• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.18 no.4
• /
• pp.135-141
• /
• 2008

The risk enlargement of cyber infringement and hacking is one of the latest hot issues. To solve the problem, the research for Security Risk Analysis, one of Information Security Technique, has been activating. However, the evaluation for Security Risk Analysis has many burdens; evaluation cost, long period of the performing time, participants’ working delay, countermeasure cost, Security Management cost, etc. In addition, pre-existing methods have only treated Analyzing Standard and Analyzing Method, even though their scale is so large that seems like a project. the Analyzing Method have no option but to include assessors’ projective opinion due to the mixture using that both qualitative and quantitative method are used for. Consequently, in this paper, we propose the Security Risk Analysis Methodology which manage the quantitative evaluation as a project and use Case-Based Reasoning Algorithm for define the period of the performing time and for select participants.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.15 no.12
• /
• pp.4531-4544
• /
• 2021

Because the traditional network information security vulnerability risk assessment method does not set the weight, it is easy for security personnel to fail to evaluate the value of information security vulnerability risk according to the calculation value of network centrality, resulting in poor evaluation effect. Therefore, based on the network security data element feature system, this study designed a quantitative assessment method of network information security vulnerability detection risk under single transmission state. In the case of single transmission state, the multi-dimensional analysis of network information security vulnerability is carried out by using the analysis model. On this basis, the weight is set, and the intrinsic attribute value of information security vulnerability is quantified by using the qualitative method. In order to comprehensively evaluate information security vulnerability, the efficacy coefficient method is used to transform information security vulnerability associated risk, and the information security vulnerability risk value is obtained, so as to realize the quantitative evaluation of network information security vulnerability detection under single transmission state. The calculated values of network centrality of the traditional method and the proposed method are tested respectively, and the evaluation of the two methods is evaluated according to the calculated results. The experimental results show that the proposed method can be used to calculate the network centrality value in the complex information security vulnerability space network, and the output evaluation result has a high signal-to-noise ratio, and the evaluation effect is obviously better than the traditional method.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.6
• /
• pp.1595-1606
• /
• 2015

Risk analysis is utilized in devising measures to manage information security risk to an acceptable level. In this risk management decision-making, the visualization of risk is important. However, the pre-existing risk visualization method is limited in visualizing risk factors three-dimensionally. In this paper, we propose an improved risk visualization method which can facilitate the identification of risk from the perspective of confidentiality, integrity, and availability respectively or synthetically. The proposed method is applied to an enterprise's risk analysis in order to verify how effective it is. We argue that through the proposed method risk levels can be expressed three-dimensionally, which can be used effectively for information security decision-making process for internal controls.

• Journal of KIISE:Computer Systems and Theory
• /
• v.34 no.7
• /
• pp.282-287
• /
• 2007

Information society is dramatically developing in the various areas of finance, trade, medical service, energy, and education using information system. Evaluation for risk analysis should be done before security management for information system and security risk analysis is the best method to safely prevent it from occurrence, solving weaknesses of information security service. In this paper, Modeling it did the evaluation-base CBD function it will be able to establish the evaluation plan of optimum. Evaluation-based CBD(case-based reasoning) functions manages a security risk analysis evaluation at project unit. it evaluate the evaluation instance for beginning of history degree of existing. It seeks the evaluation instance which is similar and Result security risk analysis evaluation of optimum about under using planning.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.5
• /
• pp.1281-1291
• /
• 2015

Compared to the past, people can control end devices via open channel. Although this open channel provides convenience to users, it frequently turns into a security hole. In this paper, we propose a new human-centered security risk analysis method that puts weight on the relationship between end devices. The measure derives from the concept of entropy rate, which is known as the uncertainty per a node in a network. As there are some limitations to use entropy rate as a measure in comparing different size of networks, we divide the entropy rate of a network by the maximum entropy rate of the network. Also, we show how to avoid the violation of irreducible, which is a precondition of the entropy rate of a random walk on a graph.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.5
• /
• pp.1179-1189
• /
• 2019

