Journal of the Society of Disaster Information (한국재난정보학회 논문집)

The Korean Society of Disaster Information (한국재난정보학회)
권호 표지
DOI QR코드

DOI QR Code

Cyber Risk Management of SMEs to Prevent Personal Information Leakage Accidents

개인정보유출 사고 방지를 위한 중소기업의 사이버 위험관리

  • So, Byoung-Ki (Department of Disaster and Safety Management, Soongsil University) ;
  • Cheung, Chong-Soo (Department of Disaster and Safety Management, Soongsil University)
  • Received : 2021.05.20
  • Accepted : 2021.06.25
  • Published : 2021.06.30
Download PDF
⟨ Previous Next ⟩

Abstract

Purpose: Most of cybersecurity breaches occur in SMEs. As the existing cybersecurity framework and certification system are mainly focused on financial and large companies, it is difficult for SMEs to utilize it due to lack of cybersecurity budget and manpower. So it is necessary to come up with measures to allow SMEs to voluntarily manage cyber risks. Method: After reviewing Cybersecurity market, cybersecurity items of financial institutions, cybersecurity framework comparison and cybersecurity incidents reported in the media, the criticality of cybersecurity items was analyzed through AHP analysis. And cybersecurity items of non-life insurers were also investigated and made a comparison between them. Result: Cyber risk management methods for SMEs were proposed for 20 major causes of cyber accidents. Conclusion: We hope that the cybersecurity risk assessment measures of SMEs in Korea will help them assess their risks when they sign up for cyber insurance, and that cyber risk assessment also needs to be linked to ERM standardization.

연구목적: 사이버보안 침해사고의 대부분은 중소기업에서 발생하고 있는데, 기존 사이버보안 프레임워크(Framework)와 인증체계 등은 주로 금융권이나 대기업에 초점이 맞추어져 있어 정보보안 예산과 인력이 부족한 중소기업이 활용하기에는 어려움이 많아 중소기업이 자율적으로 사이버위험관리를 할 수 있는 방안을 마련할 필요가 있다. 연구방법: 사이버보안 시장, 금융기관 사이버보안 항목, 사이버보안 프레임워크 비교, 언론에 보도된 사이버보안사고 등을 통해 사이버보안에 중요한 항목을 도출하고 이를 AHP 분석을 통하여 그 중요도를 분석하고, 손해보험사의 사이버보안 항목을 조사·비교 하였다. 연구결과: 주요한 사이버사고 원인 20가지에 대한 중소기업의 사이버위험관리 방안을 제시하였다. 결론: 본 연구에서 도출된 국내 중소기업의 사이버보안 위험평가방안이 향후 중소기업이 사이버보험 가입 시 그 기업의 위험평가에 도움이 되길 바라고 사이버 위험평가도 ERM 규격화의 한 부분에 포함되기를 희망해 본다.

Keywords

Acknowledgement

본 연구는 행정안전부의 재난안전 분야 전문 인력 양성사업을 통해 지원받아 수행된 연구의 결과이며, 이에 감사드립니다.

