Search of SECURITY Level of National Industrial Complex in Republic of KOREA : Focusing on Gumi Area

Son Man-sik,Kim Dong-je,Jo Sung-gu J-INSTITUTE 2016 Protection Convergence Vol.1 No.2

The Republic of Korea is now a global economic power and reached worldwide level in IT, shipbuilding, steel and automobile industries and is investing huge money in research and development of cutting-edge technolo-gies every year and is requesting a high level security on the company’s core technologies accordingly. However, in spite of the request of a high level security of companies, the cases of core technology leakage in domestic companies are increasing every year. 73% of the technology leakage occur in small and medium com-panies. In addition, though the technology leakage crime is on the increase, the level of legal punishment is low, so the problem is pointed out that the punishment has little efficiency in crime prevention. The purpose of this study is to look at the security level of the National Industrial Complex in Gumi where majority of typical IT companies are located and to search for the security level difference between the large companies and the small & medium companies. To meet the purpose of this research, technology statistics of quantitative research and narrative research of qualitative research were carried out according to the link model of Mixed Methods by Creswell(2003). The result showed high difference between the large and small & medium companies in security level of Gumi National Industrial Complex. In case of the large companies, the answers to the security level of the large companies showed 63 peo-ple(43.1%) of ‘Very high’, 52 people(35.6%) of ‘High’, 23 people(15.7%) of ‘Normal’, 5 people(3.4%) of ‘Low’ and 3 people(2.0%) of ‘Very low’ out of 146 respondents, which showed that the large companies have built up generally satisfactory level of security systems. Meanwhile, the answers to the security level of the small & medium companies showed 1 person(0.6%) of ‘Very high’, 4 people(2.7%) of ‘High’, 33 people(22.6%) of ‘Normal’, 61 people(41.7%) of ‘Low’ and 47 peo-ple(32.1%) of ‘Very low’ out of 146 respondents, which showed that the small & medium companies have built up generally poor level of security systems.

쌍대비교를 활용한 기업 유형 분류에 따른 보안 전략 우선순위 결정

김희올(Hee-Ohl Kim),백동현(Dong-Hyun Baek) 한국산업경영시스템학회 2016 한국산업경영시스템학회지 Vol.39 No.4

As information system is getting higher and amount of information assets is increasing, skills of threatening subjects are more advanced, so that it threatens precious information assets of ours. The purpose of this study is to present a strategic direction for the types of companies seeking access to information security. The framework classifies companies into eight types so company can receive help in making decisions for the development of information security strategy depending on the type of company it belongs to. Paired comparison method survey conducted by a group of information security experts to determine the priority and the relative importance of information security management elements. The factors used in the security response strategy are the combination of the information security international certification standard ISO 27001, domestic information protection management system certification K-ISMS, and personal information security management system certification PIMS. Paired comparison method was then used to determine strategy alternative priorities for each type. Paired comparisons were conducted to select the most applicable factors among the 12 strategic factors. Paired comparison method questionnaire was conducted through e-mail and direct questionnaire survey of 18 experts who were engaged in security related tasks such as security control, architect, security consulting. This study is based on the idea that it is important not to use a consistent approach for effective implementation of information security but to change security strategy alternatives according to the type of company. The results of this study are expected to help the decision makers to produce results that will serve as the basis for companies seeking access to information security first or companies seeking to establish new information security strategies.

