. 21-38.
  6. Dzazali, S. and Zolait, A.H., Assessment of Information Security Maturity : an Exploration Study of Malaysian Public Service Organizations, Journal of Systems and Information Technology, 2012, Vol. 14, No. 1, pp. 23-57. https://doi.org/10.1108/13287261211221128
  7. Ettredge, M. and Richardson, V.J., Information Transfer among Internet Firms : the Case of Hacker Attacks, Journal of Information Systems, 2003, Vol. 17, No. 2, pp. 71-82. https://doi.org/10.2308/jis.2003.17.2.71
  8. Flint, D.J., Woodruff, R.B., and Gardial, S.F., Exploring the Phenomenon of Customers Desired Value Change in a Business to Business Context, Journal of Marketing, 2002, Vol. 66, No. 4, pp. 102-117.
  9. Gorman et al., Least Effort Strategies for Cybersecurity, The Critical Infrastructure Project Workshop I : Working Papers, May 2003, pp. 1-14.
  10. Hagen, J.M., Albrechtsen, E., and Hovden, J., Implementation and Effectiveness of Organizational Information Security Measures, Information Management and Computer Security, 2008, Vol. 16, No. 4, pp. 377-397. https://doi.org/10.1108/09685220810908796
  11. Hawkins, S. and Yen, D.C., Awareness and Challenges of Internet Security, Information Management and Computer Security, 2000, Vol. 8, No. 3, pp. 131-143. https://doi.org/10.1108/09685220010372564
  12. Hu, Q., Hart, P., and Cooke, D., The Role of External and Internal Influences on Information Systems Security Practices : An Institutional Perspective, The Journal of Strategic Information Systems Archive, 2006, Vol. 16, No. 2, pp. 153-172.
  13. Introduction to privacy and personal information management framework, Financial Security Institute, 2011.
  14. Kankanhalli et al., An Integrative Study of Information Systems Security Effectiveness, Journal of Information Management, 2003, Vol. 23, No. 2, pp. 139-154. https://doi.org/10.1016/S0268-4012(02)00105-6
  15. Karyda, M., Kiountouzis, E., and Kokolakis, S., Information security policies : a contextual perspective, Computers and Security, 2005, pp. 246-260.
  16. Kast, F.E. and Rosenzweig, J.E., General Systems Theory : Applications for Organization and Management, Academy of Management Journal, 1972, Vol. 15, No. 4, pp. 447-465. https://doi.org/10.2307/255141
  17. Katz, D. and Kahn, R.L., The Social Psychology of Organizations (2nd ed.). New York : Wiley, 1978.
  18. Kim et al., The Effects of Information Security Policies, Security Controls and User's Characteristics on Anti-Virus Security Effectiveness, Journal of Information Systems, 2006, Vol. 15 No. 1, pp. 145-168.
  19. Kim, H.O. and Baek, D.H., A Study on Categorization of Accident Pattern for Organization's Information Security Strategy Establish, Journal of the Society of Korea Industrial and Systems Engineering, 2015, Vol. 38 No. 4, pp. 193-201. https://doi.org/10.11627/jkise.2015.38.4.193
  20. Kim, M.S., Jeoune, D.S., Nam, K.H., Kim, G.R., and Han, C.M., Implication of Industrial Security Capacity Based on Level Evaluation, The Korean Society for Quality Management, 2013, Vol. 41, No. 4, pp. 649-658. https://doi.org/10.7469/JKSQM.2013.41.4.649
  21. Korea Communications Commission Report, A Fact-Finding on Leak Out of Personal Data, KCC, 2015.
  22. Lohmeyer, D.F., McCrory, J., and Pogreb, S., Managing Information Security, The McKinsey Quarterly, Special Edition : Risk and Resilience, 2002, Vol. 2, pp. 12-16.