References

  1. AON (2016). Cyber, the Fast Moving Target. (http://www.aon.com/attachments/risk-services/cyber/2016-CaptiveCyber-Survey-Interactive.pdf)
  2. Australian Small Business and Family Enterprise Ombudsman (2017) Cybersecurity: The Small Business Best Practice Guide (https://www.asbfeo.gov.au/sites/default/files/documents/ASBFEO-cyber-security-research-report.pdf)
  3. Cho, B.-J., Yun, J.-H., Lee, K.-H. (2015). "Study of effectiveness for the network separation policy of financial companies." Journal of The Korea Institute of Information Security & Cryptology, Vol. 25, No. 1, pp. 181-195. https://doi.org/10.13089/JKIISC.2015.25.1.181
  4. Cho, S.-K., Jun, M.-S. (2012). "Privacy leakage monitoring system design for privacy protection." Journal of The Korea Institute of Information Security & Cryptology, Vol. 22, No. 1, pp. 99-106. https://doi.org/10.13089/JKIISC.2012.22.1.99
  5. Deloitte (2017). Cybersecurity and the Role of Internal Audit.
  6. Financial Services Commission (2019). Regulation of Supervision on Electronic Financial.
  7. International Security Exhibition & Conference (2019). Exhibition items for participation in the International Security Exhibition(Cybersecurity Field). (https://www.seconexpo.com/2019/kor/exhibit/sub02.asp)
  8. Jeong, Y.-C. (2018). "Finance industry and cybersecurity policy." Journal of Financial Regulation and Supervision, Vol. 5, No. 2, pp. 89-122.
  9. Jung, H.-C. (2017). A Study on Security Technology for Enhancing Security of Small and Medium Enterprises by using Open Source. Master Thesis, Soongsil University.
  10. Kim, D.-C., Kim, I.-S. (2018). "A study on cybersecurity regulation for financial sector: Policy suggestion based on New York's cybersecurity regulation(23 NYCRR 500)." Journal of Society for e-Business Studies, Vol. 23, No. 4, pp. 87-107. https://doi.org/10.7838/JSEBS.2018.23.4.087
  11. Kim, H.-W., Lee, K.-S., Kim, S.-H. (2005). "Website security evaluation for electronic commerce." Joint Spring Conference between The Korean Operations Research and Management Science Society/Korean Institute of Industrial Engineers, Chungbuk University, pp. 340-347.
  12. Kim, J-G., Lee, D-S., Cho, J-Y., Han, S-G., Kim, T-H. (2016). "Introduction of perpcetion on ICT to respond social disaster." Journal of The Korea Society of Disaster Inforrmation, Vol. 12, No. 3, pp. 249-260. https://doi.org/10.15683/kosdi.2016.9.30.249
  13. Kim, J.-H., Cho, J.-H. (2010). "Security threats in cyber environments." Journal of The Korea Institute of Information Security & Cryptology, Vol. 20, No. 4, pp. 11-20.
  14. Kim, K.-C., Kim, S.-J. (2012). "Evaluation criteria for Korean smart grid based on K-ISMS." Journal of The Korea Institute of Information Security & Cryptology, Vol. 22, No. 6, pp. 1375-1391. https://doi.org/10.13089/JKIISC.2012.22.6.1375
  15. Kim, K.-R. (2019). A Study on the Cyber Risk Item Disclosure for Cyber Insurance Subsidiary. Master Thesis, Sangmyung University.
  16. Kim, K.-Y. (1997). "Risk management and crisis management: Disaster recovery for information system." Journal of Risk Management, pp. 291-315.
  17. Kim, S.-H. (2019). A Study on the Improvement of Vulnerability Checklist for Enhanced PC Security. Master Thesis, Konkuk University
  18. Kim, S.-J., Kim, J.-D. (2017). "A study on developing assessment indicators for cyber resilience." Journal of Digital Convergence, Vol. 15, No. 8, pp.137-144. https://doi.org/10.14400/JDC.2017.15.8.137
  19. Kim, S.-Y. (2009). Korea Financial Telecommunications & Clearings Institute, Payment, Clearance and Information Technology, Vol. 38, pp. 34-62.
  20. Kinosita, E., Ooya, T. (Kwon, J.-H., Trans.) (2012) Strategic Decision Making Techniques, AHP. Cheongram Press, Seoul, Korea.
  21. Korea Communications Commission & KISA (2010). Guide for Information Security Management System.
  22. Korea Information Security Agency (2003). A Study on the Development of Certification System for Information Protection Management System.
  23. Korea Internet & Security Agency (2012). Information Security Guide for Small and Medium IT Service Companies(III), Information Security management for working-level officials.
