Effective Risk Level Assessment Using 3-Dimensional Vector Visualization

Lee, Ju-young;Cho, In-hyun;Lee, Jae-hee;Lee, Kyung-ho

  • Received : 2015.09.30
  • Reviewed : 2015.10.23
  • Published : 2015.12.31


Risk analysis is used to establish measures for managing risk at an acceptable level. In such risk management decision-making, the visualization of risk is important. However, existing risk visualization methods are limited in their ability to visualize risk three-dimensionally while taking the elements of risk into account. This paper presents an improved 3-dimensional visualization method for risk level that can express risk either individually or comprehensively in terms of confidentiality, integrity, and availability. The validity of the proposed method is verified by applying it to an enterprise risk analysis evaluation. The proposed visualization method can be used effectively in the information security decision-making process for internal control.


Risk Analysis;Information Security Decision Making;3-dimensional Visualization




Research project sponsoring organization : Korea Internet & Security Agency (KISA)