• Journal of Digital Contents Society
• /
• v.19 no.8
• /
• pp.1515-1525
• /
• 2018

Security threats in the 4th Industrial Revolution have expanded to the issue of safety, but the environment for information security of domestic companies is still at a low level. This study aims to propose policy implications by empirically analyzing factors affecting investment intention. We investigated the state of information security and protection behavior and expanded UTAUT to investigate correlations. The results showed that information assets affect facilitating conditions, and perceived and new concerns have impacts on social influence. Social influence affect experience and habits, but the impact on security investment intentions was rejected. Facilitation conditions, previous experiences and habits have great influences on investment intention, new service security investment intention. The influence of perceived and new concern are low or rejected. There are moderating effects between types of business, size, security organization, experience of infringement, security personnel ratio, and personal information collection. This study will help to establish policies for enhancing the level of information security.

• Information Systems Review
• /
• v.22 no.2
• /
• pp.201-217
• /
• 2020

Information security is an essential element not only to ensure the operation of the company and trust with customers but also to mitigate uncertain damage by preventing information data breach. Therefore, It is important to select appropriate information security countermeasures and determine the appropriate level of investment. This study presents a decision support model for the appropriate investment amount for each countermeasure as well as an optimal portfolio of information countermeasures within a limited budget. We analyze statistics on the types of information security breach by industry and derive an optimal portfolio of information security countermeasures by using genetic algorithms. The results of this study suggest guidelines for investing in information security countermeasures in various industries and help to support objective information security investment decisions.

• Journal of Intelligence and Information Systems
• /
• v.26 no.3
• /
• pp.37-50
• /
• 2020

Information security has become an important issue in the world. Various information and communication technologies, such as the Internet of Things, big data, cloud, and artificial intelligence, are developing, and the need for information security is increasing. Although the necessity of information security is expanding according to the development of information and communication technology, interest in information security investment is insufficient. In general, measuring the effect of information security investment is difficult, so appropriate investment is not being practice, and organizations are decreasing their information security investment. In addition, since the types and specification of information security measures are diverse, it is difficult to compare and evaluate the information security countermeasures objectively, and there is a lack of decision-making methods about information security investment. To develop the organization, policies and decisions related to information security are essential, and measuring the effect of information security investment is necessary. Therefore, this study proposes a method of constructing an investment portfolio for information security measures using game theory and derives an optimal defence probability. Using the two-person game model, the information security manager and the attacker are assumed to be the game players, and the information security countermeasures and information security threats are assumed as the strategy of the players, respectively. A zero-sum game that the sum of the players' payoffs is zero is assumed, and we derive a solution of a mixed strategy game in which a strategy is selected according to probability distribution among strategies. In the real world, there are various types of information security threats exist, so multiple information security measures should be considered to maintain the appropriate information security level of information systems. We assume that the defence ratio of the information security countermeasures is known, and we derive the optimal solution of the mixed strategy game using linear programming. The contributions of this study are as follows. First, we conduct analysis using real performance data of information security measures. Information security managers of organizations can use the methodology suggested in this study to make practical decisions when establishing investment portfolio for information security countermeasures. Second, the investment weight of information security countermeasures is derived. Since we derive the weight of each information security measure, not just whether or not information security measures have been invested, it is easy to construct an information security investment portfolio in a situation where investment decisions need to be made in consideration of a number of information security countermeasures. Finally, it is possible to find the optimal defence probability after constructing an investment portfolio of information security countermeasures. The information security managers of organizations can measure the specific investment effect by drawing out information security countermeasures that fit the organization's information security investment budget. Also, numerical examples are presented and computational results are analyzed. Based on the performance of various information security countermeasures: Firewall, IPS, and Antivirus, data related to information security measures are collected to construct a portfolio of information security countermeasures. The defence ratio of the information security countermeasures is created using a uniform distribution, and a coverage of performance is derived based on the report of each information security countermeasure. According to numerical examples that considered Firewall, IPS, and Antivirus as information security countermeasures, the investment weights of Firewall, IPS, and Antivirus are optimized to 60.74%, 39.26%, and 0%, respectively. The result shows that the defence probability of the organization is maximized to 83.87%. When the methodology and examples of this study are used in practice, information security managers can consider various types of information security measures, and the appropriate investment level of each measure can be reflected in the organization's budget.

