• Title/Summary/Keyword: Information Breach


Factors Affecting Information Breach Intention: Based on General Deterrence Theory and Rational Choice Theory (정보유출의도에 대한 영향요인: 일반 억제 이론 및 합리적 선택 이론을 기반으로)

  • Kim, June-Young; Kim, Tae-Sung
    • Journal of the Korea Institute of Information Security & Cryptology / v.27 no.6 / pp.1507-1517 / 2017
  • Generally, information breach incidents are thought to be caused by external hackers. However, both direct and indirect information breach incidents by insiders are more frequent than those by external hackers. They also account for more than half of all information breaches, so preparation against insider breaches is needed. In this study, based on General Deterrence Theory (GDT) and Rational Choice Theory (RCT), we integrated risk sensitivity and situational anxiety, which were studied in the field of traffic psychology, to construct a research model. The results of the analysis show that the impact of risk perceptions on the severity and certainty of perceived punishment was not statistically significant, but perceived benefits, situational anxiety, and the severity and certainty of perceived punishment were found to influence the information breach intention.

Empirical Investigation on Information Breach Effect on the Market Value of the Firm: Focused on Source and Long Term Performance (정보유출이 기업가치에 미치는 효과분석: 원천 및 장기성과)

  • Kwon, Sun Man; Han, Chang Hee
    • The Journal of Society for e-Business Studies / v.21 no.2 / pp.81-96 / 2016
  • This paper analyzes the impact of information breach on shareholder value by measuring the stock price reaction associated with the announcements of data breaches. The breach firms in the sample lost, on average, 1.3% of their market value, amounting to a loss of 98.9 million won within the two-day event period after the announcement. We examine the abnormal returns in various categories (i.e., source, type, size, etc.) of information breach. Although the market does not react significantly to the announcements of outside breaches, we find statistically significant market reactions to inside breaches. We estimate abnormal returns over the following 60 days. The mean 60-day cumulative abnormal return and BHAR (buy-and-hold abnormal returns) are both significantly far from zero. We conclude that there is a coherent market reaction following the announcement. The difference between the market reactions to IT firms and non-IT firms is statistically significant. But breach amount, firm size, and the year the breach occurred are not shown to be significant variables.

Information Security Investment and Security Breach: Empirical Study on the Reverse Causality (정보보호 투자와 침해사고의 인과관계에 대한 실증분석)

  • Shin, Ilsoon; Jang, Wonchang; Park, Heeyoung
    • Journal of the Korea Institute of Information Security & Cryptology / v.23 no.6 / pp.1207-1217 / 2013
  • This study utilizes raw data from "Research on the actual condition of firms' information security" of KISA (2010) and constructs a panel dataset to analyze the causal relationship between information security investment and security breach. Using the Difference in Difference estimation method, we find the following results. First, while the usual causality that information security investment reduces security breach is not supported, the reverse causality that security breach increases information security investment is well explained. Second, contrary to the conventional wisdom, firms in the finance/insurance business sector show the most significant reverse causality pattern.

Efficacy of Mobile Device Distribution Improvement Act: Long-term Contract and Cap Regulation on Breach Fee (약정 위약금 규제와 단말기 보조금 차별금지의 실효성)

  • Kim, Weonseek
    • Journal of Information Technology Services / v.15 no.1 / pp.81-96 / 2016
  • This study analyzes how a breach fee under a long-term contract and/or cap regulation on the breach fee can affect the impacts of the "Mobile Device Distribution Improvement Act" on handset bundle price, average revenue per unit (ARPU), and social welfare. We conduct a comparative analysis with an economic model of duopoly competition in price when users are under a long-term contract and the breach fee can be regulated. The results show that the Act lowers the equilibrium prices, lower than the incumbent price without the Act. The price of the non-dominant Mobile Network Operator (MNO) can be lower than the poaching price without the Act if a significant portion of the switching cost is breach fee or the market is significantly asymmetric. Under the significant circumstances, the Act can raise ARPU even though it improves social welfare. By contrast, the Act increases consumer surplus without affecting social welfare if the breach fee is the only source of the user's switching cost and is capped by the regulation, and a more symmetric market and a stronger cap lead to higher consumer surplus.

FAIR-Based Loss Measurement Caused by Personal Information Breach of a Company (FAIR를 통한 개인정보 유출에 따른 기업의 손해금액 산출에 대한 연구)

  • Kim, Jeong-Gyu; Lee, Kyung-Ho
    • Journal of the Korea Institute of Information Security & Cryptology / v.27 no.1 / pp.129-145 / 2017
  • This study proposes a methodology to estimate the financial damages caused by a company's personal information breach and to analyse risk systematically through a case study of a company that experienced a private information breach. Using the FAIR (Factor Analysis of Information Risk) model, it estimates the loss amount and objectively analyses the risk to a company from a personal information breach. This study estimates the adequacy and importance of the corresponding factors by applying AHP (Analytic Hierarchy Process) to each factor for assessing the loss amount. By adopting the methodology proposed in this study, the person in charge of actual work can assess and prove the loss amount through the latest risk estimation methodology. In addition, the person in charge can select the proper parameters for the corresponding company and can obtain an objective quantitative estimation. Hence it can be reported to the management by accurately assessing the loss amount caused by a personal information breach.

