• Journal of Information Processing Systems
• /
• 제16권1호
• /
• pp.61-82
• /
• 2020

The security risk management used by some service providers is not appropriate for effective security enhancement. The reason is that the security risk management methods did not take into account the opinions of security experts, types of service, and security vulnerability-based risk assessment. Moreover, the security risk assessment method, which has a great influence on the risk treatment method in an information security risk assessment model, should be security risk assessment for fine-grained risk assessment, considering security vulnerability rather than security threat. Therefore, we proposed an improved information security risk management model and methods that consider vulnerability-based risk assessment and mitigation to enhance security controls considering limited security budget. Moreover, we can evaluate the security cost allocation strategies based on security vulnerability measurement that consider the security weight.

• 디지털융복합연구
• /
• 제10권4호
• /
• pp.235-241
• /
• 2012

최근 교육 수월성 제고와 질적 수준 향상을 위해서 대학에서는 정보화를 추진하고 있으나 개인정보를 비롯한 학사행정과 관련된 중요 정보들이 학사 데이터베이스에 집적되어 있어 그에 따른 보호 대책이 필요하다. 이 논문에서는 학사 데이터베이스 구축에 사용되는 DBMS의 접근제어, 기밀성, 무결성 그리고 보안감사 등이 보장되도록 대학의 현실에 적합한 학사 데이터베이스 통합 보안 모델을 제안한다. 제안 모델은 상당 수 대학들이 데이터베이스 보안 제품을 활용하고 있지 못한 여건을 고려하여 DBMS가 제공하는 기능만으로 보안의 가장 핵심 요소인 기밀성 등을 구현하는 세부 방안을 제시하고 있다.

• 디지털융복합연구
• /
• 제10권10호
• /
• pp.31-46
• /
• 2012

보안 분위기에 대한 연구를 위해 안전 분위기에 관한 선행연구와 성과모델을 기반으로 본 연구는 정보보안 분위기 모델을 제안하였다. 연구모델은 정보보안 분위기, 보안 정책 준수 태도, 그리고 기회주의적 보안 행위로 구성되었다. 분석 결과 조직의 보안 분위기는 보안정책 준수태도에 영향을 미쳤으며, 태도는 기회주의적 보안 행위에 유의한 영향을 미치는 것으로 나타났다. 즉, 보안 분위기는 기회주의적 보안행위에 직접적인 영향을 미치기보다는 보안 정책 준수태도를 통해 간접 효과를 나타내는 것으로 나타났다.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• 제12권10호
• /
• pp.4995-5014
• /
• 2018

As the area covered by the CPS grows wider, agencies such as public institutions and critical infrastructure are collectively measuring and evaluating information security capabilities. Currently, these methods of measuring information security are a concrete method of recommendation in related standards. However, the security controls used in these methods are lacking in connectivity, causing silo effect. In order to solve this problem, there has been an attempt to study the information security management system in terms of maturity. However, to the best of our knowledge, no research has considered the specific definitions of each level that measures organizational security maturity or specific methods and criteria for constructing such levels. This study developed an information security maturity model that can measure and manage the information security capability of critical infrastructure based on information provided by an expert critical infrastructure information protection group. The proposed model is simulated using the thermal power sector in critical infrastructure of the Republic of Korea to confirm the possibility of its application to the field and derive core security processes and goals that constitute infrastructure security maturity. The findings will be useful for future research or practical application of infrastructure ISMSs.

• 융합보안논문지
• /
• 제10권3호
• /
• pp.9-14
• /
• 2010

본 논문에서는 디지털 콘텐츠에 대한 안전하고 신뢰성 있는 유통, 전달, 취약성 점검을 위한 정보보호의 자동분석 방법을 위한 네트워크 구조와 분석 모델을 제시한다. 제시된 네트워크에서는 firewall과 IDS(Intrusion Detection System)를 이용하며, 자체적인 위협을 평가하기 위한 에이전트를 활용하는 방안을 제시하며, 주요 기능으로는 보안 범위 선정, 관련 데이터 수집/분석, 수준평가 및 대책 제시 등을 포함한다. 효율적인 자동화 분석 모델을 개발하기 위해서는 콘텐츠의 상호 유통과 웹서버-사용자간 트래픽 분석에 기초한 네트워크의 설계와 정보보호 및 자동분석 알고리즘의 개발 그리고 효율적인 DRM/PKI 등의 도구 개발이 필요함을 알 수 있다.

• 한국컴퓨터정보학회논문지
• /
• 제20권8호
• /
• pp.35-43
• /
• 2015

Recently, internal information leaks is increasing rapidly by internal employees and authorized outsourcing personnel. In this paper, we propose a method to integrate internal control systems like system access control system and Digital Rights Managements and so on through expansion model of SIEM(Security Information Event Management system). this model performs a analysis step of security event link type and validation process. It develops unit scenarios to react illegal acts for personal information processing system and acts to bypass the internal security system through 5W1H view. It has a feature that derives systematic integration scenarios by integrating unit scenarios. we integrated internal control systems like access control system and Digital Rights Managements and so on through expansion model of Security Information Event Management system to defend leakage of internal information and customer information. We compared existing defense system with the case of the expansion model construction. It shows that expanding SIEM was more effectively.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• 제15권2호
• /
• pp.580-599
• /
• 2021

Software-Defined Networking (SDN) has three key features: separation of control and forwarding, centralized control, and network programmability. While improving network management flexibility, SDN has many security issues. This paper systemizes the security threats of SDN using spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege (STRIDE) model to understand the current security status of SDN. First, we introduce the network architecture and data flow of SDN. Second, we analyze security threats of the six types given in the STRIDE model, aiming to reveal the vulnerability mechanisms and assess the attack surface. Then, we briefly describe the corresponding defense technologies. Finally, we summarize the work of this paper and discuss the trends of SDN security research.

• Journal of applied mathematics & informatics
• /
• 제5권3호
• /
• pp.805-810
• /
• 1998

In this paper we set the stock price model in security market when the price process is a continuous semartingale and find a unigue solution of price process model.

• ETRI Journal
• /
• 제37권2호
• /
• pp.428-437
• /
• 2015

This study was conducted to analyze the effect of information security activities on organizational performance. With this in mind and with the aim of resolving transaction stability in the securities industry, using an organization's security activities as a tool for carrying out information security activities, the effect of security activities on organizational performance was analyzed. Under the assumption that the effectiveness of information security activities can be bolstered to enhance organizational performance, such effects were analyzed based on Herzberg's motivation theory, which is one of the motivation theories that may influence information protection activities. To measure the actual attributes of the theoretical model, an empirical survey of the securities industry was conducted. In this explorative study, the proposed model was verified using partial least squares as a structural equation model consisting of IT service, information security, information sharing, transaction stability, and organizational performance.

• 한국시뮬레이션학회논문지
• /
• 제10권4호
• /
• pp.51-64
• /
• 2001

It is quite necessary that an organization's information network should be equipped with a proper security system based on its scale and importance. One of the effective methods is to use the simulation model for deciding which security policy and mechanism is appropriate for the complex network. Our goal is to build a foundation of knowledge-based modeling and simulation environment for the network security. With this environment, users can construct the abstracted model of security mechanisms, apply various security policies, and quantitatively analyze their security performance against possible attacks. In this study, we considered security domain from several points of view and implemented the models based on a systematic modeling approach. We enabled the model to include knowledge in modular fashion and provided well-defined guidelines for transforming security policy to concrete rule set.