DOI QR코드

DOI QR Code

보안 위험성향 측정을 위한 프레임워크 개발에 관한 연구

A Study on Developing Framework for Measuring of Security Risk Appetite

  • 김기삼 (중앙대학교 산업융합보안학과) ;
  • 박진상 (중앙대학교 융합보안학과) ;
  • 김정덕 (중앙대학교 산업보안학과)
  • Gim, Gisam (Dept. of Industrial Convergence Security, Chung-Ang University) ;
  • Park, Jinsang (Dept. of Convergence Security, Chung-Ang University) ;
  • Kim, Jungduk (Dept. of Industrial Security, Chung-Ang University)
  • 투고 : 2018.10.30
  • 심사 : 2019.01.20
  • 발행 : 2019.01.28

초록

디지털 기술의 발전으로 지능화 및 융합화가 가속화됨에 따라, 비즈니스 모델 및 인프라, 기술 등 여러 측면에서 기존 방식을 초월한 변화가 요구되고 있다. 변화된 비즈니스 환경에서는 다양한 보안 위험이 점증하고 있으며, 보안 위험관리의 중요성이 더욱 커지고 있다. 기존의 정보자산 기반의 위험관리에서 벗어나 비즈니스 중심의 위험관리가 대두되고 있는 시점에서 이를 위해서는 비즈니스 목표 달성을 위한 위험성향(Risk Appetite)을 파악하는 것이 필수적이며, 이는 추후 프로세스에서 발생하는 제반 의사결정 과정에 있어 판단 기준을 제공한다. 따라서 본 논문에서는 기존 위험성향 선행연구 분석 및 보호동기이론을 분석하여, 보안 위험성향 수준을 파악할 수 있는 프레임워크를 개발하였다. 또한 개발된 위험성향 프레임워크의 실무적 타당성을 검토하기 위해, 보안 위험관리 실무 전문가들로 구성된 자문위원회를 통해 적용가능성과 중요성을 검토하였다. 검토 결과, 재무, 운영, 기술, 평판, 컴플라이언스, 문화 6개의 보안 위험성향 고려 위험분야와 인지된 심각성, 인지된 취약성, 자기효능감, 반응효능감 4개의 요인이 보안 위험성향 측정을 위한 프레임워크 구성요소로서 타당한 것으로 검토되었다.

The advancement of digital technology accelerates intelligence, convergence, and demands better change beyond traditional methods in all aspects of business models and technologies, infrastructure, processes, and platforms. Risk management is becoming more important because of various security risks, depending on the changing business environment and aligned to business goals is emerging from the existing information asset based risk management. For business aligned risk management, it is essential to understand the risk appetite for achieving business goals, which provides a basis for decision-making in subsequent risk management processes. In this paper, we propose a framework for analyzing the risk management framework, pre - existing risk analysis, and protection motivation theory that influences decisions on security risk management. To examine the practical feasibility of the developed risk appetite framework, we reviewed the applicability and significance of the proposed risk appetite framework through an advisory committee composed of security risk management specialists.

키워드

DJTJBT_2019_v17n1_141_f0001.png 이미지

Fig. 1. Shifting the Risk Conversation

DJTJBT_2019_v17n1_141_f0002.png 이미지

Fig. 2. Framework for Measuring Security Risk Appetite

Table 1. Definition of Risk Appetite

DJTJBT_2019_v17n1_141_t0001.png 이미지

Table 2. Key Domain & Factor of Security Risk Appetite

DJTJBT_2019_v17n1_141_t0002.png 이미지

Table 3. Focus Group Interview Members

DJTJBT_2019_v17n1_141_t0003.png 이미지

Table 4. Review of Framework for Measuring of Security Risk Appetite using FGI

DJTJBT_2019_v17n1_141_t0004.png 이미지

참고문헌

  1. J. D. Kim & C. G. Jin. (2016). International Standardization Trends and Issues of Cyber Resilience, Review of KIISC, 26(4), 11-15.
  2. Cybersecurity as a Growth Advantage. (2016). San Jose:CISCO.
  3. A new posture for cybersecurity in a networked world. (2018). New York:Mckinsey.
  4. COSO ERM Integrating with Strategy and Performance. (2017). California:COSO.
  5. G. Stoneburner, A. Goguen & A. Feringa. (2002). Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology. Gaithersburg:NIST.
  6. M. E. Whitman. (2003). Enemy at The Gate: Threats to Information Security. Communications of the ACM, 46(8), 91-95. https://doi.org/10.1145/859670.859675
  7. Achieving Resilience in the cyber ecosystem. (2014). London:Ernst & Young.
  8. Risk management 31000. (2018). ISO, Switzerland, ISBN 978-92-67-10784-4.
  9. ISO/IEC. ISO/IEC 27005:2014. (2014). Geneva:ISO.
  10. W. S. Kim & J. H. Min. (2018). A Practical Approach to Measuring the Risk Attitudes of Individual Investors. Journal of the Korean Operations Research and Management Science Society, 43(1), 1-19. https://doi.org/10.7737/JKORMS.2018.43.1.001
  11. J. G. March & Z. Shpira. (1987). Managerial Perspectives on risk and risk taking. Management Science, 33(11), 1404-1418. https://doi.org/10.1287/mnsc.33.11.1404
  12. C. E. Irwin Jr. (1993). Adolescence and risk taking: How are they related. Thousand Oaks:SAGE Publications.
  13. S. H. Joung & M. K. Shin. (2011). A Study on the Related Variables to Financial Risk Tolerance and the Ratio of Risky Asset Possession. Financial Planning Review, 4(4), 1-20.
  14. The Gartner Strategic Risk Evaluation Approach for Digital Business. (2014). Stamford:Gatner.
  15. B. Richard. (2016). Risk appetite - How hungry are you?. London:PwC.
  16. Risk appetite frameworks How to spot the genuine article. (2014). New York:Deloitte.
  17. P. Mukul. (2013). What Is Your Risk Appetite?. Illinois:ISACA.
  18. S. H. Jang & E. J. Yoon. (2016). A Comparative Study on the Awareness of Health Risks and the Risk Reduction Measures Related to Sodium Intake between Female and Male University Students in Busan and Gyeongnam : An Application of Protection Motivation Theory. Korean Journal of Food and Cookery Science, 32(1), 136-146. https://doi.org/10.9724/kfcs.2016.32.1.136
  19. R. W. Rogers. (1983). Cognitive and psychological processes in fear appeals and attitude change: A revised theory of protection motivation. Social psychophysiology: A sourcebook, 153-176.
  20. H. J. An, J. Y. Jang & B. S. Kim. (2015). Factors Drawing Members of a Financial Institution to Information Security Risk Management. Information Systems Review, 17(3), 39-64. https://doi.org/10.14329/isr.2015.17.3.039
  21. Y. M. Song & S. H. Kim. (2012). A Study on the Impact of the Security Risk Management Awareness Management in the Organization. Korean Association Of Industrial Business Administrarion, 425-440.
  22. David L. Morgan. (2007). Foucs groups as qualitative research. Seoul:KOONJA.
  23. D. Cabrera, J. T. Mandel & J. P. Andras. (2008). What is the crisis? efining and prioritizing the world's most pressing problems. Front Ecol Environ, 6(9), 469-475. https://doi.org/10.1890/070185