• 한국IT서비스학회:학술대회논문집
• /
• 2003.11a
• /
• pp.550-557
• /
• 2003

최근 정보보호의 중요성에 대한 인식이 확산되고 있음에도 불구하고 정보보호에 관한 적절한 투자가 이루어지지 못하고 있다. 이는 전 세계적인 경제 불황이라는 원인도 있겠지만, 정보보호 예산 편성에 대찬 제도적 장치 및 절차가 미흡하여 정보보호에 대한 요구사항이 적절하게 반영되지 못하는 구조적인 문제를 가지고 있다. 미 정부에서는 정보보호 예산편성을 체계적으로 수립하도록 여러 법규와 지침이 작성되어 현재 수행 중에 있는 반면, 국내에서는 예산편성지침에 정보보호 관련 예산편성에 대한 지시는 있으나 구체적인 방법 제시나 지침이 존재하지 않고 있다. 본 연구에서는 미국의 전자정부의 출범에 따른 정보기술 예산 편성과 관련된 미 연방정부정보보호관리법(FISMA) 및 관련 법규를 검토하고 자본계획 및 투자통제프로세스를 통한 정보보호 예산 편성 과정을 분석하고자 한다. 또한 국내 정부의 예산편성 과정을 미국의 경우와 비교 분석함으로써 보다 효과적인 정보보호 예산 반영을 위한 제도적 방안 및 지침 수립을 위한 시사점을 제공하고자 한다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.5
• /
• pp.919-929
• /
• 2014

Recently, organizational efforts to adopt ISMS(Information Security Management System) have been increasingly mandated and demanded due to the rising threat and the heavier cost of security failure. However there is a serious gap between awareness and investment of information security in a company, hence it is very important for the company to control effectively a variety of information security threats within a tight budget. To phase the ISMS, this study suggests the priorities based on evaluating the Importance of 13 areas for the ISMS by the information security experts and then we attempt to see the difference between importance and investment through the assessment of the actual investment in each area. The research findings show that intrusion incident handling is most important and IT disaster recovery is the area that is invested the most. Then, information security areas with the considerable difference between priorities of importance and investment are cryptography control, information security policies, education and training on information security and personnel security. The study results are expected to be used in making a decision for the effective investment of information security when companies with a limited budget are considering to introduce ISMS or operating it.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.20 no.6
• /
• pp.261-270
• /
• 2010

As the usage of social network service(SNS) increases recently, great attention has been shown to the information security in SNS. However, there has been little investment in SNS environment for security while preferential investment to attract subscribers has been made so far. Moreover, there is still a lack of confidence for investment effect and an absence of framework to analyze the threat factors of information security in SNS. In this paper, we propose to model for decision-making standard of SNS information security investment by the AHP. The result shows that 'service image' is the most important criterion for the decision of SNS information security. It also shows that 'Profile-squatting and reputation slander through ID thefts' and 'Corporate espionage' are important threat factors in SNS information security.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2007.05a
• /
• pp.1125-1128
• /
• 2007

보안 취약성이 끊임없이 보고되고 있다. 이는 보안솔루션의 초기 효과수준을 유지하기 위해서는, 새로운 취약성이 보고되면 즉시 대처하는 지속적 관리활동이 필요함을 뜻한다. 한편 기업성과 개선을 위한 IT투자성과관리가 강조되는 가운데, 정보보호 솔루션 도입 시 재무적 타당성 증명이 요구되고 있다. 이를 위해 여러 형태의 ROSI(Security ROI)가 제시되었으나, 지속적 보호활동에 따른 관리비용이 중요하게 다루어져야 함에도 불구하고 비용에 대한 고려가 적고 효과산정에만 치우쳐, 경영자의 의사 결정을 지원하는 실제적인 재무 성과지표로 활용될 수 없었다. 이에 본 논문은 조직수준의 비용효과 최적화를 추구하는 정보보호 관리체계에 기반을 두어 효과를 산정하고, 비용 산정은 지속적 관리활동이라는 특징을 반영하여 TCO에 기반을 둔 개선된 ROSI를 제안한다. 또한, 제안한 ROSI를 활용한 보안솔루션 평가사례를 제시한다. 증명이 어려운 정보보호 분야 투자타당성 증명은 물론 보안솔루션 선택 시 실제적인 의사결정 판단근거로서 활용될 수 있다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2018.10a
• /
• pp.304-307
• /
• 2018

