공격 시나리오 기반의 정보보호 투자 최적화: 병원 정보 시스템을 대상으로

Recent medical services have been evolving through integration with information and communication technologies. To prevent security incidents in the healthcare service sector, a comprehensive investment in information security, incorporating various security measures, is essential. Sönmez et al. (2022) conducted risk assessments on hospital information system vulnerabilities and optimized security control measures using CysecTool, an attack graph-based information security investment optimization tool. In this study, we created an attack graph by utilizing vulnerability and countermeasure-related data from Sönmez et al. (2022) along with the actual network topology of major hospitals in Korea. Additionally, we improved the limitations of the CysecTool investment optimization model to enhance information security investment optimization. By developing a model that eliminates more threats than the CysecTool model under the same attack scenario, this study enables more efficient cybersecurity investment based on attack scenarios. The proposed model allows for a more effective risk management approach for cyberattacks targeting hospital information systems. Furthermore, by presenting various countermeasures, this research supports decision-making processes for executives in information security investments.