• Title/Summary/Keyword: Security Risk Assessment

A Study on Proving RMF A&A in Real World for Weapon System Development (무기체계 개발을 위한 RMF A&A의 실증에 관한 연구)

  • Cho, Kwangsoo; Kim, Seungjoo
    • Journal of the Korea Institute of Information Security & Cryptology, v.31 no.4, pp.817-839, 2021
  • To manage software safely, the military acquires and manages products in accordance with the RMF A&A. RMF A&A is the standard for acquiring IT products used in the military, and it covers the requirements, acquisition through evaluation, and maintenance of products. According to the RMF A&A, product development activities should reflect the risks of the military. In other words, developers mitigate the risks through security by design and supply chain security. They then submit evidence proving that they have properly complied with RMF A&A's security requirements, and the military evaluates the evidence to determine whether to acquire the IT product. Previously, case studies of RMF A&A have already been conducted, but they are difficult to apply in the real world, because they only address part of RMF A&A and the detailed information is confidential. In this paper, we propose an evidence fulfilling method that can satisfy the requirements of the RMF A&A. Furthermore, we apply the proposed method to a real-world drone system to verify that our method meets the RMF A&A.

A study on the cyber security assessment modeling of critical infrastructure (핵심기반시설 사이버 보안 평가 모델링 기법 연구)

  • Euom, Ieck-Chae
    • Journal of Digital Convergence, v.17 no.8, pp.105-113, 2019
  • The purpose of this study is to analyze cyber security risk modeling of critical infrastructure and to draw out its limitations and improvement measures. This paper analyzed cyber security risk modeling of national critical infrastructure such as the electricity sector, nuclear power plants, and SCADA. This paper analyzed the 26 precedent research cases of risk modeling in the electricity sector, nuclear power plants, and SCADA. The latest critical infrastructure is digitalized and runs a Windows operating system. Because critical infrastructure should be operated at all times, it is not possible to patch a vulnerability even when one is found. This paper suggests advanced cyber security modeling characteristics during the life cycle of the critical infrastructure, through which such risks can be prevented.

Risk Scoring System for Software Vulnerability Using Public Vulnerability Information (공개 취약점 정보를 활용한 소프트웨어 취약점 위험도 스코어링 시스템)

  • Kim, Min Cheol; Oh, Sejoon; Kang, Hyunjae; Kim, Jinsoo; Kim, Huy Kang
    • Journal of the Korea Institute of Information Security & Cryptology, v.28 no.6, pp.1449-1461, 2018
  • As the number of software vulnerabilities grows year by year, attacks on software are also taking place frequently. As a result, the security administrator must identify and patch vulnerabilities in the software. However, it is important to prioritize the patches because patching all vulnerabilities is realistically hard. In this paper, we propose a scoring system that expands the scale of the risk assessment metric by taking into consideration the attack patterns or weaknesses that cause vulnerabilities, using the vulnerability information provided by the NIST (National Institute of Standards and Technology). The proposed scoring system is expanded based on the CWSS and uses only public vulnerability information so that any company can utilize it easily. In this paper, we applied the automated scoring system to software vulnerabilities, and showed that the expanded metrics, which consider the influence of attack patterns and weaknesses, are meaningful.

Conceptual Study for Risk Assessment of Asset Management of Infra Structure System (국가기반시설 자산관리위험도분석 개념 연구)

  • Park, Mi Yun; Park, Hung Ju
    • Journal of Korean Society of Disaster and Security, v.5 no.1, pp.43-47, 2012
  • The asset management of infra facilities is a total framework for ultimately supporting a safe and comfortable service, which includes functions for supporting the evaluation of the condition and performance of infrastructures, the decision method for repair or rehabilitation of deteriorated facilities, and lengthening the life cycle of a structure through the decision of an adequate cost and time of repair or reinforcement. The scope of asset management includes the organization, people, the target, and the company's information and data. Therefore, in this paper, applying the method of asset management analysis to infrastructures, the process of risk assessment using BRE (Business Risk Exposure) and the basis of constructing ORDM (Optimized Renewal Decision-Making) are expressed.

A Statistical Methodology Study for Measuring Privacy Disclosure Risk in Open Data Environment (오픈 데이터 환경에서 개인정보 노출 위험 측정을 위한 통계적 방법론 연구)

  • Sieun Kim; Ieck-chae Euom
    • Journal of the Korea Institute of Information Security & Cryptology, v.34 no.2, pp.323-333, 2024
  • Recently, synthetic data has been in the spotlight as a technology that can protect personal information while maintaining the patterns and characteristics of actual data. Accordingly, technical and institutional research on synthetic data is actively being conducted, but it is difficult to actively use synthetic data due to the lack of clear standards and guidelines. This study is a preliminary study for quantifying the disclosure risk of synthetic data; it derives a privacy disclosure risk index through statistical methodology and suggests specific application measures to comply with the General Data Protection Regulation (GDPR). It is expected that the disclosure risk and the balance of data utility can be controlled through the privacy disclosure risk index of this study in an open data environment.

