Int'l Conf.
Security and Management | SAM'17 |
A Study on Korea's Information Security Management
System: An Insider Threat Perspective
Ran Kyoung Park1, Jong In Lim1, Hun Yeong Kwon1, and Jin-Young Choi1
1
Graduate School of Information Security, Korea University, Seoul, Seoul, Korea
Abstract - Insider threats pose a significant information
security challenge to organizations. Surveys have shown that
over half of all security incidents are caused by insiders and
that attacks by insiders have more serious consequences than
those by external attackers. Information security management
systems such as ISO/IEC 27001 and K-ISMS are centered on
attacks from outside the security perimeter by external
attackers. Improvements to these management systems are
urgently needed to increase their robustness against insider
threats. In this study, we analyze the best practices to mitigate
insider threats provided by the CERT Guide and the
corresponding security controls in the US standard NISP SP
800-53. We propose extending Korea’s K-ISMS based on
these best practices and related security controls. These
extensions are designed to make the information security
management systems of K-ISMS robust against insider threats.
Keywords: insider threat, information security management
system, insider threat management, best practice, security
control
1 Introduction
In August 2016, North Korea hacked into South Korea's
defense network and may have gained access to confidential
military plans [1]. According to an investigation, this involved
a typical scenario in which an insider threat was exploited by
an external hacker [1, 2, 3]. The incident was comparable in
scale to Snowden’s release of NSA material, which is called
one of the most significant leaks in the US history [4].
An insider is someone who has or had authorized access
to an organization’s network, systems, or data as a current or
former employee, contractor, or business partner. They may
be classified as either malicious or unintentional, depending
on their motivation. Malicious insiders intentionally use their
access rights in a way that negatively affects the
confidentiality, integrity, or availability of the organization’s
information or information systems. Unintentional insiders do
the same thing but without deliberate intent. There has been a
substantial increase in the probability of serious harm arising
from intentional or unintentional breaches by insiders. The
damage caused by malicious insiders includes destruction of
information technology, theft of intellectual property, and
fraud. That caused by unintentional insiders includes
ISBN: 1-60132-467-7, CSREA Press ©
61
accidental disclosure of information, phishing/social
engineering, degradation of physical records, and loss or theft
of equipment [5].
The threat of attack from insiders is real and substantial.
The 2015 U.S. State of Cybercrime Survey found that 23% of
electronic crime events were suspected or known to have been
caused by insiders. It also reported that 45% of respondents
believed that damage from insider attacks was more severe
than that from outsider attacks [5, 6]. The outside attacker
would use insider threats to either originate or receive
cooperation from insiders within an organization. In a survey
by the Forrester of firms that had experienced a breach in
2015, it was observed that internal incidents were the leading
cause, more than 50% of which were due to inadvertent
misuse or user error. The culprits were classified as
“accidental insiders” [7]. Recently, 39% of breaches the last
12 months resulted from an internal incident. Of these, 26%
were deliberate abuses or done with malicious intent, 56%
were inadvertent, and 18% were a combination [8]. The
biggest threats to company security therefore come from
insiders and are the ones against which businesses feel least
prepared [9]. Abuse by insiders is difficult to detect [10].
While the level of threat has been increasing, most commonly
involving the theft of authentication credentials, intellectual
property, corporate financial data, and personally identifiable
information (PII), 70% organizations still give higher priority
to maintaining traditional perimeter defenses than to insider
threat management [11].
Since most organizations are reluctant to disclose the
fact of an accident, little insider threat analysis has been
conducted in Korea, making it difficult to understand the
nature of such threats. The CERT Guide produced by the
Carnegie Mellon University's Software Engineering Institute
(SEI) has analyzed over 1,000 cases and presents 20 best
practices based on this analysis. We used this as the best
guideline on insider threats [5].
An information security management system (ISMS) is
the default approach to minimizing risk and ensuring business
continuity by proactively limiting the impact of security
incidents. An ISMS can improve the information security
level of an organization by introducing a set of policies and
procedures for systematically managing the organization’s
sensitive data. Given the severity of insider threats, ISMS
62
would be improved by providing a framework for insider
threat management. The Korean government runs a domestic
ISMS certification system (K-ISMS) to support organizational
information security [12]. K-ISMS, like other ISMSs, is
designed around the perceived threat of external hacking.
Given the increasing scale and severity of damage caused by
insider threats, urgent improvement of existing information
security management systems is needed, including K-ISMS.
