• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.15 no.6
• /
• pp.283-290
• /
• 2015

As society has evolved to the knowledge and information society, the importance of internal information of the company has increased gradually. Especially in financial institutions which must maintain the trust of customers, the disclosure of inside information is a big problem beyond the a company's business information disclosure level to break down sales-based businesses because it contains personal or financial transaction information. Recently, since massive outflow of internal information are occurring in several enterprises, many companies including financial companies have been working a lot in order to prevent the leakage of customer information. This paper describes the internal information leakage incidents occurred in the finance companies, the PC security vulnerabilities exists despite the main security system and internal information leakage prevention and suggests countermeasures against increasing cyber infringement threats.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.16 no.2
• /
• pp.1-8
• /
• 2016

A convergence of finance and information technology brought a remarkable development in Fin-Tech industry. On the other hand, currently existing laws seemed inappropriate to address the liability of financial institutions, Fin-tech enterprises and consumers in case of financial accidents due to its ambiguity. The minimum insurance obligation by financial institutions specified under the Electronic Financial Transaction Act 2006 is not keeping with current reality, considering transaction volume, frequency of incidents, and security investments. This paper aims to lay stress on the need of cyber liability insurance by understanding the domestic financial incidents and management, and the limit of existing insurance policy.

• Korean System Dynamics Review
• /
• v.16 no.4
• /
• pp.31-50
• /
• 2015

The purpose of this research is to understand a structural relationship between financial regulations and security industry based on the systems thinking perspective using causal loop analysis. As a result, the positive regulations on security technology against finance security incidents shrink the autonomy of the security industry and will deteriorate the competitiveness of the security industry through the unknown feedback loop. The conclusion provides the direction that policy makers understand causal loop diagram related current regulations and open enough to the consideration of the negative regulations.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2019.05a
• /
• pp.10-14
• /
• 2019

The number of security incidents is increasing as the Internet of Things(IoT) is distributed widely. The security incidents of IoT can cause financial damages. Moreover, It can become direct threats to humans. In order to prevent these problems, the security installation for IoT devices is important. This paper describes the definition of IoT devices, security incident case, architecture, and the security threats that can occur when a device is connected to network without security installation.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.2
• /
• pp.343-361
• /
• 2015

The financial industry in South Korea has witnessed a paradigm shift from selling traditional loan/deposit products to diversified consumption channels and financial products. Consequently, personification of financial services has accelerated and the value of finance-related personal information has risen rapidly. As seen in the 2014 card company information leakage incident, most of major finance-related information leakage incidents are caused by personnel with authorized access to certain data. Therefore, it is strongly required to confirm whether there are problems in the existing access control policy for personnel who can access a great deal of data, and to complement access control policy by considering risk factors of information security. In this paper, based on information of IT personnel with access to sensitive finance-related data such as job, position, sensitivity of accessible data and on a survey result, we will analyze influence factors for personnel risk measurement and apply data access control policy reflecting the analysis result to an actual case so as to introduce measures to minimize IT personnel risk in financial companies.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.26 no.6
• /
• pp.1605-1618
• /
• 2016

In recent years, security incidents - such as personal information leakage, homepage hacking, DDoS and etc. - targeting finance companies(banks, securities companies, credit card companies, insurance companies and etc.) have increased steadily. In this paper, we analyze problems of information security management level in the existing electronic financial infrastructure from perspective of compliance and information security certification system and propose improvements to enable sustainable high level of information security activities under a comprehensive management system for the financial sector characteristics using ISMS, SECU-STAR and CNIVAM system.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.26 no.6
• /
• pp.1513-1526
• /
• 2016

Since finance companies started e-banking services, those services have been diversified and use of them has continued to increase. Finance companies are implementing financial security policy for safe e-banking services, but e-Banking incidents are continuing to increase and becoming more intelligent. Along with the rise of internet banks and boosting Fintech industry, financial supervisory institutes are not only promoting user convenience through improving e-banking regulations such as enforcing Non-face-to-face real name verification policy and abrogating mandatory use of public key certificate or OTP(One time Password) for e-banking transactions, but also recommending the prevention of illegal money transfer incidents through upgrading FDS(Fraud Detection System). In this study, we assessed a blacklist based auto detection method suitable for overall situations for finance company, a real-time based suspicious transaction detection method linking with blacklist statistics model by each security level, and an alternative FDS model responding to typical transaction patterns of which information were collected from previous e-Banking incidents.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.4
• /
• pp.669-679
• /
• 2014

This study introduces server-side security-oriented framework for smart financial service. Most of domestic financial institutions providing e-banking services have employed server-side framework which implement service-oriented architecture. Because such architecture accommodates business and security requirements at the same time, institutions are struggling to cope with the security incidents efficiently. The thesis suggests that separating security areas from business areas in the frameworks makes users to be able to apply security policies in real time without considering how these policies may affect business transactions. Security-oriented frameworks support rapid and effective countermeasures against security threats. Furthermore, plans to avoid significant changes on existing system when institutions implement these frameworks are discussed in the report.

• Journal of Information Technology Services
• /
• v.15 no.3
• /
• pp.51-69
• /
• 2016

Recently, many Korean firms have suffered financial losses and damaged firm's trust due to information security incidents. Hence, a lot of firms have realized the importance of the information security. In particular, the demand for information security certification has increased. This study examined the effect of information security certification using the event study methodology. Our research shows that the announcement of the information security certification significantly influences the market value of the corresponding firm. The certified firms rise, on average, o.4993% (-2 day), 0.5462% (+1 day) of their market value. Further, we found that the financial sector in our data showed a 1.4% higher abnormal returns than the nonfinancial sector. On the other hand, whether a firm first acquired the information security certification is not significant. Our paper presents that it is possible to analyze the effect of the information security certification using the event study. We are expected to be used in making a decision for the investment of information security. Also, our results indicate that the firm which have acquired the information security certification should actively announce that fact.

• Information Systems Review
• /
• v.18 no.4
• /
• pp.17-42
• /
• 2016

Information security incidents caused by authorized insiders are increasing in financial firms, and this increase is particularly increased by outsourced contractors. With the increase in outsourcing in financial firms, outsourced contractors having authorized right has become a threat and could violate an organization's information security policy. This study aims to analyze the differences between own employees and outsourced contractors and to determine the factors affecting the violation of information security policy to mitigate information security incidents. This study examines the factors driving employees to violate information security policy in financial firms based on the theory of planned behavior, general deterrence theory, and information security awareness, and the moderating effects of employee type between own employees and outsourced contractors. We used 363 samples that were collected through both online and offline surveys and conducted partial least square-structural equation modeling and multiple group analysis to determine the differences between own employees (246 samples, 68%) and outsourced contractors (117 samples, 32%). We found that the perceived sanction and information security awareness support the information security policy violation attitude and subjective norm, and the perceived sanction does not support the information security policy behavior control. The moderating effects of employee type in the research model were also supported. According to the t-test result between own employees and outsourced contractors, outsourced contractors' behavior control supported information security violation intention but not subject norms. The academic implications of this study is expected to be the basis for future research on outsourced contractors' violation of information security policy and a guide to develop information security awareness programs for outsourced contractors to control these incidents. Financial firms need to develop an information security awareness program for outsourced contractors to increase the knowledge and understanding of information security policy. Moreover, this program is effective for outsourced contractors.