Contents
I. Introduction .......................................................... 1
II. Information Security Infrastructures and Environments ................ 3
1. Information Security Policy and Organization .......................... 3
2. Information Security Awareness and Environments ....................... 5
3. Information Security Training Implementation Status ................... 7
4. Information Security Investment Status ................................ 9
III. Information Security Measures ....................................... 11
1. Status of Information Security System and Service Introduction ........ 11
2. New Service Introduction and Security Measures ........................ 14
3. Security Management ................................................... 18
IV. Personal Information Security Measures ............................... 22
1. Personal Information Security Policy .................................. 21
2. Personal Information Processing System Management and Access Control .. 29
3. Security Server Implementation and i-PIN Service Introduction ......... 32
V. Incident Handling and SPAM Control .................................... 36
1. Incident Handling ..................................................... 36
2. SPAM Control .......................................................... 42
VI. Incident Damages ..................................................... 46
1. Damage Status ......................................................... 46
I. Introduction
Population: All nationwide businesses with an employee count of 5 or more that hold one or more network-connected computers
Sample Eligibility: Nationwide businesses with an employee count of 5 or more in 18 industrial fields out of the 20 large categories of the Korean Standard Industrial Classification, excluding domestic services, international and foreign organizations and automobile-related wholesale/retail business (G50) (a total of 531,345 businesses), that hold one or more network-connected computers (a total of 301,981 businesses)
Sample Size: 6,529 businesses
Data Collection: By calling on and interviewing persons in charge of electronic data processing and general affairs
Fieldwork Period: Sep. 1, 2010 ~ Oct. 31, 2010
Sampling Method: Multi-stage stratified systematic sampling
- Businesses are stratified in two stages by industrial classification and scale. Then, each business is lined up by region and systematic sampling is conducted.
Sampling Error: CISO appointment rate ±0.84%p (95% confidence level)
Glossary
Personal Information: All information indicating facts about an individual's physical information, assets, social position and status, as well as judgment and assessment of the facts
Cloud Computing Service: This service allows a user to use the IT resources of hardware and software as much as and when necessary by paying for only the amount of service used. Users connect to a centralized computer using Internet accessing devices and can have the required IT resources provided.
Mobile Office: An office on the move where work processing is possible on a real time basis both in and outside of an office space by using a variety of IT devices, such as laptop computer and smart phone
Security Server: A security server encrypts and transmits personal information between the user PC and the web server on the Internet. This server validates the existence of a company for electronic transactions and ensures secure electronic transactions by forming a secure channel through encryption/decryption of data transmitted between the web browser and the web server.
i-PIN (Internet Personal Identification Number): As a means of user identification using ID and password in place of the resident registration number when a user signs up for membership and uses other services on the Internet, i-PIN minimizes the risk of resident registration number leakage.
Information Security Incident: Attack on a computer or network that damages the confidentiality, integrity or availability of network data or a system
II. Information Security Infrastructures and Environments
1. Information Security Policy and Organization
A. Status of Information Security Policy Establishment
Of businesses with an employee count of 5 or more and one or more network-connected
computers as of December 2009, 25.8% had established officially defined and documented
information security policies. This was an increase of 4.6%p from 2008.
Of businesses with an employee count of 5 or more and one or more network-connected
computers as of December 2009, 25.5% had established and were implementing internal users'
information security guidelines for PC security. This was an increase of 2.9%p from 2008.
<Fig. 2-1> Status of Information Security Policy Establishment and User PC Information Security Guidelines Establishment/Implementation (Unit: %)
Item                                                                          2008   2009
Establishment of information security policy                                  21.2   25.8
Establishment and implementation of user PC information security guidelines   22.6   25.5
B. Information Security Personnel and Organization
Of businesses with an employee count of 5 or more and one or more network-connected
computers as of December 2009, it was found that 18.7% had explicitly appointed a
CIO (chief information officer) and 14.5% had appointed a CISO (chief information
security officer) pursuant to organization rules, etc.
Of businesses collecting personal information through websites (with an employee count
of 5 or more and one or more network-connected computers), 44.8% were explicitly
appointing CPO (chief privacy officer).
<Fig. 2-8> Explicit Appointment of IT-related Officers (Unit: %)
Officer                                      2008   2009
Chief Information Officer (CIO)              18.6   18.7
Chief Information Security Officer (CISO)    14.6   14.5
Chief Privacy Officer (CPO)                  43.3   44.8
· Multiple responses per IT-related officer
Of businesses with an employee count of 5 or more and one or more network-connected
computers as of December 2009, it was found that 14.5% were officially installing and operating
information security handling teams. This was an increase by 6.2%p from 2008. In addition,
of businesses collecting personal information (with an employee count of 5 or more and one
or more network-connected computers), 37.2% were installing and operating personal information
security handling teams, which increased by 3.0%p from 2008.
<Fig. 2-10> Official Installation and Operation of IT Teams (Unit: %)
2008 2009
Information Security Team 8.3 14.5
Personal Information Security Team 29.7 32.7
2. Information Security Awareness and Environments
A. Sources of Information Security Threats
A source of information security threats the businesses were most worried about was found
to be the 'computer criminals, such as illegal hackers (44.8%)'. It was followed by 'employees
that have resigned (19.1%)' and 'employees currently working in the company (14.9%)' (based
on the first choice).
<Fig. 2-14> Sources of Information Security Threats (Unit: %)
Type                                            First Choice   First Choice + Second Choice
Computer criminals, such as illegal hackers     44.8           61.7
Employees that have resigned                    19.1           35.7
Employees currently working in the company      14.9           24.3
Competing companies, industrial spies           9.9            28.1
Organized criminals, such as cyber terrorists   6.0            25.7
Others                                          0.7            1.5
None                                            4.6            4.6
· Multiple responses on two items in the order of importance
B. Information Security Awareness
Businesses with an employee count of 5 or more and one or more network-connected computers
as of December 2009 were assessed in terms of the degree to which information security is
considered when the management, such as the CEO, establishes management plans. It was found that
most businesses recognized it as an important factor in establishing management plans:
63.4% responded that 'it is considered important (4 points + 5 points)', which is significantly
higher than the percentage responding that 'it is considered not important (1 point + 2 points)'.
The degree to which information security is considered when the management, such as the CEO, establishes
management plans was assessed on a 5-point scale and the average was found to be 3.9 points.
<Fig. 2-16> Degree of Awareness of the Importance of Information Security by the Management (Unit: %)
Importance                 Point   Percentage
Absolutely not important   1       1.8
Not important              2       6.5
So-so                      3       28.3
Important                  4       30.9
Very important             5       32.5
Mean: 3.9 points   Important: 63.4%
Businesses with an employee count of 5 or more and one or more network-connected computers
as of December 2009 were questioned on the degree of their employees' recognition of the
importance of information security and the results showed that most employees recognized
information security to be important.
