A study on the impact analysis of security flaws between security controls: An empirical analysis of K-ISMS using case-control study

Research output: Contribution to journal › Article

Abstract

The measurement of information security levels is a very important but difficult task. So far, various measurement methods have been studied, mostly through the development of new indices. Note, however, that this research has focused on the problem of attaining a certain level and has largely neglected the question of how different types of possible flaws in security controls affect each other, and which flaws are more critical because of these effects. Furthermore, applying the same weight across the board to these flaws has made it difficult to identify their relative importance. In this paper, the interrelationships among security flaws that occurred in the security controls of K-ISMS were analyzed, and the relative impact of each security control was measured. Additionally, a case-control study was applied to empirical data in order to eliminate the subjective bias that is a shortcoming of expert surveys and comparative studies. The security controls were divided into two groups depending on whether or not a security flaw occurred. The experimental results show the impact relationships and the severity among security flaws. We expect these results to serve as useful reference indices when making decisions on the removal of security flaws in an enterprise.

Original language: English
Pages (from-to): 4588-4608
Number of pages: 21
Journal: KSII Transactions on Internet and Information Systems
Volume: 11
Issue number: 9
DOI: 10.3837/tiis.2017.09.022
Publication status: Published - 2017 Sep 30

Fingerprint

Defects
Security of data
Decision making
Industry

Keywords

  • Case-control study
  • Information security management
  • ISMS
  • Risk management
  • Security

ASJC Scopus subject areas

  • Information Systems
  • Computer Networks and Communications

Cite this

@article{099e86b09fd545ffbb8b231617c2d3c5,
title = "A study on the impact analysis of security flaws between security controls: An empirical analysis of K-ISMS using case-control study",
abstract = "The measurement of information security levels is a very important but difficult task. So far, various measurement methods have been studied, mostly through the development of new indices. Note, however, that this research has focused on the problem of attaining a certain level and has largely neglected the question of how different types of possible flaws in security controls affect each other, and which flaws are more critical because of these effects. Furthermore, applying the same weight across the board to these flaws has made it difficult to identify their relative importance. In this paper, the interrelationships among security flaws that occurred in the security controls of K-ISMS were analyzed, and the relative impact of each security control was measured. Additionally, a case-control study was applied to empirical data in order to eliminate the subjective bias that is a shortcoming of expert surveys and comparative studies. The security controls were divided into two groups depending on whether or not a security flaw occurred. The experimental results show the impact relationships and the severity among security flaws. We expect these results to serve as useful reference indices when making decisions on the removal of security flaws in an enterprise.",
keywords = "Case-control study, Information security management, ISMS, Risk management, Security",
author = "Hwankuk Kim and Lee, {Kyung Ho} and Lim, {Jong In}",
year = "2017",
month = "9",
day = "30",
doi = "10.3837/tiis.2017.09.022",
language = "English",
volume = "11",
pages = "4588--4608",
journal = "KSII Transactions on Internet and Information Systems",
issn = "1976-7277",
publisher = "Korea Society of Internet Information",
number = "9",
}

TY - JOUR

T1 - A study on the impact analysis of security flaws between security controls

T2 - An empirical analysis of K-ISMS using case-control study

AU - Kim, Hwankuk

AU - Lee, Kyung Ho

AU - Lim, Jong In

PY - 2017/9/30

Y1 - 2017/9/30

KW - Case-control study

KW - Information security management

KW - ISMS

KW - Risk management

KW - Security

UR - http://www.scopus.com/inward/record.url?scp=85030839368&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85030839368&partnerID=8YFLogxK

U2 - 10.3837/tiis.2017.09.022

DO - 10.3837/tiis.2017.09.022

M3 - Article

AN - SCOPUS:85030839368

VL - 11

SP - 4588

EP - 4608

JO - KSII Transactions on Internet and Information Systems

JF - KSII Transactions on Internet and Information Systems

SN - 1976-7277

IS - 9

ER -