Analysis of Hydrograph by Dam Breach Shapes (댐 파괴형상에 따른 수문곡선 해석)

  • Park, Ki-Bum
    • Journal of Environmental Science International / v.16 no.4 / pp.487-493 / 2007
  • This study analyzes how dam breach shapes affect the peak discharge of a dam failure. The dam breach shape and failure time are important for the peak discharge when a dam fails. Failure times of 1 hr, 2 hr and 3 hr were used for the ECRD, and 0.1 hr and 0.2 hr for the CG and CFRD, with the breach shapes changed by base length $B_b=1Hd$, $B_b=2Hd$ and $B_b=3Hd$. According to the results from DAMBRK (Dam Break model), peak discharge increases as the base width lengthens. As the failure time becomes longer, peak discharge decreases, so peak discharge increases as the dam failure time becomes shorter. Peak discharge also increases as the dam breach shape becomes larger.

Moral Disengagement in Information Security Context: A Study of Antecedents and Outcomes (정보보안 상황에서의 도덕적 해방: 선행요인과 결과요인에 대한 연구)

  • Yim, Myung-Seong
    • Journal of Digital Convergence / v.11 no.11 / pp.1-13 / 2013
  • Every big online security breach seems to end in a big lecture. Thus, although a predominant weakness in properly securing information assets is the individual user within an organization, much of the focus of extant security research is on technical issues. The purpose of this study is to explain why insiders breach security policy by applying the moral disengagement theory. There are no consistent, widely accepted theories or theoretical frameworks in the literature as to why insiders breach information security, and therefore no clear, effective guidance on what to do to prevent employees from violating information security policy in organizations. To do this, we theorize that moral disengagement may play a mediating role connecting stable individual differences to intention to breach security policy, because of some of the individual differences. We found that policy awareness and perceived punishment have a negatively significant effect on moral disengagement. However, negative affectivity has a positively significant influence on moral disengagement. Furthermore, moral disengagement has a positive effect on intention to breach security policy. Conclusions and implications are discussed.

An Analysis on Intention to Use Information Service for Personal Information Breach (개인정보 침해 관련 정보 제공 서비스 사용 의도 분석)

  • Kim, Taek-Young; Jun, Hyo-Jung; Kim, Tae-Sung
    • Journal of the Korea Institute of Information Security & Cryptology / v.28 no.1 / pp.199-213 / 2018
  • Since 2008, large-scale personal information breach incidents have occurred frequently. Even though national education, policy, and laws have been enacted and implemented to resolve the issue, personal information breaches still occur. Currently, individuals cannot confirm detailed information about what personal information has been affected, and they cannot respond to the breaches. Therefore, it is desirable to develop various methods for preventing and responding to personal information infringement caused by breach and leakage incidents and move to privacy protection behaviors. The purpose of this study is to create understanding of personal information security and information breach, to present services that can prevent breaches of personal information, to investigate the necessity of and analyze the potential public demand for such services, and to provide direction for future privacy-related information services.

A Framework and Guidelines for Personal Data Breach Notification Act (개인정보 유출 시 통지.신고 프레임워크 및 가이드라인)

  • Lee, Chung-Hun; Ko, Yu-Mi; Kim, Beom-Soo
    • Journal of the Korea Institute of Information Security & Cryptology / v.21 no.5 / pp.169-179 / 2011
  • Recent personal data breach incidents draw the public's attention to their privacy and personal rights. The new personal data protection law effective in September 2009 imposes additional legal responsibility on personal data controllers and processors. For instance, if a data breach occurs, this new law requires that the processors notify individuals (data subjects) and data protection authorities of the nature of incidents. This research reviews forty-six U.S. state laws and related acts, and offers a framework for managing incidents. This framework includes five major components: (1) type of personal data required to be reported and notified, (2) the ultimate subject notifying data subjects, (3) event occurrence and notification time phases, (4) notification message details, and (5) direct/indirect communication media. Along with this framework, we also offer directions for effective/manageable guidelines on a data breach notification act.

Risk Analysis for Protecting Personal Information in IoT Environments (사물인터넷(IoT) 환경에서의 개인정보 위험 분석 프레임워크)

  • Lee, Ae Ri; Kim, Beomsoo; Jang, Jaeyoung
    • Journal of Information Technology Services / v.15 no.4 / pp.41-62 / 2016
  • In the Internet of Things (IoT) era, more diverse types of information are collected and the environment of information usage, distribution, and processing is changing. Recently, there have been a growing number of cases involving breach and infringement of personal information in IoT services, for example, data breach incidents of Web cam services or drones and hacking cases of smart connected cars or individual monitoring services. With the evolution of IoT, concern about personal information protection has become a crucial issue, and thus a risk analysis and management method for personal information should be systematically prepared. This study shows risk factors in IoT regarding possible breach of personal information and infringement of privacy. We propose "a risk analysis framework of protecting personal information in IoT environments" consisting of the asset (personal information type and sensitivity) subject to risk, threats of infringement (device, network, and server points), and social impact caused by the privacy incident. To verify this proposed framework, we conducted a risk analysis of IoT services (smart communication device, connected car, smart healthcare, smart home, and smart infra) using this framework. Based on the analysis results, we identified the level of risk to personal information in IoT services and suggested measures to protect personal information and appropriately use it.