
A Risk Management Model for Efficient Domestic Information Technology Security  

Ahn, Choon-soo (Department of Industrial Engineering, Dongguk University)
Cho, Sung-Ku (Department of Industrial Engineering, Dongguk University)
Publication Information
Journal of the Korean Institute of Industrial Engineers, vol. 28, no. 1, 2002, pp. 44-56
Abstract
For risk analysis and risk assessment techniques to be applied effectively to information technology (IT) security, the required activities, the specific techniques to be applied, and their order of application must be determined through a proper risk management model. If the adopted risk management model does not match the characteristics of the host organization, security will be managed inefficiently. In this paper, a risk management model that is well adapted to Korean domestic IT environments is proposed for efficient IT security management. The structure and flow of existing IT-related risk management models are compared and analysed, and their common and strong characteristics are extracted and incorporated into the proposed model in light of the threat types typically observed in Korean IT environments.
Keywords
risk management; risk analysis & assessment; information technology security management