
Development of cyber information security education and training system

Bong-Hyun Kim (1), Ki-Chan Kim (2), Sung-Eon Hong (3), Sang-Young Oh (4)

Received: 27 April 2015 / Revised: 7 December 2015 / Accepted: 24 March 2016 / Published online: 8 April 2016
© Springer Science+Business Media New York 2016

Abstract With the recent expansion of the internet, the use of personal internet banking and e-commerce is rapidly increasing. Services and marketing by corporations, government and banks are also growing rapidly, mostly through internet shopping malls and web sites. Accordingly, the number of cyber attacks is increasing, including intelligent, high-tech APT attacks, cyber intrusions and attacks on digitalized information. However, countermeasures, operational exercises and security education for these security incidents are not carried out properly. This study therefore develops an internet-based cyber information security training system. In addition, to deal with the security incidents caused by malicious emails and attached files that frequently occur at public institutions and private companies, the system is used to deliver information security education to affiliated employees and other education and training subjects. In this way, security incidents caused by malicious emails can be prevented in advance, and economic loss can be minimized by preventing information loss or the paralysis of computer systems.

Keywords Information security · Cyber security education · Training web server · Monitoring and reporting server · Virtual security web server

Multimed Tools Appl (2017) 76:6051–6064 DOI 10.1007/s11042-016-3495-y

* Sang-Young Oh (corresponding author)

1 Academia-Industrial Convergence Research, 1362 Wolpyeong-dong, Seo-gu, Daejeon Metropolitan, Republic of Korea

2 Department of Electrical Engineering, Hanbat National University, 125 Dongseodaero, Yuseong-gu, Daejeon-si, Republic of Korea

3 Department of Land Management, Cheongju University, 298 Daedeong-ro, Cheongwon-gu, Chungcheongbuk-do, Republic of Korea

4 Department of Business Administration, Youngdong University, 310 Daehak-ro, Youngdong-eup, Youngdong-gun, Chungcheongbuk-do, Republic of Korea

1 Introduction

Due to the expansion of the internet, the use of personal internet banking and e-commerce is rapidly increasing. Services and marketing by corporations, government and banks are also growing rapidly, mostly through internet shopping malls and web sites (2013). Under these circumstances, various illegal behaviors are also increasing, including the illegal acquisition of financial and credit information such as personal information and credit card data, of company marketing and new product information, and large-scale internet service interruption and service disruption. Illegal behaviors here mean hacking or the circulation of worms and viruses targeting unspecified individuals [16].

Cyber hacking, personal information leaks and security breaches currently occur without end, and attack methods keep evolving with the development of information and communication technologies [7]. According to KISA’s monthly report on internet infringement incident trends and analysis for November 2012, there were 18,937 cases of malicious code damage and 18,126 cases of hacking incidents received and processed. Across the various local and overseas security incidents, most continue to involve malicious code infection and phishing through web site access [13]. As mass media coverage of and national interest in personal information leaks grow, and as the intensity and scope of infringement in mobile web and cloud environments gradually increase, the national economy and security in general are threatened, as well as the privacy of individuals [10] (Fig. 1).

Recently, producing and circulating malicious code and launching follow-on attacks have become very easy, and the number of variants is increasing exponentially [11]. Because of access to these threatening web sites and the resulting malicious code infections, computer crimes are increasing, such as information leaks caused by malicious hacking or industrial espionage, leaks of company secrets by employees, and leaks of customer information [4] (Fig. 2).

When infringement incidents occur in this situation, a social atmosphere forms in which the victims are blamed more than the attackers. In other words, because infringement incidents are unconditionally regarded as the fault of the victims, efforts to achieve perfect prevention by applying and developing various security solutions are increasing. To protect against these illegal behaviors, various information protection systems are in operation, such as intrusion blocking systems against numerous intruders, intrusion detection systems and antivirus (vaccine) software [9].

However, countermeasures and patches against various illegal behaviors are not shared but are operated independently by individual institutions and companies. In addition, infringement incidents cannot be perfectly prevented with security solutions. Security solutions are only controls against specific threats; in other words, a security solution must leave open the access routes that the business environment requires. Ultimately, in the absence of an online system that can effectively educate users about information security, extensive damage occurs because responsibility for security incidents is unclear [6].

Fig. 1 SMS phishing statistics by malware

Therefore, there is a growing need to establish and operate an integrated, comprehensive infringement incident response education system that can deal efficiently with illegal behaviors using a small number of staff. In this paper, an internet-based information security education and training system is developed. In addition, to deal with the security incidents caused by malicious emails and attached documents that frequently occur in public institutions and private companies, the system is used to deliver information security education to affiliated employees and other education and training subjects.

2 Current situation of information security and necessity of education

Local statistics on the infringement and leakage of personal information show that the number of personal information infringements has increased every year since 2003 and has been rising rapidly since 2011. According to the statistics on internet infringement incidents, in March 2014 the number of malicious code cases detected by vaccine programs was 82,896 and the number of hacking incidents received and processed was 1,947. Moreover, the personal information infringement reporting and counseling data of the Korea Internet and Security Agency are only estimates, because most people, lacking a clear understanding of information security, frequently ignore incidents other than those that are reported [15] (Fig. 3).

Looking at overseas cases, in Estonia in 2007 a large-scale DDoS attack using more than a million zombie PCs paralyzed the national backbone network for more than a week. Cyber attacks lasting 3 weeks struck the web sites and computer networks of major institutions, including the presidential palace, the national assembly, the government, banks and the press [1]. The Stuxnet attack on an Iranian nuclear power plant in August 2010 stopped the operation of centrifuges by striking the Natanz nuclear facilities. This attack delayed Iranian nuclear weapon development capability by 2015. In China, it is reported that approximately 6 million computers and 1000 industrial facilities in the country were infected, including infrastructure such as the Sansha Dam and Beijing airport. Figure 4 shows the counseling on privacy infringement.

Fig. 2 Information infringement statistics

Overseas statistics from McAfee for the 4th quarter of 2013 show various information security threats such as XSS attacks and RPC attacks. Message threats are also increasing, and Fig. 5 shows the current situation of message security threats. Message threats take various forms, including methods that use URL addresses and methods that use SMS spam [14]. As Fig. 5 shows, mobile message threats may account for most of the security threats in the message category.

New malicious code and new damage cases appear every day: attacks on infrastructure through APT attacks against major core organizations, along with damage from hacking, distributed denial of service (DDoS) attacks, web site falsification, phishing and spam. Consequently, the scale of damage from security threats such as social disorder and cyber terror is increasing. According to 2011 Symantec data, simplified URL attacks caused by insufficient information awareness account for 65 % of all attacks among these attack techniques. This method spreads malicious code when users click attached files or URL links in emails/SMS messages that impersonate topics of social interest or acquaintances.

Fig. 3 Current situation of personal information infringement

Fig. 4 Number of personal information infringement counseling


According to the KISA 2012 information protection white paper, local countermeasures against the internet infringement incidents described above are:

(1) establishment of an internet infringement incident countermeasure system
(2) establishment of technologies and systems to respond to malicious domains
(3) countermeasure technology and processes to detect sites concealing malicious code
(4) operation of a cyber treatment system for PCs infected by malicious code
(5) establishment and operation of a DDoS response system within the internet link section
(6) operation of a DDoS cyber shelter that can divert attacks
(7) joint simulation drills with related domestic and foreign institutions since 2004

Simulated security drills are expected to be a solution for internet infringement incidents that occur because of a lack of security awareness [12]. To deal with internet infringement incidents quickly and effectively, the internet infringement response center at the Korea Internet and Security Agency has conducted joint simulation drills with related domestic and foreign institutions since 2004.

Although cases of malicious code or threatening URL addresses circulated by email/SMS to users with insufficient security awareness are becoming more diverse and the techniques more deceptive, neither the education nor the training to strengthen users’ security awareness in public institutions and companies is satisfactory. Consistent training and education is therefore required. However, appropriate information security education is not carried out because of its low availability and high cost for ordinary users [5].

Therefore, in this paper an information security education system was developed to strengthen users’ security awareness against information security threats delivered by email/SMS. Education was conducted on the education targets using the same method as actual malicious code circulation by email/SMS, the education results were analyzed, and finally each individual was assigned a grade. Education was then conducted using the analysis and the classification so that users’ security awareness could be strengthened. In addition, the education system was packaged so that various kinds of education and training can be conducted through the continuous development of education contents and a question bank.

Fig. 5 Current situation of message security threat


3 System design and development

To develop a system for information security training of individual users, the system in this paper was composed of a mail server for education, personal computers, an agent system, a web server for monitoring & reporting, and a web server for virtual security threat education. For the education server, a list of subjects was written and a server for the mail/SMS transfer system was established to test the subjects on that list.

For the administrator's real-time monitoring server, a high-performance server was constructed, built on NginX / Apache servers, to handle multiple simultaneous traffic flows and scripts during education. The DB was built on MySQL (Fig. 6).

The mail server for education was developed for security education, with functions to manage the sending of the malicious and educational emails that present a virtual security threat to the education and training subjects. It was also built so that the mailing list of education and training subjects and the sending and receiving of education mail can be checked. The personal computer is where the education and training subjects who receive the malicious emails from the education mail server open them and carry out the security training.

The agent system is installed on the personal computer. It was developed with functions for host surveillance of the education and training subjects who have identified malicious emails and for transmitting their ability to handle the situation in the test/education service. The monitoring & reporting server was developed with functions to check the situation handling results transmitted from the agent system and to report information/statistics (Fig. 7).

Fig. 6 Design of system components

In addition, it was built so that the subject’s email transmission, the subject’s email receipt, the subject’s code execution, the agent’s activity and the reporting of the information collected by the agent can be checked. The web server for virtual security threat education was developed so that education and training subjects can open malicious emails and access the virtual security threat URL, or identify malicious emails on the personal computer, which are reported after the code execution is identified. The virtual security threat education web server and the monitoring & reporting server were also connected to each other so that the results can be analyzed by identifying those who access the virtual security threat education server.

The education statistics analysis system was developed by generating Test-Code based on JavaScript and OpenRelay. Browser-based exploit methods were studied, and a web-based Java Applet method was applied. The system composes mail/SMS messages containing a link designed to induce a user click and, when the user clicks the link, displays a security policy warning as a pop-up window in the web browser. The execution results and the information/statistics analysis from the simulated education are evaluated in a result report after the education is completed, and the indexes of each individual and the question bank can be classified at each step. Depending on the education results, additional security education will be conducted to raise the security awareness class (Fig. 8).

In this paper, we developed an internet-based cyber information security education and training system. The system consists of a training mail server that sends malicious emails, the personal computers of the education/training subjects, an agent system that transmits the subjects' ability to handle the malicious email situation, a web server for monitoring and reporting, and a web server for virtual security threat training [3]. The training mail server sends and processes the malicious training emails for the education/training subjects. At this point, a test center can additionally be constructed to add functionality for managing the agent (Fig. 9).

The web server for virtual security threat training supports the opening of the malicious emails delivered to the personal computers of the education/training subjects, and provides the training attachments containing malicious code, operation of the training web site, agent management, and collection of information on whether illegal incoming mail was deleted, left unconfirmed or left unreported. It works in conjunction with the web server for monitoring and reporting so that those who access the virtual security threat training web server can be identified and analyzed.

The web server for monitoring and reporting is configured so that the results of the education/training subjects' handling of the situation can be checked, such as deleting mail, opening mail, executing code, accessing the virtual security threat URL, reporting the incident or leaving it unreported [2]. It also includes a Test-code generator and composes malicious emails containing a link designed to induce a user click. When a user clicks the link, a security policy warning window pops up in the web browser. During the training, the agent system checks whether the agent is inactive or has been uninstalled, gathers information on illegal emails that were deleted, unconfirmed or unreported, and sends it to the web server for monitoring and reporting. The education/training subjects must also be able to confirm that the vaccine is always running on the host [8]. Finally, it is determined whether the education/training subjects accessed a web site through the attachment of a malicious email (Fig. 10).

Fig. 7 Agent system

4 System development and simulations

In this paper, an internet-based cyber information security education and training system was developed. The system is composed of an education mail server that sends malicious emails, personal computers for the education and training subjects, an agent system that transmits the subjects' ability to handle malicious emails, a web server for monitoring & reporting, and a web server for virtual security threat education.

Fig. 8 System flowchart

Fig. 9 Education center

The education web server sends and processes the malicious emails used to train the education and training subjects. To add the function of managing the agent, a test center can additionally be constructed. The web server for virtual security threat education supports the opening of the malicious emails transmitted to the personal computers of the education and training subjects and provides functions including the education documents with malicious code attached, operation of the education web site, agent management, deletion of received malicious emails, and collection of unidentified and unreported information. It identifies and analyzes those who access the virtual security threat education web server by connecting with the monitoring & reporting server.

The monitoring & reporting server is built so that the situation handling results of the education and training subjects can be identified, such as deleting mail, reading mail, executing code, accessing the virtual security threat URL, and reported and unreported incidents. The server also includes a Test-code generator and composes malicious emails containing a link designed to induce a user click. It is configured so that a security policy warning window pops up in the web browser when the user clicks the link.

During the education, the agent system detects whether the agent is inactive or has been deleted, deletes malicious emails, collects information about unidentified and unreported emails and, finally, transmits this information to the monitoring & reporting server. The system should also enable the education and training subjects to confirm that the vaccine is running on the host, and this activity should be identified. Finally, it is identified whether the education and training subjects accessed the web site through the documents attached to malicious emails.

Fig. 10 Training management source

The operation of the cyber information security education system is broadly divided into the generation of security education, the execution of security education, and security education results and statistics. To generate a security education, the subject of the security education, mail name, security education period, SMTP address and sender are entered. There are 1 to 3 pieces of content for trainees, and users view the content through links. Security education contents are classified into contents, infected page and result pages.

As for the kind of education, either email or SMS is selected, and the education start time, session and execution time can be selected. The education start and completion times can be identified by checking the education generation date. Finally, the security education site can be set up in advance. The settings include the number of basic educations, the number of basic tests and the basic SMTP. The administrator IP, layout path and layout resource path can also be managed through these advance settings (Fig. 11).

In the execution of security education, the title, number of participants, senders, SMTP, security education institutions, security education site links, contents and attached files are checked and the education is executed. Outside the security education period, the security education execution contents are empty and mail therefore cannot be transmitted. The execution control for a security education is displayed during the previously established security education period, and when the execution button is clicked, the security education is conducted by transmitting the mails to the trainees (Fig. 12).

Fig. 11 Security training creation screen

Fig. 12 Security training execution screen


The security education results stage is where the completion status of the trainees' security education schedules is checked. Clicking a line moves to the individual security education confirmation page. On the security education confirmation page, the trainees' degree of security education execution is classified as non-execution or completion. Those who did not execute the security education and those who completed it are identified by classifying the trainees by reporting time (Fig. 13).

In security education statistics, the trainees enrolled in security education, the degree of security education and the analysis contents can be viewed together. For example, when only a security education is selected, the trainees enrolled in that education are shown regardless of affiliation, and when only an affiliation is selected, the trainees in the relevant departments are shown regardless of security education (Figs. 14 and 15).

As a result, the security education rate of 78 % was raised through the system, and users' security awareness has been strengthened.

Fig. 13 Security training result screen

Fig. 14 Security training result statistics
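The following added example (not code from the paper or its system) sketches how a monitoring & reporting server of the kind described in Sections 3 and 4 could turn the recorded outcomes (mail deleted, mail read, code executed, threat URL accessed, reported or unreported) into per-trainee results and into statistics filtered by education and by affiliation. The event names, grade labels, grading rule and sample records are assumptions made for illustration; the paper does not define them.

```python
from collections import Counter

# Assumed event names for the outcomes the paper lists; not the system's schema.
KNOWN = {"message_sent", "message_opened", "message_deleted",
         "code_executed", "url_accessed", "incident_reported"}
RISKY = {"code_executed", "url_accessed"}        # trainee acted on the lure
SAFE = {"message_deleted", "incident_reported"}  # trainee handled it safely

# Constructed sample records: (education, trainee, affiliation, event).
EVENTS = [
    ("mail-01", "trainee01", "Finance", "message_sent"),
    ("mail-01", "trainee01", "Finance", "message_opened"),
    ("mail-01", "trainee01", "Finance", "url_accessed"),
    ("mail-01", "trainee02", "Finance", "message_sent"),
    ("mail-01", "trainee02", "Finance", "message_opened"),
    ("mail-01", "trainee02", "Finance", "incident_reported"),
    ("mail-01", "trainee03", "Sales", "message_sent"),
    ("mail-01", "trainee03", "Sales", "message_deleted"),
    ("mail-01", "trainee04", "Sales", "message_sent"),
    ("sms-01", "trainee01", "Finance", "message_sent"),
    ("sms-01", "trainee01", "Finance", "url_accessed"),
    ("sms-01", "trainee01", "Finance", "incident_reported"),
    ("sms-01", "trainee02", "Finance", "message_sent"),
    ("sms-01", "trainee02", "Finance", "message_opened"),
    ("sms-01", "trainee03", "Sales", "message_sent"),
    ("sms-01", "trainee03", "Sales", "message_opened"),
    ("sms-01", "trainee03", "Sales", "code_executed"),
]


def collect(events):
    """Merge raw events into one record per (education, trainee)."""
    records = {}
    for education, trainee, affiliation, event in events:
        if event not in KNOWN:
            raise ValueError(f"unknown event: {event!r}")
        rec = records.setdefault((education, trainee),
                                 {"affiliation": affiliation, "events": set()})
        rec["events"].add(event)
    return records


def grade(seen):
    """Assumed grading rule; the paper does not publish its own."""
    if seen <= {"message_sent"}:
        return "not_executed"          # no reaction recorded at all
    if seen & RISKY:
        # Acting on the lure is a failure unless the trainee then reported it.
        return "caution" if "incident_reported" in seen else "fail"
    if seen & SAFE:
        return "pass"
    return "unreported"                # opened, then neither deleted nor reported


def statistics(events, education=None, affiliation=None):
    """Count grades, optionally filtered by education and/or affiliation."""
    counts = Counter()
    for (edu, _), rec in collect(events).items():
        if education is not None and edu != education:
            continue
        if affiliation is not None and rec["affiliation"] != affiliation:
            continue
        counts[grade(rec["events"])] += 1
    return dict(counts)


def needs_additional_education(events):
    """Trainees with at least one 'fail' or 'unreported' result."""
    flagged = {trainee for (_, trainee), rec in collect(events).items()
               if grade(rec["events"]) in {"fail", "unreported"}}
    return sorted(flagged)


if __name__ == "__main__":
    print("all:", statistics(EVENTS))
    print("mail-01 only:", statistics(EVENTS, education="mail-01"))
    print("Finance only:", statistics(EVENTS, affiliation="Finance"))
    print("additional education:", needs_additional_education(EVENTS))
```

Filtering by education only or by affiliation only mirrors the two selections described for the statistics screen; a trainee who clicked and then reported is graded separately from one who clicked and stayed silent.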


5 Conclusion

Due to the expansion of the internet, the use of personal internet banking and e-commerce is rapidly increasing. Cyber hacking, personal information leaks and security breaches currently occur without end, and attack methods keep evolving with the development of information and communication technologies. Under these circumstances, various illegal behaviors are also increasing, including the illegal acquisition of financial and credit information such as personal information and credit card data, of company marketing and new product information, and large-scale internet service interruption and service disruption.

Recently, producing and circulating malicious code and launching follow-on attacks have become very easy, and the number of variants is increasing exponentially. Because of access to these threatening web sites and the resulting malicious code infections, computer crimes are increasing, such as information leaks caused by malicious hacking or industrial espionage, leaks of company secrets by employees, and leaks of customer information. Ultimately, in the absence of an online system that can effectively educate users about information security, extensive damage occurs because responsibility for security incidents is unclear.

In this paper, an internet-based cyber information security education and training system was developed. In addition, to deal with the security incidents caused by malicious emails and attached documents that frequently occur in public institutions and private companies, information security education was carried out by applying this system to affiliated employees and other education and training subjects. Through this, information about the education and training subjects’ handling of malicious attachment files was identified and analyzed on the virtual security threat education web server. By identifying the execution results and reporting the information and statistics, this study derived the effect of minimizing the damage that education and training subjects suffer from hacking and virus infection.

Fig. 15 Statistics analysis

References

1. Barnett SF (1996) Computer security training and education: a needs analysis. IEEE Symposium on Security and Privacy, pp 26–27

2. Brancheau JC, Janz BD, Weatherbe JC (1996) Key issues in information systems management: 1994–95 SIM Delphi results. MIS Q 20(2):225–242

3. Denning D (1986) An intrusion detection system. Proc. Symp. Security and Privacy, IEEE Computer Soc. Press, Los Alamitos, Calif., pp 118–131

4. Dutta A, Roy R (2008) Dynamics of organizational information security. Syst Dyn Rev 24(3):349–375

5. Harrison M, Ruzzo W, Ullman J (1976) Protection in operating systems. Commun ACM 19(8):461–471

6. Jung TS, Lim MS, Lee JB (2012) A development of comprehensive framework for continuous information security. Journal of Korean Digital Policy & Management Society 10(2):1–10

7. Kim SH, Park SY (2011) Influencing factors for compliance intention of information security policy. Journal of Korean Electronic Business Society 16(4):33–51

8. Loch KD, Carr HH, Warkentin ME (1992) Threats to information systems: today’s reality, yesterday’s understanding. MIS Q 16(2):173–186

9. National Cyber Safety Center (2013) Information security management conditions evaluation introduction. Journal of Korean Information Security Society 23(5):9–11

10. Park JY (2012) An analysis on training curriculum for educating information security experts. Journal of Korean Management Information Society 31(1):149–165

11. Rhee HS, Kim C, Ryu YU (2009) Self-efficacy in information security: its influence on users’ information security practice behavior. Computer & Security 28:816–826

12. Saltzer J, Schroeder M (1975) The protection of information in computer systems. Proc IEEE 63(9):1278–1308

13. Shin SJ (2013) Your innovation by security. L Company Publications

14. Straub DW, Welke RJ (1998) Coping with systems risk: security planning models for management decision making. MIS Q 22(4):441–469

15. Wood CC (2000) Integrated approach includes information security. Security 37(2):43–44

16. Yang DI (2013) Information security introduction. Hanbit Academy Publications

Bong-Hyun Kim received the B.S., M.S., and Ph.D. degrees from the Department of Computer Engineering of Hanbat National University, Daejeon, Korea, in 2000, 2002, and 2009, respectively. From 2012 to 2015, he was a professor in the Department of Computer Engineering, Kyungnam University, Korea. He is currently a director of technique in the Academia-Industrial Convergence Research, Korea. His research interests include bio-signal analysis, security systems, USN applications, e-commerce and u-Healthcare systems.

Ki-Chan Kim received the B.S. and M.S. degrees in electrical engineering from Hanyang University, Seoul, Korea, in 1996 and 1998, respectively. From 1998 to 2004, he was a research engineer at the Electro-Mechanical Research Institute of Hyundai Heavy Industries Co., LTD. He received the Ph.D. degree in electrical engineering from Hanyang University, Seoul, Korea, in 2008. Since 2005, he has been an associate professor in the Department of Electrical Engineering, Hanbat National University. His research interests include the design, analysis, testing and control of motors, generators and electromagnetic sensors for electric vehicles, trains and wind turbines.

Sung-Eon Hong received the Ph.D. degrees in GIS from the INHA University of Incheon, Korea, in 2002 and 2005, respectively. He is a professor in the Department of Land Management at Cheongju University, Cheongju, Korea. His current research interests include cadastral information systems and their application, GIS, SMCDM and cadastral surveying. He has published 40 journal papers, 30 conference papers, and several undergraduate textbooks.

Sang-Young Oh received the Ph.D. degree from the College of Business of Chungbuk National University, Korea, in 2001. He is currently a professor in the Department of Business Administration, Youngdong University, Korea. His research interests include business innovation and management information systems.