The percentage of responses that 'it is considered important (4 points + 5 points)' was 61.3%,
which was higher than the percentage of responses that 'it is not considered important (1
point + 2 points)'. The level of employees' recognition of the importance of information security
was assessed in a scale of 5 points and the average point was found to be 3.8. This was
slightly lower than the degree of recognition of the importance of information security by
the management.
<Fig. 2-17> Employees' Recognition of the Importance of Information Security (Unit: %)
Importance                 Point   Percentage
Absolutely not important   1       1.6
Not important              2       7.4
So-so                      3       29.7
Important                  4       31.0
Very important             5       30.3
Mean: 3.8 points   Important: 61.3%
3. Information Security Training Implementation Status
Of businesses with an employee count of 5 or more and one or more network-connected
computers as of December 2009, 18.4% were found to be implementing information security
training for their employees including commissioned training.
<Fig. 2-18> Status of Information Security Training Implementation (Commissioned Training Included) (Unit: %)
                                                         Not Implemented   Implemented
Status of Information Security Training Implementation   81.6              18.4
Businesses implementing information security training (with an employee count of 5 or more
and one or more network-connected computers) as of December 2009 were questioned on
the status of information security training implementation per program. The results indicated
that 'basic information security training for general employees' was most frequently implemented.
The percentage of personal information collecting businesses (with an employee count of 5
or more and one or more network-connected computers) implementing 'personal information
security training for personal information security managers' was found to be high at 60.5%
(mandatory training + selective training when necessary).
<Fig. 2-21> Status of Information Security Training Program Implementation (Unit: %)
Program                                                                                        Mandatory Training   Selective Training when Necessary   Not Implemented   N/A
Information security awareness and management training for the management including the CEO   32.5                 20.0                                47.5              -
Information security management training for information security handling officers           33.2                 19.4                                21.4              26.0
Practical information security training for the IT and information security staff             32.8                 18.7                                19.7              28.8
Basic information security training for the general public that use computers                 50.3                 32.1                                17.6              -
Personal information security training for personal information security managers             40.9                 19.6                                39.5              -
· Multiple responses per information security training program
· Basis of responses on personal information security training for personal information security managers: personal information collecting businesses
4. Information Security Investment Status
Businesses with an employee count of 5 or more and one or more network-connected computers
over the course of one year in 2009 were questioned on the percentage of investment in
information security to overall information investment. For this question, 63.5% of the businesses
responded that they had 'no information security expenses'.
<Fig. 2-25> Percentage of Information Security Investment to Overall Information Investment (Unit: %)
Percentage of Information Security Investment to Overall Information Investment   2010
No information security expenses                                                  63.5
Invested in information security (36.5%)   Less than 1%                           17.9
                                           1% ~ less than 3%                      7.9
                                           3% ~ less than 5%                      4.7
                                           5% ~ less than 7%                      2.7
                                           7% ~ less than 10%                     2.3
                                           10% or higher                          1.0
Don't know/ no response                                                           -
· Information Investment: Cost of purchasing, maintaining and repairing hardware, software and network for internal information system establishment
· Information Security Investment: As a part of information expenses, information security investment refers to the cost of purchasing, maintaining and repairing firewall, intrusion detection system, intrusion prevention system, virus vaccine and security services.
Of 10 businesses that made information security investments over the course of one year
in 2009 (with an employee count of 5 or more and one or more network-connected computers),
8 (77.7%) were found not to have fluctuations in the information security investment amounts.
19.9% of the businesses responded that their information security investments had increased
from 2008. This was higher than 2.4% of businesses responding that the investments had
decreased from 2008.
<Fig. 2-28> Information Security Investment Fluctuations (Unit: %)
Investment Scale Fluctuation
50% or more 0.6
40 ~ 50% 0.2
30 ~ 40% 0.6
20 ~ 30% 1.3
10 ~ 20% 4.2
~ 10% 13.0
~ -10% 1.4
-10 ~ -20% 0.4
-20 ~ -30% 0.2
-30 ~ -40% 0.1
-40 ~ -50% 0.1
-50% or less 0.2
Summary: Increase 19.9   No Change 77.7   Decrease 2.4
III. Information Security Measures
1. Status of Information Security System and Service Introduction
A. Information Security System Introduction
Of businesses with an employee count of 5 or more and one or more network-connected computers
as of December 2009, 81.7%, the highest percentage, were currently using 'virus vaccine'
among the 'anti-virus' products. This was followed by 49.7% using 'PC firewall' among the 'intrusion
prevention system' products.
<Fig. 3-2> Information Security Products Use: All Businesses (Unit: %)
Name Percentage
Virus Vaccine 81.7
PC Firewall 49.7
Network (System) Firewall 29.1
Anti Spyware 29.1
Anti-SPAM S/W 22.1
Anti Phishing 18.0
PC Security (Information Leakage Prevention) 15.2
Unified Threat Management (UTM) 12.3
Intrusion Prevention System (IPS) 11.4
Secure OS 9.6
Security Smart Card 9.3
Security USB 8.9
Enterprise Security Management (ESM) 8.3
One Time Password (OTP) 7.2
<Fig. 3-2> Information Security Products Use: All Businesses (continued) (Unit: %)
Name Percentage
Intrusion Detection System (IDS) 6.5
Virtual Private Network (VPN) 5.9
Log Management/ Analysis Tool 5.7
Patch Management System (PMS) 5.3
Resources Management System (RMS) 4.4
Threat Management System (TMS) 3.7
Extranet Access Management (EAM) 2.8
Biometrics 2.7
H/W Token (HSM) 2.6
Integrated Account Management (IM/ IAM) 2.3
Vulnerability Analysis Tool 2.1
Digital Rights Management (DRM) 2.1
Public Key Infrastructure (PKI) 2.0
Single Sign on (SSO) 1.6
Of businesses that have servers (with an employee count of 5 or more and one or more
network-connected computers) as of December 2009, 76.0%, the highest percentage, were
found to be currently using 'web firewall' of the 'intrusion prevention system' products. In
addition, the percentages of using 'DDoS blocking system' of the 'intrusion prevention system'
products and of using 'DB security' of 'DB/ contents security' products were found to be 30.1%
and 28.6% respectively.
<Fig. 3-3> Information Security Products Use: Businesses with Servers (Unit: %)
Name    Web Firewall   DDoS Blocking System   DB Security   DB Encryption   Network Access Control (NAC)   Wireless LAN Authentication (WLAS)
Ratio   76.0           30.1                   28.6          22.8            22.5                           20.2
· Multiple responses per the status of using products
B. Information Security Operation Outsourcing Status
Of businesses with an employee count of 5 or more and one or more network-connected
computers as of December 2009, it was found that 9.6%, an increase by 0.2%p from
2008, were outsourcing information security operation to outside companies.
