Many-Sided Self Risk Analysis Model for Information Asset to Secure Stability of the Information and Communication Service

Information and communication service providers (ICSP) that are significant in size and provide Internet-based services take administrative, technical, and physical protection measures via the information security check service (ISCS). These protection measures are the minimum action necessary to secure the stability and continuity of the information and communication services (ICS) that they provide. Information assets are essential to providing ICS, so deciding the relative importance of the assets targeted for protection is a critical procedure. The risk analysis model described in this study is designed to decide the relative importance of information assets; it evaluates them from many angles in order to choose which ones should be given priority for protection. Many-sided risk analysis (MSRS) grades the importance of information assets in order to identify the ISCS target, based on three evaluations: evaluation of major security check items, evaluation of the dependency on the information and communication facility (ICF) and the influence on potential incidents, and evaluation of major items according to their service classification. MSRS could be an efficient risk analysis model to help ICSPs identify their core information assets and take information protection measures for them first, so that the stability of the ICS can be ensured.