정보보호 관점의 기업 유형 분류 프레임워크 개발에 관한 연구

김희올(Hee-Ohl Kim),백동현(Dong-Hyun Baek) 한국산업경영시스템학회 2016 한국산업경영시스템학회지 Vol.39 No.3

For most organizations, a security infrastructure to protect company’s core information and their technology is becoming increasingly important. So various approaches to information security have been made but many security accidents are still taking place. In fact, for many Korean companies, information security is perceived as an expense, not an asset. In order to change this perception, it is very important to recognize the need for information security and to find a rational approach for information security. The purpose of this study is to present a framework for information security strategies of companies. The framework classifies companies into eight types so company can receive help in making decisions for the development of information security strategy depending on the type of company it belongs to. To develope measures to classify the types of companies, 12 information security professionals have done brainstorming, and based on previous studies, among the factors that have been demonstrated to be able to influence the information security of the enterprise, three factors have been selected. Delphi method was applied to 29 security experts in order to determine sub items for each factor, and then final items for evaluation was determined by verifying the content validity and reliability of the components through the SPSS analysis. Then, this study identified characteristics of each type of eight companies from a security perspective by utilizing the developed sub items, and summarized what kind of actual security accidents happened in the past.

건강신념모델을 이용한 기업 정보보안 행동에 관한 연구

조성배 ( Sung Bae Cho ),권두순 ( Do Soon Kwon ),이미영 ( Mi Young Lee ) 한국중소기업학회 2014 中小企業硏究 Vol.36 No.2

최근 IT 비즈니스 환경의 급격한 성장과 아울러 정보 보안에 관한 이슈가 대두되고 있다. 특히 오늘날의 보안 위험은 특정 대상을 목표로 은밀하게 오랜 기간을 통해 이루어지고 있으며, 이는 기업 이미지 훼손 및 금전적 손실 등의 심각한 결과를 초래할 가능성이 있다. 이에 각종 보안위험에 대한 예방 및 대응을 위하여 정부는 금융, 통신, 의료 등 각 분야에 다양한 정보보안 규제 강화를 하고 있다. 이와 관련하여 각 기업에서도 정보보호 전담조직을 구성하여 전사적 측면의 보안정책을 수립하고 정보보호시스템을 도입하는 등 다양한 정보보안 활동을 수행하고 있다. 하지만 분산서비스거부공격(DDoS : Distributed Denial of Service)이나 지능형 지속 위협 공격(APT : Advanced Persistent Threat) 그리고 내부 직원에 의한 정보유출 등으로 인해 전산망이 마비되거나 기업 내고객정보 및 중요정보가 유출되는 등의 각종 보안사고가 지속적으로 발생하고 있는 실정이다. 본 연구는 국내 기업의 정보보안 행동에 영향을 미치는 영향요인들을 파악하고 이들 요인이 기업의 정보보안 행동에 어떠한 영향을 미치는지 실증 검증하고자 한다. 기업의 정보보안 활동을 촉진할 수 있는 요인들을 찾아내기 위해 건강신념모델을 이용하여 연구모형을 제시하였다. 연구모형을 실증적으로 검증하기 위해 국내 기업의 정보보안 실무 담당자들을 대상으로 설문조사를 실시하였으며, 설문조사를 통해 총 107부의 표본을 수집하였다. 또한, 요인들 간의 관계를 분석하기 위해 경로분석을 실시하였다. 경로분석결과 건강신념모델의 지각된 심각성, 지각된 개연성, 지각된 장애를 통해 매개변수인 대응성에 유의한 영향을 미치고 종속변수인 기업 정보보안 행동에 유의한 영향을 미치는 것으로 나타났다. 이를 통해 기업에서는 보안위험에 대한 예방 및 대응을 위해서 관련 보안규정 및 지침을 수립하고 정보보안 솔루션 도입을 지원해야 하는 것은 물론 직원들의 정보보안 인식을 향상시키기 위한 노력을 해야 할 것이다. The rapid growth of IT business environment incurs the issues of information security recently. Especially, today`s attack on information security progresses on a specific target for a long period of time and this may result in serious outcomes such as damage on company`s reputation or financial loss. Therefore, to prevent and respond to different kinds of security risks, the government reinforces various security risk regulations on such areas as finance, communication, or medicine. In this regard, companies are forming information security organizations, establishing company-wide security policies, and introducing information security systems. However, the reality still struggles with unceasing security accidents of different kinds, like computer network paralysis or customer/important information spills, due to DDoS (Distributed Denial of Service) or APT (Advanced Persistent Threat) and information spills by the insiders. The purpose of the study is to figure out major factors that influence the information security behaviors of Korean companies and empirically verify the effects of these factors on companies` information security behaviors. A research model is proposed based on Health Belief Model, which is expected to influence the companies` information security behaviors and emphasizes the promotion of company information security behaviors. The total of 107 samples are collected through the questionnaires which are conducted on the Korean companies` information security staff. The path analysis is performed to analyze the relationships among the factors and find that the perceived severity, probability, and barriers of Health Belief Model significantly affect the behaviors of corporate information security via the parameter of responsiveness. Based on the results, companies should establish rules and guidelines on information security and adopt information security solutions for the prevention of and coping with the information security risks and also make efforts to improve the employees` information security awareness.