  23. McKelvey, B. and Aldrich, H., Populations, Natural Selection, and Applied Organizational Science, Administrative Science Quarterly, 1983, Vol. 28, No. 1, pp. 101-128. https://doi.org/10.2307/2392389
  24. Miller, P., Strategic Industrial Relations and Human Resource Management-Distinction, Definition and Recognition, Journal of Management Studies, 1987, Vol. 24, No. 4, pp. 347-361. https://doi.org/10.1111/j.1467-6486.1987.tb00450.x
  25. Mintzberg, H., The design school : Reconsidering the basic premises of strategic management, Strategic Management Journal, 1990, Vol. 11, No. 3, pp. 171-195. https://doi.org/10.1002/smj.4250110302
  26. Morgan, R.T., Image of organization. Sage Publications, 1986.
  27. National Defense Science and Technology Vocabulary, 2011.
  28. Pfleeger, C.P., Security in Computing, Second edn, Prentice Hall, United States of America, 1997.
  29. Phares, E.J., Introduction to personality, Columbus, OH : Charles E. Merrill, 1984.
  30. Rich, P., The Organizational Taxonomy : Definition and Design, Academy of Management Review, 1992, Vol. 17, No. 4, pp. 758-781. https://doi.org/10.5465/amr.1992.4279068
  31. Sanchez, J.C., The Long and Thorny way to an Organizational Taxonomy, Organization Studies, 1993, 14/1: 73-92. https://doi.org/10.1177/017084069301400106
  32. Sarker, S., Lau, F., and Sahay, S., Using an Adapted Grounded Theory Approach for Inductive Theory Building About Virtual Team Development, DATA BASE for Advances in Information Systems, 2001, Vol. 2, No. 1, pp. 38-56.
  33. Schneier, B., Secrets & Lies-Digital Security in a Networked World, Wiley Computer Publishing, New York, 2002.
  34. Sherwood, J., SALSA : A Method for Developing the Enterprise Security Architecture and Strategy, Computers and Security, 1996, Vol. 15, Issue. 6, pp. 501-506. https://doi.org/10.1016/S0167-4048(97)83124-0
  35. Smith, E., Kritzinger, E., Oosthuizen, H.J., and Von Solms, S.H., Information Security Education, in Proceedings of the WISE 4 Conference, Moscow, Russia, 2004.
  36. Solms, V. and Solms, R., The 10 Deadly Sins of Information Security Management, Computers and Security, 2004, Vol. 23, No. 5, pp. 371-376. https://doi.org/10.1016/j.cose.2004.05.002
  37. Spears, J.L. and Barki, H., User Participation in Information Systems Security Risk Management, MIS Quarterly, 2010, pp. 503-522.
  38. Survey of personal information, Ministry of Science, ICT and Future Planning, 2015.
  39. Thomson, M.E. and Von Solms, R., Information Security Awareness : Educating Your Users Effectively, Information Management and Computer Security, 1998, Vol. 6, No. 4, pp. 167-173. https://doi.org/10.1108/09685229810227649
  40. Von Solms, R. and Von Solms, S.H., From policies to culture, Computers and Security, 2004, Vol. 23, No. 4, pp. 275-279. https://doi.org/10.1016/j.cose.2004.01.013
  41. Von Solms, S.H., Information Security Management through Measurement, in Proceedings of the SEC99 conference, Johannesburg, South-Africa, 1999.
  42. Werlinger, R., Muldner, K., Hawkey, K., and Beznosov, K., Preparation, detection, and analysis : the diagnostic work of IT security incident response, Information Management and Computer Security, 2010, Vol. 18, No. 1, pp. 26-42. https://doi.org/10.1108/09685221011035241
  43. Wood, C.C., Why Information Security is Now Multi-Disciplinary, Multi-Departmental, and Multi-Organizational in Nature. Computer Fraud and Security, 2004, No. 1, pp. 16-17.
  44. Yngstrom, L., A Systemic-Holistic Approach to Academic Programmes in IT Security, Ph.D. Thesis, Department of Computer and Systems Sciences, University of Stockholm and the Royal Institute of Technology, 1996.

Cited by

  1. Determining Security Strategy Priorities According to Company Type Classification Using Pairwise Comparison, vol.39, pp.4, 2016, https://doi.org/10.11627/jkise.2016.39.4.097