I. INTRODUCTION
We live in a society in which anything can be connected, anytime and anywhere, with the touch of a finger. People are connected to people, people to things, and things to things. Artificial intelligence and big data analytics combined with the IoT bring remarkable innovation and change, and this change is made possible above all by data. In recent years the paradigm of the global economy has shifted to the data economy, a system that creates new added value from data assets. Data is a core resource that enables innovation in every area, including big data, artificial intelligence, autonomous vehicles, smart factories and smart healthcare, and among data, personal data is a key asset of the data-driven economy. To secure the initiative in the data-driven economy, Korea revised the Privacy Act in January 2020 to ensure both the use and the protection of personal data [1]. These changes in the environment require data subjects to find a new balance that advances the data economy without losing control over their personal data, and call for win-win strategies for data subjects, data controllers and data users alike.
To achieve this, data subjects, data controllers and data users all need a way to manage personal data securely. However, the more personal data is used, the higher the risk of personal data infringement. State agencies and private companies make ever greater use of personal data, whether to handle complaints or to pursue revenue through marketing, and the risk of infringement grows accordingly because of the lack of awareness or the mistakes of personal data handlers. According to the Korea Internet Agency, about 159,255 personal data infringement reports were received in 2019, and cases of personal data leakage and abuse have continued to increase in recent years [2]. Such incidents cost companies legal disputes and damage to corporate credit, while at the individual level personal data is used indiscriminately, so cases of damage such as invasion of privacy and phishing are increasing. To reduce the damage caused by such careless handling of personal data, the government continuously strengthens public relations aimed at changing awareness of personal data protection and is committed to securing the personal data managed by public institutions. Institutions and companies have long recognized the importance of protecting personal data and, to manage it continuously, have introduced certification of personal data management systems such as ISMS-P (Personal Information and Information Security Management System) [3] and ISO27002 [4] to build a risk management system.
However, even when a systematic personal data protection management system is established at the organizational level, it becomes a serious problem when an incident occurs because some members of the organization neglect the management of personal data, lack awareness, or leak personal data intentionally. Theory-based education and paper-based personal data breach response training do little to raise awareness among members of the organization. In this paper we design and propose a framework for assessing responsiveness to personal data breaches based on Capture-the-Flag. Capture the Flag (CTF) is a game in which participants solve problems composed of complex scenarios, and it is a useful way to address many problems in engineering or convergence fields [5]. The problem-solving scenarios are designed using the various types of privacy breaches that have occurred over the past five years, as well as indicators from ISMS-P and ISO29151 [6]. The framework for evaluating personal information infringement response based on Capture-the-Flag is an educational design intended to help anyone easily detect signs of personal data infringement and to increase the ability to respond quickly to incidents. In this research we present the design of a personal data leakage response training platform that analyzes the processing patterns of personal data managed by the organization, detects signs of abnormality, and allows personal data leakage and abuse to be handled easily in advance. To design such a framework, we first identify the risks that may arise in connection with personal data leakage and the root causes that can give rise to them. We then define the important risk factors and describe how to create important risk indicators that can be managed by quantifying those risk factors.
In particular, by giving examples of the main risk indicators related to the leakage of personal data and presenting them so that problems can be solved for each processing step and level of difficulty, we present a method by which an organization's technical and managerial protective measures for personal data protection can be implemented as a concrete system.
II. THEORETICAL BACKGROUND
2.1. Classification of Personal data
Personal data, as defined in the Personal Data Protection Act, refers to information about a living person that can identify that individual, such as a name, social security number or video, either on its own or when easily combined with additional information. Personal data is classified into four stages, as shown in Table 1, by evaluating whether the person is identified and the risk of infringement [7].
Table 1. The classification of personal data.
2.2. ISO/IEC29151 & ISMS-P
ISO/IEC29151 [9] defines control objectives, controls and control guidelines, based on ISO/IEC 27002, to meet the requirements identified by the risk and impact assessment associated with the protection of personally identifiable information. It applies to public and private companies, government agencies and non-profit organizations that process personal information. The Personal Information and Information Security Management System (ISMS-P) [10] is a system adapted to Korea based on the international standards ISO27001 and ISO29151; under it, the Korea Internet & Security Agency examines and certifies that an organization's personal information protection and information management system is properly established and operated.
Table 2. Check list of ISMS-P & ISO29151.
2.3. Process for responding to infringement of personal data
In the event of a personal data breach, respond step by step as shown in Figure 1 [11].
Fig. 1. Process for responding to infringement of personal data.
2.4. Analysis of Personal Data Infringement Cases
The major personal data infringement incidents from 2018 to 2020 are shown in Table 3. Most were found to have been caused by poor management and a lack of awareness on the part of personal information handlers.
Table 3. Infringement of Personal data (2018-2020).
2.5. Limitations of Related Research
So far, various curricula and simulations have been conducted to prevent the leakage and outflow of personal data from state agencies, and many have been applied at the corporate level. However, because this education has been one-sided and centered on legal compliance and theory, awareness of personal information handling has remained low and the personal information handler has always been at risk of causing an infringement. Simulated response exercises based on virtual scenarios involve only some of the agencies and personnel who hold personal information, so many personal information handlers do not understand the procedures for responding to personal information infringement and cannot handle incidents quickly. To overcome this, this study proposes the design of a framework for assessing responsiveness to personal data breaches based on Capture-the-Flag.
III. DATASET ANALYSIS AND PLATFORM DESIGN PROPOSAL
3.1. Design of framework based on Capture-the-Flag
A framework for assessing responsiveness to personal data breaches based on Capture-the-Flag is proposed as shown in Figure 2. The proposed framework is divided into levels 1 to 3 by difficulty. Level 1 consists of lower-level questions that measure basic concepts such as the definition of personal data and general legislation. Level 2 is designed as a virtual environment in which management methods and the technical, administrative and physical security measures for systems that collect personal data can be practiced, helping participants understand the personal data processing process at an intermediate level. Level 3 focuses on developing the ability to respond quickly to various personal information breaches at the top level. This level is designed as a problem-solving method for learning how to take high-level action on the defect findings measured by standard indicators such as ISMS-P, ISO27001 and ISO29151.
Fig. 2. Design of framework for assessing responsiveness to personal data breaches based on Capture-the-Flag.
All the problems at a level must be solved before a participant can move on to the next level; participants who do not pass must study online education courses and guides, and receive feedback. Ranking is based on completion time. Across all levels the overall score and ranking can be checked, and the evaluation results can be checked and printed by item.
3.2. Measurement Item Classification and Metrics by Level
The problem types of the personal information infringement response assessment platform, which uses a problem-solving approach, are shown in Table 4, and the composition is divided by difficulty level. Data on each case were collected and analyzed from the casebook published by the Personal Information Protection Commission (2012-2018) [15] and the casebook of personal information protection evaluations from 2013 to 2017 [16]. Defect cases from the results of ISMS-P [17] certification reviews of local governments were classified as cases and designed as problems to solve [18]. Each question is worth one point, and the measurement methods are multiple choice and practical.
Table 4. Measurement item classification and metrics by level
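The platform rules stated in Sections 3.1 and 3.2 (every question at a level must be solved before the next level opens, feedback to study guides on a wrong answer, one point per question, ranking by completion time, and a per-item result sheet) as an added Python example. This is not the paper's code: the question bank, guide names and flag values are constructed sample data, and storing answers as salted-free SHA-256 hashes with a constant-time comparison is a design choice made here, not something the paper describes.

```python
import hashlib
import hmac
import math
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Challenge:
    qid: str
    level: int          # 1 = basic concepts, 2 = practice environment, 3 = incident response (Sec. 3.1)
    kind: str           # "multiple_choice" or "practical" (Sec. 3.2); each question is worth one point
    answer_sha256: str  # answers/flags are stored only as hashes, never in plaintext
    study_guide: str    # feedback material pointed to when an answer is wrong


def hash_flag(flag):
    """Normalise (strip, lower-case) and hash an answer; applied identically to stored answers and submissions."""
    return hashlib.sha256(flag.strip().lower().encode("utf-8")).hexdigest()


# Constructed sample question bank; the paper's own question bank is not on the page.
SAMPLE_CHALLENGES = [
    Challenge("L1-Q1", 1, "multiple_choice", hash_flag("B"), "Guide: definition of personal data"),
    Challenge("L1-Q2", 1, "multiple_choice", hash_flag("C"), "Guide: general legislation"),
    Challenge("L2-Q1", 2, "practical", hash_flag("FLAG{sample-level2}"), "Guide: technical safeguards"),
    Challenge("L3-Q1", 3, "practical", hash_flag("FLAG{sample-level3}"), "Guide: breach response process"),
]


@dataclass
class Participant:
    name: str
    solved: set = field(default_factory=set)  # qids answered correctly (one point each)
    finished_at: float = math.inf             # elapsed seconds when the last level was cleared


class Platform:
    def __init__(self, challenges):
        self.challenges = {c.qid: c for c in challenges}
        self.levels = sorted({c.level for c in challenges})
        self.participants = {}

    def level_passed(self, p, level):
        """A level is passed only when every one of its questions has been solved."""
        return all(q in p.solved for q, c in self.challenges.items() if c.level == level)

    def unlocked_level(self, p):
        """The level a participant may attempt: the lowest level not yet fully solved (None when done)."""
        for level in self.levels:
            if not self.level_passed(p, level):
                return level
        return None

    def submit(self, name, qid, answer, elapsed):
        """Check one answer; returns whether it was accepted and, on failure, what to study."""
        p = self.participants.setdefault(name, Participant(name))
        c = self.challenges[qid]
        unlocked = self.unlocked_level(p)
        if unlocked is None or c.level > unlocked:
            return {"accepted": False, "reason": "level locked", "feedback": None}
        if qid in p.solved:
            return {"accepted": False, "reason": "already solved", "feedback": None}
        # constant-time comparison so the check does not leak how much of the hash matched
        if not hmac.compare_digest(hash_flag(answer), c.answer_sha256):
            return {"accepted": False, "reason": "wrong", "feedback": c.study_guide}
        p.solved.add(qid)
        if self.unlocked_level(p) is None:
            p.finished_at = elapsed  # all levels cleared; completion time drives the ranking
        return {"accepted": True, "reason": "correct", "feedback": None}

    def score(self, name):
        return len(self.participants[name].solved)

    def ranking(self):
        """Higher score first; among equal scores the faster completion time wins."""
        ordered = sorted(self.participants.values(), key=lambda p: (-len(p.solved), p.finished_at, p.name))
        return [(p.name, len(p.solved), p.finished_at) for p in ordered]

    def report(self, name):
        """Per-item result sheet that the platform can display or print."""
        p = self.participants[name]
        return [(c.qid, c.level, c.kind, c.qid in p.solved) for c in self.challenges.values()]


if __name__ == "__main__":
    pf = Platform(SAMPLE_CHALLENGES)
    print(pf.submit("alice", "L3-Q1", "FLAG{sample-level3}", 5))   # level locked
    print(pf.submit("alice", "L1-Q1", "A", 10))                     # wrong, feedback given
    for qid, ans, t in [("L1-Q1", "b", 20), ("L1-Q2", "C", 30),
                        ("L2-Q1", "FLAG{sample-level2}", 60), ("L3-Q1", "FLAG{sample-level3}", 90)]:
        pf.submit("alice", qid, ans, t)
    print(pf.ranking(), pf.report("alice"))
```

The gating check in `submit` is what enforces the "pass to advance" rule: a level 3 submission from a participant who has not cleared levels 1 and 2 is rejected before the answer is even compared, and a wrong answer returns the study guide rather than any hint about the expected value.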
IV. CONCLUSION
Various curricula and mock training have been conducted to prevent the leakage and outflow of personal data. Because this education has been one-sided and centered on legal compliance and theory, awareness of personal information handling has remained low and the personal information handler has always been at risk of causing an infringement. Simulated response training based on virtual scenarios is also conducted, but with only part of the agencies and personnel holding personal information participating. As a result, many personal information handlers cannot handle incidents quickly because they do not understand the procedures for responding to personal information infringement.
In this study we proposed the design of a CTF game-based personal information leakage response education platform that can analyze the processing patterns of personal information managed by the organization, detect anomalies, and handle leakage and abuse of personal information easily in advance. The platform focuses on understanding the possible risks associated with personal data breaches, identifying the root causes that induce risk, and strengthening the ability to resolve them independently. In particular, it is expected to help organizations and managers in charge of personal data protection by guiding and presenting the major risk indicators related to personal data leakage through a web-based platform, with problems organized by processing stage and level of difficulty. In future research we intend to build the proposed training platform and conduct empirical research on institutional personnel.
Acknowledgement
This work was supported by the Ministry of Education of the Republic of Korea and the National Research Foundation of Korea (NRF-2019S1A5C2A04083374).
References
- S. Kim. "Meanings and Tasks of the Three Revised Bills which Ease Regulations on the Use of Personal Information," Journal of Information and Security, vol. 20, no. 2, pp. 59-68, 2020. https://doi.org/10.33778/kcsa.2020.20.2.059
- Personal Information Protection Commission. "Annual Report on Personal Information." Personal Information Protection Commission, pp. 2-30, 2020.
- S. Oh, W. Jung, and N. Park. "A Study on the Improvement and Application of Information Protection Management System Model for the Application of State and Public Institutions," Journal of Academic Announcement of the Korean Information Science Association, vol. 19, no. 6, pp. 1162-1164, 2019.
- Georg Disterer. "ISO/IEC 27000, 27001 and 27002 for Information Security Management," Journal of Information Security, vol. 13, no. 4, pp. 92-100, 2013. https://doi.org/10.4236/jis.2013.42011
- H. Huang et al. "A differential game approach to planning in adversarial scenarios: A case study on capture-the-flag," 2011 IEEE International Conference on Robotics and Automation (ICRA), pp. 1451-1456, 2011.
- Kung A. et al. "A Privacy Engineering Framework for the Internet of Things," Law, Governance and Technology Series, vol. 17, no. 36, pp. 163-202, 2017. https://doi.org/10.1007/978-3-319-50796-5_7
- C. Park. et al. (full authors list) "Improvement of Personal Information Protection Level in the Military Using the Measurement of Disclosure Risk," Journal of Security Engineering, vol. 12, no. 6, pp. 581-596, 2015. https://doi.org/10.14257/jse.2015.12.06
- L. Leng. "Dynamic weighted discrimination power analysis: A novel approach for face and palmprint recognition in DCT domain," International Journal of Physical Sciences, vol. 5, no. 17, pp.2543-2554, 2010.
- International Organization for Standardization. "ISO/IEC 29151:2017." https://www.iso.org/standard/62726.html (Sep. 7, 2020)
- Korea Internet & Security Agency. "Personal Information & Information Security Management System." https://isms.kisa.or.kr/main/ispims/intro/ (Sep. 7, 2020)
- Seogwipo city, "Guidelines for Information Protection and Personal Information Management," Seogwipo city, vol. 1, pp. 5-242, 2020.
- Boan News. "Large-scale information leakage cases that caused havoc in 2018." https://www.boannews.com/media/view.asp?idx=75796 (Sep. 7, 2020).
- DongA Ilbo. "Anyone can see personal information recorded for quarantine purposes," https://www.donga.com/news/article/all/20200904/102787012/1 (Sep. 7, 2020).
- Halla-Ilbo. "I'm sorry to the citizens for exposing their personal information on tax returns," http://www.ihalla.com/read.php3?aid=1598407971690676048 (Sep. 7, 2020).
- Personal Information Protection Commission. "Casebook of rulings on matters concerning personal information protection of local governments." https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS079&mCode=D070020000&nttId=6159 (Sep. 7, 2020).
- Ministry of Public Administration and Security. "Personal Information Inspection and Administrative Action Casebook (2013-2017)," Ministry of Public Administration and Security, pp. 48-344, 2018.
- S. Oh, N. Park. "The Improvement of Information Protection Service Cost Model in Public Institution," Journal of the Korean Society of Information Technology, vol. 17, no. 7, pp. 123-131, 2019.
- S. Oh, N. Park. "Performance Analysis and Improvement for the Cost Model of Information Protection Service," Master's Thesis, Graduate School, Jeju National University, Jeju, pp. 27-41, 2020.