The rating model of corporate information for economic security activities
Industrial technology outflow incidents negatively affect corporations, the industry, and countries. Yet, corporate information security is weak, and there is low awareness of the issue’s seriousness. This study developed a rating model that can distinguish “importance” based on an objective standard. Fourteen components that can evaluate the importance of corporate information were derived from the related literature and verified for validity and reliability using factor analysis to organize final rating factors, such as Cost of Information Creation, Level of Information, Information Utilization, Effect of Internal Utilization, and Risk of External Leakage. A secondary survey targeted field experts to set the relative weights between five rating factors and give the relative weights for Effect of Internal Utilization Risk of External Leakage. A corporate information classification system was then designed to grades importance using the five factors. A final rating model of corporate information is suggested by defining security activity by level, granted by grade. This model is designed for corporate use and is expected to benefit economic security activity.
KeywordsIndustrial technology outflows Corporate information Rating model Economic usefulness Economical security activity
There has been an increase in the occurrence of industrial technology outflow incidents. Corporations that have been victims of technology leakages have suffered severe quantitative and qualitative damage (MOTIE 2015). South Korea alone witnesses over 100 outflow incidents of industrial technology occuring per year. Eighty-six percent of these incidents occur in small and medium-sized enterprises (SMEs). The rate of incidents has also increased since 2003—in fact, from 2013 to 2018, authorities registered 637 cases (NISC 2018). Notably, outflow incidents occur more frequently in SMEs with relatively weak security than in major businesses (Park 2016).
Industrial technology has many definitions; it involves technical information that is needed for development, production, supply, and use of products or services based on Korean law. An industrial technology outflow incident is generally an act of illegally disclosing an industrial technology to external parties (MTIE 2017). In this study, industrial technology is to be limited as an information being produced within a corporation, and consider it as critical information (henceforth “Corporate Information”).
Outflow incidents of corporate information negatively affect corporations, causing direct damage to the corporation, its employees, related industries, and to the country (Jo 2010; KAITS 2015a, b). Hwang and Lee (2016) notes that an outflow incidents of corporate information lowers most employees’ affinity toward the organization within the corporation, while Jeong (2009) states that it is directly connected to national competitiveness, leading to a negative effect on national security. An outflow incident of major information of a primary industry can not only weaken the competitiveness of related industries, but also destroy the business environment itself (Hyung 2005). Despite the severity of industrial technology, the security level of corporations (especially SMEs) is still low, and so is the awareness of this issue (Sungkyunkwan University Cooperation 2016; Lee and Kim 2015). Corporate information is produced continuously; if it is judged to have some value, it must be protected by security technologies (solutions) or security activity (KAITS 2013). However, increasing of security investment which includes increasing of security countermeasures, size of the security department etc. has become a burden for corporations (Kim et al. 2013). Eventually, the fundamental cause of weak security is that the security investment target is rapidly increasing due to the large amount of corporate information.
The fourth industrial revolution has led to a rapid increase in digital data (Tien 2013). After they are processed, data gain value as information, which propels the growth of corporate information (McAfee et al. 2012). Corporations that are unable to proactively catch up with these changes and manage corporate information with consistency and reliability will increase their consumption of human and physical resources, among others (Ko et al. 2014).
The increase of information also includes unimportant information. Thus, economic and effective return on investment requires efficient security activities to be conducted after autonomously distinguishing the importance of information within the corporation and only focusing on important information (Soonchunhyang University Cooperation 2010; Gordon and Loeb 2002; Moore et al. 2010).
Corporate information management: status quo
The purpose of grading corporate information is to differentiate security activities according to the importance of corporation information after it is evaluated (Jouini et al. 2014; KISA 2009). Most corporations currently use the confidentiality, integrity, and availability (CIA) triad as a standard when evaluating the importance of corporate information (Kang and Kim 2014; MSIT 2013). Confidentiality refers to keeping an information secret; integrity, to keeping information invariable; and availability, to immediately using information irrespective of geographic or time constraints (Von Solms and Van Niekerk 2013). However, a contradiction rises when using confidentiality for evaluating the importance of corporate information because various standards (e.g., integrity or availability) for rating also have identical meanings for judging the degree of confidentiality. In other words, judging the degree of confidentiality can be interpreted as judging the grade of corporate information. Furthermore, evaluating the importance of corporate information only by the CIA triad can be limiting as it does not further consider task status of corporation or business process, and so on (Parker 2012). Thus, in this study, establishing a rating model of corporate information by not only CIA triad, but also by deriving a new standard through analyzing a relevant previous studies is desired to be designed, so that corporate information can be accessible from various perspectives.
