Due to the rapid growth of the Internet and IT environment, various industry environments have undergone rapid change caused by informatization. Accordingly, as an adverse effect thereof, problems such as information leakage have occurred. Also, the advent of new hacking techniques and viruses, security risks caused by insiders, physical security risks, and the like are on the increase.
Conventional risk measurement systems are vulnerability analysis and evaluation systems configured to check known vulnerabilities inherent in a network or information system and to compute the degree of vulnerability of that network or system. They cannot, however, analyze all of the threats and vulnerabilities relevant to information security in order to compute an information security risk index.
Meanwhile, in general, each person has a different standard for evaluating value. In particular, because of the organic correlation of information, it is difficult to simply measure the present value of a single piece of information. Therefore, it is necessary to evaluate the value of information in an integrated manner and to control information security appropriately based on the result of the evaluation.
In this regard, Korean Patent Laid-open Publication No. 10-2002-0064639 (entitled “Information risk analysis method using integrated approach of case based reasoning and structured analysis methodology”) suggests a method of rapidly analyzing an information security risk by automatically providing the result of a risk analysis evaluation of a new organization using the most similar previous risk analysis case.
However, this is an analysis method that uses attribute information of a specific organization, and it cannot produce a risk index by computing the degree of information security risk of each organization and industry field across a broad range such as a country.
That is, in order to compute an information security risk index in a broad range, past analysis experience and knowledge of similar organizations, based on a specific organization, are reused without consideration of the information technology environments of organizations by industry and size, and between organizations.