  24. Korea Internet & Security Agency (2020). Small and Medium Business Information Protection Practice Guide(1/2, 2/2).
  25. Korea Insurance Development Institute (2015). A Study on Introduction of Government Reinsurance System in Environment Impairment liability Insurance. Research & Service Report by Minister of Environment.
  26. Lee, K.-H. (2017). "A study on ERM standardization and insurance linkage scheme to promote corporate risk management." The Journal of Risk Management, Vol. 28, No. 3, pp. 43-79. https://doi.org/10.21480/tjrm.28.3.201709.002
  27. Lee, K.-H., Yoon, J.-D. (2008). "A study on the measurement methods and cases of personal information leakage risk in private enterprises." Journal of The Korea Institute of Information Security & Cryptology, Vol. 18, No. 3, pp. 92-100.
  28. Lee, K.-S. (2006). "The problem and policy alternatives for cyber security in the networking age." Journal of Korea Association for Regional Information Society, Vol. 9, No. 1, pp. 109-128.
  29. Min, B.-G., Lee, D.-H. (2006). "Research of improvement and system of the information security management evaluation." Journal of Convergence Security, Vol. 6, No. 4, pp. 101-112.
  30. Ministry of Knowledge Economy, IO Consulting Co., Ltd. (2010). Detailed Security Control Implementation Guidelines for Technology Protection for SMEs.
  31. Namu.Wiki (2021). (https://namu.wiki/w/개인정보%20유출사태)
  32. NASSTAR (2019). Cyber Security for SMEs: A Practical Guide to Protection Your Business. (https://www.nasstar.com/hubfs/Marketing-Material/white%20paper%20-%20cyber%20security.pdf)
  33. NIST (2016). NISTIR 7621, Small Business Information Security: The Fundamentals. (https://doi.org/10.6028/NIST.IR.7621r1)
  34. NIST CSF (2018). Framework for Improving Critical Infrastructure Cybersecurity.
  35. Oh, H.-G. (2019). "Countermeasure of Unmanned Aerial Vehicle(UAV) against terrorist's attacks in South Korea for the public crowded places." Journal of The Korea Society of Disaster Inforrmation, Vol. 12, No. 1, pp. 49-66.
  36. Park, J.-T. (2020). A Study on the Establishment of IT-based Joint Disaster Recovery Center for Business Continuity Management System of Small and Medium Business. Ph.D. Dissertation, Hansei University
  37. Park, J.-H., Cho, N.-W., Lee, K.-H., Choi, I.-H. (2008). " Development of Security System on Personal Information in custody internally in Corporates." Journal of The Korea Institute of Information Security & Cryptology, Vol. 18, No. 6, pp.28-34.
  38. Radanliev, P., De Roure, D., Nurse, J.R.C., Nicolescu, R., Huth, M., Cannady, S., Montalvo, R.M. (2019). Cyber Security Framework for the Internet-of-Things in Industry 4.0, University of Oxford, UK. (doi: 10.20944/preprints201903.0111.v1)
  39. Radanliev, P., De Roure, D., Cannady, S., Montalvo, R.M., Nicolescu, R., Huth, M. (2018). "Analysing IoT cyber risk for estimating IoT cyber insurance." IET Conference Proceeding. (doi: 10.1049/cp.2018.0003)
  40. Son, S.-S. (2014). The Study on the Improved Assessment Methodology for Information Security Level Using ISO 27001. Master Thesis, Sungkyunkwan University
  41. Song, E.-J., Bae, B.-H., Oh, N.-H. (2018). "A comparative analysis on the calculation method of domestic and foreign information security market." Institute for Information & Communications Technology Promotion, Weekly ICT Trends, Vol. 1860, pp. 17-26.
  42. Spinello, R. (2003). "Cyberethics: Morality and law in cyberspace." 2th Edition. Jones and Bartlett Learning, LLC., Jones and Bartlett Publishers, Inc, USA.
  43. Symantec (2018). Cybersecurity for SMEs, a lightweight cybersecurity framework for thorough protection. (https://www.smesec.eu/doc/SMESEC_Flyer_A5_V2_2018-05-03_Singlepages.pdf)
  44. Wikipedia, Korea (2021). (https://ko.wikipedia.org/wiki/대한민국의_정보_보안_사고_목록)
  45. Yang, D.-I. (2019). Introduction to Information Security(3rd E.). Hanbit Academy, Seoul, Korea.
  46. Yoon, J.-G. (1990). "Application of AHP and its limitation." Management & Economics review, Vol. 7, pp. 75-92.