Most corporate information can be protected selectively based on the business environment and corporation strategy (Suzuki 2015). A typical protection method can be sorted into two forms: formal and informal appropriation (Zobel et al. 2017). Here, appropriation is an act of using something without permission; in other words, it is a concept of ownership (Strang and Busse 2011). The best example of formal appropriation is a patent. For patents, a corporation allows public access to their own important information and instead, they are empowered with legally monopolistic and exclusive patent for certain periods (Munson 1996). A typical example of informal appropriation is a trade secret. In this case, the strategy is to disallow public access to important corporate information, that is, protect it as a secret (McGurk and Jia 2015). If maintaining this status of secrecy is possible, a permanent monopoly can be sustained; but if an outflow incident occurs, legal compensation becomes impossible (KIPO 2011). If important corporate information is protected under informal appropriation, the respective corporation is left with the full responsibility of that information; this can be considered highly risky. Accordingly, a corporation should effectively select a protection method depending on the characteristics of its corporate information. It must precisely consider importance, and focus more on relatively important information when conducting security activities (Dhillon and Torkzadeh 2006).
A rating model of corporate information
First of all, study was conducted on characteristics of rating model of corporate information that were mainly used and analyzed a problem. As mentioned in section "Corporate information management: status quo", the CIA triad is primarily used to design a rating model of corporate information. However, the ambiguity of standards and absence of variety were noted as a problem. To address these problems, relevant previous studies are analyzed and the various perspectives of components of rating model are outlined.
A statistical verification procedure was conducted to derive components that would be used as a standard for the rating model of corporate information. First, a primary survey was done to distinguish the appropriateness of components; this uses a five-point Likert scale. Then, reliability is to be verified by combining components using factor analysis. These steps allow us to develop the final rating model.
To design a usable rating model, prioritizing a derived factor by analyzing relative weights is done first, classifying the corporate information classification system and designing differentiated security activities according to the grade is conducted. Then, a secondary survey is conducted to distinguish relative weights. This survey uses pairwise comparison, and AHP analysis is used to derive results. Then, based on relevant previous studies, corporate information classification system is categorized, place differentiated security countermeasures by the grade and design a final rating model of corporate information.
Components derivation of rating model of corporate information: analysis of previous studies
To derive new factors for the rating model of corporate information, a solution for the problems which were mentioned in section "Research methodology" was considered. The need for deciding on a components of rating model in various perspectives came first. Accordingly, multi-dimensional perspective of factors of rating model was to be set by analyzing a previous studies that are relevant to various types of information (personal information, information assets, information system, information resource, intellectual property right, patent, etc.) which falls under corporate information. In addition, there is a need to derive (or identify?) not only corporate information itself, but also its components by considering the life cycle of corporate information and the business flow. A number of efforts form the (input) to settle the level of quality, availability, convenience, and so on, which form the (output). This corporate information is then used at various levels, standards(use) and finally, internally and externally for business(outcome) or comes to a natural end of lifespan(destruction by needs) (Bernard 2007; Tipton and Nozaki 2007). In this study, qualitative comparative analysis research using numerical method was conducted by coding components which were derived from various rating-related previous studies based on corporate information life cycle.
Recently, Park et al. (2015) conducted similar rating of personal information using diverse factors, such as value of assets, sensitivity, importance, and identification. The author measured the use of personal information (use) and risk of abuse of this information (outcome) as components of rating model.
In MEST (2011), information assets’ value rating was conducted by using qualitative and quantitative methods; the impact of the outflow incident of information assets (outcome) and accessibility in the perspective of information assets (output) was measured as components of rating model.
