• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.31 no.6
• /
• pp.1261-1266
• /
• 2021

Existing information security risk assessment methods focus on evaluating the vulnerability of information assets. However, when the form of information assets changes and new types of information assets emerge, there is a limitation in that the evaluation standards for them are also added or deleted. Existing methods have insufficient research on the path through which cyber threats are introduced. In particular, there is very little research on blocking the inflow path for web-based information systems with public IPs. Therefore, this paper introduces the main research contents of the BDLA (Blockade and Defense Level Analysis)-based information security risk assessment model. In addition, by applying the BDLA-based information security risk assessment model, the information security risk level was studied by measuring the blockade level and security equipment level of 17 public institutions.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.18 no.5
• /
• pp.161-170
• /
• 2008

Despite the recent growth in size and frequency of damages caused by illegal information breaches, current business counter-measures and precautionary systems are greatly limited. Some major companies have developed Information Security Management Systems (ISMS) to safeguard their vital information; however, such measures are largely based on the ISO27001 and lacks in many aspects to grasp the holistic corporate security level and reinforce precautionary measures. The information protection level evaluation model introduced in this paper is a pragmatic evaluative tool that can be utilized to devise effective corporate information security precautionary measures and countermeasures, based on the BSC (Balanced ScoreCard) method for an actual and realistic corporate information security level evaluation possible.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.4
• /
• pp.855-861
• /
• 2017

Gordon & Loeb[1] suggested that the optimal level of investment decision of an enterprise is the point that the marginal benefit(MB) of information security investment is equal to the marginal cost(MC). However, many companies suffering from information security incidents are not aware of the fact that they are experiencing information security accidents and can not measure how much they are affected. In this paper, I propose a model of information security investment decision making under the incomplete information situation by modifying the Gordon & Loeb[1] model and compare the differences in investment level. Under the incomplete information situation the expected return from the information security investment tends to be lower than that of actual information security investment, and the level of investment is also less. This shows that if a third party such as the government gives accurate information such as the rate of incidents of information security accidents and the amount of damages, companies can expand their investment in information security.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.4
• /
• pp.821-834
• /
• 2019

As cyber security threats increase, there is a growing demand for highly reliable systems. Common Criteria, an international standard for evaluating information security products, requires formal specification and verification of the system to ensure a high level of security, and more and more cases are being observed. In this paper, we propose highly reliable drone systems that ensure high level security level and trust. Based on the results, we use formal methods especially Z/EVES to improve the system model in terms of scheduling in the system kernel.

• Journal of Advanced Navigation Technology
• /
• v.13 no.1
• /
• pp.113-119
• /
• 2009

In this study we analyzed and gauged the information security needs for the new IT service which will be proceeding. Then we designed Information Security Rank Authentication System to raise the level of information security. To achieve this study, we analyzed rank authentication system of the inside and outside of the country and developed the practical propulsive system and the evaluation model which reflects IT service's own feature differing from the general evaluation of IS information security. The result of this study can be utilized to assess the level of domestic IT service information security objectively, and it can be applied as the means of rational decisionmaking for establishing a policy to raise degree of information security of corporations providing IT service.

• Proceedings of the Korea Institutes of Information Security and Cryptology Conference
• /
• 2001.11a
• /
• pp.102-110
• /
• 2001

대부분의 해킹 공격은 공격 대상 프로그램의 소스코드 보안취약점에 의해서 발생하지만 프로그램 개발시에 소스코드 보안성에 대해서는 고려되지 않았다. 이러한 문제점으로 인하여 해킹 공격의 근본적인 원인을 해결할 수 없었다. 본 논문에서는 취약점의 원인이 되는 코드를 컴파일시 생성된 어셈블리 코드 수준에서 탐지하는 방법을 제시하고자 한다. 취약한 코드를 컴파일러 수준에서 점검하는 것보다 어셈블리 코드 수준에서 점검하는 것은 어느 정도의 메모리 영역까지 점검할 수 있어 더 정확하다.

• Review of KIISC
• /
• v.11 no.5
• /
• pp.63-77
• /
• 2001

최근 인테넷을 이용한 각종 해킹 및 사이버 범죄가 크게 증가하고 있으나, 아직까지 공격의 주범인 해커들의 수준을 파악하지 못한 상황이다. 과거에 해커 분류를 시도한 경우가 있었지만 적용한 분류 기준은 대부분 해커들의 행동 양식이었다. 이에 본 문서에서는 해킹 수행 코드(exploit code)를 작성할 수 있는 가의 여부를 바탕으로 해커의 능력을 분류하고 그들이 사용할 수 있는 해킹 기법과 그 수준을 확인해 보도록 한다. 이러한 해커의 수준에 따른 해킹 기법 분류를 기반으로 내부망의 보안성 평가에 활용할 수 있을 것이다.

• Journal of the Korea Computer Industry Society
• /
• v.3 no.9
• /
• pp.1315-1328
• /
• 2002

Recently there has been increasing demand on developing methodologies and tools for measuring the information security level of organizations for the efficient security management, as the growth of security incidents. However, most methodologies from foreign countries are not realistic in constructing the checklists, moreover their tools provide neither the ease of use nor the inexpensiveness, and most domestic works are not properly considering the characteristics of the organizations. In this study, based on the recently developed standard for information security management, an information security levelling tool is designed and implemented which can be used before building an information security management system while considering the characteristics of organizations more efficiently. The efficiency comes from applying multiple variable weights for security levelling according to the characteristics of organizations.

• Journal of Korean Society of Forest Science
• /
• v.105 no.4
• /
• pp.472-485
• /
• 2016

The main purpose of this research was to develop a multi-level evaluation framework for the management effectiveness of the Forest Genetic Resources Reserve (FGRR) at both the system level and the site level. The initial system level Management Effectiveness Evaluation (MEE) framework for FGRR was developed based on the MEE Framework designed by IUCN WCPA and MEE framework for Korean National Parks that was designed jointly by IUCN, the Korean Ministry of Environment, and the Korea National Park Service. Several indicators were added or modified considering characteristics of the FGRR. The final system level MEE frameworks consisted of 6 categories with total of 39 criteria and 42 indicators based on expert survey results. The initial site-level MEE framework was developed based on the site level MEE framework for Korean National Parks that was designed jointly by IUCN, the Korean Ministry of Environment, and the Korea National Park Service. The final site level MEE framework consisted of 6 categories with total of 16 criteria and 40 indicators based on both an expert survey and an intensive workshop with the officers in charge of managing the FGRR from the Korea Forest Service and local governments.

• Convergence Security Journal
• /
• v.20 no.4
• /
• pp.187-196
• /
• 2020

In order to manage information security risk, various information security level evaluation and information security management system certification have been conducted on a larger scale than ever. However, there are continuous cases of infringement of information protection for companies with excellent information security evaluation and companies with excellent information security management system certification. The existing information security risk management methodology identifies and analyzes risks by identifying information assets inside the information system. Existing information security risk management methodology lacks a review of where cyber threats come from and whether security devices are properly operated for each route. In order to improve the current risk management plan, it is necessary to look at where cyber threats come from and improve the containment level for each inflow section to absolutely reduce unnecessary cyber threats. In addition, it is essential to measure and improve the appropriate configuration and operational level of security equipment that is currently overlooked in the risk management methodology. It is necessary to block and enter cyber threats as much as possible, and to detect and respond to cyber threats that inevitably pass through open niches and use security devices. Therefore, this paper proposes additional evaluation items for evaluating the containment level against cyber threats in the ISMS-P authentication items and vulnerability analysis and evaluation items for major information and communication infrastructures, and evaluates the level of security equipment configuration for each inflow.