과거부터 기업의 정보보호 위험 관리에 대한 중요성은 계속해서 강조되었고 많은 투자도 이루어졌지만 RRO(투자 대비 위험 감소)에 대한 효과가 미흡한 주된 이유는 기술적, 물리적, 관리적 정보보호가 융합되지 못하는 것이다. 정보보호 프레임워크는 개별 정보보호 활동에 대한 공유로서 세 가지 정보보호 요소를 융합할 수 있는 환경을 제공하고 기업 환경에서 발생하는 위험 요소를 시각적으로 표현함으로써 체계적인 정보보호 위험 관리 활동을 장려한다. 본 논문에서는 이러한 환경을 구현하기 위한 필수 요소인 프레임워크 내 데이터 구조에 관한 연구를 통해 효율적인 정보보호 프레임워크를 구성하려는 기업들에 방향성을 제시한다.

• Information Systems Review
• /
• v.25 no.4
• /
• pp.27-45
• /
• 2023

The importance of information security has grown alongside the development of information and communication technology. However, companies struggle to select suitable countermeasures within their limited budgets. Sönmez and Kılıç (2021) proposed a model using AHP and mixed integer programming to determine the optimal investment combination for mitigating information security breaches. However, their model had limitations: 1) a lack of objective measurement for countermeasure efficacy against security threats, 2) unrealistic scenarios where risk reduction surpassed pre-investment levels, and 3) cost duplication when using a single countermeasure for multiple threats. This paper enhances the model by objectively quantifying countermeasure efficacy using the beta probability distribution. It also resolves unrealistic scenarios and the issue of duplicating investments for a single countermeasure. An empirical analysis was conducted on domestic SMEs to determine investment budgets and risk levels. The improved model outperformed Sönmez and Kılıç's (2021) optimization model. By employing the proposed effectiveness measurement approach, difficulty to evaluate countermeasures can be quantified. Utilizing the improved optimization model allows for deriving an optimal investment portfolio for each countermeasure within a fixed budget, considering information security costs, quantities, and effectiveness. This aids in securing the information security budget and effectively addressing information security threats.

• Proceedings of the KAIS Fall Conference
• /
• 2010.05b
• /
• pp.720-723
• /
• 2010

정보기술에 대한 투자규모는 날로 증가하고 있다. 국내 공공 부문의 경우에도 전자정부 구현 등을 위한 다양한 사업으로 인해 투자가 지속적으로 증가하고 있다. 이런 정보화 투자의 증대에도 불구하고 정보화의 효과에 대해서는 아직도 많은 의문이 제기되고 있다. 특히 S/W 취약성으로 인해 보안 침해사고가 발생하고, 정보화 관련 법제도 미흡으로 보안강화 노력이 강구되지 못하였으며 국가정보화의 새로운 틀이 마련되는 시점에서 법제도의 정비가 필요해졌다. 이러한 부분을 보완하고자 정보보호관리(Information Security Management : ISM)라는 제도를 분석한 프레임워크가 개발되었고, 본 논문은 이를 활용하여 국외 정보보호관리 제도 및 정책을 분석하고자 한다. ISM은 주체별로 역할과 책임을 명확하게 하고, 정보화의 목표를 조직목표에의 기여로 정하여 체계적으로 추진하되, 정보보호 보안 프로그램의 적합성과 구현 및 평가/개선을 하려는 핵심추진 노력이 필요하고, 아울러 이런 노력은 현재의 모습에 만족하지 말고 보다 나은 대안과 효과적 수단을 지속적으로 강구하려는 자세 등이 주요한 특징에 속한다. 본 논문을 통하여 분석된 국외 정보보호관리 제도 및 정책은 향후 우리나라의 정보보호관리 제도 및 정책에 상당한 영향을 미칠 것으로 기대된다.