Incident Response Competence by the Security Types of Firms: Socio-Technical System Perspective

(Korean title: Security-incident response competence by firm security type: from the perspective of socio-technical systems theory)

  • 이정환 (Department of Management Information Systems, Hankuk University of Foreign Studies) ;
  • 정병호 (Department of Management Information Systems, Hankuk University of Foreign Studies) ;
  • 김병초 (Department of Management Information Systems, Hankuk University of Foreign Studies)
  • Received : 2012.10.27
  • Accepted : 2013.02.20
  • Published : 2013.03.31

Abstract

This study examines why confidential information continues to leak from firms. Its purpose is to determine which type of security, among administrative, technical and physical security, has the greatest influence on a firm's security performance, measured here as security-incident response competence. We built a model to empirically test the relationship between these three types of security and security-incident response competence. We also examined the relationship between having a dedicated security department and the firm's ability to respond to incidents. The results show that administrative security matters more for security-incident response competence than the other two types. Furthermore, firms with a security department have greater security-incident response competence and are better at repairing or recovering from damage. The study therefore indicates that investment in administrative security is an effective way to improve firm security.
