• Title/Summary/Keyword: security risks

Search Result 478, Processing Time 0.024 seconds

A Quantitative Security Metric Based on MITRE ATT&CK for Risk Management (위험 관리를 위한 MITRE ATT&CK 기반의 정량적 보안 지표)

  • Haerin Kim;Seungwoon Lee;Su-Youn Hong
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.34 no.1
    • /
    • pp.53-60
    • /
    • 2024
  • Security assessment is an indispensable process for a secure network, and appropriate performance indicators must be present to manage risks. The most widely used quantitative indicator is CVSS. CVSS has a problem that it cannot consider context in terms of subjectivity, complexity of interpretation, and security risks. To compensate for these problems, we propose indicators that itemize and quantify four things: attackers, threats, responses, and assets, taking into account the security context of ISO/IEC 15408 documents. Vulnerabilities discovered through network scanning can be mapped to MITREATT&CK's technology by the connection between weaknesses and attack patterns (CAPEC). We use MITREATT&CK's Groups, Tactic, and Mitigations to produce consistent and intuitive scores. Accordingly, it is expected that security evaluation managers will have a positive impact on strengthening security such as corporate networks by expanding the range of choices among security indicators from various perspectives.

Market Reaction to IT Security Investment Announcements (기업의 정보보호 공시가 기업가치에 미치는 영향)

  • Park, Jaeyoung;Jung, Woo-Jin
    • Knowledge Management Research
    • /
    • v.20 no.4
    • /
    • pp.39-55
    • /
    • 2019
  • Although Firms have been increasing their information security significantly to handle increased security risks, the effects of information security were not well understood. This study aims to investigate the market value of information security by employing the event study methodology. Our research also explores how market responses vary depending on the type of information security announcements. We collected 177 firm-level information security announcements between 2001 and 2017 in South Korea. For all samples, our results indicate that the stock market positively reacts to information security announcements. We also conducted subsample analysis and found that while information security certification announcement has a positive impact on the stock market, information security activities (e.g. award, information security system) announcement had no impact on the stock market. Our study adopted a novel approach (i.e. event study) for investigating the effects of information security and found that information security investment positively affects firm value. Our results allow managers to measure the effects of information security investment and help them make right decisions on information security investment.

A Study on Data Security Control Model of the Test System in Financial Institutions (금융기관의 테스트시스템 데이터 보안통제 모델 연구)

  • Choi, Yeong-Jin;Kim, Jeong-Hwan;Lee, Kyeong-Ho
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.24 no.6
    • /
    • pp.1293-1308
    • /
    • 2014
  • The cause of privacy extrusion in credit card company at 2014 is usage of the original data in test system. By Electronic banking supervision regulations of the Financial Supervisory Service and Information Security business best practices of Finance information technology (IT) sector, the data to identify the customer in the test system should be used to convert. Following this guidelines, Financial firms use converted customer identificaion data by loading in test system. However, there is some risks that may be introduced unintentionally by user mistake or lack of administrative or technical security in the process of testing. also control and risk management processes for those risks did not studied. These situations are conducive to increasing the compliance violation possibility of supervisory institution. So in this paper, we present and prove the process to eliminate the compliance violation possibility of supervisory institution by controlling and managing the unidentified conversion customer identification data and check the effectiveness of the process.

Factors to Affect Acceptance of Open Banking from Information Security Perspectives (정보보호 관점에서의 오픈뱅킹 수용도에 대한 영향요인)

  • Go, Jeunghyeun;Lee, Woonboo
    • Journal of Information Technology Services
    • /
    • v.20 no.6
    • /
    • pp.63-81
    • /
    • 2021
  • Joint financial network of Korea Financial Telecommunications and Clearings Institute, which is an essential facility with a natural monopoly, maintained its closedness as monopoly/public utility model, but it has evolved in the form of open banking in order to obtain domestic fintech competitiveness in the rapidly changing digital financial ecosystem such as the acceleration of Big Blur. In accordance with digital transformation strategy of financial institutions, various ICT companies are actively participating in the financial industries, which has been exclusive to banks, through the link technology called Open API. For this reason, there has been a significant change in the financial service supply chain in which ICT companies participate as users. The level of security in the financial service supply chain is determined based on the weakest part of the individual components according to the law of minimum. In addition, there is a perceived risk of personal information and financial information leakage among the main factors that affect users' intention to accept services, and appropriate protective measures against perceived security risks can be a catalyst, which increases the acceptance of open banking. Therefore, this is a study on factors affecting the introduction of open banking to achieve financial innovation by developing an open banking security control model for financial institutions, as a protective measures to user organizations, from the perspectives of cyber financial security and customer information protection, respectively, and surveying financial security experts. It is expected, from this study, that effective information protection measures will be derived to protect the rights and interests of financial customers and will help promote open banking.