Probabilistic safety assessment-based importance analysis of cyber-attacks on nuclear power plants

  • Park, Jong Woo; Lee, Seung Jun
    • Nuclear Engineering and Technology, v.51 no.1, pp.138-145, 2019
  • With the application of digital technology to safety-critical infrastructures, cyber-attacks have emerged as one of the new dangerous threats. In safety-critical infrastructures such as a nuclear power plant (NPP), a cyber-attack could have serious consequences by initiating dangerous events or rendering important safety systems unavailable. Since a cyber-attack is conducted intentionally, numerous possible cases should be considered for developing a cyber security system, such as the attack paths, methods, and potential target systems. Therefore, prior to developing a risk-informed cyber security strategy, the importance of cyber-attacks and significant critical digital assets (CDAs) should be analyzed. In this work, an importance analysis method for cyber-attacks on an NPP was proposed using the probabilistic safety assessment (PSA) method. To develop an importance analysis framework for cyber-attacks, possible cyber-attacks were identified with failure modes, and a PSA model for cyber-attacks was developed. For case studies, the quantitative evaluations of cyber-attack scenarios were performed using the proposed method. By using quantitative importance of cyber-attacks and identifying significant CDAs that must be defended against cyber-attacks, it is possible to develop an efficient and reliable defense strategy against cyber-attacks on NPPs.

Problems and Improvement of Privacy Impact Assessment (개인정보영향평가의 문제점과 개선방안)

  • Choi, Young-hee; Han, Keun-hee
    • Journal of the Korea Institute of Information Security & Cryptology, v.26 no.4, pp.973-983, 2016
  • It's been almost 6 years since PIA was implemented based on legislation. So I analyzed the problems of PIA from the perspective of the 3 ITSM elements. I mainly took account of the quality improvement of the report when I assessed systems processing personal information. So, I propose improvements in terms of the logical validity of the assessment report. The improvements on 4 different outputs for each phase are drawn from the many cases in which I assessed systems processing personal information. And I propose improvements on qualified assessors having GRC capability and on the process for managing the assessment system. To settle down the PIA system as a reasonable and effective assessment system even after 2016, the statutory deadline for completion of PIA, assessors and appointed assessment firms and authorities should cooperate to complete the assessment system.

Seismic Risk Assessment on Buried Electric Power Tunnels with the Use of Liquefaction Hazard Map in Metropolitan Areas (액상화 재해지도를 이용한 수도권 전력구 매설지반의 지진시 위험도 평가)

  • Baek, Woohyun; Choi, Jaesoon
    • Journal of Korean Society of Disaster and Security, v.12 no.1, pp.45-56, 2019
  • In this study, the seismic risk has been evaluated by setting the bedrock acceleration to 0.154g, which takes into consideration that the earthquake return period for the buried electric power tunnels in the metropolitan area is 1,000 years. In this case, the risk assessment during the earthquake was carried out in three stages. In the first stage, the site classification was performed based on the site investigation data of the target area. Then, the LPI (Liquefaction Potential Index) was applied using the site amplification factor. Afterwards, candidates were selected using a hazard map. In the second stage, the risk assessment analysis of the seismic response is evaluated thoroughly after the recalculation of the LPI based on the site characteristics from the boring logs around the electric power areas that are highly probable to be liquefied in the first stage. In the third stage, the electric power tunnels that are highly probable of liquefaction in the second stage were visited to compensate for the limitations of the borehole data. At this time, the risk of liquefaction was finally evaluated based on the reinforcement method used at the time of construction, the application of seismic design, and the condition of the site.

A risk management methodology for maritime logistics and supply chain applications

  • Mokhtari, Kambiz; Ren, Jun
    • Ocean Systems Engineering, v.4 no.2, pp.137-150, 2014
  • In the marine industry, although there has been significant growth towards safety, security and risk assessments or risk-based strategies such as marine insurance and regulations to avoid the risks of damage to properties and the environment or the prospect of premature death caused by accidents etc., the moves toward managing the risks which are linked directly to the business functions and decision making processes have been very slow. Furthermore, in the marine industry most perceptions, methodologies and frameworks for dealing with hazards, risks, safety and security issues are for their assessment rather than their management. This trend reveals the fact that in different marine industry sectors such as logistics and shipping there is a lack of a coherent risk management framework or methodology from which to understand risk-based decisions, especially for the purpose of design, construction, operation, management and even decommissioning of marine related applications. On the other hand, risk management is not yet viewed holistically in the marine industry in order to, for example, assign the right person, i.e. a risk manager, who can act as a coordinator and advisor with responsibilities that are specific to risk management only. As a result, this paper, by examining the present physical borders and risk-based activities in the marine industry, aims to propose an appropriate risk management methodology in addition to the emergent role of risk managers, which will enable industry users initially to become familiar with the concept of risk management at its holistic level. In the later stages this can eventually lead to the development of risk management capabilities at an exclusive level and their integration into the marine industry functions in the future.

Evaluation of the Probability of the Steel Beam to Collapse in Accordance with the Normal Distribution Load (철골보의 정규하중분포에 따른 파손확률 평가)

  • Song, Chang-Young
    • Journal of Korean Society of Disaster and Security, v.7 no.1, pp.43-50, 2014
  • Based on reliability theory, the risk assessment of steel beams is performed by the determination of failure probability. In the calculation, bending, shearing and combined (bending + shearing) modes are examined. The resistance and the loads on the beam are assumed to be normally distributed. To investigate the changes in failure probability, the total load applied at the mid span of the beam is divided into 1 to 1 and 1 to 2 ratios, and then these divided loads are placed on the trisected points of the beam. The change of boundary conditions at the beam ends is also included in the investigation. It shows that failure is governed by the combined mode for the present beams and that the second order bound analysis of failure probability is not crucial. On the whole, failure probability decreases with increasing end restraints at the beam ends, with some exceptions.