Despite the fact that each institution under the government falls under different regulations, manpower, organizational conditions and so on, of information security, MOI (2016) tried to prevent excess management expenses by systematically incorporating security activities and levels of information security to the institutions’ information. This study desired to select an information security grade of institutions’ information by considering the characteristics of the information system (range of service impact, information processing, related system, security of task continuity and amount of retaining information) and the characteristics of the institution (credibility). A degree of information usage of information system (use) and internal–external influential level on utilization of information system (outcome) were mainly measured as a components of rating model.
MOPAS (2013) composed a measurement view for deciding the grade of information resource with the characteristics of task priority, resource, and maintenance. Task priority measures the importance of the information system- or service-related task that is supported by information resource; and characteristics of resource measures the unique feature of information resource and complexity of formation. The characteristics of maintenance measure a level of difficulty for maintenance such as using range of information system(service) which is operated through information resource, method of organization, etc. In this study, the importance of the information resource (output), the preservation period and the degree of utilization (use) as the components of rating model.
Albert (1997) created institutions’ technology evaluation process using technology information, organizing a technology evaluation team, and followed by primary investigation, data collection, detailed assessment, and reporting on evaluation results. The grades were from 0 to 10 according to the rating factors for each technology. In this study, cost of information creation (input), the level of derived technology and the degree of quality (output) and components of effects created by the use of technology (outcome) were measured as the components of rating model.
Park and Shin (2010) rated their scores as (+), (−), (0), and so on for the characteristics of each technology. They calculated the final grade as Low, Medium, and High. In this study, usefulness (use), availability of substitute technology and development maintainability (outcome), novelty and differentiation of technology (output) were mainly measured as the components of rating model.
Yoon et al. (2004) calculated the result of the grade from A to D by aggregating the score per evaluation subject for each technology. In this study, novelty and availability of realization (output) and marketability (outcome) were mainly measured as the components of rating model.
In a study reported by JPO (2017), the score of intellectual property rights are composed of filling in the scores of evaluation subjects. The evaluation subjects are classified into fundamental measure, inherent assessment of rights, evaluation for relocation of negotiability, and business assessment. In this study, completeness (output), business continuity and development continuity (outcome) were mainly measured as components of rating model.
KIPA-A (2013a) has developed a guide for evaluating the value of intellectual property rights. In this study, for the value evaluation of intellectual property rights, technical value (output), and market value (outcome) were mainly measured as components of rating model.
KIPA-B (2013b) granted patent information a grade by scoring the evaluation of the degree of the rights, of technology, of utilization, dividing them into nine grades with AA being the highest and C being the lowest. In this study, safety (output), use range (use), and availability of commercialization (outcome) were mainly measured as a components of rating model.
Finally, based on an analysis of previous study, the components of the rating model (14) are derived and the operational definition is established (Bang 2014; Chung et al. 2004a, b; Lee 1992; Sung et al. 2016; Timothy 2016) (see Table 1). Since there are a number of aspects to consider when judging the relative value between each component at the present stage, a survey is conducted to judge whether components are valid as a standard for the rating model. Then, using factor analysis, 14 components are grouped into fewer factors, and the relative weights are then determined using AHP.
Proof analysis of the rating model of corporate information
Questionnaires are used to verify the validity of the derived components. The authors participated in both international and domestic conferences/symposiums and conducted primary survey, confirming whether survey respondents have a certain level of experience in the field of security. The number of corporations surveyed (51) is the same as the number of respondents (51). Details of corresponding survey is same with Fig. 4. The average period of the respondents’ career in the security field is 17 years. Most of their positions were organizations’ chief security officer (chief information security officer, as well as chief risk officer, 51%) or chief information officer, security business included (37%).