In this study, we analyze the insider threat cases reported
in the CERT Guide and discuss extensions to K-ISMS based
on the best practices for mitigating insider threats and the
security controls of NIST SP 800-53 [5, 13]. We also analyze
the hacking of the Korean military defense network and
consider the lessons that can be applied to extend K-ISMS to
insider threat management.
The remainder of this paper is structured as follows.
Section II introduces K-ISMS. Section III summarizes the
Korean military hacking incident. In Section IV, based on the
best practices recommended in the CERT Guide and their
mapping to standards, amendments are proposed for security
controls to extend K-ISMS to insider threats. The proposed
extensions are then applied to the defense network hacking
incident to demonstrate their effectiveness. Finally, Section V
presents our conclusions and suggestions for future work.
2 Overview of Information Security
Management Systems
An ISMS is a comprehensive management system
covering the administrative, technical, and physical protection
measures needed to ensure the stability and reliability of an
information communication network [14]. It is a systematic
risk management system for an entire organization that takes
account of the proliferation of IT systems and the increase in
cyber infringements. The goal is to achieve continuous
management through a balanced and systematic response.
Major ISMSs include the ISO 27001 [15] and the Korean
domestic standard K-ISMS [12]. An ISMS is usually divided
into an information security management section responsible
for risk management and a security countermeasure
responsible for the security controls that the organization
implements. The security measures are applied universally
and based on best practice.
2.1 K-ISMS
K-ISMS is a regulatory and certification scheme that
examines whether an ISMS established, managed, and
operated by a domestic company meets certain standards. It
was introduced by the Korean government in 2002 and has
helped enterprises to establish and operate effective ISMSs.
K- ISMS offers information security management section and
security countermeasures. The management section covers
five levels of 12 controls. Countermeasures are specified in 13
fields, comprising a total of 92 controls. The security controls
ISBN: 1-60132-467-7, CSREA Press ©
Int'l Conf. Security and Management | SAM'17 |
were updated in 2013. Since 2013, the system has required
certain organizations to gain certification. These currently
include major internet service providers, internet data centers,
online shopping malls, internet portals, and so on.
Certification involves four phases: application, contract, audit,
and certification. Certification is valid three years and can be
renewed following a further examination. A total of 659
certificates have been issued to date, 477 of which have been
renewed [16]. In a survey conducted in 2016, companies
reported an improvement in the security awareness of
employees, reduction in infringements, improved management
understanding of information security, and better budgeting
for information security, after K-ISMS certification was
obtained [17].
3 Overview of the Korean Defense
Network Hacking Incident
3.1 Incident Sequence
A defense network hacking incident was first reported
following a parliamentary inspection of the National
Assembly for the Department of Defense [18]. A joint
investigation was then conducted, and pressed the results of
the investigation [19, 20, 22, 23, 24]. Based on the contents of
the report, the timeline was as follows [21, 25].
y August 04, 2016: First infiltration, malicious code log
introduced
y September 23, 2016: Intranet hacking traces found.
Department of Defense concludes that malicious code
was spread through an Internet vaccine relay server,
which plays a role of supplying vaccine programs to all
connected PCs. If it is infected with malicious code, all
the PCs connected to it are exposed to the risk of
infection. About 2,500 Internet computers and 700
intranet computers within the military were infected
with malicious code.
y September 30, 2016: A defense cyber joint
investigation team was formed and a joint investigation
was conducted over two months from September 30 to
November 30.
y October 06, 2016: It was found that the defense
networks are linked directly to the Internet. A survey
by the joint inspection team confirms that the military
intranet and the external Internet LAN card were used
at the same time in a server of the Kyeryong Defense
Integrated Data Center (DIDC). This was the
connection point through which a hacker had
penetrated the defense network.
y October 12, 2016: It was confirmed that internal data
had been leaked.
Int'l Conf. Security and Management | SAM'17 |
y December 08, 2016: Department of Defense
announced the results of the investigation.
y December 15, 2016: It was reported that seven officers
of the joint chiefs and special force had violated
security regulations by writing documents containing
confidential information on a “PC connected to the
defense network and the Internet.”
y December 23, 2016: The Department of Defense
prosecutor’s office established a task force team to
investigate the military, related organizations, and
private companies.
y May 02, 2017: Department of Defense prosecutors
announced the results of the investigation.