조선기업출입보안관리 발전을 위한 시론적 연구: 융합보안적 접근

최관 ( Kwan Choi ),김민지 ( Min Chi Kim ) 한국시큐리티융합경영학회 2015 한국융합과학회지 Vol.4 No.2

Pupose: The purpose of present study is to better understand a access control security management system (below ACSMS) of shipbuilding company for industry security crime prevention. Methods: The research method for present study is an review methodology using secondary data. The paper consist of four parts to explore the ACSMS. Section two highlights the definition of security management, and an relationship between shipbuilding industry and security management. Section three provides an access security on the land and access security on the harbour and bay for better exploring ACSMS of shipbuilding company. Conclusion: The present study is primary research in terms of ACSMS of shipbuilding company and provides two key finding. Firstly, a group system for managing an industry security need to develop. The key important thing to solve some industry control issues such as security leaks is how systematic issues of security management organisation can be structured. security group has to understand a nature of shipbuilding company as distinct from general manufacture company. Second, present study highlights that responsibility and role of industry security manager are reinforced. Minimum report line and decision making for security management need to between security group and board of directors. Besides, regulation for shipbuilding industry security grab some legal article relating safety culture settlement of industry security, training for industry technique protection, and implementation situation checking.

기계경비업체의 보안업무 영역 분석

주일엽 한국경호경비학회 2022 시큐리티연구 Vol.- No.73

This study analyzed the security business areas of major electronic security companies by conducting a qualitative research centered on literature research on business reports, investment prospects, and website data of major electronic security companies. Specific research results are as follows. First, in the security business area of S1, 'physical security' can be divided into SECOM/ CCTV, integrated security solution, vehicle operation management, etc., 'Information protection' can be classified as information security, and 'other' can be classified as real estate comprehensive service. Second, KT Telecop's security business areas can be divided into 'physical security', such as dispatch security, access security, video security, integrated security, security solution, and security equipment. Third, in the security business area of SK Shielders, ‘physical security’ can be divided into home security, physical security, care service(1), package product(1), etc. ‘information protection’ can be divided into cybersecurity and care service(2), ‘convergence security’ can be divided into convergence security, and ‘others’ can be classified as package products(2). 본 연구는 기계경비업체의 보안업무 영역을 분석하기 위하여 주요 기계경비업체의 사업보고서, 투자설명서와 홈페이지 자료를 기초로 문헌연구 중심의 질적 연구(Qualitative Research)를 실시하였다. 구체적인 연구결과는 다음과 같다. 첫째, ㈜에스원의 보안업무 영역은 ‘물리보안’은 세콤/CCTV, 통합보안솔루션, 차량운행관리 등으로 구분할 수 있으며, ‘정보보호’는 정보보안으로 구분할 수 있고, ‘기타’는 부동산종합서비스로 구분할 수 있다. 둘째, ㈜KT텔레캅의 보안업무 영역은‘물리보안’은 출동보안, 출입보안, 영상보안, 통합보안, 보안솔루션, 보안장비 등으로구분할 수 있다. 셋째, ㈜SK쉴더스는 ‘물리보안’은 홈보안, 물리보안, 케어서비스(1), 패키지 상품(1) 등으로 구분할 수 있으며, ‘정보보호’는 사이버보안, 케어서비스(2) 등으로 구분할 수 있고, ‘융합보안’은 융합보안으로 구분할 수 있으며, ‘기타’는 패키지상품(2)으로 구분할 수 있다. 이와 같은 연구결과에 따른 학문적, 실무적인 제언은 다음과 같다. 첫째, 경비업법에서 정의한 주요 경비업무는 보안업무 중 물리보안에 속하며, 정보보호, 융합보안 등에 대한 영역 확대가 필요하다. 둘째, 기계경비업체는 물리보안, 정보보호, 융합보안을 수행할 수 있도록 회사사업 영위의 근거가 되는 법률을 보다구체적으로 명시하여야 한다. 셋째, 기계경비업체는 4차산업과 연계한 경비 및 보안업무를 확대 실시하여야 한다.

