2010 Survey on the Information Security (Business): Executive Summary

Uploaded by Hai Nguyen, Nov 18, 2014


Contents

I. Introduction ........ 1
II. Information Security Infrastructures and Environments ........ 3
  1. Information Security Policy and Organization ........ 3
  2. Information Security Awareness and Environments ........ 5
  3. Information Security Training Implementation Status ........ 7
  4. Information Security Investment Status ........ 9
III. Information Security Measures ........ 11
  1. Status of Information Security System and Service Introduction ........ 11
  2. New Service Introduction and Security Measures ........ 14
  3. Security Management ........ 18
IV. Personal Information Security Measures ........ 22
  1. Personal Information Security Policy ........ 21
  2. Personal Information Processing System Management and Access Control ........ 29
  3. Security Server Implementation and i-PIN Service Introduction ........ 32
V. Incident Handling and SPAM Control ........ 36
  1. Incident Handling ........ 36
  2. SPAM Control ........ 42
VI. Incident Damages ........ 46
  1. Damage Status ........ 46


I. Introduction

Population: All nationwide businesses with 5 or more employees that hold one or more network-connected computers

Sample Eligibility: Nationwide businesses with 5 or more employees in 18 industrial fields out of the 20 large categories of the Korean Standard Industrial Classification, excluding domestic services, international and foreign organizations, and automobile-related wholesale/retail business (G50) (a total of 531,345 businesses), that hold one or more network-connected computers (a total of 301,981 businesses)

Sample Size: 6,529 businesses

Data Collection: Visits to and interviews with the persons in charge of electronic data processing and general affairs

Fieldwork Period: Sep. 1, 2010 ~ Oct. 31, 2010

Sampling Method: Multi-stage stratified systematic sampling
- Businesses are stratified in two stages by industrial classification and scale. Each business is then ordered by region and systematic sampling is conducted.

Sampling Error: CISO appointment rate ±0.84%p (95% confidence level)


Glossary

Personal Information: All information indicating facts about an individual's physical characteristics, assets, social position and status, as well as judgment and assessment of those facts

Cloud Computing Service: A service that allows a user to use the IT resources of hardware and software as much as and when necessary, paying only for the amount of service used. Users connect to a centralized computer using Internet-accessing devices and are provided with the required IT resources.

Mobile Office: An office on the move where work can be processed in real time both inside and outside of an office space by using a variety of IT devices, such as laptop computers and smartphones

Security Server: A security server encrypts and transmits personal information between the user PC and the web server on the Internet. It validates the existence of a company for electronic transactions and ensures secure electronic transactions by forming a secure channel through encryption/decryption of the data transmitted between web browser and web server.

i-PIN (Internet Personal Identification Number): A means of user identification using an ID and password in place of the resident registration number when a user signs up for membership and uses other services on the Internet. i-PIN minimizes the risk of resident registration number leakage.

Information Security Incident: An attack on a computer or network that damages the confidentiality, integrity or availability of network data or systems


II. Information Security Infrastructures and Environments

1. Information Security Policy and Organization

A. Status of Information Security Policy Establishment

Of businesses with 5 or more employees and one or more network-connected computers as of December 2009, 25.8% had established officially defined and documented information security policies, an increase of 4.6%p from 2008.

Of the same businesses, 25.5% had established and were implementing internal users' information security guidelines for PC security, an increase of 2.9%p from 2008.

<Fig. 2-1> Status of Information Security Policy Establishment and User PC Information Security Guidelines Establishment/Implementation (Unit: %)

                                                              2008   2009
Establishment of information security policy                  21.2   25.8
Establishment and implementation of user PC information
  security guidelines                                         22.6   25.5


B. Information Security Personnel and Organization

Of businesses with 5 or more employees and one or more network-connected computers as of December 2009, 18.7% explicitly appointed a CIO (chief information officer) and 14.5% appointed a CISO (chief information security officer) pursuant to organization rules or similar provisions.

Of businesses collecting personal information through websites (with 5 or more employees and one or more network-connected computers), 44.8% explicitly appointed a CPO (chief privacy officer).

<Fig. 2-8> Explicit Appointment of IT-related Officers (Unit: %)

                                            2008   2009
Chief Information Officer (CIO)             18.6   18.7
Chief Information Security Officer (CISO)   14.6   14.5
Chief Privacy Officer (CPO)                 43.3   44.8

· Multiple responses per IT-related officer

Of businesses with 5 or more employees and one or more network-connected computers as of December 2009, 14.5% had officially installed and were operating information security handling teams, an increase of 6.2%p from 2008. In addition, of businesses collecting personal information (with 5 or more employees and one or more network-connected computers), 37.2% had installed and were operating personal information security handling teams, an increase of 3.0%p from 2008.

<Fig. 2-10> Official Installation and Operation of IT Teams (Unit: %)

                                      2008   2009
Information Security Team             8.3    14.5
Personal Information Security Team    29.7   32.7


2. Information Security Awareness and Environments

A. Sources of Information Security Threats

The source of information security threats that businesses worried about most was 'computer criminals, such as illegal hackers' (44.8%), followed by 'employees that have resigned' (19.1%) and 'employees currently working in the company' (14.9%) (based on the first choice).

<Fig. 2-14> Sources of Information Security Threats (Unit: %)

Type                                             First Choice   First + Second Choice
Computer criminals, such as illegal hackers      44.8           61.7
Employees that have resigned                     19.1           35.7
Employees currently working in the company       14.9           24.3
Competing companies, industrial spies            9.9            28.1
Organized criminals, such as cyber terrorists    6.0            25.7
Others                                           0.7            1.5
None                                             4.6            4.6

· Multiple responses on two items in order of importance


B. Information Security Awareness

Businesses with 5 or more employees and one or more network-connected computers as of December 2009 were assessed on how much the management, such as the CEO, considers information security when establishing management plans. Most businesses recognized it as an important factor: 63.4% responded that 'it is considered important (4 points + 5 points)', significantly higher than the percentage responding that 'it is considered not important (1 point + 2 points)'.

The degree to which the management considers information security when establishing management plans was assessed on a 5-point scale, and the average was 3.9 points.

<Fig. 2-16> Degree of Awareness of the Importance of Information Security by the Management (Unit: %)

Importance                  Point   Percentage
Absolutely not important    1       1.8
Not important               2       6.5
So-so                       3       28.3
Important                   4       30.9
Very important              5       32.5

Mean: 3.9 points   Important: 63.4%


Businesses with 5 or more employees and one or more network-connected computers as of December 2009 were also questioned on the degree to which their employees recognize the importance of information security. The results showed that most employees recognized information security as important.

The percentage of responses that 'it is considered important (4 points + 5 points)' was 61.3%, higher than the percentage of responses that 'it is not considered important (1 point + 2 points)'. Employees' recognition of the importance of information security was assessed on a 5-point scale, and the average was 3.8 points, slightly lower than the degree of recognition by the management.

<Fig. 2-17> Employees' Recognition of the Importance of Information Security (Unit: %)

Importance                  Point   Percentage
Absolutely not important    1       1.6
Not important               2       7.4
So-so                       3       29.7
Important                   4       31.0
Very important              5       30.3

Mean: 3.8 points   Important: 61.3%
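The two awareness tables above report a mean score and an "important" share derived from the 5-point response distributions, and the Introduction reports a ±0.84%p sampling error for the CISO appointment rate. The following script, added here as an example and not part of the original report, reproduces those figures from the printed percentages: the weighted mean of the Likert scale, the 4 + 5 point share, and the margin of error for a proportion. The margin-of-error formula is the simple random sampling approximation (an assumption on my part; the survey used stratified systematic sampling, whose design effect the report does not give), so it yields about 0.85%p against the reported 0.84%p.

```python
"""Reproduce summary statistics from the 2010 survey tables.

Added example, not code from the original report. Inputs are the
percentages printed in <Fig. 2-16>, <Fig. 2-17>, <Fig. 2-8> and the
Introduction; the sampling-error formula is the simple random sampling
(SRS) approximation, which the stratified design changes slightly.
"""
import math

# Response distributions (percent per scale point) as printed in
# <Fig. 2-16> (management) and <Fig. 2-17> (employees).
MANAGEMENT = {1: 1.8, 2: 6.5, 3: 28.3, 4: 30.9, 5: 32.5}
EMPLOYEES = {1: 1.6, 2: 7.4, 3: 29.7, 4: 31.0, 5: 30.3}

SAMPLE_SIZE = 6529   # "Sample Size: 6,529 businesses" (Introduction)
CISO_RATE = 14.5     # CISO appointment rate, percent (<Fig. 2-8>, 2009)
Z_95 = 1.96          # two-sided normal quantile for 95% confidence


def likert_mean(distribution):
    """Weighted mean of the scale points, weighted by response percentage."""
    total = sum(distribution.values())
    # Guard against a mistyped table: the shares must add up to ~100%.
    if abs(total - 100.0) > 0.5:
        raise ValueError(f"percentages sum to {total:.1f}, expected ~100")
    return sum(point * pct for point, pct in distribution.items()) / total


def important_share(distribution):
    """Share of 'important' answers, defined by the report as 4 + 5 points."""
    return distribution[4] + distribution[5]


def margin_of_error_pp(rate_pct, n, z=Z_95):
    """SRS margin of error for a proportion, returned in percentage points."""
    p = rate_pct / 100.0
    return z * math.sqrt(p * (1.0 - p) / n) * 100.0


if __name__ == "__main__":
    for name, dist in (("management", MANAGEMENT), ("employees", EMPLOYEES)):
        print(f"{name}: mean {likert_mean(dist):.1f} points, "
              f"important {important_share(dist):.1f}%")
    print("CISO rate sampling error (SRS approximation): "
          f"±{margin_of_error_pp(CISO_RATE, SAMPLE_SIZE):.2f}%p")
```

The sum check in likert_mean is there because executive summaries of this kind are often transcribed by hand; a distribution that does not add up to 100% is the first sign that a row was dropped or a digit mistyped.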

3. Information Security Training Implementation Status

Of businesses with 5 or more employees and one or more network-connected computers as of December 2009, 18.4% were implementing information security training for their employees, including commissioned training.

<Fig. 2-18> Status of Information Security Training Implementation (Commissioned Training Included) (Unit: %)

                                                          Not Implemented   Implemented
Status of information security training implementation    81.6              18.4


Businesses implementing information security training (with 5 or more employees and one or more network-connected computers) as of December 2009 were questioned on the status of implementation per training program. The results indicated that 'basic information security training for general employees' was implemented most frequently.

The percentage of personal information collecting businesses (with 5 or more employees and one or more network-connected computers) implementing 'personal information security training for personal information security managers' was high at 60.5% (mandatory training + selective training when necessary).

<Fig. 2-21> Status of Information Security Training Program Implementation (Unit: %)

Program                                              Mandatory   Selective Training   Not           N/A
                                                     Training    when Necessary       Implemented
Information security awareness and management
  training for the management including the CEO     32.5        20.0                 47.5
Information security management training for
  information security handling officers            33.2        19.4                 21.4          26.0
Practical information security training for the
  IT and information security staff                 32.8        18.7                 19.7          28.8
Basic information security training for general
  employees that use computers                      50.3        32.1                 17.6
Personal information security training for
  personal information security managers            40.9        19.6                 39.5

· Multiple responses per information security training program
· Basis of the personal information security training row: personal information collecting businesses


4. Information Security Investment Status

Businesses with 5 or more employees and one or more network-connected computers were questioned on the share of information security investment in their overall information investment over the course of the year 2009. 63.5% of businesses responded that they had 'no information security expenses'.

<Fig. 2-25> Percentage of Information Security Investment to Overall Information Investment (Unit: %)

Percentage of Information Security Investment to Overall Information Investment   2010
No information security expenses                                                  63.5
Invested in information security (36.5%)
  Less than 1%                                                                    17.9
  1% ~ less than 3%                                                               7.9
  3% ~ less than 5%                                                               4.7
  5% ~ less than 7%                                                               2.7
  7% ~ less than 10%                                                              2.3
  10% or higher                                                                   1.0
Don't know / no response                                                          -

· Information Investment: Cost of purchasing, maintaining and repairing hardware, software and network for internal information system establishment
· Information Security Investment: As a part of information expenses, the cost of purchasing, maintaining and repairing firewall, intrusion detection system, intrusion prevention system, virus vaccine and security services


About 8 in 10 (77.7%) of the businesses that made information security investments over the course of 2009 (with 5 or more employees and one or more network-connected computers) reported no change in their information security investment amounts. 19.9% responded that their information security investment had increased from 2008, higher than the 2.4% responding that it had decreased from 2008.

<Fig. 2-28> Information Security Investment Fluctuations (Unit: %)

Investment Scale Fluctuation   Percentage
50% or more                    0.6
40 ~ 50%                       0.2
30 ~ 40%                       0.6
20 ~ 30%                       1.3
10 ~ 20%                       4.2
~ 10%                          13.0
~ -10%                         1.4
-10 ~ -20%                     0.4
-20 ~ -30%                     0.2
-30 ~ -40%                     0.1
-40 ~ -50%                     0.1
-50% or less                   0.2

Increase   No Change   Decrease
19.9       77.7        2.4


III. Information Security Measures

1. Status of Information Security System and Service Introduction

A. Information Security System Introduction

Of businesses with 5 or more employees and one or more network-connected computers as of December 2009, the highest percentage, 81.7%, were currently using 'virus vaccine' among 'anti-virus' products, followed by 49.7% using 'PC firewall' among 'intrusion prevention system' products.

<Fig. 3-2> Information Security Products Use: All Businesses (Unit: %)

Name                                             Percentage
Virus Vaccine                                    81.7
PC Firewall                                      49.7
Network (System) Firewall                        29.1
Anti Spyware                                     29.1
Anti-SPAM S/W                                    22.1
Anti Phishing                                    18.0
PC Security (Information Leakage Prevention)     15.2
Unified Threat Management (UTM)                  12.3
Intrusion Prevention System (IPS)                11.4
Secure OS                                        9.6
Security Smart Card                              9.3
Security USB                                     8.9
Enterprise Security Management (ESM)             8.3
One Time Password (OTP)                          7.2
Intrusion Detection System (IDS)                 6.5
Virtual Private Network (VPN)                    5.9
Log Management/Analysis Tool                     5.7
Patch Management System (PMS)                    5.3
Resources Management System (RMS)                4.4
Threat Management System (TMS)                   3.7
Extranet Access Management (EAM)                 2.8
Biometrics                                       2.7
H/W Token (HSM)                                  2.6
Integrated Account Management (IM/IAM)           2.3
Vulnerability Analysis Tool                      2.1
Digital Rights Management (DRM)                  2.1
Public Key Infrastructure (PKI)                  2.0
Single Sign On (SSO)                             1.6


Of businesses that have servers (with 5 or more employees and one or more network-connected computers) as of December 2009, the highest percentage, 76.0%, were currently using 'web firewall' among 'intrusion prevention system' products. In addition, 30.1% were using 'DDoS blocking system' among 'intrusion prevention system' products and 28.6% were using 'DB security' among 'DB/contents security' products.

<Fig. 3-3> Information Security Products Use: Businesses with Servers (Unit: %)

Name                                   Ratio
Web Firewall                           76.0
DDoS Blocking System                   30.1
DB Security                            28.6
Wireless LAN Authentication (WLAS)     22.8
DB Encryption                          22.5
Network Access Control (NAC)           20.2

· Multiple responses per product in use

B. Information Security Operation Outsourcing Status

Of businesses with 5 or more employees and one or more network-connected computers as of December 2009, 9.6%, an increase of 0.2%p from 2008, were outsourcing information security operation to outside companies.

<Fig. 3-5> Information Security Operation Outsourcing Status (Unit: %)

                                                                2008   2009
Organization specializing in information security operation     9.4    9.6


2. New Service Introduction and Security Measures

A. SNS Utilization and Security Measures

Businesses with 5 or more employees and one or more network-connected computers as of December 2009 were questioned on their use of social network services (SNS). The results indicated that 9.0% were utilizing SNS (corporate SNS implemented and used for internal communication: 6.0%; company's official SNS account operated and used for marketing: 3.0%). On the other hand, the highest percentage, 64.7%, responded that 'SNS is not necessary due to the characteristics of the work'. The percentages of businesses 'not utilizing SNS' (25.0%) and 'blocking SNS access through the internal network' (3.3%) were also found to be high.

<Fig. 3-8> SNS Utilization (Unit: %)

SNS Utilization                                                        2009
SNS not necessary due to characteristics of work                       64.7
Not utilizing SNS                                                      25.0
Corporate SNS implemented and used in internal communication           6.0
Blocking SNS access through internal network                           3.3
Operating the company's official SNS account and utilizing it in
  marketing, etc.                                                      3.0

· Social Network Service (SNS): Service that assists in the formation of human networks among people who share the same interests through online channels (Cyworld, Twitter, Facebook)
· Multiple responses per type of SNS utilization


Of businesses with 5 or more employees and one or more network-connected computers as of December 2009, 6.5% had established a security policy and guidelines for SNS utilization by internal employees.

<Fig. 3-9> Establishment of Security Policy and Guidelines for SNS Utilization (Unit: %)

Establishment of Security Policy and Guidelines for SNS Utilization   2009
Established                                                           6.5
Not established                                                       93.5

B. Wireless LAN Utilization and Security Measures

Of businesses with 5 or more employees and one or more network-connected computers as of December 2009, 22.8% had implemented an environment for wireless LAN use. In addition, 2.5% of businesses banned wireless Internet use as a matter of policy.

<Fig. 3-10> Wireless LAN Environment Implementation (Unit: %)

Wireless LAN Environment Implementation              2009
Implemented                                          22.8
Not implemented                                      74.7
Wireless Internet use banned as a matter of policy   2.5

· Wireless LAN (WLAN): Environment for wireless Internet use in which the Internet is accessed through installed wireless connection devices, such as wireless routers


Of businesses that had implemented environments for wireless LAN use (with 5 or more employees and one or more network-connected computers) as of December 2009, 46.6% had established and were operating a security policy for wireless LAN use.

<Fig. 3-13> Establishment and Operation of Wireless LAN Security Policy (Unit: %)

Establishment and Operation of Wireless LAN Security Policy   2009
Wireless LAN security policy established                      46.6
Wireless LAN security policy not established                  53.4

C. Cloud Computing Service Utilization and Security Measures

Of businesses with 5 or more employees and one or more network-connected computers as of December 2009, 4.3% were using cloud computing services and 3.8% were planning to use them within 1 ~ 2 years.

<Fig. 3-17> Cloud Computing Service Utilization (Unit: %)

Cloud Computing Service Utilization                  2009
Currently using the service                          4.3
Planning to use the service in 1 ~ 2 years           3.8
Using the company's own cloud computing service      1.0
No intention of use                                  90.9

· Cloud Computing Service: A service that allows a user to use the IT resources of hardware and software as much as and when necessary, paying only for the amount of service used. Users connect to a centralized computer using Internet-accessing devices and are provided with the required IT resources. Previously used services, such as web mail, blog, web hard and web hosting services provided by web portals, are excluded.


Of businesses using or planning to use cloud computing services as of December 2009, 41.9% had established security measures for cloud computing service use.

<Fig. 3-18> Establishment of Cloud Computing Service Security Measures (Unit: %)

Establishment of Cloud Computing Service Security Measures      2009
Cloud computing service security measures established           41.9
Cloud computing service security measures not established       58.1

D. Mobile Office Implementation, Operation and Security Measures

Of businesses with 5 or more employees and one or more network-connected computers as of December 2009, 5.3% responded that they had implemented and were operating a mobile office. 4.7% responded that they planned to implement a mobile office system within 1 ~ 2 years.

<Fig. 3-20> Mobile Office Implementation and Operation (Unit: %)

Mobile Office Implementation and Operation                          2009
Mobile office implemented and operated                              5.3
Planning to implement and operate mobile office in 1 ~ 2 years      4.7
Not implemented                                                     90.0

· Mobile Office: An office on the move where work can be processed in real time both inside and outside of an office space by using a variety of IT devices, such as laptop computers and smartphones


Of businesses that have implemented and are operating a mobile office, or that plan to implement one in the future (with 5 or more employees and one or more network-connected computers), 40.3% have established appropriate security measures for the introduction of the mobile office system.

<Fig. 3-23> Establishment of Mobile Office Security Measures (Unit: %)

Establishment of Mobile Office Security Measures     2009
Mobile office security measures established          40.3
Mobile office security measures not established      59.7

3. Security Management

A. Periodic Security Check Implementation

Of businesses with 5 or more employees and one or more network-connected computers as of December 2009, 49.3%, an increase of 10.9%p from 2008, were administering security checks on a regular basis.

<Fig. 3-25> Periodic Security Check Implementation (Unit: %)

                                            2008   2009
Periodic security check implementation      38.4   49.3


B. Internal Information System User Authentication Method

Businesses with 5 or more employees and one or more network-connected computers as of December 2009 were questioned on the user authentication techniques used for their internal information systems. The results indicated that a majority of businesses were using 'user ID/password' (73.4%). On the other hand, as many as 15.1% of businesses responded that they were using 'none' of the internal information system user authentication techniques.

<Fig. 3-32> Internal Information System User Authentication Method (Unit: %)

Authentication Method                                 Percentage
User ID/password                                      73.4
Software token (public key certificate, etc.)         11.4
OTP (one time password)                               9.1
Biometrics                                            2.2
Hardware token (HSM, hardware security module)        2.1
Others                                                0.5
None                                                  15.1

· Multiple responses per information system user authentication method


C. Security Patch Application Method

Of businesses with 5 or more employees and one or more network-connected computers as of December 2009, the highest percentage, 40.6%, responded that they were 'maintaining the latest state of security patches on client PCs at all times by automatic update setup'.

<Fig. 3-28> Security Patch Application Method: Client PC (Unit: %)

Application Method                                                   Percentage
Maintaining the latest state at all times by automatic update setup  40.6
Manual update by periodically obtaining patch information            8.1
Update only when problems occur                                      12.2
Patch almost or absolutely not updated                               38.5
No security patch applied                                            0.6

Of businesses possessing both PCs and servers (with 5 or more employees and one or more network-connected computers) as of December 2009, a relatively high percentage, 29.1%, responded that they were 'maintaining the latest state of security patches on the externally disclosed network server (e-mail server, web server) at all times by automatic update setup'.

<Fig. 3-29> Security Patch Application Method: Externally Disclosed Network Server (Unit: %)

Application Method                                                   Percentage
Maintaining the latest state at all times by automatic update setup  29.1
Manual update by periodically obtaining patch information            10.6
Update only when problems occur                                      13.2
Patch almost or absolutely not updated                               20.2
N/A (externally disclosed network server not in possession)          26.9


Of businesses operating both PCs and servers (with 5 or more employees and one or more network-connected computers) as of December 2009, the highest percentage, 34.3%, responded that they were 'maintaining the latest state of security patches on the internally used local server (file server, print server) at all times by automatic update setup'.

<Fig. 3-30> Security Patch Application Method: Internally Used Local Server (Unit: %)

Application Method                                                   Percentage
Maintaining the latest state at all times by automatic update setup  34.3
Manual update by periodically obtaining patch information            10.8
Update only when problems occur                                      15.4
Patch almost or absolutely not updated                               18.3
N/A (local server not in possession)                                 21.2

Of businesses with 5 or more employees and one or more network-connected computers as of December 2009, the highest percentage, 40.4%, responded that they were 'maintaining the latest state of security patches on information security systems (firewall, IPS) at all times by automatic update setup'.

<Fig. 3-31> Security Patch Application Method: Information Security System (Unit: %)

Application Method                                                   Percentage
Maintaining the latest state at all times by automatic update setup  40.4
Manual update by periodically obtaining patch information            6.8
Update only when problems occur                                      12.0
Patch almost or absolutely not updated                               12.7
N/A (information security product/system not in possession)          28.1


IV. Personal Information Security Measures

1. Personal Information Security Policy

A. Status of Disclosure per Personal Information Handling Policy

Businesses that collect, and therefore utilize or provide, users' personal information online (with 5 or more employees and one or more network-connected computers) as of December 2009 were questioned about the items of their personal information handling policy disclosed to users. The results indicated that the highest percentage, 67.7%, disclosed the 'purpose of personal information collection and utilization, items of personal information collected and the collection method'. This was followed by 'names of the persons to which personal information is provided in case of provision to a third party, the purpose of utilization by those persons, and the items of personal information provided to a third party' (45.0%), 'name, telephone number and contact information of the CPO or personal information handling division' (39.3%) and 'period of personal information possession and utilization, and the procedures and method of personal information destruction' (37.6%).

<Fig. 4-1> Status of Disclosure per Personal Information Handling Policy (Unit: %)

Handling Policy                                                                Percentage of Disclosure
Purpose of personal information collection and utilization, items of
  personal information collected, collection method                            67.7
For provision of personal information to a third party, names of the
  persons to which personal information is provided, purpose of
  utilization by those persons, items of personal information provided
  to a third party                                                             45.0
Name, telephone number and contact information of CPO or personal
  information handling division                                                39.3
Period of personal information possession and utilization, procedures
  and method of personal information destruction                               37.6
Contents of personal information handling consignment and the consignee        29.9
Details relating to installation and operation of automatic personal
  information collection devices and refusal of their installation and
  operation                                                                    27.3
Rights of users and their legal representatives and the method of
  exercising those rights                                                      25.7

· Multiple responses per personal information handling policy


B. Securing of Users' Consents to Personal Information Collection, Utilization and Provision

Businesses collecting users' personal information online (with 5 or more employees and one or more network-connected computers) as of December 2009 were found to disclose and obtain users' consent mainly to the 'items of personal information collected' (71.7%) and the 'purpose of personal information collection and utilization' (60.3%) when intending to collect, and therefore to utilize and provide, users' personal information online. In addition, 37.8% of businesses disclosed and obtained users' consent to the 'period of personal information possession and utilization'.

<Fig. 4-2> Securing of Users' Consents to Collection, Utilization and Provision of Personal Information (Unit: %)

Item                                                        Percentage
Items of personal information collected                     71.7
Purpose of collecting and utilizing personal information    60.3
Period of personal information possession and utilization   37.8

· Multiple responses per personal information disclosure/consent


C. Provision to a Third Party/ Consignment of Handling of the Personal Information Collected

Of businesses collecting personal information of users online (with an employee count of 5 or more and one or more network-connected computers) as of December 2009, 7.2% were found to provide the personal information of users to a third party or to consign handling of the personal information.

<Fig. 4-3> Provision to a Third Party/ Consignment of Handling of the Personal Information Collected (Unit: %)

Item  2009  2010
Provision to a third party/ consignment of handling of the personal information collected  7.3  7.2

D. Types of Personal Information Provision to a Third Party/ Personal Information Handling Consignment

As a result of investigating the types of personal information provision by businesses providing personal information to a third party or consigning the handling to other businesses, it was found that 67.0% of the businesses 'provided personal information collected to a third party for the purpose of affiliate marketing and tele-marketing' and 37.6% of the businesses 'consigned handling of the personal information collected'.

<Fig. 4-4> Types of Personal Information Provision to a Third Party/ Personal Information Handling Consignment (Unit: %)

Type  2008  2009
Personal information provided to a third party for the purpose of affiliate marketing and tele-marketing  57.1  67.0
Consignment of personal information handling  54.4  37.6

· Multiple responses per type


E. Notice and Consent Securing at the Time of Personal Information Provision to a Third Party

Of businesses collecting and therefore utilizing or providing personal information (with an employee count of 5 or more and one or more network-connected computers), most businesses providing personal information to a third party (94.9%) were found, when providing the users' personal information collected to a third party, to notify the personal information providers of the 'persons to which personal information is provided/ purpose of using personal information of the persons to which personal information is provided/ personal information items provided/ period of personal information possession and utilization by the persons to which personal information is provided' and to obtain their consent.

F. Notice and Consent Securing at the Time of Consignment for Personal Information Handling

It was found that most businesses consigning handling of personal information collected through websites (94.0%) notified the 'details of work consigned for handling' to the 'consignees of personal information handling' and obtained consents from personal information providers.

<Fig. 4-5> Notice and Consent Securing at the Time of Personal Information Provision to a Third Party (Unit: %)

Item  2008  2009
Notice and consent securing at the time of personal information provision to a third party  93.8  94.9
Notice and consent securing at the time of consignment for personal information handling  76.3  94.0


G. Availability of Guidelines on the Procedures and Methods of Personal Information Destruction

As of 2009, of the businesses collecting users' personal information online (with an employee count of 5 or more and one or more network-connected computers), the percentage of businesses that had established guidelines on the procedures and methods of personal information destruction (upon membership cancellation (withdrawal of consent to the utilization and provision of personal information), a request by the information holder to delete or destroy personal information, fulfillment of the objectives of personal information collection, expiry of the term of information possession and utilization consented to at the time of collection, business closing, etc.) was found to be 71.8%.

<Fig. 4-7> Availability of Guidelines on the Procedures and Methods of Personal Information Destruction (Unit: %)

Item  Not Available  Available
Guidelines on the procedures and methods of personal information destruction  28.2  71.8


H. Measures to Prevent Personal Information Security Incidents and Follow-up Measures

Businesses collecting personal information through websites as of December 2009 (with an employee count of 5 or more and one or more network-connected computers) were questioned on their policies for prevention of users'/ customers' personal information security incidents and follow-up measures, and 38.4%, the highest percentage, responded that 'manuals for prevention of personal information security incidents have been established'.

<Fig. 4-8> Measures to Prevent Personal Information Security Incidents and Follow-up Measures (Unit: %)

Type  Percentage
Establishing manuals for prevention of personal information security incidents  38.4
Establishing policy for personal information security incident follow-up measures  32.4
Personal information backup  32.0
Establishing internal handling and reporting system upon occurrence of incidents  22.9
Establishing procedures to check damages caused by and to collect evidence for personal information security incidents  21.4
Drawing up and managing a list of signs indicating the occurrence of personal information security incidents  21.2
Maintaining network of emergency contacts to utilize outside experts  12.9
Notifying occurrence of damages by personal information security incidents to the related organizations, such as Personal Information Dispute Mediation Committee and Privacy Violation Report Center  12.6
Special measures not implemented  23.0

· Multiple responses per incident prevention and follow-up measure


I. Management Status of Personal Information Printing/ Copy into Portable Storage Media

Businesses collecting users' personal information online (with an employee count of 5 or more and one or more network-connected computers) as of December 2009 were found to record 'time of printing · copying (36.1%)', 'serial numbers of printed · copied information (33.9%)' and 'positions and names of the persons who printed · copied information (28.2%)' when printing users' personal information or copying it into portable storage media, such as USB and compact disk.

<Fig. 4-9> Management Status of Personal Information Printing/ Copy into Portable Storage Media (Unit: %)

Item  Percentage
Time of printing or copying  36.1
Serial numbers of the printed or copied information  33.9
Positions and names of the persons who printed or copied information  28.2
Purpose of printing or copying  26.1
Format of printed or copied information  22.8
Time at which printed or copied information was destroyed  16.4
Persons to which the printed or copied information is to be transmitted  14.9
Persons in charge of destroying the printed or copied information  12.2

· Multiple responses per management status


2. Personal Information Processing System Management and Access Control

A. Personal Information Processing System Operation and Management Status

Of businesses collecting users' personal information online (with an employee count of 5 or more and one or more network-connected computers) as of December 2009, 44.3% were operating and managing a database system (personal information processing system) configured to systematically process the operations of personal information input, storage, editing, search, deletion and printing.

<Fig. 4-10> Personal Information Processing System Operation and Management Status (Unit: %)

Item  Not Operated/ Managed  Operated/ Managed
Personal information processing system operation and management status  55.7  44.3

· Personal Information Processing System: Database system configured for systematic processing of personal information


B. Technical Measures for Secure Processing of Personal Information

Of businesses operating a personal information processing system, 77.0%, the highest percentage, were 'encrypting personal information in storage' as a technical measure for secure processing of users' personal information. It was followed by 'application of keyboard hacking prevention solution (51.8%)', 'ID control and password security validation (48.0%)' and 'saving DB access log (44.5%)'.

<Fig. 4-11> Technical Measures for Secure Processing of Personal Information (Unit: %)

Type  Percentage
Encrypting personal information in storage  77.0
Applying keyboard hacking prevention solution  51.8
ID control and password security validation  48.0
Saving DB access log  44.5
Applying function to prevent exposure of personal information while being entered  39.1
Statistics on USB/ portable storage devices  28.2
Authentication with electronic signature  27.6
Personal information file control  26.3
Setting password in CD/ DVD or encrypting password  23.8
Laptop computer and PDA control  19.0
Applying function to prevent C/S application screen capture  15.2
Applying function to prevent web application screen capture  14.0


C. Personal Information Encryption Items within Personal Information Processing System

Of businesses operating and managing a personal information processing system, those encrypting users' personal information stored in the personal information processing system were questioned on the items of encryption. 57.3%, the highest percentage, responded that 'resident registration No.' was encrypted. It was followed by 'password (51.1%)', 'account No. (33.6%)' and 'credit card No. (29.0%)'.

<Fig. 4-12> Personal Information Encryption Items within Personal Information Processing System (Unit: %)

Item  Percentage
Resident registration No.  57.3
Password  51.1
Account No.  33.6
Credit card No.  29.0
Bio information  7.0


3. Security Server Implementation and i-PIN Service Introduction

A. Security Server Introduction

Businesses collecting users' personal information online (with an employee count of 5 or more and one or more network-connected computers) as of December 2009 were questioned on the introduction of a security server for personal information security. As a result, it was found that 44.9%, the highest percentage, had 'introduced security server to all websites to which personal information is entered'. It was followed by 'security server not introduced (34.4%)' and 'security server introduced to some of the websites to which personal information is entered (20.7%)'.

<Fig. 4-13> Security Server Introduction (Unit: %)

Item  2008  2009
Introduced to all websites to which personal information is entered  39.9  44.9
Introduced to some of the websites to which personal information is entered  16.6  20.7
Not introduced  41.5  34.4

· Security Server: A web server that, when personal information is entered into a website, encrypts the personal information sent from the user's PC into an unreadable format and transmits it securely to the website so that it is not exposed to others.


B. Security Server Implementation Method

Businesses that had introduced a security server to all or some websites (with an employee count of 5 or more and one or more network-connected computers) were questioned on the security server implementation method. As a result, it was found that 26.8%, the highest percentage, used 'SSL certificate (domestic)' followed by 'SSL certificate (foreign) (6.2%)' and 'application program (5.3%)'.

<Fig. 4-16> Security Server Implementation Method (Unit: %)

Type  Percentage
SSL certificate (domestic)  26.8
SSL certificate (foreign)  6.2
Application program  5.3
Don't know  65.6

· Multiple responses per implementation method

C. Plans to Introduce and Expand Security Server

Businesses that had partially introduced or not introduced a security server (with an employee count of 5 or more and one or more network-connected computers) were questioned on their plans to introduce a security server or to expand the introduction to all websites. As a result, it was found that 47.3%, the largest percentage, had 'plans to introduce/ expand security server'. It was followed by 'decision to be made considering cost (27.4%)' and 'have plans to introduce security server on a long-term basis (19.0%)'.

<Fig. 4-17> Plans to Introduce and Expand Security Server (Unit: %)

Item  Percentage
No plans to introduce/ expand security server  47.3
Plans to introduce/ expand security server on a long term basis  19.0
Plans to introduce/ expand security server within one year  4.0
To be decided considering cost  27.4
Others  2.3


D. Methods of User Identification in Websites

Businesses collecting users' personal information online (with an employee count of 5 or more and one or more network-connected computers) as of December 2009 were questioned on their methods of user identification, and it was found that the highest percentage used the method of 'identification with resident registration No. only (46.3%)'. It was followed by 'identification with both resident registration No. and alternatives to resident registration No. (30.6%)' and 'identification with alternative means other than resident registration No. (i-PIN, public key certificate) (22.7%)'.

<Fig. 4-18> Methods of User Identification in Websites (Unit: %)

Type  Percentage
Identification with resident registration No. only  46.3
Identification with both resident registration No. and alternatives to resident registration No.  30.6
Identification with alternative means other than resident registration No. (i-PIN, public key certificate)  22.7
Identification methods not used  0.4

E. Status of Using Resident Registration No. Alternatives on the Internet

Businesses using alternatives to resident registration No. for user identification in websites (with an employee count of 5 or more and one or more network-connected computers) were questioned on the status of using resident registration No. alternatives on the Internet. As a result, it was found that 51.2%, the highest percentage, were using 'public key certificate' followed by 'others (mobile phone No., credit card No., account No.) (49.1%)' and 'i-PIN (20.4%)'.

<Fig. 4-21> Status of Using Resident Registration No. Alternatives on the Internet (Unit: %)

Type  Percentage
Public key certificate  51.2
Others (mobile phone No., credit card No., account No.)  49.1
i-PIN  20.4

· Multiple responses per resident registration No. alternative


F. i-PIN Service Awareness

Of businesses using resident registration No. only for user identification on the Internet (with an employee count of 5 or more and one or more network-connected computers), 47.1% were aware of the i-PIN (Internet personal identification number) service, an alternative to resident registration No. to be used on the Internet.

<Fig. 4-22> i-PIN Service Awareness (Unit: %)

Item  Not Aware  Aware
i-PIN service awareness  52.9  47.1

G. Intention to Use i-PIN Service in the Future

Of businesses using resident registration No. only for user identification on the Internet (with an employee count of 5 or more and one or more network-connected computers), 30.1% responded that they had an 'intention to use' services (i-PIN service) to securely replace resident registration No. in the future. 47.5% responded that they would 'make a decision considering cost'.

<Fig. 4-23> Intention to Use i-PIN Service in the Future (Unit: %)

Item  Percentage
Intention to use service  30.1
To be decided considering cost  47.5
No intention to use service  22.4


V. Incident Handling and SPAM Control

1. Incident Handling

A. Activities for Information Security Incident Handling

Businesses possessing both PCs and servers (with an employee count of 5 or more and one or more network-connected computers) as of December 2009 were questioned on the activities performed for information security incident handling. The results showed that a large number of businesses had 'established incident handling plans (16.7%)' and 'implemented a network of emergency contacts for handling upon occurrence or detecting signs of occurrence of incidents (15.2%)'.

<Fig. 5-1> Activities for Information Security Incident Handling (Unit: %)

Item  Percentage
Established incident handling plans  16.7
Implemented a network of emergency contacts for handling upon occurrence or detecting signs of occurrence of incidents  15.2
Commissioned incident handling to outside specializing agency  10.9
Organized incident recovery team  10.2
CERT (computer emergency response team)  10.0
Others  1.1
No special activities performed  43.9

· Multiple responses per information security incident handling activity


B. Currently Implemented Information Security Assessment Measures

As a result of questioning businesses engaged in activities to handle information security incidents on their information security assessment measures, it was found that 59.8%, the highest percentage, were conducting 'security audit by internal staff' followed by 'security audit by external agencies (28.2%)', 'automation tools (21.2%)', 'web monitoring (21.0%)' and 'e-mail monitoring (18.0%)'.

<Fig. 5-2> Currently Implemented Information Security Assessment Measures (Unit: %)

Type  Percentage
Security audit by internal staff  59.8
Security audit by external agencies  28.2
Automation tools  21.2
Web monitoring  21.0
E-mail monitoring  18.0
Penetration test by internal staff (hacking simulation, etc.)  15.2
Penetration test by external agencies (hacking simulation, etc.)  10.3
Others  0.3
No special activities performed  9.7

· Multiple responses per information security assessment measure


C. Outside Cooperation Channels for Incident Handling/ Problem Solving

Businesses with an employee count of 5 or more and one or more network-connected computers as of December 2012 were questioned on the outside cooperation channels most frequently contacted for information sharing and problem solving in relation to the occurrence of incidents. As a result, it was found that 14.2%, the highest percentage, contacted 'internal system development companies' followed by 'security companies (Ahn Lab, Hauri) (12.6%)' and 'ISP companies (KT, SK Broadband, LG U+) (10.6%)' (based on the first choice).

On the other hand, 7 out of 10 businesses responded that they had 'none' of the outside cooperation channels for problem solving and information sharing at incident occurrence (74.7%).

<Fig. 5-3> Outside Cooperation Channels for Incident Handling/ Problem Solving (Unit: %)

Type  First Choice  First Choice + Second Choice
Internal system development companies  10.7  14.2
Security companies (Ahn Lab, Hauri)  6.6  12.6
ISP companies (KT, SK Broadband, LG U+)  5.7  10.6
Incident response teams known (CERT)  4.6  7.1
Korea Internet Security Agency (KISA)  4.1  5.7
Others  1.6  2.0
None  66.7  74.7

· Multiple responses on two items in the order of importance


D. Insurance for Cyber Security Incidents

Of businesses with an employee count of 5 or more and one or more network-connected computers as of December 2009, 3.6% had insurance in preparation for cyber security incidents.

<Fig. 5-4> Insurance for Cyber Security Incidents (Unit: %)

Item  No Insurance  Insurance
Insurance for cyber security incidents  96.4  3.6

E. Reporting Cyber Security Incidents

Of businesses with an employee count of 5 or more and one or more network-connected computers as of December 2009, 16.0% responded that they 'reported' (report incidents always + usually report incidents) cyber security incidents to the related agencies.

<Fig. 5-5> Reporting Cyber Security Incidents (Unit: %)

Item  Percentage
Don't report incidents at all  63.8
Don't always report incidents  16.9
Usually report incidents  10.9
Report incidents always  5.1
No incidents so far  3.3


F. Reasons for Not Reporting Cyber Security Incidents

Businesses not reporting cyber security incidents to the related agencies (don't report incidents at all + don't always report incidents) were questioned on their reasons for not reporting incidents, and the responses were, in order, 'because it is better to resolve it independently (69.8%)' and 'because of not knowing the related agencies (11.7%)'.

<Fig. 5-6> Reasons for Not Reporting Cyber Security Incidents (Unit: %)

Item  Percentage
Because it is better to resolve it independently  69.8
Because of not knowing the related agencies  11.7
Because of the reflective interests to competing companies (or your organization)  1.5
Because of damage to stock price or company image (of your organization)  1.0
Others  15.4
None  0.6


G. Establishment and Implementation of Emergency Recovery Plans

Of businesses with an employee count of 5 or more and one or more network-connected computers as of December 2009, 10.3% 'have established and are implementing emergency recovery plans for disasters and incidents'. 3.5% responded that they 'have established and are implementing emergency recovery plans for disasters'. The percentage of businesses responding that they 'have established and are implementing emergency recovery plans for incidents' was also 3.5%. About 8 out of 10 businesses responded that they had 'no emergency recovery plans for disasters and incidents' (82.7%).

<Fig. 5-7> Establishment and Implementation of Emergency Recovery Plans (Unit: %)

Item  Percentage
Have established and are implementing emergency recovery plans for disasters and incidents  10.3
Have established and are implementing emergency recovery plans for disasters  3.5
Have established and are implementing emergency recovery plans for incidents  3.5
No emergency recovery plans for disasters and incidents  82.7


2. SPAM Control

A. E-mail Server Implementation and Operation

Of businesses with an employee count of 5 or more and one or more network-connected computers as of December 2009, it was found that 21.1% had implemented and were operating e-mail servers.

<Fig. 5-8> E-mail Server Implementation and Operation (Unit: %)

Item  Not Implemented/ Not Operated  Implemented and Operated
E-mail server implementation and operation  78.9  21.1

B. Methods for Secure E-mail Transmission and Reception

Businesses that had implemented and were operating e-mail servers were questioned on the methods they were using for secure e-mail transmission and reception. The results showed that the most frequently used method was 'SPAM filtering or blocking (45.8%)'. It was followed by 'blocking or quarantining e-mail attachments (42.7%)' and 'virus scanning in Internet gateway (33.2%)'.

<Fig. 5-9> Methods for Secure E-mail Transmission and Reception (Unit: %)

Type  Percentage
Filtering or blocking SPAM  45.8
Blocking or quarantining e-mail attachments  42.7
Virus scanning in Internet gateway  33.2
Restricting employees' e-mail use  25.5
Policy on appropriate amount of use  24.8
No security control measures  16.5

· Multiple responses per e-mail transmission and reception method


C. E-mail SPAM Control Measures

Businesses that were filtering or blocking SPAM for secure e-mail transmission and reception were questioned on the SPAM control measures used. The highest percentage of businesses were 'installing and using commercial anti-SPAM solution (63.9%)' followed by 'setting user authentication function (SMTP-AUTH) (23.0%)', 'applying real-time SPAM blocking list (RBL) provided by KISA (15.7%)' and 'applying e-mail sender authentication technique (SPF, DKIM) (14.5%)'.

<Fig. 5-10> E-mail SPAM Control Measures (Unit: %)

Type  Percentage
Installing and using commercial anti-SPAM solution  63.8
Setting user authentication function (SMTP-AUTH)  23.0
Applying real-time SPAM blocking list (RBL) provided by KISA  15.7
Applying e-mail sender authentication technique (SPF, DKIM)  14.5
Participating in KISA's white domain registration program  10.0

· Multiple responses per SPAM control measure

D. Web Board Service Operation

Businesses that had implemented websites or were utilizing SNS in marketing (with an employee count of 5 or more and one or more network-connected computers) as of December 2009 were questioned on the status of web board service operation. The results showed that 30.1% were operating a web board service and 69.9% were not.

<Fig. 5-11> Web Board Service Operation (Unit: %)

Item  Not Operated  Operated
Web board service operation  69.9  30.1


E. SPAM in Web Board

Of businesses operating a public web board service that were questioned on the status of SPAM posting in the web board, 48.0%, the highest percentage, responded that 'SPAM is not posted'. It was followed by the response that SPAM accounts for '30% or less of all postings' (41.4%), '30 ~ 60% of all postings (6.4%)', '60 ~ 90% of all postings (2.8%)' and '90% or more of all postings (1.4%)'.

<Fig. 5-12> SPAM in Web Board (Unit: %)

Item  Percentage
30% or less of all postings  41.4
30~60% of all postings  6.4
60~90% of all postings  2.8
90% or more of all postings  1.4
No SPAM posted in web board  48.0


F. Web Board SPAM Handling

Businesses subject to SPAM posting in their public web boards were questioned on their anti-SPAM measures. As a result, 43.1%, the highest percentage, responded that they were 'utilizing monitoring staff'. It was followed by 'filtering SPAM through system (technical blocking) (32.7%)', 'notifying legal measures for SPAM posting in the web board (18.8%)' and 'using commercial anti-SPAM solution (16.0%)'.

<Fig. 5-13> Web Board SPAM Handling (Unit: %)

Type  Percentage
Using monitoring staff  43.1
Filtering SPAM through system (technical blocking)  32.7
Notifying legal measures for SPAM posting in the web board  18.8
Using commercial anti-SPAM solution  16.0
Taking legal actions (reporting to illegal SPAM report center)  10.8
Others  6.6
Not taking measures  15.3

· Multiple responses per handling measure


VI. Incident Damages

1. Damage Status

A. Experiences of Damage by Information Security Incidents and Frequency of Damage

① Attack by Computer Virus, Worm and Trojan

Over the course of one year in 2009, 9.8% of businesses (with an employee count of 5 or more and one or more network-connected computers) experienced substantial losses or cost-incurring damages due to computer virus, worm and Trojan attack (Once: 2.8%, Two ~ Three Times: 4.1%, Four ~ Five Times: 1.8%, Six ~ Nine Times: 0.4%, Ten Times or More: 0.7%). On average, the businesses experienced damage 0.3 times.

<Fig. 6-1> Attack by Computer Virus, Worm and Trojan (Unit: %)

Count  0  Once  2~3 times  4~5 times  6~9 times  10 times or more
Percentage  90.2  2.8  4.1  1.8  0.4  0.7

Mean: 0.3 times  Damage Experience Rate: 9.8%

· Information Security Incident: Attack on computer or network that damages confidentiality, integrity or availability of network data or system


② Unauthorized Access from Outside to Internal Data or Computer System (Hacking)

Over the course of one year in 2009, 2.8% of businesses (with an employee count of 5 or more and one or more network-connected computers) experienced substantial losses or cost-incurring damages due to hacking (Once: 1.4%, Two ~ Three Times: 0.9%, Four ~ Five Times: 0.3%, Six ~ Nine Times: 0.1%, Ten Times or More: 0.1%). On average, the businesses experienced damage 0.1 times.

<Fig. 6-2> Unauthorized Access from Outside to Internal Data or Computer System (Hacking) (Unit: %)

Count  0  Once  2~3 times  4~5 times  6~9 times  10 times or more
Percentage  97.2  1.4  0.9  0.3  0.1  0.1

Mean: 0.1 times  Damage Experience Rate: 2.8%

③ DoS (Denial of Service) Attack

Over the course of one year in 2009, 2.2% of businesses (with an employee count of 5 or more and one or more network-connected computers) experienced substantial losses or cost-incurring damages due to DoS attack (Once: 1.0%, Two ~ Three Times: 0.8%, Four ~ Five Times: 0.3%, Ten Times or More: 0.1%).

<Fig. 6-3> DoS (Denial of Service) Attack (Unit: %)

Count  0  Once  2~3 times  4~5 times  6~9 times  10 times or more
Percentage  97.8  1.0  0.8  0.3  0.0  0.1

Mean: 0.1 times  Damage Experience Rate: 2.2%


④ DDoS (Distributed Denial of Service) Attack

Over the course of one year in 2009, 2.6% of businesses (with an employee count of 5 or more and one or more network-connected computers) experienced substantial losses or cost-incurring damages due to DDoS attack (Once: 1.2%, Two ~ Three Times: 0.8%, Four ~ Five Times: 0.3%, Six ~ Nine Times: 0.1%, Ten Times or More: 0.1%).

<Fig. 6-4> DDoS (Distributed Denial of Service) Attack (Unit: %)

Count  0  Once  2~3 times  4~5 times  6~9 times  10 times or more
Percentage  97.4  1.2  0.8  0.3  0.1  0.2

Mean: 0.1 times  Damage Experience Rate: 2.6%

⑤ Adware/ Spyware Infection

Over the course of one year in 2009, 8.6% of businesses (with an employee count of 5 or more and one or more network-connected computers) experienced substantial losses or cost-incurring damages due to adware/ spyware infection (Once: 1.9%, Two ~ Three Times: 2.5%, Four ~ Five Times: 2.4%, Six ~ Nine Times: 0.6%, Ten Times or More: 1.2%).

<Fig. 6-5> Adware/ Spyware Infection (Unit: %)

Count  0  Once  2~3 times  4~5 times  6~9 times  10 times or more
Percentage  91.4  1.9  2.5  2.4  0.6  1.2

Mean: 0.3 times  Damage Experience Rate: 8.6%


B. Routes of Information Security Incident Damages

Businesses that had experienced damages of information security incidents over the

course of one year in 2009 were questioned on the routes of incident damages. 60.7%,

the highest percentage, responded 'infection by programs downloaded on the Internet'. It

was followed by 'infection through e-mails (31.0%)', 'infection after visiting specific

websites (22.6%)' and 'infection through storage media, such as CD and USB (21.1%)'.

<Fig. 6-6> Routes of Information Security Incident Damages (Unit: %)

Type                                                              Percentage
Infection by programs downloaded through the Internet             60.7
Infection through e-mails                                         31.0
Infection after visiting specific websites                        22.6
Infection through storage media, such as CD and USB               21.1
Infection by using shared folders and internal networks           18.6
Infection by forced virus infiltration (hacking) from outside     13.8

· Multiple responses allowed per infection route


C. Fluctuations in the Count of Information Security Incident Damages

Businesses that had experienced information security incident damages over the course

of one year in 2009 were questioned on the fluctuations in the count of information

security incident damages in comparison to 2008 and 35.0% responded that the count of

damages had increased from the previous year.

<Fig. 6-7> Fluctuations in the Count of Information Security Incident Damages (Unit: %)

Fluctuation vs. 2008   Percentage
50% or more            1.0
40 ~ 50%               1.4
30 ~ 40%               2.2
20 ~ 30%               4.0
10 ~ 20%               11.0
~ 10%                  15.4
~ -10%                 4.3
-10 ~ -20%             3.0
-20 ~ -30%             1.5
-30 ~ -40%             1.4
-40 ~ -50%             0.7
-50% or less           0.7

Summary   Increase   No Change   Decrease
          35.0       53.4        11.6


D. Fluctuations in the Amount of Information Security Incident Damages

Businesses that had experienced information security incident damages over the course

of one year in 2009 were questioned on the fluctuations in the amount of information

security incident damages in comparison to 2008 and 26.2% responded that the amount

of damages had increased from the previous year.

<Fig. 6-8> Fluctuations in the Amount of Information Security Incident Damages (Unit: %)

Fluctuation vs. 2008   Percentage
50% or more            0.8
40 ~ 50%               0.8
30 ~ 40%               0.1
20 ~ 30%               3.5
10 ~ 20%               8.4
~ 10%                  12.6
~ -10%                 5.8
-10 ~ -20%             1.8
-20 ~ -30%             0.9
-30 ~ -40%             0.6
-40 ~ -50%             0.3
-50% or less           0.4

Summary   Increase   No Change   Decrease
          26.2       64.0        9.8


E. Frequency of Information Security Incident Damages per Target: Businesses Not

Collecting Personal Information

Taking the overall frequency of information security incident damages as 100%, among businesses not collecting personal information through websites that had experienced information security incident damages over the course of one year in 2009, 'network delay' accounted for the highest share (58.7%). It was followed by 'data damages (20.2%)' and 'hardware damages (equipment such as PCs and servers) (18.6%)'.

<Fig. 6-9> Frequency of Information Security Incident Damages per Target (Unit: %)

Type                                                     Percentage
Network delay                                            58.7
Data damages                                             20.2
Hardware damages (equipment such as PCs and servers)     18.6
Others                                                   2.5

F. Frequency of Information Security Incident Damages per Target: Businesses

Collecting Personal Information

Taking the overall frequency of information security incident damages as 100%, among businesses collecting personal information through websites that had experienced information security incident damages over the course of one year in 2009, 'network delay' accounted for the highest share (45.0%). It was followed by 'data damages (24.0%)' and 'hardware damages (equipment such as PCs and servers) (20.7%)'.

<Fig. 6-10> Frequency of Information Security Incident Damages per Target (Unit: %)

Type                                                     Percentage
Network delay                                            45.0
Data damages                                             24.0
Hardware damages (equipment such as PCs and servers)     20.7
Personal information leakage / exposure                  8.8
Others                                                   1.5