• ETRI Journal
• /
• v.44 no.6
• /
• pp.991-1003
• /
• 2022

Industrial control systems (ICSs) used to be operated in closed networks, that is, separated physically from the Internet and corporate networks, and independent protocols were used for each manufacturer. Thus, their operation was relatively safe from cyberattacks. However, with advances in recent technologies, such as big data and internet of things, companies have been trying to use data generated from the ICS environment to improve production yield and minimize process downtime. Thus, ICSs are being connected to the internet or corporate networks. These changes have increased the frequency of attacks on ICSs. Despite this increased cybersecurity risk, research on ICS security remains insufficient. In this paper, we analyze threats in detail using STRIDE threat analysis modeling and DREAD evaluation for distributed control systems, a type of ICSs, based on our work experience as cybersecurity specialists at a refinery. Furthermore, we verify the validity of threats identified using STRIDE through case studies of major ICS cybersecurity incidents: Stuxnet, BlackEnergy 3, and Triton. Finally, we present countermeasures and strategies to improve risk assessment of identified threats.

• Convergence Security Journal
• /
• v.10 no.4
• /
• pp.13-19
• /
• 2010

The flow of time, depending on the company's ongoing business link to guarantee the proportion of much greater importance, it in the organization as part of an enterprise-wide level, rather than acting on the information society has been considered as the topic of race. Information Security Governance, the integrity of the information, service continuity, the three kinds of information asset protection purpose begins. It is essential for corporate governance, transparency should be part, must be aligned with the IT framework. Existing information security governance framework that small businesses a wide range of governance issues and interests have never had. Therefore, we simplified the information security governance framework is proposed, and solve problems, and propose a framework for analysis of the safety and efficiency through the analysis of the effectiveness of the proposed method were discussed.

• Journal of the Korea Society of Computer and Information
• /
• v.23 no.12
• /
• pp.95-105
• /
• 2018

As the IT industry developed, the information held by the company soon became a corporate asset. As this information has value as an asset, the number and scale of various cyber attacks which targeting enterprises and institutions is increasing day by day. Therefore, research are being carried out to protect the assets from cyber attacks by using the attack graph to identify the possibility and risk of various attacks in advance and prepare countermeasures against the attacks. In the attack graph, security metric is used as a measure for determining the importance of each asset or the risk of an attack. This is a key element of the attack graph used as a criterion for determining which assets should be protected first or which attack path should be removed first. In this survey, we research trends of various security metrics used in attack graphs and classify the research according to application viewpoints, use of CVSS(Common Vulnerability Scoring System), and detail metrics. Furthermore, we discussed how to graft the latest security technologies, such as MTD(Moving Target Defense) or SDN(Software Defined Network), onto the attack graphs.

• Convergence Security Journal
• /
• v.22 no.1
• /
• pp.113-120
• /
• 2022

Despite the limitations of existing security policies due to technological development, companies are unable to actively respond to changes by maintaining a closed security policy. This study classified information security policy into three types: regulatory type policy, advisory type policy, and informative type policy. For each classified policy type, the effect on the information security policy compliance behavior of organizational members was investigated by applying the extended theory of planned behavior, and the moderating effect of information security stress was investigated. SmartPLS 2.0 and SPSS 21.0, which are structural equation modeling techniques, were used to analyze the relationship affecting each factor. As a result of the study, regulatory type, advisory type, and informative type security policies affected organizational members' information security policy compliance behavior, and security stress had an effect on information security compliance attitudes and subjective norms on information security, which are prerequisites for planned behavior theory. gave. This study suggests that various types of corporate information security policies can be applied and that security stress can affect information security behaviors of members.

