A Study on the Impact Analysis of Security Flaws between Security Controls: An Empirical Analysis of K-ISMS using Case-Control Study

  • Kim, Hwankuk (Security R&D Team, Korea Internet & Security Agency (KISA)) ;
  • Lee, Kyungho (Graduate School of Information Security, Korea University) ;
  • Lim, Jongin (Graduate School of Information Security, Korea University)
  • Received : 2016.10.03
  • Accepted : 2017.05.02
  • Published : 2017.09.30

Abstract

Measuring an organization's information security level is important but difficult. Most measurement methods proposed so far have concentrated on developing new indices. Such research has focused on the problem of attaining a given level, however, and has largely neglected how different kinds of possible flaws in security controls affect one another and which flaws are more critical because of those effects. Furthermore, applying the same weight to every flaw has made it difficult to identify their relative importance. In this paper, the interrelationships among security flaws that occurred in the security controls of K-ISMS are analyzed, and the relative impact of each security control is measured. Additionally, a case-control study is applied to empirical data to eliminate the subjective bias that is a shortcoming of expert surveys and comparative studies. The security controls were divided into two groups according to whether or not a security flaw occurred. The experimental results show the impact relationships and the severity among security flaws. We expect these results to serve as reference indices when deciding which security flaws to remove in an enterprise.
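The abstract describes splitting controls into a "flaw occurred" and a "no flaw" group and measuring how flaws in one control relate to flaws in another. The script below is an added illustration, not code from the paper or from KISA, of how such a case-control comparison is commonly quantified: for each ordered pair of controls it builds a 2x2 contingency table (flaw in the exposure control versus flaw in the outcome control), computes the odds ratio with a 95% confidence interval, and ranks the pairs. The control names and the twelve audit records are constructed for the example and are not K-ISMS control identifiers or real audit data; using the odds ratio as the association measure is an assumption of this example, not a statement of the paper's exact statistic.

```python
"""Pairwise odds-ratio screening of security-flaw co-occurrence between controls.

Constructed example: each record is one audited organization and each key is a
control name (hypothetical names, not K-ISMS control identifiers); the value is
1 if the audit found a flaw in that control and 0 otherwise.
"""
from itertools import permutations
from math import exp, log, sqrt

CONTROLS = ("access_control", "log_management", "patch_management")

# Constructed audit records (not real data): 12 organizations, 3 controls.
AUDITS = [
    {"access_control": 1, "log_management": 1, "patch_management": 1},
    {"access_control": 1, "log_management": 1, "patch_management": 0},
    {"access_control": 1, "log_management": 1, "patch_management": 1},
    {"access_control": 1, "log_management": 0, "patch_management": 1},
    {"access_control": 1, "log_management": 1, "patch_management": 0},
    {"access_control": 1, "log_management": 0, "patch_management": 0},
    {"access_control": 0, "log_management": 1, "patch_management": 1},
    {"access_control": 0, "log_management": 0, "patch_management": 0},
    {"access_control": 0, "log_management": 0, "patch_management": 1},
    {"access_control": 0, "log_management": 0, "patch_management": 0},
    {"access_control": 0, "log_management": 1, "patch_management": 0},
    {"access_control": 0, "log_management": 0, "patch_management": 0},
]


def contingency(records, exposure, outcome):
    """Build the 2x2 table for 'flaw in exposure control' vs 'flaw in outcome control'.

    a: exposure flaw and outcome flaw      b: exposure flaw, outcome clean
    c: exposure clean, outcome flaw        d: exposure clean, outcome clean
    """
    a = b = c = d = 0
    for rec in records:
        exposed, affected = rec[exposure] == 1, rec[outcome] == 1
        if exposed and affected:
            a += 1
        elif exposed:
            b += 1
        elif affected:
            c += 1
        else:
            d += 1
    return a, b, c, d


def _corrected(a, b, c, d):
    """Haldane-Anscombe correction: a zero cell would make the odds ratio 0 or
    infinite, so 0.5 is added to every cell when any cell is empty."""
    if 0 in (a, b, c, d):
        return tuple(x + 0.5 for x in (a, b, c, d))
    return a, b, c, d


def odds_ratio(a, b, c, d):
    """Odds of the outcome flaw among exposed organizations divided by the odds
    among non-exposed organizations."""
    a, b, c, d = _corrected(a, b, c, d)
    return (a * d) / (b * c)


def confidence_interval(a, b, c, d, z=1.96):
    """Approximate 95% confidence interval for the odds ratio (Woolf's log method)."""
    a, b, c, d = _corrected(a, b, c, d)
    log_or = log((a * d) / (b * c))
    se = sqrt(1 / a + 1 / b + 1 / c + 1 / d)
    return exp(log_or - z * se), exp(log_or + z * se)


def rank_flaw_impacts(records, controls):
    """Score every ordered pair (exposure -> outcome) and rank by odds ratio.

    Returns tuples (exposure, outcome, OR, ci_low, ci_high), strongest first.
    A pair whose interval spans 1.0 cannot be distinguished from 'no association'
    at this sample size and should be treated as inconclusive.
    """
    rows = []
    for exposure, outcome in permutations(controls, 2):
        a, b, c, d = contingency(records, exposure, outcome)
        lo, hi = confidence_interval(a, b, c, d)
        rows.append((exposure, outcome, odds_ratio(a, b, c, d), lo, hi))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


if __name__ == "__main__":
    for exposure, outcome, ratio, lo, hi in rank_flaw_impacts(AUDITS, CONTROLS):
        flag = "" if lo <= 1.0 <= hi else "  *"
        print(f"{exposure:>18} -> {outcome:<18} OR={ratio:5.2f}  "
              f"95% CI [{lo:5.2f}, {hi:6.2f}]{flag}")
```

Two caveats a practitioner should keep in mind when reading such a ranking: the odds ratio of a 2x2 table is symmetric, so a high value for "access_control -> log_management" says the two flaws co-occur, not that one causes the other; and with a sample this small every interval spans 1.0, so the ranking is only a screening aid until enough audit records are available for the intervals to separate.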


Cited by

  1. A Study on Key Control Areas for Information Security Management Systems: Focusing on Finance-related Organizations, vol.19, pp.6, 2017, https://doi.org/10.7472/jksii.2018.19.6.9