Operational definition of components for the rating model of corporate information
Manpower (labor force) required to create and preserve corporate information
The amount of time it takes to create and maintain corporate information
Capital (funds, costs) required to create and preserve (maintain) corporate information
The degree to which the corporate information can be accessed at anytime, anywhere, and on time
The degree to which the calculated corporate information can be easily used (convenience)
6. Level of Quality
The nature and performance inherent in the resulting corporate information (integrity, accuracy, and interoperability)
New (differentiated) degree compared with other corporate information of calculated corporate information (degree of innovation, scarcity)
8. Use frequency
Usage to use with corporate information (degree of use)
9. Use range
Scope to use with corporate information (number of business information use departments, and depth of use)
10. Value creation Potential
The degree to which corporate information can stand out in competition with other corporations (competitive advantage)
The degree to which corporate information can generate revenue in the marketplace (market growth potential)
12. Development maintainability
The degree to which corporate information is preserved or developed continuously (technical sustainability)
13. Business continuity
The possibility of continuing business activities when corporate information is leaked (recovery time)
The degree to which competitive behavior of other corporations can appear when corporate information is leaked
Second, an exploratory factor analysis was conducted to understand the correlation between components (Costello and Osborne 2005). The factor analysis showed the general direction of reliability, convergence validity, and discriminant validity of each factor in measuring theoretical variables. Reliability refers to the degree of consistent measurement of the outcome (Kang and Yoo 2009). Convergence validity is the correlation between each measurement tool and the theoretically assumed construction concept. Judgment feasibility is the judgment of how weakly each measurement item is related to other construction and theoretically related concepts (Kang 2013).
Result of validation of component validity
6. Level of quality
8. Use frequency
9. Use range
10. Value creation potential
12. Development maintainability
13. Business continuity
Results of exploratory factor analysis
Reliability (Cronbach α)
Cost of information creation
Level of information
Level of quality
Effect of internal utilization
Value creation potential
Risk of external leakage
The reliability of the multi-item scale is analyzed using the Cronbach α coefficient—the most commonly used to test reliability (consistent measure of the same concept) by providing a more conservative value than other estimators (Carmines and Zeller 1979). The analysis shows that the reliability of the factors satisfies the criterion of 0.7 or more as preferred by Nunnall (Kim 1999). Thus, the convergence validity and the validity of discrimination among the factors are confirmed. The validity values of the five factors are found to be suitable for the average value of 3.5 or more.
The results of the exploratory factor analysis are linked to the determinants derived from previous studies. The concepts of “economic usefulness” and “business impact” are applied. Economic usefulness is one of the three requirements of trade secrets under domestic law. The concept of economic usefulness means that competitors can gain a competitive advantage or that significant cost or effort is required for the acquisition or development of the information (Yoon 2014). Competitive advantage refers to the value (output, use, and outcome) of the corporate information that is calculated, while significant cost or effort refers to the input before the corporate information is calculated (Devaraj et al. 2007). Prahalad and Hamel (2006) examined business impact from two perspectives: business and technical. From a technical point of view, business impact refers to business continuity planning, and it can be said that maintenance priority and service continuity are preserved in detail when a security incident occurs. This is the outcome of outflow in the rating model of corporate information in this study. From a business point of view, business impact refers to the need for differentiated (new, innovative) competencies and scalable (interoperable) and value-generating skills to have a competitive edge over other corporations. This corresponds to the output of information and the outcome of internal use, which is calculated from the rating model of corporate information of this study.
Thus far, the validity of the components of the model, the factor analysis of the model design, the convergence validity of the factor analysis, the validity of the discriminant validity, and the reliability verification have been examined. From this, the final rating model of corporate information is derived. This model is shown in the Fig. 5, and this model is linked with academic research theories.
Relative importance analysis for rating factors
To carry out the scoring process, it is necessary to calculate the relative weights of each factor. When assuming that certain corporation has used the five factors of the rating model of corporate information in this study to evaluate (rate) the importance of information “A,” there is a necessity to raise doubt on whether evaluating the five factors in the same ratio can be a rational evaluating method (Saaty 2008). Thus, the relative weights of five factors were derived through AHP analysis to recognize the ratio of importance of each components. AHP is a tool for estimating weights; it provides a solid basis for expert decision-making. The AHP calculation model herein is a method to reach final decision-making by analyzing and resolving the entire decision-making process (Kim 2012). By establishing an evaluation method for rating model or corporate information in detail, it can lead to a suggestion of model with high credibility (Yahya and Kingsman 1999; Bodin et al. 2005).
