• Convergence Security Journal
• /
• v.5 no.3
• /
• pp.67-73
• /
• 2005

Security requirements must be defined well to reduce software vulnerabilities in requirement specification phase. In this paper, we show how to specify security requirements in structured manner for object-oriented development methodology. Our method specifies security requirements through four phases: defining security objectives, identifying the threat, construct attack tree, and specifying security function. This method would help developers to specify security requirements and functions which software have to possess clearly and systematically.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.14 no.3
• /
• pp.85-100
• /
• 2004

All information system is information security system that enforced security function. To improve qualify of information security system, suity requirement analysis and specification must be Performed by consistently and typically at early requirement analysis step. In this paper, we propose a security requirements analysis and specification model and process by using Misuse Case Model that extends UML's Use Case Model. And, we propose a cost-effective security product selection algorithm that security product is sufficient of all constructed security functional requirements. It may raise quality of information security system that developed through proposed model and process.

• KIPS Transactions on Computer and Communication Systems
• /
• v.10 no.5
• /
• pp.145-154
• /
• 2021

Recently, the introduction of Cloud Managing Security Services System to respond to security threats in cloud computing environments is increasing. Accordingly, it is necessary to analyze the security requirements for the Cloud Managing Security Services System. However, the existing research has a problem that does not reflect the virtual environment of the cloud and the data flow of the Cloud Managing Security Services System in the process of deriving the requirements. To solve this problem, it is necessary to identify the information assets of the Cloud Managing Security Services System in the process of threat modeling analysis, visualize and display detailed components of the cloud virtual environment, and analyze the security threat by reflecting the data flow. Therefore, this paper intends to derive the security requirements of the Cloud Managing Security Services System through threat modeling analysis that is an improved existing research.

• Journal of Korea Society of Industrial Information Systems
• /
• v.21 no.6
• /
• pp.109-123
• /
• 2016

This study investigates the importance of government's support for logistics security assurance through certification programs. First, the study analyzed priorities among the requirements of logistics firms through Analytic Hierarchy Process(AHP) and Quality Function Deployment(QFD) approaches. For this process we invited 21 logistics experts to assess the relationships between logistic firms' requirements and government policies regarding logistics security using the house of quality, a set of matrices of QFD. The results of this phase of the study revealed the priorities of logistics firms' goals regarding the diffusion of the government security certification program as follows: integrated logistics security systems(40.3%), strengthening government support systems(32.4%), and operational effectiveness of logistics security certification(27.2%). Second, a relative weights applied QFD method based on AHP was applied to determined the expected outcome of the logistics security certification program. The results indicated as follows: productivity improvement(28.4%), improved level of service(26.7%), logistics cost reduction(21.6%), advanced information systems(19.7%), and improved environmental protection(3.6%). The results of this study provide new insights concerning logistics firms' requirements for supply chain security and the importance of government's support policies through logistics security certification programs.

• Journal of Information Processing Systems
• /
• v.20 no.1
• /
• pp.38-52
• /
• 2024

The 5G is the 5th generation mobile network that provides enhanced mobile broadband, ultra-reliable & low latency communications, and massive machine-type communications. New services can be provided through multi-access edge computing, network function virtualization, and network slicing, which are key technologies in 5G mobile communication. However, these new technologies provide new attack paths and threats. In this paper, we analyzed the overall threats of 5G mobile communication through a literature review. First, defines 5G mobile communication, analyzes its features and technology architecture, and summarizes possible security issues. Addition, it presents security threats from the perspective of user devices, radio access network, multi-access edge computing, and core networks that constitute 5G mobile communication. After that, security requirements for threat factors were derived through literature analysis. The purpose of this study is to conduct a fundamental analysis to examine and assess the overall threat factors associated with 5G mobile communication. Through this, it will be possible to protect the information and assets of individuals and organizations that use 5G mobile communication technology, respond to various threat situations, and increase the overall level of 5G security.

