• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.1
• /
• pp.141-154
• /
• 2022

In the data economy era, various policies are being implemented to create an active data distribution environment. In South Korea, the formation of a big data distribution platform and data trading began with the launch of the Financial Data Exchange under public data governance. In the case of major advanced countries in the data field, they have built a data distribution environment based on the data broker industry for decades and have strengthened national data competitiveness through added values generated from the industry. However, behind the active data distribution through data brokers, there are numerous information security issues, which have resulted in various privacy issues and national security threats. These problems can occur sufficiently in the process of domestic financial data exchange. In our study, we analyzed various information security issues of data trading caused by data brokers and derived information security requirements to be considered when trading data. We verified whether information security requirements are well reflected in the information security policy for each transaction stage of the domestic financial data exchange. Based on the verification, measurements to strengthen information security for financial data exchange are presented in our paper.

• Journal of information and communication convergence engineering
• /
• v.18 no.1
• /
• pp.16-21
• /
• 2020

Owing to the convergence of the communication network with the control system and public network, security threats, such as information leakage and falsification, have become possible through various routes. If we examine closely at the security type of the current control system, the operation of the security system focuses on the threats made from outside to inside, so the study on the detection system of the security threats conducted by insiders is inadequate. Thus, this study, based on "Spotting the Adversary with Windows Event Log Monitoring," published by the National Security Agency, found that event logs can be utilized for the detection and maneuver of threats conducted by insiders, by analyzing the validity of detecting insider threats to the control system with the list of important event logs.

• Asia pacific journal of information systems
• /
• v.22 no.1
• /
• pp.79-101
• /
• 2012

This study expands the current body of research by exploring multiple scenarios of insufficient and excessive IT security investments caused by interdependent risks and the interplay between IT security investments and cyber insurance. A key finding is that organizations experiencing interdependent risks with different types of cyber attacks (i.e., targeted and untargeted attacks) use different strategies in making IT security investment decisions and in purchasing cyber insurance policies for their information security risk management than firms that are facing independent risks. The study further provides an economic rationale for employing insurance mechanisms as a risk management solution for information security.

• Journal of Information Technology Applications and Management
• /
• v.16 no.3
• /
• pp.73-86
• /
• 2009

To establish an effective security strategy, business enterprises need a security benchmarking tool. The strategy helps to lessen an impact and a damage in any threat. This study analyses many aspects of information security management and suggests a way to deal with security investments by considering important factors that affect security manager's decision. To address the different threats resulting from a major cause of accidents inside an enterprise, we investigate an approach that followed ISO17799. We unfold a criminology theory that has designated many measures against the threat as suggested by General Deterrence Theory. The study proposes a coherent model of the theory to improve the security measures especially in handling and protecting company assets and human lives as well.

• International Journal of Computer Science & Network Security
• /
• v.22 no.1
• /
• pp.199-205
• /
• 2022

The main purpose of the study is to analyze the main aspects of the impact of information and communication technologies on the economic security system in the context of a pandemic situation. The new realities of the modern turbulent world require a new approach to the issues of ensuring economic security, in which information and communication technologies and information security are beginning to play an increasingly important role. As a result of a detailed analysis of the further functioning of all components of economic security in the context of the existence of the consequences of the COVID-19 pandemic.

• International Journal of Computer Science & Network Security
• /
• v.22 no.6
• /
• pp.19-24
• /
• 2022

The main purpose of the study is to analyze the current state of the organization's information security system in the context of COVID-19 on the basis of public-private partnership. The development of public-private interaction in information security is one of the priorities of the state policy of many estates. Among the priorities of public-private partnership in cybersecurity and information security, there is an expansion of interaction between government agencies and private scientific institutions, public associations and volunteer organizations, including in training, as well as increasing the digital literacy of citizens and the security culture in cyberspace. As a result of the study, the foundations of the organization's information security system in the context of COVID 19 were formed on the basis of public-private partnership.

• Korean Management Science Review
• /
• v.31 no.4
• /
• pp.1-13
• /
• 2014

This study aims to expand the future study methodology and to develop a methodology of future-oriented curriculum analysis with future skills needs derived from patent analysis. With the case of information security, the methodology is applied to the 16 universities, which have information security department in undergraduate course. From the results, the followings are suggested : 1) for the increasing importance area including hacking, infiltration and PC security, a practical exercise should be emphasized; 2) for the convergence area including security policy, security legislation and OS security, proper faculties should be filed with recruiting field-based experts; 3) for the increasing importance area including professional area including security audit and information security protocol, the advanced curriculum related to graduate level should be provided.

