With the arrival of the fourth industrial era, even traditional industries have become connected to networks, so that a company's business continuity is now closely affected by cybersecurity. However, most studies are negative about whether corporate cybersecurity investment is being made appropriately. This is because, for a company, security investment means higher production costs and cannot escape the debate over market failure caused by externalities, which raises the need for government intervention. In particular, because removing the weak link is important for the safety of the nation's entire network, government support policies are called for on behalf of small and medium-sized enterprises, which have low cybersecurity capability and little capacity to invest.

In this study, to understand the state of corporate security investment, a statistical analysis was carried out using data from Korea's information protection disclosure system. The results showed that corporate security activity has characteristics that depend on the industry sector to which the company belongs. When the population was divided into two groups on the basis of CAI, an indicator of security activity, and the security budget, traditional industry sectors had higher averages of sales and of the security budget ratio than industries more closely tied to IT, but only about half as many dedicated security personnel, and their average CAI was lower, indicating inefficient investment. In addition, the corporate security budget showed an inverted-U-shaped correlation with CAI. Once the security budget passes a certain level, spending tends to concentrate in particular areas: companies less familiar with IT, even when their security budgets grow, invest heavily in items such as the introduction of security equipment, so the increase in CAI was limited.

As cyberattacks become more frequent and the intensity of threats rises, perfect defense has become practically impossible. Accordingly, strengthening corporate cyber resilience is becoming important as a way to minimize the impact and quickly return the business to normal even when damage occurs. To study government policies for supporting corporate cyber resilience, this study added government policy elements and others to an existing model of corporate cybersecurity investment.

Experiments with a variety of government policy scenarios confirmed that the government providing incentives (tax reductions) for security investment is a more effective measure than imposing regulation. They also confirmed that, when a hacking incident occurs, receiving government support helps a company recover faster than resolving it on its own. If these advantages become known and reporting by companies victimized by hacking becomes active, the damage from hacking attacks that takes place in the shadows can be brought into the open, making it possible to secure visibility into cyber safety. Through this, the government can identify and share the latest attack techniques to stop damage from spreading and can establish countermeasures, which will also greatly help strengthen national cybersecurity.
Alternative Abstract
With the advent of the 4th industrial era, even traditional industries are connected to networks, and corporate business continuity is closely affected by cybersecurity. However, most studies are negative on whether companies' cybersecurity investments are being made appropriately. Companies are reluctant to invest in security due to concerns about increased production costs. In addition, since security investment is subject to controversy over market failure due to external effects, the need for government intervention is raised. For the government, it is important to remove the weak link for the safety of the entire country's network. SMEs with low cybersecurity capabilities and insufficient investment capacity are the weak link, and for this reason government support policy is required.

In this study, a statistical analysis was conducted using data from the information protection disclosure system in Korea to understand the current status of corporate security investment. As a result, it was confirmed that the security activities of companies have characteristics according to the industry sector to which the company belongs. When companies were divided into two groups based on CAI, an indicator of security activities, and the security budget ratio, the averages of sales and of the security budget ratio were higher in the traditional industry than in the industry more closely related to IT. However, the number of security personnel at companies in the traditional industry was about half as large, and the CAI average was lower, resulting in inefficient investment. In addition, the corporate security budget showed an inverted-U-shaped correlation with CAI. When the security budget exceeds a certain level, companies focus their budget on specific areas. Even if companies that are less familiar with IT increase their security budgets, they invest intensively in purchasing security equipment, so there was a limit to the increase in CAI.

As cyberattacks become more frequent and the intensity of threats increases, perfect defense has become impossible. Accordingly, it is becoming important to strengthen corporate cyber resilience as a way to minimize the impact and quickly normalize business even if damage occurs. In this study, government policy elements were added to the existing corporate cybersecurity investment model to study the government's corporate cyber resilience support policy.

Experimenting with various government policy scenarios, it was confirmed that providing incentives (tax credits) for security investments by the government is more effective than imposing regulations. In addition, it was confirmed that when a cyber incident occurs, receiving government support rather than resolving it within the company is helpful for rapid recovery. If these benefits become known, reporting by companies affected by hacking can become active.

If the government can identify more hacking damage, it will ensure cyber safety visibility. Through this, the government can identify and share the latest attack techniques to prevent the spread of damage and establish countermeasures, which will greatly help strengthen national cybersecurity.