3.2 Incident
The outline of the hacking incident shown in Fig 1 is
based on the findings of the Department of Defense
prosecutors. The figure was adapted from [25].
Fig. 1 Presumed North Korea Hacking Attack on Defense
Network
£G Presumed North Korea hacker: The Department of
Defense prosecutors concluded that the hack was linked
to North Korea, as some of the IP addresses used were
located in Shenyang, China. The malicious code
resembled that known to have been used by North Korea
before.
¤G Internet Relay Server Infection: The hacker penetrated
an Internet relay server by exploiting the vulnerability of
the military vaccine system. In February 2015, National
Police Agency notified the vaccine vendor to hacking
incident that North Korea hacker had infiltrated the
vaccine vendor, stolen the certificate and source code.
ISBN: 1-60132-467-7, CSREA Press ©
63
The vendor did not report Department of Defense to the
hacking incident and did not change the update key. The
hacker infiltrated the relay server, and spread the
malicious code through the server and connected PCs.
¥G The penetration was made through the connection point
between the external Internet and the military intranet.
Two years earlier, when the DIDC was established,
outsourced staff used LAN card to install programs and
did not remove it.
¦ Some vulnerable PCs on the defense network stored
confidential data entered by military officers who had
failed to observe security regulations, prohibiting the
storing of secret documents on personal computers.
3.3 Conclusions
The following conclusions were drawn regarding the
defense network hacking case [24].
y Management of the Internet vaccine system had been
neglected. The hacker exploited this vulnerability to
attack the relay server and spread the malicious code.
y Network separation failed. While installing software, the
outsourcer had, for convenience, connected the defense
network to the Internet. The responsible manager and
security inspector had failed to check this. The security
supervisor in Korean Army Security Command checked
and twice pointed out the need for network separation.
However, DIDC did not respond to this feedback.
y Confidential data were stored on networked PCs, in
breach of security regulations. Data that had been stored
on an infected PC then leaked.
4 Cause of Incident and Analysis of
Information Security Management
System
4.1 Analysis on the Incident Cause and Insider Threat
Pattern
Insider Analysis: Major insiders in the defense network
hacking case included the vaccine vendor, the outsourced
DIDC partner, the inspector who oversaw the outsourcer
when the DIDC was under construction, the server and
network administrators in DIDC, the security checkers and
supervisors, and the military officers who violated the security
regulations. It was not revealed whether these insiders had
acted maliciously or intentionally. We assume them to be
unintentional insiders.
Analysis of the Type of Insider Threat Damage: The
external attacker exploited vulnerability in the vaccine system.
64 Int'l Conf. Security and Management | SAM'17 |

The vaccine vendor concealed the fact that the vaccine TABLE 1 Best Practices Mapped to Standards, NIST SP 800-
certificate and source code had been stolen. The vaccine 53 and K-ISMS
vendor was an unintentional insider. Though, the damage can
Best Practice NIST SP 800-53 K-ISMS
be classified as an “act of information technology destruction”
CP-2(8) Contingency
caused by an intentional insider. In contrast, the insiders who Plan | Identify Critical 2.2 Roles and Responsibilities
violated the requirement on network separation and Assets 4.1 Information Asset
management of confidential documents acted unintentionally. CM-2 Baseline Identification & Responsibility
This can be classified as “accidental information disclosure.” Configuration 4.2.1 Classification of
CM-8 Information Information Asset and its
1. Know and
System Component Treatment
protect your
4.2 Limitations of K-ISMS critical assets
Inventory 13.1 IT Disaster Recovery
PM-5 Information System Construction
Insiders - employees, contractors, consultants, and System Inventory 13.2 Recovery Measures
suppliers - are as much of a threat to the security of an PM-8 Critical Implementation
Infrastructure Plan N/A (A.17.2.1)
organization as outsiders. For instance, an Advanced RA-2 Security N/A (CM-2, PM-5, PM-8)
Persistent Threat (APT) attack, which is the biggest threat to Categorization
an organization’s information security, makes use of insider 1.1 Security Policies Approval
threats. To achieve its security goals, an ISMS must reflect the and Publication
real security threats an organization is facing. The 1.3 Security Policies
4. Beginning PS-1 Personnel
maintenance and management
organization must therefore implement policies, procedures, with the Security Policies and
2.2 Role and Responsibility
tools, or strategies to effectively respond to insider threats. hiring Procedures
5.1 Review compliance with
process, PS-2 Position Risk
However, the ISMSs do not assess how effectively an monitor and Designation
legal requirements
organization responds to and manages insider threats, and (management section)
respond to PS-3 Personnel
6.1 Information Security Role
even ISMS-certified organizations rarely implement such suspicious or Screening
Responsibility
policies, procedures, or tools. This leads to insider breaches disruptive PS-8 Personnel
6.2 Personnel Policies
behavior. Sanctions
of information systems and information leakages. An 11.1.1 Establishment of
organization must apply risk assessment, develop strategies to Operating Procedures
N/A (PS-2)
address insider threats, and incorporate those strategies into
each area of the ISMS. As long as ISMSs such as K-ISMS fail
Appendix C of the Guide provides a mapping between best
to consider insider threats, organizations must act on their
practices and the security controls of NIST SP 800-53 [5].