A Study on the Security Management of Instant Messengers (인터넷 메신저의 보안 체계에 대한 연구)

  • Kim Sang-Kyun;Lee Hong-Joo
    • Journal of Internet Computing and Services
    • /
    • v.7 no.3
    • /
    • pp.93-105
    • /
    • 2006
  • The instant messenger is not only a wonderful tool for individuals. It is also a great tool which provides real-time dialogue and file transfers for individuals via the Internet and improves an enterprise productivity. However, it has many security risks that may have significant impact in corprate environments. This paper provides an overview of the security risks of the instant messenger with a risk analysis method and the controls that can be used to make it secure. It's hard to eliminate the instant messenger from enterprise environments because of its benefits. If we cannot avoid using it, we must make it secure and reap the full benefits of it.

  • PDF

Towards Cyber Security Risks Assessment in Electric Utility SCADA Systems

  • Woo, Pil Sung;Kim, Balho H.;Hur, Don
    • Journal of Electrical Engineering and Technology
    • /
    • v.10 no.3
    • /
    • pp.888-894
    • /
    • 2015
  • This paper presents a unified model based assessment framework to quantify threats and vulnerabilities associated with control systems, especially in the SCADA (Supervisory Control and Data Acquisition) system. In the past, this system was primarily utilized as an isolated facility on a local basis, and then it started to be integrated with wide-area networks as the communication technology would make rapid progress. The introduction of smart grid, which is an innovative application of digital processing and communications to the power grid, might lead to more and more cyber threats originated from IT systems. However, an up-to-date power system often requires the real-time operations, which clearly implies that the cyber security would turn out to be a complicated but also crucial issue for the power system. In short, the purpose of this paper is to streamline a comprehensive approach to prioritizing cyber security risks which are expressed by the combination of threats, vulnerabilities, and values in the SCADA components.

Analysis of Security Vulnerabilities and Personal Resource Exposure Risks in Overleaf

  • Suzi Kim;Jiyeon Lee
    • Journal of the Korea Society of Computer and Information
    • /
    • v.29 no.7
    • /
    • pp.109-115
    • /
    • 2024
  • Overleaf is a cloud-based LaTeX editor, allowing users to easily create and collaborate on documents without the need for separate LaTeX installation or configuration. Thanks to this convenience, users from various fields worldwide are writing, editing, and collaborating on academic papers, reports, and more via web browsers. However, the caching that occurs during the process of converting documents written on Overleaf to PDF format poses risks of exposing sensitive information. This could potentially lead to the exposure of users' work to others, necessitating the implementation of security measures and vigilance to caution against such incidents. This paper delves into an in-depth analysis of Overleaf's security vulnerabilities and proposes various measures to enhance the protection of intellectual property.

Trusted Certificate Validation Scheme for Open LBS Application Based on XML Web Services

  • Moon, Ki-Young;Park, Nam-Je;Chung, Kyo-Il;Sohn, Sung-Won;Ryou, Jae-Cheol
    • Journal of Information Processing Systems
    • /
    • v.1 no.1 s.1
    • /
    • pp.86-95
    • /
    • 2005
  • Location-based services or LBS refer to value-added service by processing information utilizing mobile user location. With the rapidly increasing wireless Internet subscribers and world LBS market, the various location based applications are introduced such as buddy finder, proximity and security services. As the killer application of the wireless Internet, the LBS have reconsidered technology about location determination technology, LBS middleware server for various application, and diverse contents processing technology. However, there are fears that this new wealth of personal location information will lead to new security risks, to the invasion of the privacy of people and organizations. This paper describes a novel security approach on open LBS service to validate certificate based on current LBS platform environment using XKMS (XML Key Management Specification) and SAML (Security Assertion Markup Language), XACML (extensible Access Control Markup Language) in XML security mechanism.

A Measures to Converge Manage an Efficient Information Security Management System for Information Security Experts Manpower (정보보호 인력양성을 위한 효율적인 정보보호관리체계의 융합 관리 방안)

  • Lee, Keun-Ho
    • Journal of the Korea Convergence Society
    • /
    • v.5 no.4
    • /
    • pp.81-86
    • /
    • 2014
  • The development in IT technology has brought about various services that are on offer based on a new service model. But such new services have increased security risks. The government is operating a program to foster experts in information security to protect assets from the threat of such risks, too. Society's awareness on the importance of information security has also grown, leading to various courses to train such personnel, including membership clubs for the fostering of such specialists. This study seeks to suggest a method that efficiently manages the convergence of running a curriculum on ISMS(information security management systems) and a club that focuses on information protection. Such converged information security courses are expected to contribute to a safer IT-based society.