• 융합보안논문지
• /
• 제9권2호
• /
• pp.7-21
• /
• 2009

정보 시스템 보안 체계를 보다 체계적으로 구축하고 효율적으로 운영하기 위해서는 보안에도 전략이 도입되어야 한다. 또한, 전략이 구현되어 성공적으로 작동하기 위해서는 조직 차원의 참여가 필수적이다. 하지만, 조직의 정보 시스템 보안 전략에 관한 연구는 아직까지 전략적 사고에 의한 보안 체계의 배치와 운영에 초점이 맞추어져 있어, 조직 전체를 움직이고 이끌기 위한 총체적 프레임에 관한 연구는 부족한 실정이다. 따라서 본 논문에서는 조직 차원의 보안 전략 수립에 활용할 수 있는 프레임워크를 연구한다. 이를 위하여 조직 차원의 전략 수립이라는 측면에서 총괄 전략의 개념을 도입하였으며, 총괄 전략이 갖는 4차원적 특성을 기반으로 정보 시스템 보안 총괄 전략을 구성하기 위한 프레임워크를 제시한다.

• Journal of Information Technology Applications and Management
• /
• 제16권3호
• /
• pp.73-86
• /
• 2009

To establish an effective security strategy, business enterprises need a security benchmarking tool. The strategy helps to lessen an impact and a damage in any threat. This study analyses many aspects of information security management and suggests a way to deal with security investments by considering important factors that affect security manager's decision. To address the different threats resulting from a major cause of accidents inside an enterprise, we investigate an approach that followed ISO17799. We unfold a criminology theory that has designated many measures against the threat as suggested by General Deterrence Theory. The study proposes a coherent model of the theory to improve the security measures especially in handling and protecting company assets and human lives as well.

• 융합보안논문지
• /
• 제7권3호
• /
• pp.15-24
• /
• 2007

정보보안의 중요성에 관한 인식이 증가함에 따라 다양한 보안대책이 조직에 도입되고 있다. 하지만 대부분의 경우 이들 보안대책은 전략적으로 운영되지 않고 있다. 따라서 본 논문은 조직에서의 정보보안 전략은 무엇인가에 대해 개념적으로 연구한다. 이를 위하여 다양한 문헌에서 정보보안 전략이 어떻게 소개되었으며, 어떠한 전략이 제시되어 왔는지 연구한다. 본 논문은 조직의 정보보안에 있어서의 전략 자체에 초점을 맞추어, 개념을 정립하고, 지금까지 제시되어 온 다양한 전략을 식별하여 체계적으로 분류하였다는데 의의가 있다.

• Journal of Information Technology Applications and Management
• /
• 제23권1호
• /
• pp.79-96
• /
• 2016

As numerous security breaches on a variety of information assets such as personal information, corporate secrets, computer servers, and networks have occurred, information security has emerged as a critical social issue. However, researches on economically rational information security decision-making have been few. Such researches are especially rare in South Korea where information security is considered to be a discipline of engineers. This study aims to identify the preferred themes and methodologies of information security economics research in the field of information systems by reviewing papers published in Management Information Systems Quarterly (MISQ), Information Systems Research (ISR), European Journal of Information Systems (EJIS), Management Science (MS), and Information and Management (I&M). We hope that the results of the study will be helpful in rational managerial or policy decision-making for practitioners and suggest future research topics for researchers.

