
Improvement of Information Security Management System Evaluation Model Considering the Characteristics of Small and Medium-Sized Enterprises

중소기업의 특성을 고려한 정보보호 관리체계 평가 모델 개선

  • 김이헌 (Chungbuk Science and Technology Innovation Institute) ;
  • 김태성 (Department of Management Information Systems, Chungbuk National University / Security Economics Research Institute)
  • Received : 2021.12.06
  • Accepted : 2021.12.30
  • Published : 2022.02.28

Abstract

Although more than 99% of all Korean companies are small and medium-sized enterprises (SMEs), which account for a large part of the national economy, they have difficulty securing information protection capabilities because of constraints such as budget and manpower. At the same time, 97% of cyber incidents are concentrated in SMEs, so strengthening the information protection management and response capabilities of SMEs is urgent. Although the government is promoting company-wide information security consulting for SMEs, the need to supplement its procedures and consulting items has been raised. Based on the results of the government-supported information security consulting conducted in 2020, this study attempted to derive improvement plans by interviewing SME workers, information security consultants, and system operators. The results are expected to provide a basis on which SMEs can check their information security management systems autonomously and to serve as a reference for related policies.

Acknowledgement

This paper was supported by the Chungbuk National University National University Development Project (2021).
