• Convergence Security Journal
• /
• v.17 no.5
• /
• pp.19-25
• /
• 2017

Public institutions invest about half of the information protection budget annually to introduce information security products and information protection services in order to prevent cyber terrorism and establish organizational security. However, research on whether introduced information security products has a positive influence on improving the information security level of the actual institution is in an incomplete state, and accordingly, There are problems such as the measurement of the investment effect of the information security product introduced in the organization and the difficulty in selecting the optimum information security product that the agency actually needs. In this paper, prior research will conduct research on the influence of the introduction of information security products on the improvement of information security level of organization through analysis of operational data of inadequate information security products, and based on the research results, It would be useful to use it for information security practices such as optimal product selection and internal security policy formulation through validation of the introduction of information security products of public institutions.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.5
• /
• pp.969-974
• /
• 2014

CC (Common Criteria) requires collecting vulnerability information and analyzing them by using penetration testing for evaluating IT security products. Under the time limited circumstance, developers cannot help but apply vulnerability analysis at random to the products. Without the systematic vulnerability analysis, it is inevitable to get the diverse vulnerability analysis results depending on competence in vulnerability analysis of developers. It causes that the security quality of the products are different despite of the same level of security assurance. It is even worse for the other IT products that are not obliged to get the CC evaluation to be applied the vulnerability analysis. This study describes not only how to apply vulnerability taxonomy to IT security vulnerability but also how to manage security quality of IT security products practically.

• Convergence Security Journal
• /
• v.6 no.3
• /
• pp.135-144
• /
• 2006

Until now, most of the evaluation systems have performed evaluation with an emphasis on in-formation security products. However, evaluating information security level for an enterprise needs analysis of the whole enterprise organization, and a synthetic and systematic evaluation system based on it. In this study we subdivided the information security elements of the whole enterprise such as planning, environment, support, technology, and management; developed indices based on them; finally, made the information security level of the whole enterprise organization possible to be measured. And we tried to grasp the information security level of the whole enterprise organization and develop an evaluation system of information security level for suggesting a more developing direction of information security.

• Journal of Korea Society of Digital Industry and Information Management
• /
• v.15 no.2
• /
• pp.53-61
• /
• 2019

In this paper, we propose 'a self - conformance system of convergence security provider' to provide basic data for security and reliability of convergence industrial technology, system and service. It is difficult to evaluate convergence security systems, limited to information and communication service providers, unable to check convergence security items, burden of submission documents, difficulty in measuring convergence security service level and we will summarize product and service-based requirements that can be integrated and systematically measure the level of convergence security and define renewed life cycle-based convergence security information and content security and assurance requirements. On the basis of this, each convergence security company declares conformity with the standard itself without the certification of the certification body, and introduces the provider conformity certification system which can manufacture and sell. This will enable the company to strengthen its competitiveness through timely launch and implementation of products and services and cost reduction.

• Convergence Security Journal
• /
• v.12 no.4
• /
• pp.25-31
• /
• 2012

The SSE-CMM model is how to verify the level of information protection as a process-centric information security products, systems and services to develop the ability to assess the organization's development. The CMM is a model for software developers the ability to assess the development of the entire organization, improving the model's maturity level measuring. However, this method of security engineering process improvement and the ability to asses s the individual rather than organizational level to evaluate the ability of the processes are stopped. In this research project based on their existing research information from the technical point of view is to define the maturity level of protection. How to diagnose an information security vulnerabilities, technical security system, verification, and implementation of technical security shall consist of diagnostic status. The proposed methodology, the scope of the work place and the current state of information systems at the level of vulnerability, status, information protection are implemented to assess the level of satisfaction and function. It is possible that measures to improve information security evaluation based on established reference model as a basis for improving information security by utilizing leverage.