• Convergence Security Journal
• /
• v.15 no.5
• /
• pp.29-35
• /
• 2015

The network security encryption type is divided into two, one is point-to-point, second method is link type. The level of security quality attributes are a system security quality requirements in a networked environment. Quality attributes can be observed and should be able to be measured. If the quality requirements can be presented as exact figures, quality requirements are defined specifically setting quality objectives. Functional requirements in the quality attribute is a requirement for a service function which can be obtained through the encryption. Non-functional requirements are requirements of the service quality that can be obtained through the encryption. Encryption quality evaluation system proposed in this study is to derive functional requirements and non-functional requirements 2 groups. Of the calculating measure of the evaluation index in the same category, the associated indication of the quality measure of each surface should be created. The quality matrix uses 2-factor analysis of the evaluation for the associated surface quality measurements. The quality requirements are calculated based on two different functional requirements and non-functional requirements. The results are calculated by analyzing the trend of the average value assessment. When used this way, it is possible to configure the network security encryption based on quality management.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.6
• /
• pp.1425-1435
• /
• 2019

The expanded application of digital controls has raised the issue of cyber security for nuclear facilities. To cope with this, the cyber security technical standard RS-015 for Korean nuclear facilities requires nuclear system developers to apply security functions, analyze known vulnerabilities, and test and evaluate security functions. This requires the development of procedures and methods for testing the suitability of security functions in accordance with the nuclear cyber security technical standards. This study derived the security requirements required at the device level by classifying the details of the technical, operational and administrative security controls of RS-015 and developed procedures and methods to test whether the security functions implemented in the device meet the security requirements. This paper describes the process for developing security function compliance test procedures and methods and presents the developed test cases.

• Journal of Information Technology Services
• /
• v.7 no.1
• /
• pp.117-130
• /
• 2008

Multi-attribute risk assessments provide a useful framework for systematic quantitative risk assessment that the security manager can use to prioritize security requirements and threats. In the first step, the security managers identify the four significant outcome attributes(lost revenue, lost productivity, lost customer, and recovery cost). Next. the security manager estimates the frequency and severity(three points estimates for outcome attribute values) for each threat and rank the outcome attributes according to AHP(Analytic Hierarchy Process). Finally, we generate the threat index by using muiti-attribute function and make sensitivity analysis with simulation package(Crystal Ball). In this paper, we show how multi-attribute risk analysis techniques from the field of security risk management can be used by security managers to prioritize their organization's threats and their security requirements, eventually they can derive threat index. This threat index can help security managers to decide whether their security investment is consistent with the expected risks. In addition, sensitivity analysis allows the security manager to explore the estimates to understand how they affect the selection.

• Journal of the Korea Society of Computer and Information
• /
• v.19 no.7
• /
• pp.87-93
• /
• 2014

TIn analysis as the first step of S/W development, security requirements of identification and authentication, ID and password management, authentication process, authentication method, ete. should be defined. Identification is to uniquely identify certain users and applications running on a certain system. Authentication means the function to determine true or false users and applications in some cases. This paper is to suggest the security requirements for identification and authentication in analysis step. Firstly, individual ID should be uniquely identified. The second element is to apply the length limitations, combination and periodic changes of passwords. The third should require the more reinforced authentication methods besides ID and passwords and satisfy the defined security elements on authentication process. In this paper, the security requirements for the step of identification and authentication have been explained through several practical implementation methods.

• ETRI Journal
• /
• v.45 no.2
• /
• pp.346-357
• /
• 2023

Hardware security primitives, also known as physical unclonable functions (PUFs), perform innovative roles to extract the randomness unique to specific hardware. This paper proposes a novel hardware security primitive using a commercial off-the-shelf flash memory chip that is an intrinsic part of most commercial Internet of Things (IoT) devices. First, we define a hardware security source model to describe a hardware-based fixed random bit generator for use in security applications, such as cryptographic key generation. Then, we propose a hardware security primitive with flash memory by exploiting the variability of tunneling electrons in the floating gate. In accordance with the requirements for robustness against the environment, timing variations, and random errors, we developed an adaptive extraction algorithm for the flash PUF. Experimental results show that the proposed flash PUF successfully generates a fixed random response, where the uniqueness is 49.1%, steadiness is 3.8%, uniformity is 50.2%, and min-entropy per bit is 0.87. Thus, our approach can be applied to security applications with reliability and satisfy high-entropy requirements, such as cryptographic key generation for IoT devices.