<Fig. 3-5> Information Security Operation Outsourcing Status (Unit: %)
Item                                                             2008   2009
Organization specializing in information security operation      9.4    9.6
2. New Service Introduction and Security Measures
A. SNS Utilization and Security Measures
Businesses with an employee count of 5 or more and one or more network-connected
computers as of December 2009 were questioned on the status of using social network
service (SNS). The results indicated that 9.0% were utilizing SNS (corporate SNS
implemented and used in internal communication: 6.0%/ company's official SNS account
operated and utilized in marketing: 3.0%). On the other hand, 64.7%, the highest
percentage, responded that 'SNS is not necessary due to characteristics of work'. In
addition, percentage of businesses 'not using SNS (25.0%)' or 'blocking SNS access
through internal network (3.3%)' was also found to be high.
<Fig. 3-8> SNS Utilization (Unit: %)
SNS Utilization                                                                   2009
SNS not necessary due to characteristics of work                                  64.7
Not utilizing SNS                                                                 25.0
Corporate SNS implemented and used in internal communication                      6.0
Blocking SNS access through internal network                                      3.3
Operating the company's official SNS account and utilizing it in marketing, etc.  3.0
· Social Network Service (SNS): Service to assist in the formation of a human network among people who share the same interests through online channels (Cyworld, Twitter, Facebook)
· Multiple responses per type of SNS utilization
Of businesses with an employee count of 5 or more and one or more network-connected
computers as of December 2009, 6.5% were found to have established security policy and
guidelines for SNS utilization by internal employees.
<Fig. 3-9> Establishment of Security Policy and Guidelines for SNS Utilization (Unit: %)
Establishment of Security Policy and Guidelines for SNS Utilization   2009
Established                                                           6.5
Not established                                                       93.5
B. Wireless LAN Utilization and Security Measures
Of businesses with an employee count of 5 or more and one or more network-connected
computers as of December 2009, 22.8% were found to have implemented an
environment for wireless LAN use. In addition, it was found that 2.5% of the
businesses were banning wireless Internet use as a matter of policy.
<Fig. 3-10> Wireless LAN Environment Implementation (Unit: %)
Wireless LAN Environment Implementation              2009
Implemented                                          22.8
Not implemented                                      74.7
Banning wireless Internet use as a matter of policy  2.5
· Wireless LAN (WLAN): Environment for wireless Internet service use where Internet service is accessed by
installing wireless connection devices, such as wireless router, etc.
Of businesses that had implemented environments for wireless LAN use (with an employee
count of 5 or more and one or more network-connected computers) as of December 2009,
46.6% had established and were operating security policy in relation to wireless LAN use.
<Fig. 3-13> Establishment and Operation of Wireless LAN Security Policy (Unit: %)
Establishment and Operation of Wireless LAN Security Policy 2009
Wireless LAN security policy established 46.6
Wireless LAN security policy not established 53.4
C. Cloud Computing Service Utilization and Security Measures
Of businesses with an employee count of 5 or more and one or more network-connected
computers as of December 2009, it was found that 4.3% were using cloud computing service
and 3.8% were planning to use the service in 1 ~ 2 years' time.
<Fig. 3-17> Cloud Computing Service Utilization (Unit: %)
Cloud Computing Service Utilization 2009
Currently using the service 4.3
Planning to use the service in 1 ~ 2 years 3.8
Using the company's own cloud computing service 1.0
No intention of use 90.9
· Cloud Computing Service: This service allows a user to use the IT resources of hardware and software as
much as and when necessary by paying for only the amount of service used. Users connect to a
centralized computer using Internet accessing devices and can have the required IT resources provided.
The previously used services, such as web mail, blog, web hard and web hosting services provided by web
portals, are excluded.
Of businesses using or planning to use cloud computing service as of December 2009, 41.9%
were found to have established security measures in relation to cloud computing service use.
<Fig. 3-18> Establishment of Cloud Computing Service Security Measures (Unit: %)
Establishment of Cloud Computing Service Security Measures 2009
Cloud computing service security measures established 41.9
Cloud computing service security measures not established 58.1
D. Mobile Office Implementation, Operation and Security Measures
Of businesses with an employee count of 5 or more and one or more network-connected
computers as of December 2009, 5.3% responded that they had implemented and were in
the process of operating mobile office. 4.7% responded that they had plans to implement
mobile office system in 1 ~ 2 years' time.
<Fig. 3-20> Mobile Office Implementation and Operation (Unit: %)
Mobile Office Implementation and Operation                          2009
Mobile office implemented and operated                              5.3
Planning to implement and operate mobile office in 1 ~ 2 years      4.7
Not implemented                                                     90.0
· Mobile Office: An office on the move where work processing is possible on a real time basis both in
and outside of an office space by using a variety of IT devices, such as laptop computer and smart
phone
Of businesses that have implemented and are operating mobile office or that are planning
to implement mobile office in the future (with an employee count of 5 or more and one
or more network-connected computers), 40.3% have established appropriate security measures
for the introduction of a mobile office system.
<Fig. 3-23> Establishment of Mobile Office Security Measures (Unit: %)
Establishment of Mobile Office Security Measures 2009
Mobile office security measures established 40.3
Mobile office security measures not established 59.7
3. Security Management
A. Periodic Security Check Implementation
Of businesses with an employee count of 5 or more and one or more network-connected
computers as of December 2009, 49.3%, an increase by 10.9%p from 2008, were administering
security check on a regular basis.
<Fig. 3-25> Periodic Security Check Implementation (Unit: %)
Item                                     2008   2009
Periodic security check implementation   38.4   49.3
B. Internal Information System User Authentication Method
Businesses with an employee count of 5 or more and one or more network-connected
computers as of December 2009 were questioned on the internal information system
user authentication techniques. The results indicated that a majority of businesses were
using the authentication method of 'user ID/ password (73.4%)'. On the other hand, as
many as 15.1% of businesses responded that they were using 'none' of the internal
information system user authentication techniques.
<Fig. 3-32> Internal Information System User Authentication Method (Unit: %)
Authentication Method Percentage
User ID/ password 73.4
Software token (public key certificate, etc.) 11.4
OTP (one time password) 9.1
Biometrics 2.2
Hardware token (HSM, hardware security module) 2.1
Others 0.5
None 15.1
· Multiple responses per information system user authentication method
C. Security Patch Application Method
Of businesses with an employee count of 5 or more and one or more network-connected
computers as of December 2009, 40.6%, the highest percentage, responded that they were
'maintaining the latest state of security patch of client PC at all times by automatic update
setup'.
