An Ex Ante Evaluation Method for Assessing a Government Enforced Security Measure

An Ex Ante Effectiveness Analysis Method for the Legislation of Government Information Security Measures

  • Shim, Woohyun (Department of Information Engineering and Computer Science, University of Trento)
  • Received : 2015.10.14
  • Accepted : 2015.11.24
  • Published : 2015.11.30

Abstract

To ensure that all firms are cyber-secure, many governments have started to enforce the implementation of various security measures on firms. Before implementation, however, it is unclear whether government-enforced security measures will be effective in mitigating cyber-security risks. By applying a method for estimating the effectiveness of a mandatory seatbelt law in reducing fatalities from motor vehicle accidents, this study develops an ex ante evaluation method that can approximate the effectiveness of a government-enforced security measure in reducing country-wide or industry-wide cyber-security risks. Using data obtained from the Korean Internet and Security Agency, this study then explores how to employ the developed method to assess the effectiveness of a specific security measure in mitigating cyber-security risks, if enforced by the government, and compares the effectiveness of various security measures. The comparison shows that compulsory security training has the highest effectiveness.

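To ensure firms' information security, many governments have been making various security measures mandatory. However, research that analyzes the potential effectiveness of such security measures before they are implemented is lacking. This study aims to develop a model that enables ex ante evaluation of the effectiveness of various government security measures, by adapting research on the effect of mandatory seatbelt legislation on reducing motor vehicle accident fatalities. In addition, data from the Korea Internet & Security Agency's Information Security Survey (business edition) were applied to the developed model to evaluate ex ante which security measures, if legislated, are effective in reducing security risks across society and industry. The results confirm that legislating security training is more effective than other security measures.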


Cited by

  1. Security Standardization for Social Welfare in the Presence of Unverifiable Control vol.22, pp.2, 2017, https://doi.org/10.7838/jsebs.2017.22.2.099