own initiative.
Appendix H of NIST SP 800-53 provides a mapping between
NIST SP 800-53 and ISO 27001 [13]. The two mappings were
4.3 Extension of K-ISMS to Insider Threats sequentially used to link the best practices, NIST SP 800-53
security controls, and K-ISMS controls. The notation “N/A
4.3.1 ISMS Extension Strategy for Insider Threats (control name)” in the table indicates that no security control
When considering the extension of K-ISMS to insider corresponds to the “control name” belonging to the reference
threats, we referred to the CERT Guide, NIST Special domain. BP 1 “Know and protect your critical assets”
Publication 800-53, and ISO/IEC 27001:2013 [5, 13, 15]. The corresponds to the security controls CP-2 (8), CM-2, CM-8,
CERT Guide provides a mapping from best practices to the PM-5, PM-8, and RA-2 of NIST SP 800-53. CP-2 is mapped
security controls of NIST SP 800-53. It is one of seven NIST to A.6.1.1, A.17.1.1, and A.17.2.1 of ISO 27001 [13]. The
special publications supporting the FISMA, which is the security control A.6.1.1 “Information security roles and
national standard for ISMSs in the U.S.. It provides a mapping responsibilities” of ISO 27001 is mapped to 2.2 “Roles and
of security controls to ISO 27001, which are in part similar or responsibilities” of K-ISMS, and A.17.1.1 “Planning
identical to those in K-ISMS. K-ISMS certification therefore information security continuity” is mapped to 13.1 “IT disaster
omits 50 redundant items to avoid duplication of auditing with recovery system construction” and 13.2 “Recovery measures
ISO 27001 [27]. To derive extensions to the K-ISMS implementation.” There are no security controls within K-
certification criteria, we compared its security controls with ISMS that map to A.17.2.1 “Availability of information
the best practices against insider threats from the CERT Guide processing facilities” or to CM-2, PM-5, or PM-8. For BP 4
and the security controls of NIST SP 800-53. “Beginning with the hiring process, monitor, and respond to
4.3.2 Comparative Analysis: Insider Threat Best suspicious or disruptive behavior,” there is no security control
Practice Mapped to Security Controls of K-ISMS mapped to PS-2. If the same procedure is applied
Best Practices (BP) are mapped to security controls in NIST to all 20 BPs, it is possible to derive all the security controls of
SP 800-53. The security controls derived from the mapping NIST SP 800-53 that concern insider threats. It also becomes
were then mapped to those of ISO 27001 and K-ISMS, possible to exhaustively list the security controls that are
respectively. Some of these mappings are presented in Table 1. missing from K-ISMS.

ISBN: 1-60132-467-7, CSREA Press ©

Int'l Conf. Security and Management | SAM'17 | 65

4.3.3 Derivation of Security Controls to Extend K-ISMS amendment to K-ISMS. Security countermeasure 5
Appendix G of NIST SP 800-53 provides information “Information Security Training” was amended by NIST
security programs with control and supplementary guide [13]. control AT-3*, and 6 “Human Security” by PS-2. 8 “System
We next compared them with the control objectives of K- Development Security” was amended by many controls in
ISMS. Since the K-ISMS certification system is operated NIST and ISO 27001, which should be considered when
separately from the cloud services security certification system, developing and operating configuration management and
BP 16 “Define explicit security agreements for any cloud information system integrity.
service, especially access restrictions and monitoring
capabilities” was excluded from the analysis. Table 2 shows 5 Analysis and Evaluation
part of the security controls that are absent from K-ISMS or
that require amendment when implementing the 19 BPs. An 5.1 Comparison of the Defense Network Hacking
asterisk (*) indicates a security control that is absent from K- Incident with Best Practice
ISMS and its corresponding ISO control does not fully satisfy
the NIST security control. The causes of the hacking incident can be classified into
four security failures: supply chain assurance, network access,
TABLE 2 Best Practice and K-ISMS Amendment Security security awareness, and monitoring and audit. In each security
Controls area, insider threats and BP for mitigating them were analyzed.
