Tae-hoi Huh,Sangho Lee,Woo-Young Chang

DOI: https://doi.org/10.1177/223386590701000112

2007-03-01

International Area Review

Abstract:with rapid development of science and technology and the evolution of information revolution, International security environment is being reshaped. Important factors that determine national security competence—military operations, intelligence information on advanced weapons and enemy forces, economic activities that form the poles of national power, government's major systems—are exposed to hostile cyber attacks or accidental intrusions. Therefore, protecting information systems has emerged as an urgent national security issue. In particular, in waging wars, the concept of electronic/communications war that seek destruction of enemy command and control system, has been transformed into a more comprehensive and proactive concept of information warfare by the introduction of the cyber war doctrine. Information warfare encompasses pursuit of paralysis and destruction of a nation's all social infrastructure system and military control power. The existing concept of security strategy, which is a passive concept devised for protection of national information and information system, has been replaced by the proactive and aggressive concept of information warfare strategy. Information warfare seek early and effective victory by cyber attacks that can destroy the enemy's war capability and morale. Korea, which is a leader in information technology as well as a country vulnerable to attacks challenging information security, should prepare for information warfare of the twenty first century. Provision of more systematic and detailed measures—new response strategies, the establishment of national information security response system, creation or reorganization of institutions, and training of human resources—to cope with changes in international information security environment is called for. In addition, the private, public, and military organizations should work together to introduce joint defense strategies and organizations. As an organic integrated defense system has to be established, the government has to establish a governmental system for systematic system for threat assessment, judgment, and response. In particular, the role and responsibilities of the NSC should be upgraded. The government has been tilted toward domestic security and social issues as it responded to cyber crimes and terrors. Such tendency should be guarded against.

Michael Matthias Naumann,Stelian Mircea Olaru,Georg Sven Lampe,Fabian Pitz

DOI: https://doi.org/10.2478/picbe-2024-0043

2024-06-01

Proceedings of the International Conference on Business Excellence

Abstract:Abstract In the current global context, companies need a defined minimum level of information security to recognize and deal with related threats and risks. Due to market, customer or legal requirements, specifications and requirements for information security are implemented uniformly according to standards such as the information security management standard ISO/IEC 27001 or industry-specific standards such as Trusted Information Security Assessment Exchange - TISAX, ISO IEC 27019 Energy Utility Information Security Standard. The conformity to these standard requirements within the established management system is checked during periodically required audits. However, there are various reasons for which, even after many years of audits in companies, there are still insufficient process implementations for information security requirements. The aim of the paper is to analyze the status of conformity and thus also the process maturity in selected samples of companies that have already had information security management systems (ISMS) implemented for several years. In detail, the reasons for deviations from the minimum requirements with associated risks for the security of information in companies were analyzed, which allow conclusions to be drawn about possible process improvements. The paper also analyzes why, despite established measures and existing expertise, only a limited level of process maturity is achieved on average. Other possible approaches to the implementation procedure for dealing with non-conformities in information security are also considered. The results of this research show that there is a need for an adjusted continuous improvement process, which makes risks resulting from insufficient process maturity more visible. Proposals for such improvements are listed.

Ankur Shukla,Basel Katt,Livinus Obiora Nweke,Prosper Kandabongee Yeng,Goitom Kahsay Weldehawaryat

DOI: https://doi.org/10.1016/j.cosrev.2022.100496

2022-07-29

Abstract:System security assurance provides the confidence that security features, practices, procedures, and architecture of software systems mediate and enforce the security policy and are resilient against security failure and attacks. Alongside the significant benefits of security assurance, the evolution of new information and communication technology (ICT) introduces new challenges regarding information protection. Security assurance methods based on the traditional tools, techniques, and procedures may fail to account new challenges due to poor requirement specifications, static nature, and poor development processes. The common criteria (CC) commonly used for security evaluation and certification process also comes with many limitations and challenges. In this paper, extensive efforts have been made to study the state-of-the-art, limitations and future research directions for security assurance of the ICT and cyber-physical systems (CPS) in a wide range of domains. We conducted a systematic review of requirements, processes, and activities involved in system security assurance including security requirements, security metrics, system and environments and assurance methods. We highlighted the challenges and gaps that have been identified by the existing literature related to system security assurance and corresponding solutions. Finally, we discussed the limitations of the present methods and future research directions.