산업보안 기술보호활동이 보안인식과 보안성과에 미치는 영향: 해외진출기업(베트남)을 중심으로

이대권,양정훈,강원선,박준석 한국산업보안연구학회 2021 한국산업보안연구 Vol.11 No.1

Technology protection for domestic SMEs(Small-Medium sized Enterprises) is also important, but the technology protection system of SMEs entering overseas is inferior. In the situation of overseas companies that do not have professional manpower and support system related to technology protection, overseas companies are easily targeting technology leakage. In order to reinforce the competitiveness of overseas companies, protection activities for possessed technologies and information are most important, and for this purpose, it is necessary to provide various technology protection information and securitypersonnel to local companies. This study aims to present a plan to prevent technology leakage and improve security awareness and security performance based on the reality of SMEs that have entered Vietnam. This study was to investigate the actual level of technology protection activities for local business managers in Vietnam, measure the technology protection competency score, security awareness and security performance, and analyze how technology protection activities impact security awareness and security performance. As a result of the study, asset classification and management security had apositive (+) effect on security performance, and security policy, management security, and technical security had a positive (+) effect on security awareness. Security awareness was found to have a positive (+) effect on security performance. It was found that security awareness is mediated in the relationship between technology protection activities and security performance. Finally, it was found that there are differences in technology protection activities, security awareness, and security performance according to the presence or absence of a security officer and whether it is legal-know. Therefore, it is necessary to newly build a security infrastructure such as providing regionally tailored technology protection policies, technology protection education, security personnel, and support services suitable for the local situation in Vietnam. 국내 중소기업에 대한 기술보호도 여전히 중요하지만 해외진출기업의 기술보호시스템은 열악한 실정이다. 기술보호 관련 전문인력과 지원제도가 미흡한 해외진출기업은 손쉽게 기술탈취의 표적으로 일삼아지고 있다. 해외진출기업의 경쟁력을 강화하기 위해서는 보유기술 및 경영정보에 대한 보호활동이 무엇보다 필요하며 현지기업에 다양한 기술보호서비스와 보안인력을 제공할 필요가 있다. 이에 본 연구는 베트남의 해외진출기업을 중심으로 기술유출을 예방하고 보안인식 및 보안성과를 제고하기 위한 방안을 제시하고자 하였다. 베트남 현지 기업의 대표자 및 관리자들을 대상으로 기술보호활동 실태수준을 조사하고 기술보호역량점수와 보안인식 및 보안성과를 측정함으로써 기술보호활동(보안정책, 자산분류, 관리보안, 물리보안, 기술보안)이 보안인식과 보안성과에 어떠한 영향을 미치는 가를 분석하고자 하였다. 연구결과, 자산분류와 관리보안은 보안성과에 정(+)의 영향을 미치는 것으로 나타났으며 보안정책과 관리보안, 기술보안은 보안인식에 정(+)의 영향을 미치는 것으로 나타났다. 보안인식은 보안성과에 정(+)의 영향을 미치는 것으로 나타났으며 기술보호활동과 보안성과의 관계에서 매개하는 것으로 나타났다. 마지막으로 보안담당자의 유무와 법률인지에 따라 기술보호활동과 보안인식, 보안성과에 차이가 있는 것으로 나타났다. 따라서 베트남 현지 상황에 맞는 지역맞춤형 기술보호정책과 기술보호교육, 보안인력, 지원서비스를 제공하는 등의 보안인프라를 새롭게 구축하는 등의 노력과 정책이 마련되어야 한다.