A 10-point scale is used for scoring, with calculations based on the consistency index. This index is an indicator of how much consistency a comparator has responded to. For example, if the consistency index is less than 0.1, the respondents’ answers are considered reliable (Alonso and Lamata 2006). The topic of survey was named “Survey on Relative Weights of Rating Model of Corporate Information,” and the questions were answered in the form of pairwise comparison between five components.
Relative weights on the rating model of corporate information
Relative priority (weight) (%)
Cost of information creation
Level of information
Effects of information utilization
Effect of internal utilization
Risk of external leakage
Designing the economic security activity using a rating model
The basic security management procedures for protecting corporate information are conducted in four steps (Karabacak and Sogukpinar 2005; Lee 2004; Stoneburner et al. 2002). The first step involves identifying corporate information, such as technical information (e.g., research and development information or production and manufacturing information), and management information (e.g., personnel affairs information, accounting financial information, and purchase sales information). The second step calculates the corporate information classification system, which is the rating model derived from this study. The third step is the classification of corporate information. The fourth step is to prepare and implement a security management strategy by the rating model of corporate information. These four-stepped security procedures can be considered the ultimate resolution for effectively protecting corporate information.
Previous studies on rating model of existing information typically classified information into three or four grades (NSW Government 2015; Perkins 2012; Malcolm 2001). In the three-level classification, information was classified as follows: (1) general information (public information, non-confidential information, and general information) that can be disclosed; (2) confidential information used in the corporation (confidential and internal information for internal use only); and (3) only a small number of information that can be accessed (confidential information). A fourth classification includes extra information (e.g., Coca-Cola recipe) that a corporation would consider more important than confidential information; it ultimately controls its durability. In this study, the rating model is set to three grades, and the form is to add critical information as needed (see Table 5).
The basic security management measures to protect corporate information comprise three main areas (Peltier 2016; Soomro et al. 2016; Kim 2016; Noh and Lim 2017). First, identification of corporate information, rating, indicating, designation of dedicated personnel for security management, and arrangement and implementation of security-related regulations, among others, are included as institutional management (Chung et al. 2004a, b). Next, physical management includes the designation and management of storage of corporate information, granting access control, arranging a solution for access control, and management evidence secure, among others (Cha 2008). Third, human resources management involves the implementation of the protection obligation, such as confidentiality oath or agreement, the obligation to protect the classified corporate information, and security education (Safa et al. 2016).
In this study, differentiated security activities were designed according to the new grade level as shown in Table 6. This design reflects the above security management procedures and measures of security management.
A corresponding study establishes the rating model of corporate information to support corporations’ economic security activities. The objective rating factors that grade ratings according to the importance of the corporate information are suggested, calculated the relative weights per factors, and suggested a guide for security activities in the perspective of cost-effective institutional management, HR, and physical management to be available. For instance, if security activities in the perspective of institutional management are conducted according to the grade, the policy conversion for the protection of corporate information becomes easier. This, in turn, could reduce the role of security administrators, and allow corporations to conduct economic security activities.
Conclusion and future research
In South Korea, occurrences of industrial technology outflow incidents have reached critical levels. Nevertheless, distinction and the rating of information that currently inform the actions of security activities are insufficient and corporations’ awareness of such incidents is still incomplete. Thus, in this study, objective factors for = rating were suggested, designed and verified a rating model of corporate information, which also includes a grade classification system of corporate information and security activities by the grade.
This study has pointed out a limitation of CIA triad of information security which is actively used as a rating factors of corporation information and desired to establish a model that can complement (considering working status and business flow) the CIA triad by addressing its limitation. Above all, 14 rating components of corporate information (Manpower, Time, Capital, Availability, Usability, Level of Quality, Novelty, Use Frequency, Use Range, Value Creation Potential, Marketability, Development Maintainability, Business Continuity and Competitiveness) were derived by analyzing ten previous studies that are related to ratings of corporate information. Using primary survey, validity of components was verified, and derived five factors (Cost of Information Creation, Level of Information, Information Utilization, Effects of Internal Utilization and Risk of External Leakage) through exploratory factor analysis; these were the final factors for ratings of corporate information. Moreover, reliability analysis was done using a Cronbach’s alpha to verify if measured values of survey responses which were done to derive 14 components and 5 factors are reliable. Lastly, AHP was done through a secondary survey to calculate the relative weights of the five factors, with the results showing importance priority of 36.1% for effect of internal utilization, 29.2% for risk of external leakage, 13.4% for level of information, 11.5% for information utilization, and 9.7% for cost of information creation and maintenance. Subsequently, a corporate information classification system was designed, came up with the strategy of security activity based on the grade and designed economic rating model of corporate information. This research results have established a differential rating model that can proactively correspond with corporate information outflow incidents and is expected to enable an effective security management within the corporation by suggesting a multi-dimensional strategy of security activities.