• Proceedings of the KAIS Fall Conference
• /
• 2005.05a
• /
• pp.108-110
• /
• 2005

Most of the evaluation systems have performed evaluation with an emphasis on information security products so far. However, evaluating information security level for an enterprise needs analysis of the whole enterprise organization, and a synthetic and systematic evaluation system based on it. This study has tried to grasp the information security level of the whole enterprise organization, and develop an evaluation system of information security level for suggesting a more developing direction of information security.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.4
• /
• pp.821-834
• /
• 2019

As cyber security threats increase, there is a growing demand for highly reliable systems. Common Criteria, an international standard for evaluating information security products, requires formal specification and verification of the system to ensure a high level of security, and more and more cases are being observed. In this paper, we propose highly reliable drone systems that ensure high level security level and trust. Based on the results, we use formal methods especially Z/EVES to improve the system model in terms of scheduling in the system kernel.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.6
• /
• pp.1225-1241
• /
• 2014

Recently, Financial companies implement DLP(Data Leaks Prevention) security products and enforce internal controls to prevent customer information leaks. Accidental data leaks in financial business increase more and more because internal controls are insufficient. Security officials and IT operation staffs struggle to plan countermeasures to respond to all kinds of accidental data leaks. It is difficult to prevent data leaks and to control information flow in business without research applications that handle business and privacy information. Therefore this paper describes business and privacy information flow on applications and how to plan and deploy security container based OS-level and Hypervisor virtualization technology to enforce internal controls for applications. After building security container, it was verified to implement internal controls and to prevent customer information leaks. With security policies additional security functions was implemented in security container and With recycling security container costs and time of response to security vulnerabilities was reduced.

• International Journal of Computer Science & Network Security
• /
• v.21 no.6
• /
• pp.312-318
• /
• 2021

Lack of knowledge and digital skills is a threat to the information security of the state and society, so the formation and development of organizational culture of information security is extremely important to manage this threat. The purpose of the article is to assess the state of information security of the state and society. The research methodology is based on a quantitative statistical analysis of the information security culture according to the EU-27 2019. The theoretical basis of the study is the theory of defense motivation (PMT), which involves predicting the individual negative consequences of certain events and the desire to minimize them, which determines the motive for protection. The results show the passive behavior of EU citizens in ensuring information security, which is confirmed by the low level of participation in trainings for the development of digital skills and mastery of basic or above basic overall digital skills 56% of the EU population with a deviation of 16%. High risks to information security in the context of damage to information assets, including software and databases, have been identified. Passive behavior of the population also involves the use of standard identification procedures when using the Internet (login, password, SMS). At the same time, 69% of EU citizens are aware of methods of tracking Internet activity and access control capabilities (denial of permission to use personal data, access to geographical location, profile or content on social networking sites or shared online storage, site security checks). Phishing and illegal acquisition of personal data are the biggest threats to EU citizens. It have been identified problems related to information security: restrictions on the purchase of products, Internet banking, provision of personal information, communication, etc. The practical value of this research is the possibility of applying the results in the development of programs of education, training and public awareness of security issues.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.5
• /
• pp.909-928
• /
• 2020

From the early 1970s, the US government began to recognize that penetration testing could not assure the security quality of products. Results of penetration testing such as identified vulnerabilities and faults can be varied depending on the capabilities of the team. In other words none of penetration team can assure that "vulnerabilities are not found" is not equal to "product does not have any vulnerabilities". So the U.S. government realized that in order to improve the security quality of products, the development process itself should be managed systematically and strictly. Therefore, the US government began to publish various standards related to the development methodology and evaluation procurement system embedding "security-by-design" concept from the 1980s. Security-by-design means reducing product's complexity by considering security from the initial phase of development lifecycle such as the product requirements analysis and design phase to achieve trustworthiness of product ultimately. Since then, the security-by-design concept has been spread to the private sector since 2002 in the name of Secure SDLC by Microsoft and IBM, and is currently being used in various fields such as automotive and advanced weapon systems. However, the problem is that it is not easy to implement in the actual field because the standard or guidelines related to Secure SDLC contain only abstract and declarative contents. Therefore, in this paper, we present the new framework in order to specify the level of Secure SDLC desired by enterprises. Our proposed CIA (functional Correctness, safety Integrity, security Assurance)-level-based security-by-design framework combines the evidence-based security approach with the existing Secure SDLC. Using our methodology, first we can quantitatively show gap of Secure SDLC process level between competitor and the company. Second, it is very useful when you want to build Secure SDLC in the actual field because you can easily derive detailed activities and documents to build the desired level of Secure SDLC.