Study on SBOM (Software Bill Of Materials) adoption in domestic companies: Focusing on the moderating effect of management support and institutional support

  • Ryu Han Min (Department of Business Administration, Graduate School, Hanyang University) ;
  • Lee Sin-Bok (Assistant Professor, Dept. of Business Administration, Nazarene University)
  • Received : 2024.03.04
  • Accepted : 2024.04.20
  • Published : 2024.05.31

Abstract

With the development of ICT, software has become essential for organizations to exchange information and manage operations. However, the security and software management issues that have grown alongside ICT need to be addressed continuously. In 2021, the U.S. government standardized and institutionalized SBOM as one of its countermeasures for software security. This research was initiated to lay the groundwork for the introduction of SBOM in Korea. Based on the effects of SBOM characteristics on adoption intention, we tested management support and institutional support as moderating variables. As a result, security management was found to be a significant moderating variable for management support, and transparency was found to be a significant moderating variable for government institutional support. This study verified that SBOM adoption requires both corporate and government efforts, and that the variables that matter from each perspective are different. We hope that this study will contribute to the development and adoption of SBOM.