Cryptography and Security,Software Engineering

Mikko Siponen,Robert Willison

DOI: https://doi.org/10.1016/j.im.2008.12.007

2009-06-01

Abstract:International information security management guidelines play a key role in managing and certifying organizational IS. We analyzed BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP, and the SSE-CMM to determine and compare how these guidelines are validated, and how widely they can be applied. First, we found that BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP and the SSE-CMM were generic or universal in scope; consequently they do not pay enough attention to the differences between organizations and the fact that their security requirements are different. Second, we noted that these guidelines were validated by appeal to common practice and authority and that this was not a sound basis for important international information security guidelines. To address these shortcomings, we believe that information security management guidelines should be seen as a library of material on information security management for practitioners.

information science & library science,management,computer science, information systems

Sungjin Park,Jong-in Lim

Abstract:In our current information focused society, information is regarded as a core asset and the leakage of customers' information has emerged as a critical issue, especially in financial companies. It is very likely that the technology that safeguards which is currently in commercial use is not focused at an enterprise level but is fragmented by function or by only guards portions of a customer's personal information. Therefore, It is necessary to study the systems which monitor the indicators of access at an enterprise level in order to preemptively prevent the compromise of such data. This study takes an enterprise perspective on such systems for a financial company. I will focus on examination of the methods of implementation of the monitoring system, the application of pattern analysis and examination of Security Risk Indicators (SRI). A trial of the monitoring system provided security managers and related departments with proper screening capabilities of information. Therefore, it is possible to establish a systemic counter-plans based on detectable patterns.

Computer Science,Business

Fotis Kitsios,Elpiniki Chatzidimitriou,Maria Kamariotou

DOI: https://doi.org/10.3390/su14031269

IF: 3.9

2022-01-24

Sustainability

Abstract:Organizations must be committed to ensuring the confidentiality, availability, and integrity of the information in their possession to manage legal and regulatory obligations and to maintain trusted business relationships. Information security management systems (ISMSs) support companies to better deal with information security risks and cyber-attacks. Although there are many different approaches to successfully implementing an ISMS in a company, the most important and time-consuming part of establishing an ISMS is a risk assessment. The purpose of this paper was to develop a risk assessment framework that a company followed in the information technology sector to conduct the risk assessment process to comply with International Organization for Standardization (ISO) 27001. The findings analyze the conditions that force organizations to invest in protecting information and the benefits they can derive from this process. In particular, the paper delves into a multinational IT consulting services company that undertakes and implements large business support installation and customization projects. It explains the risk assessment process and the management of the necessary configurations so that its functions are acceptable and in line with information security standards. Finally, it presents the difficulties and challenges encountered.

environmental sciences,environmental studies,green & sustainable science & technology

Sung-Bou Kim,Dongwook Kim

DOI: https://doi.org/10.3390/su12083421

IF: 3.9

2020-04-22

Sustainability

Abstract:Technological advancement and globalization have led modern economic growth and social development in many parts of the world. Governments are also increasingly adopting new technology to uphold public safety and to protect its citizens. In particular, customs administrations have been adopting digital customs and risk management frameworks to promote free trade and traveling while preventing cross-border transport of dangerous goods and individuals. This study proposes an up-to-date dynamic information and communications technology (ICT) implementation stage model that accounts for new modern technology and transformative public organizations. An in-depth case study approach is employed by using the example of the customs services in South Korea. Specifically, this study describes how the Korea Customs Service developed its digital customs system in tandem with risk management guidelines and practices and presents quantitative data on customs and risk management outcomes.

environmental sciences,environmental studies,green & sustainable science & technology

Nan Sun,Chang-Tsun Li,Hin Chan,Md Zahidul Islam,Md Rafiqul Islam,Warren Armstrong

DOI: https://doi.org/10.1109/ACCESS.2022.3187211

2022-03-05

Abstract:Cyber assurance, which is the ability to operate under the onslaught of cyber attacks and other unexpected events, is essential for organizations facing inundating security threats on a daily basis. Organizations usually employ multiple strategies to conduct risk management to achieve cyber assurance. Utilizing cybersecurity standards and certifications can provide guidance for vendors to design and manufacture secure Information and Communication Technology (ICT) products as well as provide a level of assurance of the security functionality of the products for consumers. Hence, employing security standards and certifications is an effective strategy for risk management and cyber assurance. In this work, we begin with investigating the adoption of cybersecurity standards and certifications by surveying 258 participants from organizations across various countries and sectors. Specifically, we identify adoption barriers of the Common Criteria through the designed questionnaire. Taking into account the seven identified adoption barriers, we show the recommendations for promoting cybersecurity standards and certifications. Moreover, beyond cybersecurity standards and certifications, we shed light on other risk management strategies devised by our participants, which provides directions on cybersecurity approaches for enhancing cyber assurance in organizations.