<Fig. 3-28> Security Patch Application Method: Client PC (Unit: %)
Application Method                                                       Percentage
Maintaining the latest state at all times by automatic update setup      40.6
Manual update by periodically obtaining patch information 8.1
Update only when problems occur 12.2
Patch almost or absolutely not updated 38.5
No security patch applied 0.6
Of businesses possessing both PCs and servers (with an employee count of 5 or more and
one or more network-connected computers) as of December 2009, 29.1%, a relatively higher
percentage, responded that they were 'maintaining the latest state of security patch in the externally
disclosed network server (e-mail server, web server), at all times by automatic update setup'.
<Fig. 3-29> Security Patch Application Method: Externally Disclosed Network Server (Unit: %)
Application Method                                                       Percentage
Maintaining the latest state at all times by automatic update setup      29.1
Manual update by periodically obtaining patch information 10.6
Update only when problems occur 13.2
Patch almost or absolutely not updated 20.2
N/A (externally disclosed network server not in possession) 26.9
Of businesses operating both PCs and servers (with an employee count of 5 or more and
one or more network-connected computers) as of December 2009, 34.3%, the highest percentage,
responded that they were 'maintaining the latest state of security patch in the internally used
local server (file server, print server), at all times by automatic update setup'.
<Fig. 3-30> Security Patch Application Method: Internally Used Local Server (Unit: %)
Application Method                                                       Percentage
Maintaining the latest state at all times by automatic update setup      34.3
Manual update by periodically obtaining patch information 10.8
Update only when problems occur 15.4
Patch almost or absolutely not updated 18.3
N/A (local server not in possession) 21.2
Of businesses with an employee count of 5 or more and one or more network-connected
computers as of December 2009, 40.4%, the highest percentage, responded that they were
'maintaining the latest state of security patch, such as information security system (firewall,
IPS), at all times by automatic update setup'.
<Fig. 3-31> Security Patch Application Method: Information Security System (Unit: %)
Application Method                                                       Percentage
Maintaining the latest state at all times by automatic update setup      40.4
Manual update by periodically obtaining patch information 6.8
Update only when problems occur 12.0
Patch almost or absolutely not updated 12.7
N/A (information security product/ system not in possession) 28.1
IV. Personal Information Security Measures
1. Personal Information Security Policy
A. Status of Disclosure per Personal Information Handling Policy
Businesses collecting and therefore utilizing or providing users' personal information
online (with an employee count of 5 or more and one or more network-connected
computers) as of December 2009 were questioned about the items of the personal
information handling policy disclosed to users. The results indicated that 67.7% of
businesses, the highest percentage, disclosed 'purpose of personal information collection
and utilization, items of personal information collected and the collection method'. It
was followed by 'names of persons to which personal information is provided in case of
personal information provision to a third party as well as purpose of utilization of the
persons to which personal information was provided and items of personal information
provided to a third party (45.0%)', 'name, telephone number and contact information of
CPO or personal information handling division (39.3%)' and 'period of personal
information possession and utilization, procedures and method of personal information
destruction (37.6%)'.
<Fig. 4-1> Status of Disclosure per Personal Information Handling Policy (Unit: %)
Handling Policy                                                                                                                                             Percentage of Disclosure
Purpose of personal information collection and utilization, items of personal information collected, collection method                                       67.7
For provision of personal information to a third party, names of the persons to which personal information is provided, purpose of utilization of persons to which personal information is provided, items of personal information provided to a third party   45.0
Name, telephone number and contact information of CPO or personal information handling division                                                              39.3
Period of personal information possession and utilization, procedures and method of personal information destruction                                         37.6
Contents of personal information handling consignment and the consignee                                                                                      29.9
Details relating to installation and operation of automatic personal information collection device and rejection of the installation and operation          27.3
Rights of users and their legal representatives and the method of exercising the rights                                                                      25.7
· Multiple responses per personal information handling policy
B. Securing of Users' Consents to Personal Information Collection, Utilization and Provision
Businesses collecting personal information of users online (with an employee count of 5
or more and one or more network-connected computers) as of December 2009 were
found to disclose and obtain users' consents to mainly the 'items of personal information
collected (71.7%)' and 'purpose of personal information collection and utilization
(60.3%)' when intending to collect and therefore to utilize and provide users' personal
information online. In addition, 37.8% of the businesses were found to disclose and
obtain users' consents to the 'period of personal information possession and utilization'.
<Fig. 4-2> Securing of Users' Consents to Collection, Utilization and Provision of Personal Information (Unit: %)
Item                                                        Percentage
Items of personal information collected                     71.7
Purpose of collecting and utilizing personal information    60.3
Period of personal information possession and utilization   37.8
· Multiple responses per personal information disclosure/ consent
C. Provision to a Third Party/ Consignment of Handling of the Personal Information Collected
Of businesses collecting personal information of users online (with an employee count
of 5 or more and one or more network-connected computers) as of December 2009,
7.2% were found to provide the personal information of users to a third party or
consigned handling of the personal information.
<Fig. 4-3> Provision to a Third Party/ Consignment of Handling of the Personal Information Collected (Unit: %)
Item                                                                                          2009   2010
Provision to a third party/ consignment of handling of the personal information collected     7.3    7.2
D. Types of Personal Information Provision to a Third Party/ Personal Information Handling Consignment
As a result of investigating the types of personal information provision by businesses
providing personal information to a third party or consigning the provision to other
businesses, it was found that 67.0% of the businesses 'provided personal information
collected to a third party for the purpose of affiliate marketing and tele-marketing' and
37.6% of the businesses 'consigned handling of the personal information collected'.
<Fig. 4-4> Types of Personal Information Provision to a Third Party/ Personal Information Handling Consignment (Unit: %)
Type 2008 2009
Personal information provided to a third party for the purpose of affiliate marketing and tele-marketing 57.1 67.0
Consignment of personal information handling 54.4 37.6
· Multiple responses per type
E. Notice and Consent Securing at the Time of Personal Information Provision to a Third Party
Of businesses collecting and therefore utilizing or providing personal information (with
an employee count of 5 or more and one or more network-connected computers), most
businesses providing personal information to a third party (94.9%) were found to notify
the information of 'persons to which personal information is provided/ purpose of using
personal information of the persons to which personal information is provided/ personal
information items provided/ period of personal information possession and utilization by
the persons to which personal information is provided' to the personal information
providers and to obtain consents from them when providing the users' personal
information collected to a third party.
F. Notice and Consent Securing at the Time of Consignment for Personal Information Handling
It was found that most businesses consigning handling of personal information collected
through websites (94.0%) notified the 'details of work consigned for handling' to the
'consignees of personal information handling' and obtained consents from personal
information providers.
