• Title/Abstract/Keywords: Security Risk Assessment

197 search results (processing time: 0.02 s)

A Cost-Optimization Scheme Using Security Vulnerability Measurement for Efficient Security Enhancement

  • Park, Jun-Young;Huh, Eui-Nam
    • Journal of Information Processing Systems / Vol. 16, No. 1 / pp.61-82 / 2020
  • The security risk management used by some service providers is not appropriate for effective security enhancement. The reason is that the security risk management methods did not take into account the opinions of security experts, types of service, and security vulnerability-based risk assessment. Moreover, the security risk assessment method, which has a great influence on the risk treatment method in an information security risk assessment model, should be security risk assessment for fine-grained risk assessment, considering security vulnerability rather than security threat. Therefore, we proposed an improved information security risk management model and methods that consider vulnerability-based risk assessment and mitigation to enhance security controls considering limited security budget. Moreover, we can evaluate the security cost allocation strategies based on security vulnerability measurement that consider the security weight.

A Study for Effectiveness of Preliminary Security Assessment on Online Game Service Domain

  • 유동영;서동남;김휘강;최진영
    • 한국IT서비스학회지 / Vol. 10, No. 2 / pp.293-308 / 2011
  • The preliminary security assessment is an information security process to analyze security weaknesses before the beginning of services. Discovering security weaknesses through preliminary security assessment is highly required because it costs much when a security incident occurs in the middle of service operation. However, this assessment is not widely spread in the online game service domain yet. In this paper, we summarize the security risks that exist in the online game service, and we classify the security requirements related to each risk. Also, through the case study, we evaluated the effectiveness of preliminary security assessment in this domain. In addition, we suggest checklists that should be reviewed once in game-client side, network-side and game-server side for the purpose of security enhancement.

Proposed RASS Security Assessment Model to Improve Enterprise Security

  • 김주원;김종민
    • 한국정보통신학회: Conference Proceedings / 한국정보통신학회 2021 Spring Conference / pp.635-637 / 2021
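  • Cyber security assessment is the process of evaluating a system's risk level through threat and vulnerability analysis in order to take appropriate security measures. An accurate security assessment model is needed to prepare for the recent increase in cyber attacks and for continually developing advanced security threats. Therefore, we present a risk assessment model based on an analysis of metric-based security assessment models that assign weights to, and score, each security device, network segment, and vulnerability. The elements required for cyber security assessment are simplified, and the assessment can be tailored to the enterprise environment. By carrying out assessments per security device that better fit the enterprise environment, this work is expected to help future research on cyber security assessment.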


A quantitative assessment method of network information security vulnerability detection risk based on the meta feature system of network security data

  • Lin, Weiwei;Yang, Chaofan;Zhang, Zeqing;Xue, Xingsi;Haga, Reiko
    • KSII Transactions on Internet and Information Systems (TIIS) / Vol. 15, No. 12 / pp.4531-4544 / 2021
  • Because the traditional network information security vulnerability risk assessment method does not set the weight, it is easy for security personnel to fail to evaluate the value of information security vulnerability risk according to the calculation value of network centrality, resulting in poor evaluation effect. Therefore, based on the network security data element feature system, this study designed a quantitative assessment method of network information security vulnerability detection risk under single transmission state. In the case of single transmission state, the multi-dimensional analysis of network information security vulnerability is carried out by using the analysis model. On this basis, the weight is set, and the intrinsic attribute value of information security vulnerability is quantified by using the qualitative method. In order to comprehensively evaluate information security vulnerability, the efficacy coefficient method is used to transform information security vulnerability associated risk, and the information security vulnerability risk value is obtained, so as to realize the quantitative evaluation of network information security vulnerability detection under single transmission state. The calculated values of network centrality of the traditional method and the proposed method are tested respectively, and the evaluation of the two methods is evaluated according to the calculated results. The experimental results show that the proposed method can be used to calculate the network centrality value in the complex information security vulnerability space network, and the output evaluation result has a high signal-to-noise ratio, and the evaluation effect is obviously better than the traditional method.

Mitigating Threats and Security Metrics in Cloud Computing

  • Kar, Jayaprakash;Mishra, Manoj Ranjan
    • Journal of Information Processing Systems / Vol. 12, No. 2 / pp.226-233 / 2016
  • Cloud computing is a distributed computing model that has a lot of drawbacks and faces difficulties. Many new innovative and emerging techniques take advantage of its features. In this paper, we explore the security threats to and Risk Assessments for cloud computing, attack mitigation frameworks, and the risk-based dynamic access control for cloud computing. Common security threats to cloud computing have been explored and these threats are addressed through acceptable measures via governance and effective risk management using a tailored Security Risk Approach. Most existing Threat and Risk Assessment (TRA) schemes for cloud services use a converse thinking approach to develop theoretical solutions for minimizing the risk of security breaches at a minimal cost. In our study, we propose an improved Attack-Defense Tree mechanism designated as iADTree, for solving the TRA problem in cloud computing environments.

Quantitative Risk Assessment in Major Smartphone Operating Systems in Asian Countries

  • Joh, HyunChul
    • 한국멀티미디어학회논문지 / Vol. 17, No. 12 / pp.1494-1502 / 2014
  • Since smartphones are utilized in the ranges from personal usages to governmental data exchanges, known but not patched vulnerabilities in smartphone operating systems are considered as major threats to the public. To minimize potential security breaches on smartphones, it is necessary to estimate possible security threats. So far, there have been numerous studies conducted to evaluate the security risks caused by mobile devices qualitatively, but there are few quantitative manners. For a large scale risk evaluation, a qualitative assessment is a never ending task. In this paper, we try to calculate relative risk levels triggered by software vulnerabilities from unsecured smartphone operating systems (Android and iOS) among 51 Asian countries. The proposed method combines widely accepted risk representation in both theory and industrial fields. When policy makers need to make a strategic decision on mobile security related agendas, they might find the presented approach useful.

Development of a Failure Mode and Effects Analysis Based Risk Assessment Tool for Information Security

  • Lai, Lotto Kim Hung;Chin, Kwai Sang
    • Industrial Engineering and Management Systems / Vol. 13, No. 1 / pp.87-100 / 2014
  • Risk management is recognized as a significant element in Information Security Management while the failure mode and effects analysis (FMEA) is widely used in risk analysis in manufacturing industry. This paper aims to present the development work of the Information Security FMEA Circle (InfoSec FMEA Circle) which is used to support the risk management framework by modifying traditional FMEA methodologies. In order to demonstrate the "appropriateness" of the InfoSec FMEA Circle for the purposes of assessing information security, a case study at Hong Kong Science and Technology Parks Corporation (HKSTP) is employed. The "InfoSec FMEA Circle" is found to be an effective risk assessment methodology that has a significant contribution to providing a stepwise risk management implementation model for information security management.

A Risk Management Model for Efficient Domestic Information Technology Security

  • 안춘수;조성구
    • 대한산업공학회지 / Vol. 28, No. 1 / pp.44-56 / 2002
  • For the risk analysis and risk assessment techniques to be effectively applied to the field of information technology (IT) security, it is necessary that the required activities, the specific techniques to be applied, and their order of application be determined through a proper risk management model. If the adopted risk management model does not match the characteristics of the host organization, inefficient management of security would result. In this paper, a risk management model which can be well adapted to Korean domestic IT environments is proposed for an efficient security management of IT. The structure and flow of the existing IT-related risk management models are compared and analysed, and their common and/or strong characteristics are extracted and incorporated in the proposed model in the light of typical threat types observed in Korean IT environments.

Risk-based Security Impact Evaluation of Bridges for Terrorism

  • 강상혁;최현호;서종원
    • 한국방재학회: Conference Proceedings / 한국방재학회 2008 General Meeting and Conference / pp.629-632 / 2008
  • Risk-based security impact evaluation may be affected by various factors according to numerous combinations of explosive devices, cutting devices, impact vehicles, and specific attack location to consider. Presently, in planning and design phases, designers are still often uncertain of their responsibility and lack information and training on security. Therefore, designers are still failing to exploit the potential to reduce threats on site. In this study, the concept of security impact assessment is introduced in order to derive the performing design for safety in design phase. For this purpose, a framework for security impact assessment model using risk-based approach for bridge structures is suggested. The suggested model consists of information survey, classification of terror threats, and quantitative estimation of severity and occurrence.


Development of a Risk Assessment Program for Chemical Terrorism

  • 이영희;김은용;김진경;문일
    • 한국재난관리표준학회지 / Vol. 1, No. 1 / pp.63-67 / 2008
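  • This study develops a program that uses risk analysis techniques to identify the causes of chemical terrorism that could occur at chemical industry facilities, and that analyzes and evaluates existing terrorism response methods in order to devise effective improvements to the response. The terrorism risk assessment program consists of a sequential algorithm of five steps: Asset Characterization, Threat Assessment, Vulnerability Analysis, Risk Assessment, and New Countermeasure. The developed program was applied to petroleum storage and refining processes located at a port, and by analyzing the terrorism risk and its causes, the usefulness and reliability of the risk assessment program were verified. By raising the issue of security and terrorism at chemical industry facilities, presenting solutions, and identifying vulnerabilities to terrorism and their causes, the program was developed to contribute to the preparation of effective countermeasures and response strategies when terrorism or a disaster (extreme event) occurs.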