Corporate information classification system
Critical information (special grade)
Confidential information (first grade)
Internal information (second grade)
Public information (third grade)
Information that is only exposed to very few people in the corporation
(Component data and manufacturing technology of core technology of corporation, etc.)
(1) Information that may violate customer’s privacy and laws
(2) Integrity, confidentiality, and limited availability for corporation existence should be maintained at the highest level
(3) Access to information is very limited, and information outflow can pose a very serious risk to the corporation
(1) Information for business activities and operations should be managed by internal approvals
(2) Unauthorized access may result in financial loss to the corporation, and can be a significant detriment to operational efficiency and customer confidence
(1) Information that does not affect corporation when the information is disclosed
(2) Loss of availability due to system downtime is considered an acceptable risk and is accessible to everyone
Security activity design by corporate information classification system
Classification of general information and corporate information
Indicate that it is corporate information for anyone to know
Establish and enforce security-related regulations
Designate dedicated personnel for security management of the information irrespective of the rating of corporate information
Establish and enforce security-related regulations
Establish and enforce security-related regulations regarding the information irrespective of rating of corporate information (production ~ utilize ~ discard)
Human Resources Management
Obligations to protect corporate information for those with accessibility
Imposition of protection obligation under the handling of applicable corporate information
Conduct periodic security training
Conduct a periodic security training to personnel (board of directors, manager, employees, etc.) related to information regardless of rating of corporate information
Notice corporate information and protection obligation
Periodic (once a month)
Upon joining or leaving a corporation
Designate and manage separate corporate information development and storage locations
Access control system and security system construction and operation
Designation and management of development and storage sites
Designate and manage separate corporate information development and storage locations
Gain evidence of corporate information management against disputes
Periodic (once a month)
When to change
This research was supported by the MSIT(Ministry of Science and ICT), Korea, under the ITRC(Information Technology Research Center) support program(IITP-2018-2018-0-01799) supervised by the IITP(Institute for Information & communications Technology Promotion).
- Albert, S.R. 1997. NTTC TOP index: A technology assessment and management tool. National Technology Transfer Center at Wheeling Jesuit University.Google Scholar
- Cha, I.H. 2008. A study on the development of personnel security management for protection against insider threat. The Journal of The Korea Institute of Electronic Communication Sciences 3 (4): 210–220.Google Scholar
- Chung, H., J. Kim, and C. Lim. 2004a. A study on the development of an integrated evaluation system for levels of information protection for diagnosing levels of information security and maturity of enterprises. Korea Institute of Information Security & Cryptology 14 (4): 37–44.Google Scholar
- Chung, H., J. Kim, and C. Lemm. 2004b. A study on the development of integrated evaluation system of information security level for diagnosing the level of information protection and maturity of enterprises. Journal of the Korea Institute of Information Security and Cryptology 14 (4): 37–44.Google Scholar
- Chun, Y.T., and J.I. Oh. 2009. The relationship between the stage of exercise behavior change and physical self-concept and self-efficacy of casino security employees. Korean Security Science Review 21: 95–120.Google Scholar
- Costello, A.B., and J.W. Osborne. 2005. Best practices in exploratory factor analysis: Four recommendations for getting the most from your analysis. Practical Assessment, Research & Evaluation 10 (7): 1–9.Google Scholar
- Han, J. 2006. Prior knowledge for effective ‘information protection consulting’. AhnLab: Cyber Security Column.Google Scholar