<Fig. 4-5> Notice and Consent Securing at the Time of Personal Information Provision to a Third Party (Unit: %)
Item 2008 2009
Notice and consent securing at the time of personal information provision to a third party 93.8 94.9
Notice and consent securing at the time of consignment for personal information handling 76.3 94.0
G. Availability of Guidelines on the Procedures and Methods of Personal Information Destruction
As of 2009, of the businesses collecting users' personal information online (with an
employee count of 5 or more and one or more network-connected computers), 71.8%
were found to have guidelines on the procedures and methods of personal information
destruction (on membership cancellation (withdrawal of consent to the utilization and
provision of personal information), on a request by the information holder to delete or
destroy personal information, on fulfillment of the objectives of personal information
collection, on expiry of the term of information possession and utilization to which
consent was obtained at the time of collection, on business closing, etc.).
<Fig. 4-7> Availability of Guidelines on the Procedures and Methods of Personal Information Destruction (Unit: %)
Not Available Available
Guidelines on the procedures and methods of personal information destruction 28.2 71.8
H. Measures to Prevent Personal Information Security Incidents and Follow-up Measures
Businesses collecting personal information through websites as of December 2009 (with
an employee count of 5 or more and one or more network-connected computers) were
questioned on the policies for prevention of users'/ customers' personal information
security incidents and follow-up measures and 38.4%, the highest percentage, responded
that 'manuals for prevention of personal information security incidents have been
established'.
<Fig. 4-8> Measures to Prevent Personal Information Security Incidents and Follow-up Measures (Unit: %)
Type Percentage
Establishing manuals for prevention of personal information security incidents 38.4
Establishing policy for personal information security incidents follow-up measures 32.4
Personal information backup 32.0
Establishing internal handling and reporting system upon occurrence of incidents 22.9
Establishing procedures to check damages caused by and to collect evidences for personal information security incidents 21.4
Drawing up and managing a list of signs indicating the occurrence of personal information security incidents 21.2
Maintaining network of emergency contacts to utilize outside experts 12.9
Notifying occurrence of damages by personal information security incidents to the related organizations, such as Personal Information Dispute Mediation Committee and Privacy Violation Report Center 12.6
Special measures not implemented 23.0
· Multiple responses per incident prevention and follow-up measure
I. Management Status of Personal Information Printing/ Copy into Portable Storage Media
Businesses collecting users' personal information online (with an employee count of 5 or
more and one or more network-connected computers) as of December 2009 were found
to record 'time of printing · copying (36.1%)', 'serial numbers of printed · copied
information (33.9%)' and 'positions and names of the persons who printed · copied
information (28.2%)' when printing users' personal information or copying it into
portable storage media, such as USB and compact disk.
<Fig. 4-9> Management Status of Personal Information Printing/ Copy into Portable Storage Media (Unit: %)
Item Percentage
Time of printing or copying 36.1
Serial numbers of the printed or copied information 33.9
Positions and names of the persons who printed or copied information 28.2
Purpose of printing or copying 26.1
Format of printed or copied information 22.8
Time at which printed or copied information was destroyed 16.4
Persons to which the printed or copied information is to be transmitted 14.9
Persons in charge of destroying the printed or copied information 12.2
· Multiple responses per management status
2. Personal Information Processing System Management and Access Control
A. Personal Information Processing System Operation and Management Status
Of businesses collecting users' personal information online (with an employee count of 5
or more and one or more network-connected computers) as of December 2009, 44.3%
were operating and managing a database system (personal information processing system)
configured to systematically process the operations of personal information input, storage,
editing, search, deletion and printing.
<Fig. 4-10> Personal Information Processing System Operation and Management Status (Unit: %)
Not Operated/ Managed Operated/ Managed
Personal information processing system operation and management status 55.7 44.3
· Personal Information Processing System: Database system configured for systematic processing of personal information
B. Technical Measures for Secure Processing of Personal Information
Of businesses operating personal information processing system, 77.0%, the highest
percentage, were 'encrypting personal information in storage' as a technical measure for
secure processing of users' personal information. It was followed by 'application of
keyboard hacking prevention solution (51.8%)', 'ID control and password security
validation (48.0%)' and 'saving DB access log (44.5%)'.
<Fig. 4-11> Technical Measures for Secure Processing of Personal Information (Unit: %)
Type Percentage
Encrypting personal information in storage 77.0
Applying keyboard hacking prevention solution 51.8
ID control and password security validation 48.0
Saving DB access log 44.5
Applying function to prevent exposure of personal information while being entered 39.1
Statistics on USB/ portable storage devices 28.2
Authentication with electronic signature 27.6
Personal information file control 26.3
Setting password in CD/ DVD or encrypting password 23.8
Laptop computer and PDA control 19.0
Applying function to prevent C/S application screen capture 15.2
Applying function to prevent web application screen capture 14.0
C. Personal Information Encryption Items within Personal Information Processing System
Of businesses operating and managing personal information processing system, those
encrypting users' personal information stored in the personal information processing
system were questioned on the items of encryption. 57.3%, the highest percentage,
responded that 'resident registration No.' was encrypted. It was followed by 'password
(51.1%)', 'account No. (33.6%)' and 'credit card No. (29.0%)'.
<Fig. 4-12> Personal Information Encryption Items within Personal Information Processing System (Unit: %)
Item Percentage
Resident registration No. 57.3
Password 51.1
Account No. 33.6
Credit card No. 29.0
Bio information 7.0
3. Security Server Implementation and i-PIN Service Introduction
A. Security Server Introduction
Businesses collecting users' personal information online (with an employee count of 5 or
more and one or more network-connected computers) as of December 2009 were
questioned on whether they had introduced a security server for personal information
security. As a result, it was found that 44.9%, the highest percentage, had 'introduced a
security server to all websites to which personal information is entered'. It was followed
by 'security server not introduced (34.4%)' and 'security server introduced to some of the
websites to which personal information is entered (20.7%)'.
<Fig. 4-13> Security Server Introduction (Unit: %)
Item 2008 2009
Introduced to all websites to which personal information is entered 39.9 44.9
Introduced to some of the websites to which personal information is entered 16.6 20.7
Not introduced 41.5 34.4
· Security Server: A web server which, when personal information is entered into a website, encrypts the
information sent from the user's PC into an unidentifiable format and transmits it securely to the website,
so that it is not exposed to others.
B. Security Server Implementation Method
Businesses that had introduced a security server to all or some of their websites (with an
employee count of 5 or more and one or more network-connected computers) were
questioned on the security server implementation method. As a result, it was found that
26.8%, the highest percentage, used an 'SSL certificate (domestic)', followed by 'SSL
certificate (foreign) (6.2%)' and 'application program (5.3%)'.