Cryptography and Security

Adam Janovsky,Jan Jancar,Petr Svenda,Łukasz Chmielewski,Jiri Michalik,Vashek Matyas

DOI: https://doi.org/10.1016/j.cose.2024.103895

2024-07-02

Abstract:Products certified under security certification frameworks such as Common Criteria undergo significant scrutiny during the costly certification process. Yet, critical vulnerabilities, including private key recovery (ROCA, Minerva, TPM-Fail...), get discovered in certified products with high assurance levels. Furthermore, assessing which certified products are impacted by such vulnerabilities is complicated due to the large amount of unstructured certification-related data and unclear relationships between the certified products. To address these problems, we conducted a large-scale automated analysis of Common Criteria certificates. We trained unsupervised models to learn which vulnerabilities from NIST's National Vulnerability Database impact existing certified products and how certified products reference each other. Our tooling automates the analysis of tens of thousands of certification-related documents, extracting machine-readable features where manual analysis is unattainable. Further, we identify the security requirements that are associated with products being affected by fewer and less severe vulnerabilities. This indicates which aspects of certification correlate with higher security. We demonstrate how our tool can be used for better vulnerability mitigation on four case studies of known, high-profile vulnerabilities. All tools and continuously updated results are available at <a class="link-external link-https" href="https://seccerts.org" rel="external noopener nofollow">this https URL</a>

Cryptography and Security

Yanghoon Kim,Hangbae Chang

DOI: https://doi.org/10.1007/s10845-012-0651-8

IF: 8.3

2012-05-25

Journal of Intelligent Manufacturing

Abstract:Since organizations have recognized needs for industrial technique leakage prevention, they tend to construct industrial security system causing huge consumption of budget, yet many of them are not affordable to organize industrial security team to operate integrated industrial security management system with consistent investment and maintenance. It is fact that there only occur instant introductions of certain system. In this study, we designed industrial security management model for organizations’ industrial technology leakage prevention which is differentiated from those of large enterprises based on current status of small and medium-sized organizations’ industrial technology leakage. Specifically we analyzed current status and vulnerability of organizations’ industrial technique leakage and we designed industrial technique leakage prevention management system for organizations. Then we applied Delphi method to validate appropriateness of study result. We strongly believe that organizations may estimate an appropriate level of investment on industrial security and develop countermeasures for control by utilizing this study result.

engineering, manufacturing,computer science, artificial intelligence

Junghyun Lee,Jinyeub Jung,Seok J Yoon,Sang-Hoon Byeon

DOI: https://doi.org/10.1016/j.shaw.2020.08.008

Abstract:Background: According to the previous studies, the work-related accident rate decreased in Korea after the introduction of occupational health and safety management system (OHSMS), but there were several disasters in Korea such as subway worker's death at Guui station in 2016 and the Taean thermal power plant accident in 2018, which escalated the social demand for safety. In 2018, OHSMS became an international standard, as ISO45001 was announced. Methods: A survey was conducted to research the implementation status of OHSMS and changes in people's perception, and the results were compared with those of a past survey. Results: Enhanced social demand and various stakeholders' (not only buyer) needs, and social responsibility are perceived as the motivation for the introduction of OHSMS rather than legal compliance or customer demand. In the questionnaire about problems with the implementation of OHSMS, the factors with higher response rate in 2018 than 2004 were "excessive cost" and "complicated documentation management." In the questionnaire about how to promote OHSMS in organizations, most people answered "reduction of workers' compensation insurance rate" in 2004, but most people answered "exemption from health and safety supervision" in 2018. Conclusion: For the effective implementation of ISO45001, emphasis is placed on social demand, training to recognize health and safety as a part of management, and the reduction of certification and consulting costs to promote the introduction of OHSMS. Incentives such as insurance premium cuts and exemptions from health and safety supervision are needed.

Thamer Alhussain,Ahmad Ali AlZubi,Osama AlFarraj,Salem Alkhalaf,Musab S. Alkhalaf

DOI: https://doi.org/10.1007/978-3-030-44041-1_108

2020-01-01

Abstract:This article proposes an information security management system (ISMS) model for automated data processing systems of critical applications (ADPS-CAs). The model allows users to carry out an assessment of the risk level for information security (IS) purposes and provides support for decision-making related to countering unauthorized access to the information circulating in an ADPS-CA. Further, this article analyzes the effect of a control parameter on the probability of launching an information integrity monitoring service (IMS) during a procedure that launches a typical ADPS-CA and its IS subsystem. The results present system quality indicators for protecting information from unauthorized access. The simulation was performed in relation to automated workstations as part of the ADPS-CA of a large enterprise.