Best Practice K-ISMS Amendment The BPs and corresponding K-ISMS amendments are
summarized in Table 4. These amendments extend K-ISMS to
4. Beginning with the hiring
process, monitor and respond to PS-2 Position Risk Designation
deal with insider threats.
suspicious or disruptive behavior.
6. Consider threats from insiders TABLE 4 Extended K-ISMS Based on Defense Network
RA-3* Risk Assessment
and business partners in
enterprise-wide risk assessments.
PM-9 Risk Management Strategy Hacking Case
Security BP K-ISMS
Insider threat
Area No amendment
4.3.4 K-ISMS Extension
Vaccine vendor: concealed
Some of the security controls related to 19 BPs were vaccine hack and
mapped, as shown in Table 1. The mapping was used to derive Supply chain
vulnerabilities.
possible K-ISMS amendments from NIST SP 800-53 and ISO Employer of DIDC partner 6 RA-3, PM-9
assurance
(outsourcer): ignored security
27001. These are not currently included in K-ISMS, as shown or made mistakes, violating
in Table 2. The derived K-ISMS amendments were given a network access policy.
definition and implemented according to their own standards Outsourcer of DIDC: AC-16, AC-
[13, 15]. For extension to K-ISMS, the security controls have neglected change control 21, AC-22,
procedures CM-2, CM-6,
been arranged to match the relevant management section and Inspector of DIDC: 3, 8, CM-7, SC-4,
Network
TABLE 3 Positioning of Security Controls from NIST SP inspection or supervision 14, A.12.5.1*,
access
failed. 17, A.14.1.2,
800-53 and ISO 27001 as K-ISMS Amendments control
Server/network administrator 19 A.14.1.3,
of DIDC: knowingly left two A.14.2.2,
K-ISMS NIST SP 800-53 ISO 27001 networks connected. A.14.2.3,
5.Information Managers: supervision failed. A.14.2.4
AT-3* Role-Based All insiders: lack of security
Security Security
Security Training awareness/training or 4, 9 PS-2, AT-3*
Training awareness
6. Human PS-2 Position Risk expertise.
Security Designation Lack of system monitoring
A.14.1.2 Securing application and alerts.
CM-2 Baseline Monitoring Logging and reporting failed 12, AU-2, AU-7
services on public networks
Configuration and audit on network access control 13 A.14.1.2
A.14.1.3 Protecting
CM-6 Configuration and data leakage.
application services
Settings Audit failed.
transactions
8. System CM-7 Least
A.14.2.2 System change
Development Functionality
control procedures
Security SC-4 Information in
A.14.2.3 Technical review of
Shared Resource
SA-5 Information
applications after operating 5.2 Application to K-ISMS Extension of Defense
platform changes
System
A.14.2.4 Restrictions on Network Hacking Incident
Documentation
changes to software packages
The K-ISMS extension was applied to the defense
network hacking incident to test its effectiveness in insider
security countermeasure, as shown in Table 3. Table 3 shows threat management.
only three sets of countermeasures. An asterisk (*) indicates
that the security control should be partially considered as an

ISBN: 1-60132-467-7, CSREA Press ©

66
y Supply chain assurance: While conducting risk
assessment, the organization develops a comprehensive
strategy to manage risk to its operations and assets, to
individuals, and to other organizations (RA-3, PM-9). It
then implements a risk management strategy consistently
across the organization, and reviews and updates the
strategy as required, to address organizational change.