<Fig. 4-16> Security Server Implementation Method (Unit: %)
Type Percentage
SSL certificate (domestic) 26.8
SSL certificate (foreign) 6.2
Application program 5.3
Don't know 65.6
· Multiple responses per implementation method
C. Plans to Introduce and Expand Security Server
Businesses that had partially introduced or not introduced security server (with an
employee count of 5 or more and one or more network-connected computers) were
questioned on the plans to introduce security server or to expand the introduction to all
websites. As a result, it was found that 47.3%, the largest percentage, had 'plans to
introduce/ expand security server'. It was followed by 'decision to be made considering
cost (27.4%)' and 'have plans to introduce security server on a long-term basis (19.0%)'.
<Fig. 4-17> Plans to Introduce and Expand Security Server (Unit: %)
Item Percentage
No plans to introduce/ expand security server 47.3
Plans to introduce/ expand security server on a long term basis 19.0
Plans to introduce/ expand security server within one year 4.0
To be decided considering cost 27.4
Others 2.3
D. Methods of User Identification in Websites
Businesses collecting users' personal information online (with an employee count of 5 or
more and one or more network-connected computers) as of December 2009 were
questioned on the methods of user identification and it was found that the highest
percentage used the method of 'identification with resident registration No. only
(46.3%)'. It was followed by 'identification with both resident registration No. and
alternatives to resident registration No. (30.6%)' and 'identification with alternative means
other than resident registration No. (i-PIN, public key certificate) (22.7%)'.
<Fig. 4-18> Methods of User Identification in Websites (Unit: %)
Type Percentage
Identification with resident registration No. only 46.3
Identification with both resident registration No. and alternatives to resident registration No. 30.6
Identification with alternative means other than resident registration No. (i-PIN, public key certificate) 22.7
Identification methods not used 0.4
E. Status of Using Resident Registration No. Alternatives on the Internet
Businesses using alternatives to resident registration No. for user identification in
websites (with an employee count of 5 or more and one or more network-connected
computers) were questioned on the status of using resident registration No. alternatives
on the Internet. As a result, it was found that 51.2%, the highest percentage, were
using 'public key certificate' followed by 'others (mobile phone No., credit card No.,
account No.) (49.1%)' and 'i-PIN (20.4%)'.
<Fig. 4-21> Status of Using Resident Registration No. Alternatives on the Internet (Unit: %)
Type Percentage
Public key certificate 51.2
Others (mobile phone No., credit card No., account No.) 49.1
i-PIN 20.4
· Multiple responses per resident registration No. alternative
F. i-PIN Service Awareness
Of businesses using resident registration No. only for user identification on the Internet
(with an employee count of 5 or more and one or more network-connected computers),
47.1% were aware of i-PIN (Internet personal identification number) service, an
alternative to resident registration No. to be used on the Internet.
<Fig. 4-22> i-PIN Service Awareness (Unit: %)
Not Aware Aware
i-PIN service awareness 52.9 47.1
G. Intention to Use i-PIN Service in the Future
Of businesses using resident registration No. only for user identification on the Internet
(with an employee count of 5 or more and one or more network-connected computers),
30.1% responded that they had an 'intention to use' services (i-PIN service) to securely
replace resident registration No. in the future. 47.5% responded that they would 'make a
decision considering cost'.
<Fig. 4-23> Intention to Use i-PIN Service in the Future (Unit: %)
Item Percentage
Intention to use service 30.1
To be decided considering cost 47.5
No intention to use service 22.4
V. Incident Handling and SPAM Control
1. Incident Handling
A. Activities for Information Security Incident Handling
Businesses possessing both PCs and servers (with an employee count of 5 or more and
one or more network-connected computers) as of December 2009 were questioned on
the activities performed for information security incident handling. The results showed
that a large number of businesses had 'established incident handling plans (16.7%)' and
'implemented a network of emergency contacts for handling upon occurrence or
detecting signs of occurrence of incidents (15.2%)'.
<Fig. 5-1> Activities for Information Security Incident Handling (Unit: %)
Item Percentage
Established incident handling plans 16.7
Implemented a network of emergency contacts for handling upon occurrence or detecting signs of occurrence of incidents 15.2
Commissioned incident handling to outside specializing agency 10.9
Organized incident recovery team 10.2
CERT (computer emergency response team) 10.0
Others 1.1
No special activities performed 43.9
· Multiple responses per information security incident handling activity
B. Currently Implemented Information Security Assessment Measures
Businesses engaged in activities to handle information security incidents were questioned
on their information security assessment measures. It was found that 59.8%, the highest
percentage, were conducting 'security audit by internal staff', followed by 'security audit
by external agencies (28.2%)', 'automation tools (21.2%)', 'web monitoring (21.0%)' and
'e-mail monitoring (18.0%)'.
<Fig. 5-2> Currently Implemented Information Security Assessment Measures (Unit: %)
Type Percentage
Security audit by internal staff 59.8
Security audit by external agencies 28.2
Automation tools 21.2
Web monitoring 21.0
E-mail monitoring 18.0
Penetration test by internal staff (hacking simulation, etc.) 15.2
Penetration test by external agencies (hacking simulation, etc.) 10.3
Others 0.3
No special activities performed 9.7
· Multiple responses per information security assessment measure
C. Outside Cooperation Channels for Incident Handling/ Problem Solving
Businesses with an employee count of 5 or more and one or more network-connected
computers as of December 2012 were questioned on the outside cooperation channels
most frequently contacted for information sharing and problem solving in relation to the
occurrence of incidents. As a result, it was found that 14.2%, the highest percentage,
contacted 'internal system development companies' followed by 'security companies (Ahn
Lab, Hauri) (12.6%)' and 'ISP companies (KT, SK Broadband, LG U+) (10.6%)' (based
on the first choice).
On the other hand, 7 out of 10 businesses responded that they had 'none' of the outside
cooperation channels for problem solving and information sharing at incident occurrence
(74.7%).
<Fig. 5-3> Outside Cooperation Channels for Incident Handling/ Problem Solving (Unit: %)
Type First Choice First Choice + Second Choice
Internal system development companies 10.7 14.2
Security companies (Ahn Lab, Hauri) 6.6 12.6
ISP companies (KT, SK Broadband, LG U+) 5.7 10.6
Incident response teams known (CERT) 4.6 7.1
Korea Internet Security Agency (KISA) 4.1 5.7
Others 1.6 2.0
None 66.7 74.7
· Multiple responses on two items in the order of importance
D. Insurance for Cyber Security Incidents
Of businesses with an employee count of 5 or more and one or more network-connected
computers as of December 2009, 3.6% held insurance against cyber security incidents.
<Fig. 5-4> Insurance for Cyber Security Incidents (Unit: %)
No Insurance Insurance
Insurance for cyber security incidents 96.4 3.6
E. Reporting Cyber Security Incidents
Of businesses with an employee count of 5 or more and one or more network-connected
computers as of December 2009, 16.0% responded that they 'reported (report incidents
always + usually report incidents)' cyber security incidents to the related agencies.