- Hwang, H., and C. Lee. 2016. A study on the relationship between industrial espionage, self-control, and organizational commitment. Korean Security Science Review 47: 119–137.Google Scholar
- Hyung, M. 2005. Four strategies to prevent key technology outflows. LG Business Insight 1 (12): 21–25.Google Scholar
- Japan Institute for Promoting Invention and Innovation. 2017. On the valuation of intellectual property. JPO(Japan Patent Office).Google Scholar
- Jeong, B. 2009. A study for preventing industrial technology leakage in enterprise. Korean Journal of Industry Security 1 (1): 1–19.Google Scholar
- Jeon, J., and J. Park. 2016. To increase effectiveness new change in member survey. LG Economic Research Institute Report, 1–10.Google Scholar
- Jo, G.H. 2010. Causes and countermeasures of high technology leakage crime. Intellectual Property 21.Google Scholar
- KAITS (Korea Association Industry Technology Security). 2013. Investments in technology protection by corporations and countermeasures according to risk level. Korea: KAITS (Korea Association Industry Technology Security).Google Scholar
- KAITS (Korea Association Industry Technology Security). 2015a. Investigation of technology protection competency of enterprise. Korea: KAITS (Korea Association Industry Technology Security).Google Scholar
- KAITS (Korea Association Industry Technology Security). 2015. Smart workplace for enhancing competitiveness and security of SMEs. Industrial Technology Protection ISSUE PAPER.Google Scholar
- Kang, D.S., and S.H. Yoo. 2009. Assessing the construct validity of PMIS effectiveness measurement—focusing the administration DB construction projects. Information Processing Society Journal 16 (3): 417–422.Google Scholar
- Kim, H. 1999. A study on the quantification of information security level. Asia Pacific Journal of Information Systems 9 (4): 181–201.Google Scholar
- Kim, H., K. Ko, and J. Lee. 2013. Status of corporate information protection system according to amendment of information and communication network act and comparison of certification standard of information protection management system. Korea Institute of Information Security And Cryptology 23 (4): 53–58.Google Scholar
- Kim, M. 2016. A study on a model of convergence security compliance management for business security. Journal of Information and Security 16 (5): 81–86.Google Scholar
- Kim, S.K., and S.J. Lee. 2012. Development of evaluation criteria and key indicators of research competence in university professors. Korean Journal of Educational Administration 30 (2): 233–252.Google Scholar
- Kim, Y. et al. 2012. An analysis of the relative importance of patent valuation: Focused on high technology industry. Report for the POSRI Business and Economic Review 12(2).Google Scholar
- KIPA (Korea Invention Promotion Association). 2013a. Intellectual property valuation practical guide for intellectual property rights collateral. Korea: KIPO (Korea Intellectual Property Office).Google Scholar
- KIPA (Korea Invention Promotion Association). 2013b. Patent analysis and evaluation system SMART (system to measure, analyze and rate patent technology)3. Korea: KIPA (Korea Invention Promotion Association).Google Scholar
- KIPO (Korea Intellectual Property Office). 2011. Trade secret management practices and protection system studies for the prevention of corporation’s skills drain. Korea: KIPO (Korea Intellectual Property Office).Google Scholar
- KISA (Korea Internet & Security Agency). 2009. A guide to conducting a corporate privacy impact assessment. Korea: MOIS (Ministry of the Interior and Safety).Google Scholar
- Lee, G. 1992. An evaluative framework for business information systems. Asia Pacific Journal of Information Systems 2 (1): 17–33.Google Scholar
- Lee, M. 2004. A risk analysis methodology for information systems security management. The Institute of Electronics Engineers of Korea—Computer and Information 41 (6): 13–22.Google Scholar
- Malcolm, E. et al. 2001. Development of information classification standard. Scalable Software Inc.Google Scholar
- McAfee, A., E. Brynjolfsson, T.H. Davenport, D.J. Patil, and D. Barton. 2012. Big data: The management revolution. Harvard Business Review 90 (10): 60–68.Google Scholar
- McGurk, M.R., and W.L. Jia. 2015. Intersection of patents and trade secrets. Hastings Science and Technology Law Journal 7 (2): 189–215.Google Scholar