Cyber security evaluation is a series of processes that estimate the level of risk of assets and systems through asset analysis, threat analysis and vulnerability analysis and apply appropriate security measures. In order to prepare for increasing cyber attacks, systematic cyber security evaluation is required. Various indicators for measuring cyber security level such as CWSS and CVSS have been developed, but the quantitative method to apply appropriate security measures according to the risk priority through the standardized security evaluation result is insufficient. It is needed that an Scoring system taking into consideration the characteristics of the target assets, the applied environment, and the impact on the assets. In this paper, we propose a quantitative risk assessment model based on the analysis of existing cyber security scoring system and a method for quantification of assessment factors to apply to the established model. The level of qualitative attribute elements required for cyber security evaluation is expressed as a value through security requirement weight by AHP, threat influence, and vulnerability element applying probability. It is expected that the standardized cyber security evaluation system will be established by supplementing the limitations of the quantitative method of applying the statistical data through the proposed method.

• KIPS Transactions on Computer and Communication Systems
• /
• v.2 no.12
• /
• pp.541-552
• /
• 2013

Recently software security of the smart phone is an important issue in the field of information science and technology due to fast propagation of smart technology in our life. The smart phone as the security critical systems which are utilizing in terminal systems of the banking, ubiquitous home management, airline passengers screening, and so on are related to the risk of costs, risk of loss, risk of availability, and risk by usage. For the security issues, software hazard analysis of smart phone is the key approaching method by use of observed failures. In this paper, we propose an efficient integrative framework for software security analysis of the smart phone using Fault Tree Analysis (FTA) and Failure Mode Effect Analysis (FMEA) to gain a convergence security and reliability analysis technique on hand handle devices. And we discuss about that if a failure mode effect analysis performs simpler, not only for improving security but also reducing failure effects on this smart device, the proposed integrative framework is a key solution.

• Journal of Korea Multimedia Society
• /
• v.17 no.12
• /
• pp.1494-1502
• /
• 2014

Since smartphones are utilized in the ranges from personal usages to governmental data exchanges, known but not patched vulnerabilities in smartphone operating systems are considered as major threats to the public. To minimize potential security breaches on smartphones, it is necessary to estimate possible security threats. So far, there have been numerous studies conducted to evaluate the security risks caused by mobile devices qualitatively, but there are few quantitative manners. For a large scale risk evaluation, a qualitative assessment is a never ending task. In this paper, we try to calculate relative risk levels triggered by software vulnerabilities from unsecured smartphone operating systems (Android and iOS) among 51 Asian countries. The proposed method combines widely accepted risk representation in both theory and industrial fields. When policy makers need to make a strategic decision on mobile security related agendas, they might find the presented approach useful.

• Nuclear Engineering and Technology
• /
• v.44 no.8
• /
• pp.919-928
• /
• 2012

The applications of computers and communication system and network technologies in nuclear power plants have expanded recently. This application of digital technologies to the instrumentation and control systems of nuclear power plants brings with it the cyber security concerns similar to other critical infrastructures. Cyber security risk assessments for digital instrumentation and control systems have become more crucial in the development of new systems and in the operation of existing systems. Although the instrumentation and control systems of nuclear power plants are similar to industrial control systems, the former have specifications that differ from the latter in terms of architecture and function, in order to satisfy nuclear safety requirements, which need different methods for the application of cyber security risk assessment. In this paper, the characteristics of nuclear power plant instrumentation and control systems are described, and the considerations needed when conducting cyber security risk assessments in accordance with the lifecycle process of instrumentation and control systems are discussed. For cyber security risk assessments of instrumentation and control systems, the activities and considerations necessary for assessments during the system design phase or component design and equipment supply phase are presented in the following 6 steps: 1) System Identification and Cyber Security Modeling, 2) Asset and Impact Analysis, 3) Threat Analysis, 4) Vulnerability Analysis, 5) Security Control Design, and 6) Penetration test. The results from an application of the method to a digital reactor protection system are described.

• Convergence Security Journal
• /
• v.15 no.5
• /
• pp.9-15
• /
• 2015

Cloud computing has emerged with promise to decrease the cost of server additional cost and expanding the data storage and ease for computer resource sharing and apply the new technologies. However, Cloud computing also raises many new security concerns due to the new structure of the cloud service models. Therefore, several cloud service certification system were performed in the world in order to meet customers need which is the safe and reliable cloud service. This paper we propose the new risk analysis method different compare with existing method for secure the reliability of certification considering public IaaS(Infrastructure as a Service) cloud service properties.