• 한국정보시스템학회지:정보시스템연구
• /
• 제22권4호
• /
• pp.49-69
• /
• 2013

Recently, enterprises have reinforced security control in order to prevent infringement of personal information and abuse of customer information by insiders. However, the reinforcement of security control by enterprises makes it difficult for internal users to perform business by using a business information system. There is, therefore, a need for research on various fields, which makes it possible to establish an appropriate security control policy while minimizing an impact on business. The present research verifies and analyzes an impact on difficulty in business of internal users using customer information, which is caused by security control performed by display restriction on customer information identifiers. The present research is intended to academically develop a technique for statistically analyzing an impact degree and a causal relationship between security control and an impact on business, which is a dichotomous variable, and to practically contribute to the establishment of an efficient security policy in consideration of an impact on business when an enterprise applies security control. A research target was internal business information systems of domestic securities enterprises, data was collected by questionnaire, and verification/analysis was performed by logistic regression analysis.

• 한국산학기술학회논문지
• /
• 제11권2호
• /
• pp.703-708
• /
• 2010

정보원천의 다양화와 정보시스템 취약성의 증가는 비즈니스 위험을 증가시킨다. 성공적인 비즈니스는 적정한 비즈니스 위험관리를 통해서 가능하다. 그러나 비즈니스 위험관리는 재무적 관점에서 시행되고 있고, 정보보호관리제도는 정보보호의 관점에서만 이루어져 통합적인 비즈니스 위험관리를 수행하기에 부적절하다. 본 연구는 통합적인 비즈니스 위험관리기법을 개발하기 위하여 정보보호관리제도인 ISMS, EA, ISO27001, COBIT, SPICE, 정보시스템감리, SSE-CMM 등을 비즈니스 위험관리관점에서 분석하였다. 본 연구에서 분석된 정보보호관리제도는 비즈니스 위험관리를 위한 원천으로 활용가능하다.

• 경영정보학연구
• /
• 제14권3호
• /
• pp.131-141
• /
• 2012

IT 고도화에 따라 정보 유출 및 침해 사고가 날로 증가하고 있다. 이에 따라 대다수의 기업들은 보안 위한 투자를 확대하고 있지만, 여전히 정보 유출의 취약점에 노출되어 있다. 소규모 IT 서비스 기업은 대기업에 비하여 상대적으로 한정된 자원과 인력으로 기업 활동을 수행하고 있으며, 실제 가치를 창출하는 방법에 따라 SI/SM, DB, IR, IP 업종으로 분류되고 있다. 그러나 현재까지 소규모 IT 서비스 기업을 위한 보안관리에 관한 연구는 소규모라는 기업규모와 IT 서비스라는 비즈니스 특성을 고려한 핵심 정보자산식별에 머물러 있는 상황이다. 따라서 본 연구에서는 소규모 IT 서비스 기업의 보안대책 수립을 위한 보안관리 모델을 설계하였다. 그리고 설계된 보안관리 모델에 대해 비즈니스 특성을 고려한 소규모 IT 서비스 기업을 대상으로 실증분석을 수행하고 분석된 결과를 바탕으로 추진전략을 제시하였다.

• Journal of Information Technology Applications and Management
• /
• 제16권3호
• /
• pp.73-86
• /
• 2009

To establish an effective security strategy, business enterprises need a security benchmarking tool. The strategy helps to lessen an impact and a damage in any threat. This study analyses many aspects of information security management and suggests a way to deal with security investments by considering important factors that affect security manager's decision. To address the different threats resulting from a major cause of accidents inside an enterprise, we investigate an approach that followed ISO17799. We unfold a criminology theory that has designated many measures against the threat as suggested by General Deterrence Theory. The study proposes a coherent model of the theory to improve the security measures especially in handling and protecting company assets and human lives as well.

• 정보보호학회논문지
• /
• 제24권4호
• /
• pp.669-679
• /
• 2014

본 연구에서는 스마트금융 서비스를 위한 서버 측 보안 프레임워크를 제안한다. 국내 금융기관의 전자금융서비스를 제공하는 서버 측 프레임워크 구조를 살펴보면 대부분 서비스제공위주의 구조를 가지고 있다. 따라서, 보안관련 요구사항들은 비즈니스 로직들에 같이 포함되어 있는 경우가 대부분이기 때문에 보안 사고에 효과적으로 대응하기 어렵다. 본 논문에서는 전자금융서비스시 보안영역을 비즈니스영역과 분리하여 업무에 대한 의존도(Dependency) 없이 보안 정책을 실시간으로 적용할 수 있는 프레임워크를 제안한다. 이를 통하여 보안관련 위협에 대한 신속하고 효과적인 대응기반을 제시한다. 또한 현재 서비스하고 있는 시스템구조에서도 시스템의 큰 변경없이 제안 프레임워크를 적용할 수 있는 방안을 제시한다.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• 제5권6호
• /
• pp.1192-1213
• /
• 2011

Information security management systems (ISMSs) are used to manage information about their customers and themselves by governments or business organizations following advances in e-commerce, open networks, mobile networks, and Internet banking. This paper explains the existing ISMSs and presents a comparative analysis. The discussion deals with different types of ISMSs. We addressed issues within the existing ISMSs via analysis. Based on these analyses, then we proposes the development of an information security management evaluation system (ISMES). The method can be applied by a self-evaluation of the organization and an evaluation of the organization by the evaluation committee. The contribution of this study enables an organization to refer to and improve its information security levels. The case study can also provide a business organization with an easy method to build ISMS and the reduce cost of information security evaluation.