• Proceedings of the KIEE Conference
• /
• 2003.07d
• /
• pp.2747-2749
• /
• 2003

Security is concerned with the protection of assets from threats, where threats are categorised as the potential for abuse of protected assets. All categories of threats should be considered, but in the domain of security greater attention is given to those threats that are related to malicious or other human activities ISO/IEC 15408 requires the TOE(Target of Evaluation) Security Environment section of a Protection Profile(PP) or Security Target(ST) to contain a list of threats about the TOE security environment or the intended usage of the TOE. This paper presents a specific physical threats should be considered in the smart card PP which developers of smart card PP must consider.

• Asia pacific journal of information systems
• /
• v.22 no.1
• /
• pp.53-77
• /
• 2012

Financial firms, especially large scaled firms such as KB bank, NH bank, Samsung Card, Hana SK Card, Hyundai Capital, Shinhan Card, etc. should be securely dealing with the personal financial information. Indeed, people have tended to believe that those big financial companies are relatively safer in terms of information security than typical small and medium sized firms in other industries. However, the recent incidents of personal information privacy invasion showed that this may not be true. Financial firms have increased the investment of information protection and security, and they are trying to prevent the information privacy invasion accidents by doing all the necessary efforts. This paper studies how effectively a financial firm will be able to avoid personal financial information privacy invasion that may be deliberately caused by internal staffs. Although there are several literatures relating to information security, to our knowledge, this is the first study to focus on the behavior of internal staffs. The big financial firms are doing variety of information security activities to protect personal information. This study is to confirm what types of such activities actually work well. The primary research model of this paper is based on Theory of Planned Behavior (TPB) that describes the rational choice of human behavior. Also, a variety of activities to protect the personal information of financial firms, especially credit card companies with the most customer information, were modeled by the four-step process Security Action Cycle (SAC) that Straub and Welke (1998) claimed. Through this proposed conceptual research model, we study whether information security activities of each step could suppress personal information abuse. Also, by measuring the morality of internal staffs, we checked whether the act of information privacy invasion caused by internal staff is in fact a serious criminal behavior or just a kind of unethical behavior. In addition, we also checked whether there was the cognition difference of the moral level between internal staffs and the customers. Research subjects were customer call center operators in one of the big credit card company. We have used multiple regression analysis. Our results showed that the punishment of the remedy activities, among the firm's information security activities, had the most obvious effects of preventing the information abuse (or privacy invasion) by internal staff. Somewhat effective tools were the prevention activities that limited the physical accessibility of non-authorities to the system of customers' personal information database. Some examples of the prevention activities are to make the procedure of access rights complex and to enhance security instrument. We also found that 'the unnecessary information searches out of work' as the behavior of information abuse occurred frequently by internal staffs. They perceived these behaviors somewhat minor criminal or just unethical action rather than a serious criminal behavior. Also, there existed the big cognition difference of the moral level between internal staffs and the public (customers). Based on the findings of our research, we should expect that this paper help practically to prevent privacy invasion and to protect personal information properly by raising the effectiveness of information security activities of finance firms. Also, we expect that our suggestions can be utilized to effectively improve personnel management and to cope with internal security threats in the overall information security management system.

• The Journal of the Korea Contents Association
• /
• v.17 no.4
• /
• pp.596-605
• /
• 2017

Recently, it has been pointed out that the lack of professional ethics of computer and security experts is serious as college students majoring in information security and insiders who are in charge of security work are involved in crimes after being tempted to cyber crimes. In this paper, we investigate and analyze the security ethics awareness and education situation of college students majoring in information security, and examine the security ethics education method for human resource development with personality and qualities. As the information society becomes more widespread, the ethics and occupational consciousness of the university students who are majoring in information security are recognized as lack of awareness and education about security ethics, As a solution to solve these problems, it is expected that it will be possible to nurture security experts who are aware of their vocation through the educational plan to enhance the security ethics of the information security major college students. According to the security ethics education system proposed in the paper, the security ethical consciousness of the group that received education was remarkably improved.