<Fig. 5-5> Reporting Cyber Security Incidents (Unit: %)
Item Percentage
Don't report incidents at all 63.8
Don't report incidents always 16.9
Usually report incidents 10.9
Report incidents always 5.1
No incidents so far 3.3
F. Reasons for Not Reporting Cyber Security Incidents
Businesses not reporting cyber security incidents to the related agencies (don't report
incidents at all + don't report incidents always) were questioned on the reasons for not
reporting incidents and the responses were made in the order of 'because it is better to
resolve it independently (69.8%)' and 'because of not knowing the related agencies
(11.7%)'.
<Fig. 5-6> Reasons for Not Reporting Cyber Security Incidents (Unit: %)
Item Percentage
Because it is better to resolve it independently 69.8
Because of not knowing the related agencies 11.7
Because of the benefit (reflective interests) to competing companies (of your organization) 1.5
Because of damage to stock price or company image (of your organization) 1.0
Others 15.4
None 0.6
G. Establishment and Implementation of Emergency Recovery Plans
Of businesses with an employee count of 5 or more and one or more network-connected
computers as of December 2009, 10.3% 'have established and are implementing
emergency recovery plans for disasters and incidents'. 3.5% responded that they 'have
established and are implementing emergency recovery plans for disasters'. The percentage
of businesses responding that they 'have established and are implementing emergency
recovery plans for incidents' was also 3.5%. About 8 out of 10 businesses responded
that they had 'no emergency recovery plans for disasters and incidents' (82.7%).
<Fig. 5-7> Establishment and Implementation of Emergency Recovery Plans (Unit: %)
Item Percentage
Have established and are implementing emergency recovery plans for disasters and incidents 10.3
Have established and are implementing emergency recovery plans for disasters 3.5
Have established and are implementing emergency recovery plans for incidents 3.5
No emergency recovery plans for disasters and incidents 82.7
2. SPAM Control
A. E-mail Server Implementation and Operation
Of businesses with an employee count of 5 or more and one or more network-connected
computers as of December 2009, it was found that 21.1% had implemented and were
operating e-mail servers.
<Fig. 5-8> E-mail Server Implementation and Operation (Unit: %)
Not Implemented/ Operated Implemented and Operated
E-mail server implementation and operation 78.9 21.1
B. Methods for Secure E-mail Transmission and Reception
Businesses that had implemented and were operating e-mail servers were questioned on
the methods they were using for secure e-mail transmission and reception. The results
showed that the most frequently used method was 'SPAM filtering or blocking (45.8%)'.
It was followed by 'blocking or quarantining e-mail attachments (42.7%)' and 'virus
scanning in Internet gateway (33.2%)'.
<Fig. 5-9> Methods for Secure E-mail Transmission and Reception (Unit: %)
Type Percentage
Filtering or blocking SPAM 45.8
Blocking or quarantining e-mail attachments 42.7
Virus scanning in Internet gateway 33.2
Restricting employees' e-mail use 25.5
Policy on appropriate amount of use 24.8
No security control measures 16.5
· Multiple responses per e-mail transmission and reception method
C. E-mail SPAM Control Measures
Businesses that were filtering or blocking SPAM for secure e-mail transmission and
reception were questioned on the SPAM control measures used. The highest percentage
of businesses were 'installing and using a commercial anti-SPAM solution (63.9%)',
followed by 'setting user authentication function (SMTP-AUTH) (23.0%)', 'applying the
real-time SPAM blocking list (RBL) provided by KISA (15.7%)' and 'applying e-mail
sender authentication techniques (SPF, DKIM) (14.5%)'.
<Fig. 5-10> E-mail SPAM Control Measures (Unit: %)
Type Percentage
Installing and using commercial anti-SPAM solution 63.8
Setting user authentication function (SMTP-AUTH) 23.0
Applying real-time SPAM blocking list (RBL) provided by KISA 15.7
Applying e-mail sender authentication technique (SPF, DKIM) 14.5
Participating in KISA's white domain registration program 10.0
· Multiple responses per SPAM control measure
D. Web Board Service Operation
Businesses that had implemented websites or were utilizing SNS in marketing (an
employee count of 5 or more and one or more network-connected computers) as of
December 2009 were questioned on the status of web board service operation. The
results showed that 30.1% were operating web board service and 69.9% were not
operating web board service.
<Fig. 5-11> Web Board Service Operation (Unit: %)
Not Operated Operated
Web board service operation 69.9 30.1
E. SPAM in Web Board
Businesses operating a public web board service were questioned on the status of SPAM
posting in the web board. 48.0%, the highest percentage, responded that 'SPAM is not
posted'. Among the remaining responses, '30% or less of all postings' was the most
common at 41.4%. It was followed by '30 ~ 60% of all postings (6.4%)', '60 ~ 90% of all
postings (2.8%)' and '90% or more of all postings (1.4%)'.
<Fig. 5-12> SPAM in Web Board (Unit: %)
Item Percentage
30% or less of all postings 41.4
30~60% of all postings 6.4
60~90% of all postings 2.8
90% or more of all postings 1.4
No SPAM posted in web board 48.0
F. Web Board SPAM Handling
Businesses subject to SPAM posting in their public web boards were questioned on their
anti-SPAM measures. As a result, 43.1%, the highest percentage, responded that they
were 'utilizing monitoring staff'. It was followed by 'filtering SPAM through the system
(technical blocking) (32.7%)', 'notifying legal measures for SPAM posting in the web
board (18.8%)' and 'using a commercial anti-SPAM solution (16.0%)'.
<Fig. 5-13> Web Board SPAM Handling (Unit: %)
Type Percentage
Using monitoring staff 43.1
Filtering SPAM through system (technical blocking) 32.7
Notifying legal measures for SPAM posting in the web board 18.8
Using commercial anti-SPAM solution 16.0
Taking legal actions (reporting to illegal SPAM report center) 10.8
Others 6.6
Not taking measures 15.3
· Multiple responses per handling measure
VI. Incident Damages
1. Damage Status
A. Experiences of Damage by Information Security Incidents and Frequency of Damage
① Attack by Computer Virus, Worm and Trojan
Over the course of one year in 2009, 9.8% of businesses (with an employee count of 5
or more and one or more network-connected computers) experienced substantial losses
or cost-incurring damages due to computer virus, worm and Trojan attacks (Once: 2.8%,
Two ~ Three Times: 4.1%, Four ~ Five Times: 1.8%, Six ~ Nine Times: 0.4%, Ten
Times or More: 0.7%). On average, businesses experienced such damage 0.3 times.