Ju Ho Lee,

DOI: https://doi.org/10.14251/jscm.2023.7.1

2023-07-31

Abstract:This study aims to strengthen and improve the evaluation system for national critical infrastructure protection by considering the importance of such infrastructure and the key feature of interdependency. This research analyzed the changing trends of the national critical infrastructure protection plan in the United States (NIPP-2006, NIPP-2009, NIPP-2013) to derive implications and propose a plan for developing the evaluation system for national infra protection. As a result of the analysis, the problems of Korean NIPP are as follows; First, the national goal of protecting national critical infrastructure is unclear. Second, understanding of the interdependence and independence of the national critical infrastructure is relatively weak due to the lack of national infra protection goals. Third, it is a matter of utilizing the evaluation results of the National Critical Infrastructure Protection Plan. Therefore, it is judged that it is time to consider changing the fundamental approach to the national critical infrastructure protection system and resetting the direction of the protection plan.

Hyun-Jung Lee,Kwangwoo Lee,Dongho Won

DOI: https://doi.org/10.1109/trustcom.2011.106

2011-11-01

Abstract:As cyber-crimes using personal information such as ID theft are increasing, there is a need for appropriate technology or law to protect privacy. To this end, the Korean Government established the Privacy Act on March 29th 2011. The Privacy Act prescribes a specification for dealing with privacy with the intention to protect personal information from being collected, leaked, misused, or abused so that it can improve rights and interests of the nation and eventually realize the dignity and value of man. The United States, Japan, Canada, and several countries of the EU have their own privacy law being established or revised. Although there must be differences depending on the circumstances of each country, the ultimate goal of the privacy law should be the same. Consequently, there might be the same or similar technical protection required by all these countries. Between the increasing interest in protecting personal information and the establishment of the Privacy Act, many industries are having relevant products released one after another. Customers without knowledge of the law and the product types cannot decide what they need. This paper intends to derive necessary security functions of a personal information security system based on the Common Criteria and analyze the limit of the products in order to make guidelines for privacy and information protection system.

Myeong-soo Jeong,Kyung-ho Lee

DOI: https://doi.org/10.13089/jkiisc.2015.25.3.691

2015-06-30

Journal of the Korea Institute of Information Security and Cryptology

Abstract:Recently, with the growing number of services using personal information, government offices&#x27; tasks have become more dependent to personal information. Various policies and systems have been made and managed for the safe use of personal information in the circumstances that inevitably require the use of personal information, but the personal information privacy incidents and their scale are on a constant increase. Thus, Korea has been implementing personal information protection management system since 2008 to examine whether public organizations observe the personal information protection act and to how well they manage the personal information, and to improve what is insufficient in the process. However, despite high scores of the outcomes of the system, questions about the effectiveness of the outcomes and about the actual manage level are being raised. Thus, this study seeks to analyze public organizations&#x27; activities to protect personal information and the effectiveness of their foundation efforts for them by using the DEA model, and to propose a new model to enhance the effectiveness of the outcomes of personal information protection management system by reflecting them into the outcomes of system, using the derived effectiveness.

English Else

Heru Susanto,Mohammad Nabil Almunawar,Yong Chee Tuan,Mehmet Sabih Aksoy,Wahyudin P. Syam

DOI: https://doi.org/10.48550/arXiv.1203.6214

2012-03-28

Abstract:Actually Information security becomes a very important part for the organization's intangible assets, so level of confidence and stakeholder trusted are performance indicator as successes organization. Since information security has a very important role in supporting the activities of the organization, we need a standard or benchmark which regulates governance over information security. The main objective of this paper is to implement a novel practical approach framework to the development of information security management system (ISMS) assessment and monitoring software, called by I-SolFramework. System / software is expected to assist stakeholders in assessing the level of their ISO27001 compliance readiness, the software could help stakeholders understood security control or called by compliance parameters, being shorter and more structured. The case study illustrated provided to the reader with a set of guidelines, that aims easy understood and applicable as measuring tools for ISMS standards (ISO27001) compliance.