• 산업경영시스템학회지
• /
• 제39권4호
• /
• pp.97-105
• /
• 2016

As information system is getting higher and amount of information assets is increasing, skills of threatening subjects are more advanced, so that it threatens precious information assets of ours. The purpose of this study is to present a strategic direction for the types of companies seeking access to information security. The framework classifies companies into eight types so company can receive help in making decisions for the development of information security strategy depending on the type of company it belongs to. Paired comparison method survey conducted by a group of information security experts to determine the priority and the relative importance of information security management elements. The factors used in the security response strategy are the combination of the information security international certification standard ISO 27001, domestic information protection management system certification K-ISMS, and personal information security management system certification PIMS. Paired comparison method was then used to determine strategy alternative priorities for each type. Paired comparisons were conducted to select the most applicable factors among the 12 strategic factors. Paired comparison method questionnaire was conducted through e-mail and direct questionnaire survey of 18 experts who were engaged in security related tasks such as security control, architect, security consulting. This study is based on the idea that it is important not to use a consistent approach for effective implementation of information security but to change security strategy alternatives according to the type of company. The results of this study are expected to help the decision makers to produce results that will serve as the basis for companies seeking access to information security first or companies seeking to establish new information security strategies.

• 융합보안논문지
• /
• 제8권3호
• /
• pp.101-106
• /
• 2008

조직의 정보시스템 보안을 향상시키기 위해서는 전략의 도입이 필수적이다. 그리고, 이들 전략을 조직내에 성공적 효율적으로 구현하기 위해서는 전략의 특성 중 전략의 구현에 영향을 주는 요인들을 고려하여야 한다. 본 논문에서는 전략의 여러 특성들 중 이러한 특성들을 연구하였다.

• Journal of Information Technology Applications and Management
• /
• 제16권2호
• /
• pp.23-43
• /
• 2009

For reliability and confidentiality of information security systems, the security engineering methodologies are accepted in many organizations. To improve the effectiveness of security engineering, this paper suggests a security methodology ISEM, which considers both product assurance and production processes, takes advantages in terms of quality and cost. To verify the effectiveness of ISEM, this paper introduces the concepts of quality loss, and compares the development costs and quality losses between ISEM and CC through the development of VPN system.

• 산업경영시스템학회지
• /
• 제38권4호
• /
• pp.193-201
• /
• 2015

Corporation's valuable intelligent asset is being threatened from the skills of threatening subject that has been evolved along with the growth of the information system and the amount of the information asset. Domestically, attempts of various private information attacks, important information extortion, and information damage have been detected, and some of them have abused the vulnerability of security of information system, and have become a severe social problem that generates security incident. When accessing to the security, most of companies used to establish a strategy with a consistent manner and a solution plan. However, this is not a proper way. The order of priorities vary depending on the types of business. Also, the scale of damage varies significantly depending on the types of security incidents. And method of reaction and critical control point vary depending on the types of business and security incidents. In this study, I will define the security incidents by their types and preponderantly examine how one should react to those security incidents. In this study, analyzed many types of security accidents that can occur within a corporation and an organization considering various factors. Through this analysis, thought about factors that has to be considered by corporations and organizations when they intend to access to the information security. This study focuses on the response methodology based on the analysis of the case analysis of the leakage of industrial secret and private secret other than the conceptual response methodology that examines the way to prevent the leakage of the industry security systems and the industry information activities. And based on these factors, want to be of help for corporations to apply a reasonable approach when they establish a strategy to information security.

• Journal of Information Technology Applications and Management
• /
• 제23권3호
• /
• pp.61-69
• /
• 2016

Growing information threats have threatened organization to lose information security controls in these days. Many organizations have accepted the various information security management systems does mention necessity of a continuous evaluation process for the executions of information security management in a theoretical aspect. This study suggests a continuous evaluation process for information security management reflecting the real execution of managers and employees in organizations.

• Journal of Information Technology Applications and Management
• /
• 제27권6호
• /
• pp.89-99
• /
• 2020

Cloud computing is rapidly increasing for achieving comfortable computing. Cloud computing has essentially security vulnerability of software and hardware. For achieving secure cloud computing, the vulnerabilities of cloud computing could be analyzed in a various and systematic approach from perspective of the service designer, service operator, the designer of cloud security and certifiers of cloud systems. The paper investigates the vulnerabilities and security controls from the perspective of administration, and systems. For achieving the secure operation of cloud computing, this paper analyzes technological security vulnerability, operational weakness and the security issues in an enterprise. Based on analysis, the paper suggests secure establishments for cloud computing.