- MEST (Ministry of Education, Science and Technology). 2011. Information security best practices guide. Korea: MEST (Ministry of Education, Science and Technology).Google Scholar
- Ministry of Trade, Industry and Energy. 2017. Act on Prevention of Divulgence and Protection of Industrial Technology.Google Scholar
- MOI (Ministry of the Interior). 2016. Grading system of government information protection. Korea: MOI (Ministry of the Interior).Google Scholar
- MOPAS (Ministry of Public Administration and Security). 2013. The rating measurement manual for the maintenance of information resources. Korea: MOPAS (Ministry of Public Administration and Security).Google Scholar
- MOTIE (Ministry of Trade, Industry and Energy). 2015. Comprehensive plan for prevention and protection of secondary industrial technology leakage (‘16 ~ ’18). Korea: MOTIE (Ministry of Trade, Industry and Energy).Google Scholar
- MSIT (Ministry of Science, ICT and Future Planning). 2013. Corporate information protection policy direction. KOREA: Information Strategy Bureau.Google Scholar
- Munson, D.C. 1996. The patent-trade secret decision: An industrial perspective. Journal of the Patent and Trademark Office Society 78: 689.Google Scholar
- National Industrial Security Center. 2018. Press release. NIS (National Intelligence Service).Google Scholar
- Noh, S., and J. Lim. 2017. A study for enterprise type realtime information security management system. Journal of The Korea Institute of Information Security & Cryptology 27 (3): 617–636.Google Scholar
- Noh, Y. 2017. Research on development of social value evaluation indicators for public libraries. Journal of the Korean Society for Information Management 34 (2): 181–214.Google Scholar
- NSW Government. 2015. NSW government information classification—labelling and handling guidelines. NSW Government.Google Scholar
- Park, C.S. 2016. Industrial technology protection strategy for future society. Science & Technology Policy STEPI Insight 201.Google Scholar
- Parker, D.B. 2012. Toward a new framework for information security?. In Computer Security Handbook 3-1.Google Scholar
- Perkins, J. 2012. Information security—information classification. LSE Governance.Google Scholar
- Prahalad, C.K., and G. Hamel. 2006. The core competence of the corporation. Berlin: Springer. Strategische unternehmungsplanung - strategische unternehmungsführung.Google Scholar
- Soomro, Z.A., M.H. Shah, and J. Ahmed. 2016. Information security management needs more holistic approach: A literature review. International Journal of Information Management 36 (2): 215–225.Google Scholar
- Soonchunhyang University Cooperation. 2010. A study on development and methodology of globally standardized cybersecurity index. Korea Communication Commission.Google Scholar
- Statistics Korea. 2017. Information asset security management guidelines. Korea: Published Rulings.Google Scholar
- Stoneburner, G., A.Y. Goguen, and A. Feringa. 2002. Sp 800-30. Risk management guide for information technology systems.Google Scholar
- Strang, V., and M. Busse (Eds.). 2011. Ownership and appropriation (Vol. 47). London: Bloomsbury Publishing.Google Scholar
- Sungkyunkwan University Cooperation. 2016. Measures for strengthening technology protection capabilities of SMEs. Presidential Council on Intellectual Property.Google Scholar
- Sung, T., D.S. Kim, J. Jang, and H. Park. 2016. An empirical analysis on determinant factors of patent valuation and technology transaction prices. Journal of Korea Technology Innovation Society 19 (2): 254–279.Google Scholar
- Timothy, P.L. 2016. Information security: Design, implementation, measurement, and compliance. Boca Raton: CRC Press.Google Scholar
- TTA(Telecommunications Technology Association). 2010. The asset management guideline for information security of organization. Korea: TTA(Telecommunications Technology Association).Google Scholar
- Yoon, J.H. 2014. Current criminal issues and the trends of Korean supreme court decisions on the protection of trade secrets. Ewha Law Journal 19 (1): 109–147.Google Scholar
- Yoon, M.H., et al. 2004. A study on development of standard model of patent technical evaluation. Korea: KIIP(Korea Institute of Intellectual Property).Google Scholar
Open AccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.