A Practical Security Risk Analysis Process and Tool for Information System

  • Chung, Yoon-Jung (Electronics and Telecommunications Research Institute) ;
  • Kim, In-Jung (Electronics and Telecommunications Research Institute) ;
  • Lee, Do-Hoon (Electronics and Telecommunications Research Institute)
  • Published : 2006.06.30

Abstract

Conventional information technology management methods rooted in business administration have been applied to the risk analysis of information systems, but security risk analysis techniques focused on information protection have not been used. Given the rapid diffusion of information systems and the growing demand for information protection, developing such techniques is essential. This paper therefore proposes a security risk analysis process for information systems. To demonstrate the usefulness of this process, the paper presents the results of a managerial, physical and technical security risk analysis derived from investigating and analyzing the conventional information protection items of an information system.

References

  1. ISO/IEC JTC 1/SC27, Information technology - Security technique Guidelines for the management of IT security (GMITS) -Part 3: Techniques for the management of IT security, ISO/IEC JTC1/SC27 N1845, 1997. 12. 1
  2. BSI, BS7799 - Code of Practice for Information Security Management, British Standards Institute, 1999
  3. CSE, Threat and Risk Assessment Working Guide, Government of Canada, Communications Security Establishment, 1999
  4. Staker, 'Use of Baysian belief networks in the analysis of information system network risk,' Information, Decision and Control, pp. 145-150, Feb. 1999
  5. NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems. August 2001
  6. GAO, Information Security Risk Assessment - Practices of Leading Organizations, Exposure Draft, U.S. General Accounting Office, August 1999
  7. Solm, R., Guidelines to The Management of Information Technology Security, Vol.6, No.5, 1998, pp.221-223 https://doi.org/10.1108/EUM0000000004542
  8. Ministry of Finance and Economy Republic of Korea, Security Guide of Information Communication Infrastructure for the MOFE association organization, 2002. 11
  9. http://www.sans.org/top20
  10. Hamoud, Chen, Bradley, 'Risk Assessment of Power systems SCADA', Power Engineering Society General Meeting, pp. 764 vol 2, July 2003
  11. Zorkadis, Karras, 'Security modeling of electronic commerce infrastructure,' EUROCOMM2000, pp. 340-344, MAY 2000