• International Area Studies Review
• /
• v.22 no.3
• /
• pp.201-219
• /
• 2018

This paper suggested a theoretical model, in which a security-based(secured loan, non-secured loan) credit agreement determines the form of corporate cost function through a loaning company's cost minimization in the light of a company which behaves monopolistically in product markets. Also, this paper analyzed the influence of a corporate credit agreement on market equilibrium, and economic welfare in product markets. As a result, it was found that in case a company, whose equity capital is small, implements borrowing based on a secured loan from a financial institution, the company comes to face borrowing restraints, in which the company has no choice but to get a loan within the scope of securities. When a company offers its capital goods, i.e. a production factor, as a security, there occurs a distortion to the production factor input ratio. Meanwhile, when a company comes to get a loan based on an unsecured loan, for which the interest rate is high, marginal cost rises; accordingly, the company comes to choose a credit agreement aiming at maximizing its profits. However, a company's choice of a credit agreement is not quite desirable from a consumer's viewpoint, and from the whole economic point of view; overall, such a choice is likely to aggravate economic welfare.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.31 no.5
• /
• pp.1083-1095
• /
• 2021

With the recent increase in users' dependence on the Internet and the spread of various IT devices, the influence of information security on the users' has expanded compared to the past. Therefore, it is expected to have an increased influence on information security in personal life. In addition, as the intrusion factors that threaten security continue to become more advanced and diversified (eg., fake news, cyberbullying, identity theft), the need for nurturing information security experts is increasing. Furthermore, not only corporate information security workers, but also all individuals, cannot be free from the threat of information security. Therefore, it is necessary to prepare various information security education to improve information security awareness and induce proactive information security behaviors. In this study, characteristics of domestic and foreign information security education courses are analyzed and provide a standardized framework for information security education applicable to the domestic environment.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.13 no.1
• /
• pp.131-138
• /
• 2003

With the Internet winning a huge popularity, there rise urgent problems which are related to Network Security Managements such as Protecting Network and Communication from un-authorized user. Accordingly, Using Security equipments have been common lately such as Intrusion Detection Systems, Firewalls and VPNs. Those systems. however, operate in individual system which are independent to me another. Their usage are so limited according to their vendors that they can not provide a corporate Security Solution. In this paper, we present a Hierarchical Security Management Model which can be applicable to a Network Security Policies consistently. We also propose a Policy Negotiation Mechanism and a Prototype which help us to manage Security Policies and Negotiations easier. The results of this research also can be one of the useful guides to developing a Security Policy Server or Security Techniques which can be useful in different environments. This study also shows that it is also possible to improve a Security Characteristics as a whole network and also to support Policy Associations among hosts using our mechanisms.

• Convergence Security Journal
• /
• v.16 no.7
• /
• pp.69-75
• /
• 2016

The government is to prevent technology leakage in 2007, the Industrial Technology Protection Act was enacted and encouraging deployment of security equipment. in this study, corporate security equipment for the tried to determine the cause. In contrast to quantitative research, which is an existing research method, Barney G. Glaser & Anselm L. Strauss used a grounded theory as a kind of qualitative methodology in social science. As a result, it was found that the higher the government subsidy, the request from the representative or the client, the higher the efficiency through the prevention of technology leakage, the higher the sales increase, In the United States.

• Journal of Korean Society of Industrial and Systems Engineering
• /
• v.33 no.3
• /
• pp.1-9
• /
• 2010

To protect information resources, many organizations including private corporate and government employ integrated information security systems which provide the functions of intrusion detection, firewall, and virus vaccine. So, in order to develop a reliable integrated information security system during the development life cycle, the managers in charge of the development of the system must effectively distribute the development resources to the quality factors of an integrated information security system. This study suggests a distribution methodology that minimizes the total cost with satisfying the minimum quality level of an integrated information security system by appropriately assigning development resources to quality factors considered. To achieve this goal, we identify quality factors of an integrated information system and then measure the relative weights among the quality factors using analytic hierarchy process (AHP). The suggested distribution methodology makes it possible to search an optimal solution which minimizes the total cost with satisfying the required quality levels of processes by assigning development resources to quality factors during the development life cycle.

• Journal of Korea Society of Industrial Information Systems
• /
• v.26 no.5
• /
• pp.69-77
• /
• 2021

This study aims to identify security-based threat information for an organization. This is because protecting the threat for IT systems plays an important role for an corporate's intangible assets. Security monitoring systems determine and consequently respond threats by analyzing them in a real time situation, focusing on events and logs generated by security protection programs. The security monitoring task derives priority by dividing threat information into reputation information and analysis information. Reputation information consisted of Hash, URL, IP, and Domain, while, analysis information consisted of E-mail, CMD-Line, CVE, and attack trend information. As a result, the priority of reputation information was relatively high, and it is meaningful to increase accuracy and responsiveness to the threat information.