An Ex Ante Evaluation Method for Assessing a Government Enforced Security Measure

Woohyun Shim


In order to ensure that all firms are cyber-secure, many governments have started to enforce the implementation of various security measures on firms. Prior to the implementation, however, it is vague whether government enforced security measures will be effective for mitigating cyber-security risks. By applying a method for estimating the effectiveness of a mandatory seatbelt law in reducing fatalities from motor vehicle accidents, this study develops an ex ante evaluation method that can approximate the effectiveness of a government enforced security measure in reducing country-wide or industry-wide cyber-security risks. Using data obtained from the Korean Internet and Security Agency, this study then explores how to employ the developed method to assess the effectiveness of a specific security measure in mitigating cyber-security risks, if enforced by the government, and compares the effectiveness of various security measures. The comparison shows that compulsory security training has the highest effectiveness.

Full Text:



Bort, J., “Security Blogger Brian Krebs Is Trying To Track Down The Target Hacker By Talking To Suspected Credit Card Thieves,” in Business Insider, ed. New York, NY: Business Insider Inc., 2013.

Bratus, S., “Hacker curriculum: How hackers learn networking,” IEEE Distributed Systems Online, Vol. 10, p. 2, 2007.

Chipman, M. L., Li, J., and Hu, X., “The effectiveness of safety belts in preventing fatalities and major injuries among school-aged children,” in Annual proceedings of the Association for the Advancement of Automotive Medicine, 1995, pp. 133-145.

Colwill, C., “Human factors in information security: The insider threat–Who can you trust these days?,” Information security technical report, Vol. 14, No. 4, pp. 186-196, 2009.

D’Arcy, J., Hovav, A., and Galletta, D., “User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach,” Information Systems Research, Vol. 20, No. 1, pp. 79-98, 2009.

Eminağaoğlu, M., Uçar, E., and Eren, Ş., “The positive outcomes of information security awareness training in companies-A case study,” information security technical report, Vol. 14, No. 1, pp. 223-229, 2009.

Evans, L., “Double pair comparison-a new method to determine how occupant characteristics affect fatality risk in traffic crashes,” Accident Analysis & Prevention, Vol. 18, No. 3, pp. 217-227, 1986.

Evans, L., “The effectiveness of safety belts in preventing fatalities,” Accident Analysis & Prevention, Vol. 18, No. 3, pp. 229-241, 1986.

Gordon, L. A., Loeb, M. P., Lucyshyn, W., and Sohail, T., “The impact of the Sarbanes-Oxley Act on the corporatedisclosures of information security activities,” Journal of Accounting and Public Policy, Vol. 25, No. 5, pp. 503-530, 2006.

Hoo, K. J. S., “How much is enough? A risk management approach to computer security,” Consortium for Research on Information Security Policy (CRISP) Working Paper, Stanford University, 2000.

Johnson, V. R., “Cybersecurity, Identity Theft, and the Limits of Tort Liability,” South Carolina Law Review, Vol. 57, pp. 255-311, 2005.

Kim, R., “Card firms may see over W1 tril. in losses,” in The Korea Times, ed. Seoul, Korea: The Korea Times, 2014.

KISA, “2007 Korean Information Security Survey,” Korean Internet & Security Agency, Seoul, Korea, 2007.

KISA, “2008 Korean Information Security Survey,” Korean Internet & Security Agency, Seoul, Korea, 2008.

Lee, C.-S. and Park, W., “Enhancing industrial security management system for multimedia environment,” Forthcoming in Multimedia Tools and Applications.

Merete Hagen, J., Albrechtsen, E., and Hovden, J., “Implementation and effectiveness of organizational information security measures,” Information Management & Computer Security, Vol. 16, No. 4, pp. 377-397, 2008.

Reich, P. C., “Cybercrime, Cybersecurity, and Financial Institutions Worldwide,” in Cyberlaw for Global E-business: Finance, Payments and Dispute Resolution, Kubota, T., Ed., ed Hershey, PA: IGI Global, 2008.

Robertson, L. S., “Estimates of motor vehicle seat belt effectiveness and use: implications for occupant crash protection,” American Journal of Public Health, Vol. 66, No. 9, pp. 859-864, 1976.

Schneier, B., “Computer security: It’s the economics, stupid,” in 1st Workshop on Economics of Information Security, Barkeley, CA, 2002.

Shim, W., “Analysis of the Impact of Security Liability and Compliance on a Firm’s Information Security Activities,” The Journal of Society for e-Business Studies, Vol. 16, No. 4, pp. 53-73, 2011.

Varian, H., “Managing online security risks,” in New York Times, ed. New York, N.Y., 2000.

Yonhap News, “Personal data of 12 million KT customers stolen: police,” in Yonhap News, ed. Seoul, Korea: Yonhap News Agnecy, 2014.


  • There are currently no refbacks.