• 한국정보시스템학회지:정보시스템연구
• /
• 제14권3호
• /
• pp.1-8
• /
• 2005

This paper formally defines a role-driven security and access control model of a business process in order eventually to provide a theoretical basis for realizing the secured business process management systems. That is, we propose a graphical representation and formal description of the mechanism that generates a set of role-driven security and access control models from a business process modeled by the information control net(ICN) modeling methodology that is a typical business process modeling approach for defining and specifying business processes. Based upon the mechanism, we are able to design and accomplish a secured business process management system that provides an unified resource access control mechanism of the business process management engine domain's and the application domain's. Finally, we strongly believe that the secured access control policies from the role-driven security and access control model can be easily transformed into the RBAC(Role-based Access Control) model that is a standardized security technology for computer and communications systems of commercial and civilian government organizations.

• Journal of Information Processing Systems
• /
• 제12권4호
• /
• pp.688-710
• /
• 2016

Our approach permits to capitalize the expert's knowledge as business rules by using an agent-based platform. The objective of our approach is to allow experts to manage the daily evolutions of business domains without having to use a technician, and to allow them to be implied, and to participate in the development of the application to accomplish the daily tasks of their work. Therefore, the manipulation of an expert's knowledge generates the need for information security and other associated technologies. The notion of cryptography has emerged as a basic concept in business rules modeling. The purpose of this paper is to present a cryptographic algorithm based approach to integrate the security aspect in business rules modeling. We propose integrating an agent-based approach in the framework. This solution utilizes a security agent with domain ontology. This agent applies an encryption/decryption algorithm to allow for the confidentiality, authenticity, and integrity of the most important rules. To increase the security of these rules, we used hybrid cryptography in order to take advantage of symmetric and asymmetric algorithms. We performed some experiments to find the best encryption algorithm, which provides improvement in terms of response time, space memory, and security.

• 정보보호학회논문지
• /
• 제24권6호
• /
• pp.1225-1241
• /
• 2014

고객정보 유출 방지를 위해 금융기관은 DLP(Data Leaks Prevention) 관련 정보보호 제품을 도입하고 내부통제 정책을 강화하고 있다. 그러나 정보의 수집, 제공, 이용, 저장 과정의 핵심적 역할을 담당하는 응용프로그램에 대한 관리 및 기술적 통제는 매우 미흡한 실정이며, 응용프로그램을 통한 정보유출 사고를 예방하거나 대책 마련을 위한 내부통제 정책의 이행에 어려움을 겪고 있다. 본 논문에서는 금융기관의 개인정보 취급 및 주요 유통 경로 현황 분석을 통해 문제점을 제기하고 정보유출 방지를 위한 효율적인 내부통제 보안기술의 필요성을 제시하였다. 이에 따라 가상화 및 모바일 분야에서 부분적으로 사용되고 있는 컨테이너 기술을 응용하여 클라이언트 PC 응용프로그램의 보안 취약점을 보완하고 정보유출 방지 기능을 제공하는 새로운 보안 컨테이너를 설계 구현하였으며, 실제 금융기관 업무시스템에 적용하여 정보유출 방지 및 IT 컴플라이언스 내부통제와 관련된 정책 수행능력의 효과성을 검증하였다. 또한 정책 설정을 통해 보안 컨테이너에 추가 보안 기능을 제공하고 보안 컨테이너를 재사용함으로써 보안 취약점 대응 비용 및 시간을 줄여 IT 컴플라이언스 규제 준수를 위한 보안 컨테이너의 효용 가치를 높였다.

• Asia pacific journal of information systems
• /
• 제30권2호
• /
• pp.308-327
• /
• 2020

The importance of information security is increasing, and various efforts are being made to improve users' information security behaviors. Among these various efforts, information security education is mainly aimed at providing users with information security knowledge and improving information security awareness. This study classified the types of information security education into offline and online to examine the effects of each education method on attitudes toward information security (perceived severity, vulnerability, self-efficacy and response-efficacy) and information security behaviors. A survey was conducted for users with information security education experiences. The results obtained by comparing the differences in the path coefficients of personal information security behaviors according to information security education experiences showed that security behaviors were more significant in the online experience group than the offline group. In addition, gender differences were analyzed, and it was found that females had a greater impact on information security attitudes than males. This study also found that among Internet users with online information security education experience, females tend to have more information security behavior than males, but there were contrasting results among users with offline information security education experiences. The results of this study finally address the necessity of reflecting users' personalities in the systematic design of information security education in the future. Furthermore, the results of this study support the need for an appropriate education system that sufficiently understands education types to maximize the effects of information security education.