This application claims the priority of Korean Patent Application No. 10-2004-0079857, filed on Oct. 7, 2004, in the Korean Intellectual Property Office, the disclosure of which is incorporated herein in its entirety by reference.
1. Field of the Invention
The present invention relates to a method for analyzing a security grade of an information property, and more particularly, to a method by which a security grade (a risk degree in security) is analyzed objectively and quantitatively such that risk degree management of an information property can be efficiently performed.
2. Description of the Related Art
Thanks to the recent rapid development of network and communications infrastructure, the use of information systems by public organizations as well as private companies has been increasing rapidly. As a result, risks or weak points in security that can occur in a network environment or on the Internet may be misused by malicious attackers inside or outside an organization.
Accordingly, it is necessary to identify the possibility of such damage beforehand by accurately analyzing the security risk degree of an information property, and to maximize security by preparing preventive measures. However, at present, when safeguards are applied, there are no accurate criteria for determining how high the security grade of a network currently is (AS-IS) and how far the security grade should be raised by applying safeguards (TO-BE).
With the risk degree analysis and weak point analysis methods suggested and performed so far, it is difficult to analyze a risk degree that considers the technological area, the managerial area, and the physical area all together. When the number of properties is large, actual inspection of so many information properties may consume much time, and there is a drawback in that it is difficult to separately manage a part desired by an organization.
That is, when a given company desires to intensively manage technological weak points, if a risk analysis method that collectively calculates the physical and/or managerial risk degrees all together is applied, the calculation and risk analysis evaluation take a long time on each occasion, and there is a drawback in that immediacy cannot be maintained. In particular, when a safeguard for information security is first applied, in many cases it is difficult to improve security evenly across the managerial, physical, and technological aspects. Accordingly, there is a need to enable selection, by stage, of the security area regarded as more important when a safeguard is employed.