For supply chain assurance, DIDC should have
developed a strategy to manage the risk to critical assets
such as vaccine relay server and network separation. This
strategy would be applied to individuals, including the
outsourcer, security auditor, officers authorized to have
access to confidential information, and to business
partners such as the vaccine vendor.
y Network access control: Security attributes are typically
associated with the internal data structures of the
information system and are used to implement access
control and flow control policies. They control handling
and distribution or support other aspects of information
security policy (AC-16). The organization facilitates
information sharing by enabling authorized users to
determine whether the access authorization assigned to
the sharing partner match the access restrictions placed
on the information. Organization-defined automated
mechanisms or manual processes can be employed to
assist users in making decisions on information sharing
and collaboration (AC-21). In defense network hacking
incident, a confidential information with organization-
defined security associates can control the access and
information sharing of authorized users. The
organization develops, documents, and maintains under
configuration control. Separation of networks must be
highlighted in the baseline configuration (CM-2) and
configuration setting (CM-6) of all information systems
and interconnection of the networks prohibited or
restricted (CM-7). System change control procedures
(A.14.2.2), technical review of applications after
operating platform changes (A.14.2.3), restrictions on
changes to software packages (A.14.2.4) and installation
of software on operational system (A.12.5.1) reflect the
need for adjustment highlighted by the military case.
y Security awareness and training: The organization
assigns a risk designation to all positions and establishes
screening criteria for individuals filling those positions
(PS-2). Position risk designations guide and inform the
type of authorization an individual receives. Position
screening criteria include the explicit requirements for
appointment for information security role. In the case,
security role appointment of insiders - administrator of
DIDC, inspector, auditor - is not adequate for the
assigned roles. If position risk designation is managed
and employees are satisfied with the screening criteria,
then the timely response and behavior of insiders may
improve. The organization provides role-based security
training to personnel assigned security roles and
ISBN: 1-60132-467-7, CSREA Press ©
Int'l Conf. Security and Management | SAM'17 |
responsibilities before authorizing access to the
information system or allowing them to perform the
assigned duties (AT-3). The organization determines the
appropriate content of the security training, based on the
assigned role and responsibilities of each individual, and
on the specific security requirements. If DIDC had
provided adequate security-related training to insiders,
specifically tailored to their assigned duties, the
inadvertent security breaches could have been effectively
prevented.
y Audit and Monitoring: The organization determines the
auditable events and provides a rationale for deeming the
auditable events adequate to support investigations of
security incidents (AU-2). In the DIDC case, this would
have addressed the linking of the Internet and the
military intranet, and the use and sharing of confidential
information.
6 Conclusions and Further Work
We analyzed the defense network hacking incident to
identify the limitations of the existing ISMS. The incident
involved both insider threats and an APT attack by external
hackers. The ISMS was unable to counter the insider threats.
Very little information is available on domestic insider threat
incidents. We therefore identified BP for coping with insider
threats from the comparative analysis of over 1000 cases by
the Carnegie Mellon University's SEI. We derived an
exhaustive list of proposed amendments to security controls
for insider threat management from the controls in NIST SP
800-53 and the mapping between NIST and ISO 27001. We
proposed extensions to K-ISMS based on the security control
amendments identified and validated these by application to
the defense network hacking incident.
The security controls of K-ISMS can be improved by the
addition of these amendments. The control areas, control
objectives, control contents, and check items used to achieve
the control objectives can be re-specified for each area. The
proposed K-ISMS extensions can be applied directly to the
ISMS certification system, for implementation in a number of
industrial areas, particularly in financial and medical services.
The strategy detailed in this study can be extended to the
security management systems of cloud service providers.
7 References
[1] Lee Yong-soo, “N. Korea hacks into secret war plans,”
April 04, 2017, retrieved on Apr. 14, 2017 from
http://english.chosun.com/site/data/html_dir/2017/04/04/2017
040401234.html.
[2] Kang Jeong-gyu, “[Exclusive] Suspicious security
company employee. disappeared after hacking incident,”
Int'l Conf. Security and Management | SAM'17 |
April 10, 2017, Retrieved on Apr. 14, 2017 from
http://www.ytn.co.kr/_ln/0101_201704100506120939.
[3] Kim Seongju, “Analysis of the cause of the outbreak of
the military operation plan and measures to prevent
recurrence,” April 10, 2017, Retrieved on Apr. 14, 2017 from
http://amhoin.blog.me/220982023410.
[4] Glenn Greenwald, Ewen MacAskill, Laura Poitras.
"Edward Snowden. the whistleblower behind the NSA
surveillance revelations. (Guardian News and Media
Limited)." Retrieved on Apr. 14, 2017 from
https://www.theguardian.com/world/2013/jun/09/edward-
snowden-nsa-whistleblower-surveillance.