<Fig. 6-1> Attack by Computer Virus, Worm and Trojan (Unit: %)
Count 0 Once 2~3 times 4~5 times 6~9 times 10 times or more
Percentage 90.2 2.8 4.1 1.8 0.4 0.7
Mean: 0.3 times Damage Experience Rate: 9.8%
· Information Security Incident: Attack on computer or network that damages confidentiality, integrity or availability of network data or system
② Unauthorized Access from Outside to Internal Data or Computer System (Hacking)
Over the course of one year in 2009, 2.8% of businesses (with an employee count of 5
or more and one or more network-connected computers) experienced substantial losses
or cost-incurring damages due to hacking (Once: 1.4%, Two ~ Three Times: 0.9%, Four
~ Five Times: 0.3%, Six ~ Nine Times: 0.1%, Ten Times or More: 0.1%). On average,
businesses experienced such damage 0.1 times.
<Fig. 6-2> Unauthorized Access from Outside to Internal Data or Computer System (Hacking) (Unit: %)
Count 0 Once 2~3 times 4~5 times 6~9 times 10 times or more
Percentage 97.2 1.4 0.9 0.3 0.1 0.1
Mean: 0.1 times Damage Experience Rate: 2.8%
③ DoS (Denial of Service) Attack
Over the course of one year in 2009, 2.2% of businesses (with an employee count of 5
or more and one or more network-connected computers) experienced substantial losses
or cost-incurring damages due to DoS attack (Once: 1.0%, Two ~ Three Times: 0.8%,
Four ~ Five Times: 0.3%, Ten Times or More: 0.1%).
<Fig. 6-3> DoS (Denial of Service) Attack (Unit: %)
Count 0 Once 2~3 times 4~5 times 6~9 times 10 times or more
Percentage 97.8 1.0 0.8 0.3 0.0 0.1
Mean: 0.1 times Damage Experience Rate: 2.2%
④ DDoS (Distributed Denial of Service) Attack
Over the course of one year in 2009, 2.6% of businesses (with an employee count of 5
or more and one or more network-connected computers) experienced substantial losses
or cost-incurring damages due to DDoS attack (Once: 1.2%, Two ~ Three Times: 0.8%,
Four ~ Five Times: 0.3%, Six ~ Nine Times: 0.1%, Ten Times or More: 0.1%).
<Fig. 6-4> DDoS (Distributed Denial of Service) Attack (Unit: %)
Count 0 Once 2~3 times 4~5 times 6~9 times 10 times or more
Percentage 97.4 1.2 0.8 0.3 0.1 0.2
Mean: 0.1 times Damage Experience Rate: 2.6%
⑤ Adware/ Spyware Infection
Over the course of one year in 2009, 8.6% of businesses (with an employee count of 5
or more and one or more network-connected computers) experienced substantial losses
or cost-incurring damages due to adware/ spyware infection (Once: 1.9%, Two ~ Three
Times: 2.5%, Four ~ Five Times: 2.4%, Six ~ Nine Times: 0.6%, Ten Times or More:
1.2%).
<Fig. 6-5> Adware/ Spyware Infection (Unit: %)
Count 0 Once 2~3 times 4~5 times 6~9 times 10 times or more
Percentage 91.4 1.9 2.5 2.4 0.6 1.2
Mean: 0.3 times Damage Experience Rate: 8.6%
B. Routes of Information Security Incident Damages
Businesses that had experienced damages of information security incidents over the
course of one year in 2009 were questioned on the routes of incident damages. 60.7%,
the highest percentage, responded 'infection by programs downloaded on the Internet'. It
was followed by 'infection through e-mails (31.0%)', 'infection after visiting specific
websites (22.6%)' and 'infection through storage media, such as CD and USB (21.1%)'.
<Fig. 6-6> Routes of Information Security Incident Damages (Unit: %)
Type Percentage
Infection by programs downloaded through the Internet 60.7
Infection through e-mails 31.0
Infection after visiting specific websites 22.6
Infection through storage media, such as CD and USB 21.1
Infection by using shared folders and internal networks 18.6
Infection by forced virus infiltration (hacking) from outside 13.8
· Multiple responses per infection route
C. Fluctuations in the Count of Information Security Incident Damages
Businesses that had experienced information security incident damages over the course
of one year in 2009 were questioned on the fluctuations in the count of information
security incident damages in comparison to 2008 and 35.0% responded that the count of
damages had increased from the previous year.
<Fig. 6-7> Fluctuations in the Count of Information Security Incident Damages (Unit: %)
Fluctuation Percentage
50% or more 1.0
40 ~ 50% 1.4
30 ~ 40% 2.2
20 ~ 30% 4.0
10 ~ 20% 11.0
~ 10% 15.4
~ -10% 4.3
-10 ~ -20% 3.0
-20 ~ -30% 1.5
-30 ~ -40% 1.4
-40 ~ -50% 0.7
-50% or less 0.7
Increase No Change Decrease
35.0 53.4 11.6
D. Fluctuations in the Amount of Information Security Incident Damages
Businesses that had experienced information security incident damages over the course
of one year in 2009 were questioned on the fluctuations in the amount of information
security incident damages in comparison to 2008 and 26.2% responded that the amount
of damages had increased from the previous year.
<Fig. 6-8> Fluctuations in the Amount of Information Security Incident Damages (Unit: %)
Fluctuation Percentage
50% or more 0.8
40 ~ 50% 0.8
30 ~ 40% 0.1
20 ~ 30% 3.5
10 ~ 20% 8.4
~ 10% 12.6
~ -10% 5.8
-10 ~ -20% 1.8
-20 ~ -30% 0.9
-30 ~ -40% 0.6
-40 ~ -50% 0.3
-50% or less 0.4
Increase No Change Decrease
26.2 64.0 9.8
E. Frequency of Information Security Incident Damages per Target: Businesses Not Collecting Personal Information
Taking the overall frequency of information security incident damages as 100%,
businesses not collecting personal information through websites that had experienced
information security incident damages over the course of one year in 2009 experienced
'network delay' most frequently (58.7%). It was followed by 'data damages (20.2%)' and
'hardware damages (equipment, such as PC and server) (18.6%)'.
<Fig. 6-9> Frequency of Information Security Incident Damages per Target (Unit: %)
Type Percentage
Network delay 58.7
Data damages 20.2
Hardware damages (equipment, such as PC and server) 18.6
Others 2.5
F. Frequency of Information Security Incident Damages per Target: Businesses Collecting Personal Information
Taking the overall frequency of information security incident damages as 100%,
businesses collecting personal information through websites that had experienced
information security incident damages over the course of one year in 2009 experienced
'network delay' most frequently (45.0%). It was followed by 'data damages (24.0%)' and
'hardware damages (equipment, such as PC and server) (20.7%)'.
<Fig. 6-10> Frequency of Information Security Incident Damages per Target (Unit: %)
Type Percentage
Network delay 45.0
Data damages 24.0
Hardware damages (equipment, such as PC and server) 20.7
Personal information leakage/ exposure 8.8
Others 1.5