Cryptography and Security

Nan Sun,Chang-Tsun Li,Hin Chan,Ba Dung Le,MD Zahidul Islam,Leo Yu Zhang,MD Rafiqul Islam,Warren Armstrong

DOI: https://doi.org/10.1109/ACCESS.2022.3168716

2022-04-02

Abstract:Advances of emerging Information and Communications Technology (ICT) technologies push the boundaries of what is possible and open up new markets for innovative ICT products and services. The adoption of ICT products and systems with security properties depends on consumers' confidence and markets' trust in the security functionalities and whether the assurance measures applied to these products meet the inherent security requirements. Such confidence and trust are primarily gained through the rigorous development of security requirements, validation criteria, evaluation, and certification. Common Criteria for Information Technology Security Evaluation (often referred to as Common Criteria or CC) is an international standard (ISO/IEC 15408) for cyber security certification. In this paper, we conduct a systematic review of the CC standards and its adoptions. Adoption barriers of the CC are also investigated based on the analysis of current trends in security evaluation. Specifically, we share the experiences and lessons gained through the recent Development of Australian Cyber Criteria Assessment (DACCA) project that promotes the CC among stakeholders in ICT security products related to specification, development, evaluation, certification and approval, procurement, and deployment. Best practices on developing Protection Profiles, recommendations, and future directions for trusted cybersecurity advancement are presented.

Cryptography and Security,Computers and Society

Sayed Amir Reza Mortazavi,Faramarz Safi-Esfahani

DOI: https://doi.org/10.1007/s41870-019-00302-0

2019-04-22

International Journal of Information Technology

Abstract:Today, information is rapidly increasing. For most of this information, data security and protection from unauthorized access are of great importance. Maybe information is created by an individual or a few people, but creating security for the information should be done by all assets of hardware, software and people. This entails organizing all elements of the system, and training and monitoring the performance of the people. One of the standards provided for the creation of security is ISMS. This standard is intended to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a system in terms of security. ISMS receives several parameters from users, assesses the risks and offers some controls (guidelines) to improve them. Collecting primary parameters is also very important in ISMS. Usually these parameters are collected personally, which result in getting inaccurate outcomes. The most important parameters include confidentiality, integrity, availability, threat and vulnerability. This paper tries to provide a method based on checklists so that by assessing the users’ responses to these checklists, one can more accurately insert the vulnerability parameter value as a standard input of ISMS, in order to gain better outcomes, and more accurately perform choice of controls. In the assessment, the standard deviation method is calculated, and comparison between the common mode of ISMS and the proposed method shows that the latter works 30% better than the conventional method. People may refuse to respond sincerely due to different reasons, and the percentage of the results may differ, since the results are obtained as cross-sectional at a certain time.

Jin-ho Choi,Heiwon Kwon,Il-Gwang Kim

DOI: https://doi.org/10.14400/JDC.2016.14.6.547

2016-06-28

Abstract:The purpose of this research was to provide the information of mandatory regulation for Korean sports facilities and the preliminary data for building sport safety management manual through sports facilities abroad and system status. Futhermore, based on the information of sports facilities safety management, this research performed the benchmarking of each country sports facilities safety management system. As a result, in the U.S, Department of Homeland Security(DHS) leads effort to achieve a safe, secure, and resilient homeland. In Germany, law & regulations, sports facilities safety guideline and expert extension have been reviewed. Germany is more realistic and practical than other countries. In Australia, Major Hazard Facilities(MHF) is responsible for eliminating the risk of a major incident. Emergency Management System(EMS) should spontaneously respond when the alarm is raised as early detection and intervention are vital to ensuring that a small incident does not escalate to become a major disaster.

Engineering,Environmental Science

Heru Susanto,Mohammad Nabil Almunawar,Yong Chee Tuan,Mehmet Sabih Aksoy,Wahyudin P Syam

DOI: https://doi.org/10.48550/arXiv.1204.0240

2012-04-02

Abstract:Actually Information security becomes a very important part for the organization's intangible assets, so level of confidence and stakeholder trusted are performance indicator as successes organization. Since information security has a very important role in supporting the activities of the organization, we need a standard or benchmark which regulates governance over information security. The main objective of this paper is to implement a novel practical approach framework to the development of information security management system (ISMS) assessment and monitoring software, called by I-SolFramework. System / software is expected to assist stakeholders in assessing the level of their ISO27001 compliance readiness, the software could help stakeholders understood security control or called by compliance parameters, being shorter and more structured. The case study illustrated provided to the reader with a set of guidelines, that aims easy understood and applicable as measuring tools for ISMS standards (ISO27001) compliance.

Cryptography and Security,Software Engineering