민간경비조직 구성원의 조직공정성이 조직시민행동 및 조직성과에 미치는 영향

조철규 ( Cheolkyu Cho ) 사단법인 아시아문화학술원 2021 인문사회 21 Vol.12 No.6

본 연구는 민간경비조직 구성원의 조직공정성이 조직시민행동 및 조직성과에 미치는 영향을 살펴보고 조직성과를 높이는 방안을 제시하는데 목적을 두고 있다. 이를 위하여 2021년 6월~8월까지 서울·인천·경기 소재 민간경비업에 종사하고 있는 민간경비원을 표본대상으로 설정하였으며, 그 중 시설경비원, 기계경비원, 특수경비원을 한정하여 모집단으로 선정하였다. 분석결과 첫째, 민간경비조직 구성원의 조직공정성은 조직시민행동의 모든 요인에 유의미한 정(+) 영향을 미치는 것으로 나타났다. 둘째, 민간경비조직 구성원의 조직공정성은 조직성과의 모든 요인에 유의미한 정(+) 영향을 미치는 것으로 나타났다. 셋째, 민간경비조직 구성원의 조직시민행동은 조직성과의 모든 요인에 유의미한 정(+) 영향을 미치는 것으로 나타났다. 따라서 민간경비업무는 인적의존도가 매우 높은 산업으로서 구성원의 특성에 따른 체계적인 관리가 중요하다고 생각되며, 조직 내부의 구성원들은 업무 역량에 있어 능동적이고 공동체 의식을 강화해 나간다면 조직성과는 더욱 더 높아질 것으로 사료된다. This study aims not only to observe how organizational justice of members working for private security companies affects organizational citizenship behavior and organizational performance but also to offer measures to improve organizational performance. In order to achieve the research goals, the study was carried out from June to August of 2021 targeting private security guards involved in the private security business in Seoul, Incheon and Gyeonggi province as research objects, and of those objects, a population was limited to facility security guards, electronic security guards and special security guards. The result said that to begin with, organizational justice of members working for private security companies has a significant positive (+) effect on all those factors in organizational citizenship behavior. Second, organizational justice of members of private security companies turned out to have a signifiant positive (+) influence on all the factors in organizational performance. Third, organizational citizenship behavior of private security companies' members is believed to have a significant positive (+) impact on all the factors in organizational performance. Considering what has been found in the study, it is assumed that as a business of a high degree of human resource dependence, private security work should be followed by systematic management that would focus on features of members. On top of that, it is believed that organizational performance will be enhanced even more as long as members of the companies are willing to show initiative in competency as strengthening sense of community.