[5] Matthew Collins, Michael Theis, Randall Trzeciak,
Jeremy Strozer, Jason Clark, Daniel Costa, Tracy Cassidy,
Michael Albrethsen, Andrew Moore, "Common sense guide
to mitigating insider threats", 5th Edition, TR, Dec. 2016,
http://resources.sei.cmu.edu/library/asset-
view.cfm?assetid=484738, checked on 2017/5/15.
[6] Price Waterhouse Cooper; CSO Magazine; U.S. Secret
Service; Deloitte; and Software Engineering Institute CERT
Division at Carnegie Mellon University. "Key Findings from
the 2015 U.S. State of Cybercrime Survey." 2015..
[7] Shey, Heidi. “Understand the state of data security and
privacy: 2015 To 2016.” Forrester Research, Inc., 8 Jan. 2016.
[8] Forrester Research, Inc. “Global business
technographics security survey, 2015.” July 2015.
[9] Forcepoint, "2016 Global Threat Report", 2016.
[10] Ponemon Institute LLC. “Ponemon study: The
unintentional insider risk in United States and German
organizations.” July 30, 2015.
[11] Forrester Research, Inc. “Global business
technographics devices and security workforce survey, 2015.”
August 2015.
[12] Korea Internet & Security Agency, “An introduction of
ISMS certification system,” retrieved on Apr. 14, 2017 from
https://isms.kisa.or.kr/main/isms/.
[13] Blank, R. M., P. D. Gallagher, and Joint Task Force
Transformation Initiative Interagency Working Group. “NIST
Special Publication 800-53, Security and Privacy Controls for
Federal Information Systems and Organizations, Revision 4.”
Washington, DC: National Institute of Standards and
Technology (NIST) (2013).
[14] Korea Internet & Security Agency, Information security
management system (isms) certification guideline (2013).
ISBN: 1-60132-467-7, CSREA Press ©
67
[15] ISO, "ISO/IEC 27001:2013(en)," Retrieved on April 14,
2017 from https://www.iso.org/obp/ui/#iso:std:iso-
iec:27001:ed-2:v1:en.
[16] Korea Internet & Security Agency, "Information security
management system (ISMS) certificate Issue, retrieved on
April 14, 2017, from https://isms.kisa.or.kr/main/isms/issue/.
[17] Kim Ki-hong, “Future creation science department,
information security management system certification system
development direction,” 2017 Information Security
Management System (ISMS), April 27, 2017.
[18] Kim Jin-pyo, National Assembly Member of Defense,
Department of Defense Parliamentary audit Press reference
materials, “Cybercommand hacked,” October 5, 2016.
[19] Department of Defense, Investigation findings regarding
military hacking incidents, December 6, 2016.
[20] Lee Cheolhee, Recording of National Defense
Committee Issue Question and Answer, Dec. 12, 2016,
retrieved on May 10, 2017 from
https://www.youtube.com/watch?v=K4DYYacmqx0&t=569s.
[21] Lee Daeyoung, “An overview and analysis of the Korea
military intranet hacking,” Dec. 7, 2016, retrieved on April 24,
2017 from http://www.itworld.co.kr/news/102451.
[22] Kim Kookbae, “Department of Defense concludes that
the defense network hacking incident was caused by North
Korea hacker ,” May 2, 2017,
http://news.inews24.com/php/news_view.php?g_serial=10211
70&g_menu=020200 , checked on 2017/5/15.
[23] Lee Chi-dong, “S. Korea military says N. Korea behind
last year's hacking attack,” 2 May 2017,
http://english.yonhapnews.co.kr/national/2017/05/02/0301000
000AEN20170502007600315.html, checked on 2017/5/15.
[24] Park Byungsoo, “Defense network hacking conclude
overall security hazard,” May 02, 2017, retrieved on May 15,
2017 from
http://www.hani.co.kr/arti/politics/defense/793223.html.
[25] Pan Jongbin, “Military intranet hacking connected
Shenyang, China, similar to malicious codes by North Korea,”
December 06, 2016, retrieved on May 15, 2017 from
http://www.yonhapnews.co.kr/bulletin/2016/12/06/020000000
0AKR20161206027151014.HTML.
[26] Korea Internet & Security Agency, Future Creation
Science Notice 2016-59, "[Attachment 4] Scope of the partial
omission of the information security management system
certification examination (related to Article 17)".