웹 기반 해운 선사 운영시스템 보안 요구사항 연구

정업,문종섭 한국인터넷정보학회 2022 인터넷정보학회논문지 Vol.23 No.1

해운 선사의 운영시스템은 주전산기를 이용한 단말기 접속 환경 또는 클라이언트/서버 구조의 환경을 유지하고 있는 경우가 아직많으며, 웹서버 및 웹 애플리케이션 서버를 이용한 웹 기반 환경으로의 전환을 고려하는 해운 선사가 증가하고 있다. 그런데 전환과정에서, 기존 구성 방식과 지식을 바탕으로 웹 기반 환경의 특성 및 해운 업무의 특성을 고려하지 않고 설계를 진행하는 경우, 다양한 보안상 취약점이 실제 시스템 운영 단계에서 드러나게 되고, 이는 시스템 유지보수 비용의 증가를 초래하게 된다. 그러므로웹 기반 환경으로의 전환 시에는, 시스템 안전성 확보 및 보안 관련 유지보수 비용 절감을 위해 설계 단계에서부터 반드시 보안을고려한 설계가 진행되어야 한다. 본 논문에서는 다양한 위협 모델링 기법의 특성을 살펴보고, 해운 선사 운영시스템에 적합한 모델링 기법을 선정한 후, 데이터 흐름도와 STRIDE 위협 모델링 기법을 해운 선사 업무에 적용하여, 데이터 흐름도의 각 구성 요소에서발생 가능한 보안 위협을 공격자 관점에서 도출하고, 공격 라이브러리 항목과의 매핑을 통해 도출된 위협의 타당성을 입증한다. 그리고, 이를 이용하여 공격자가 최종목표 달성을 위해 시도할 수 있는 다양한 공격 시나리오를 공격 트리로 나타내고, 보안 점검 사항과 관련 위협 및 보안 요구사항을 체크리스트로 구성한 후, 최종적으로 도출된 위협에 대응할 수 있는 23개의 보안 요구사항을 제시한다. 기존의 일반적인 보안 요구사항과는 달리, 본 논문에서 제시하는 보안 요구사항은 해운 선사의 실제 업무를 분석한 후, 여기에위협 모델링 기법을 적용하여 도출된 해운 업무 특성을 반영한 보안 요구사항이므로, 추후 웹 기반 환경으로의 전환을 추진하는 해운 선사들의 보안 설계에 많은 도움이 될 것으로 생각한다. The operation system of a shipping company is still maintaining the mainframe based terminal access environment or the client/server based environment. Nowadays shipping companies that try to migrate it into a web-based environment are increasing. However, in the transition, if the design is processed by the old configuration and knowledge without considering the characteristics of the web-based environment and shipping business, various security vulnerabilities will be revealed at the actual system operation stage, and system maintenance costs to fix them will increase significantly. Therefore, in the transition to a web-based environment, a security design must be carried out from the design stage to ensure system safety and to reduce security-related maintenance costs in the future. This paper examines the characteristics of various threat modeling techniques, selects suitable modeling technique for the operation system of a shipping company, applies data flow diagram and STRIDE threat modeling technique to shipping business, derives possible security threats from each component of the data flow diagram in the attacker's point of view, validates the derived threats by mapping them with attack library items, represents the attack tree having various attack scenarios that attackers can attempt to achieve their final goals, organizes into the checklist that has security check items, associated threats and security requirements, and finally presents 23 security requirements that can respond to threats. Unlike the existing general security requirements, the security requirements presented in this paper reflect the characteristics of shipping business because they are derived by analyzing the actual business of a shipping company and applying threat modeling technique. Therefore, I think that the presented security requirements will be of great help in the security design of shipping companies that are trying to proceed with the transition to a web-based environment in the future.

통합기술수용이론(UTAUT)을 기반으로 기업정보보호시스템의 특성요인이 사용자 기술수용의도에 미치는 영향 분석 - 반도체 제조 구성원의 혁신저항 조절효과를 중심으로 –

전우광,손승우 한국반도체디스플레이기술학회 2024 반도체디스플레이기술학회지 Vol.23 No.1

The purpose of this study is to identify the factors that impact the user’s intention to accept technology when Introducing new information security systems for the workers of a semiconductor company. The findings of this study were as follows. First, the factors of a company's information security systems, namely reliability, expertise, availability, security, and economic efficiency, all significantly and positively impacted performance expectations. Second, the performance expectation of introducing information security systems for a company significantly and positively impacted the intention to accept technology. Third, the social impact of introducing information security systems for a company had a significant and positive impact on technology acceptance intention. Fourth, the facilitating conditions for introducing a company's information security systems significantly and positively impacted technology acceptance intention. Fifth, as for the moderating effect of innovation resistance, the moderating effect was significant in the paths of [performance expectation -> technology acceptance intention], [social impact -> technology acceptance intention], and [facilitating conditions -> technology acceptance intention]. The implication of this study is that the factors to be considered when introducing information security systems were provided to companies that are the actors of their proliferation, providing the base data to lay the foundation for introducing security technologies and their proliferation.