Sage Journals: Discover world-class research

Abstract

Although Internet of Things (IoT) technologies and services are being developed rapidly worldwide, concerns of potential security threats such as privacy violation, information leak, and hacking are increasing as more various sensors are connected to the Internet. There is a need for the study of introducing risk management and existing security management standard (e.g., ISO27001) to ensure the stability and reliability of IoT services. K-ISMS is a representative certification system that evaluates the security management level of the enterprise in Korea and is possible to apply as a standardized process to enhance the security management of IoT services. However, there are growing concerns about the quality deterioration of the K-ISMS certification assessment these days because of internet security incidents occurring frequently in K-ISMS certified enterprises. Therefore, various researches are required to improve the accuracy and objectivity of the certification assessment. Since existing studies mainly focus on simple statistical analysis of the K-ISMS assessment results, analysis on the cause of certification assessment fault based on past data analysis is insufficient. As a method of managing the certification inspection quality, in this paper, we analyze the association among the fault items of the K-ISMS certification assessment results using association rule mining which involves identifying an association rule among items in the database.

1. Introduction

According to a survey by Gartner, things connected to the Internet are expected to grow to 26 billion, and market size is forecast to reach USD 1 trillion by 2020 [1]. IoT is widely applied in various areas closely related to daily lives such as smart home appliance, smart car, and healthcare. Since multiple networks can be controlled even with a sensor, hacking of an area can be fatal since it can cause security threats in a chain reaction. With the IoT service broadly utilizing the sensor information to provide a wide range of information, the risk of information leak will increase. Malfunction or suspension of IoT devices will also pose very serious threat even to social infrastructure that the economic damage is predicted to reach KRW 17.7 trillion by 2020 [1]. Therefore, there is a need to consider the technical and administrative vulnerabilities of each element, such as sensor, wired and wireless network, and platform of IoT, from the design stage and to review and study the application of the existing standard as the key tool for continuously inspecting them even at the operating stage.

Korean government operates the information security management system “K-ISMS” certification system to assess if an organization has established and managed appropriate information security environment. Therefore, the K-ISMS, which is similar to “ISO27001” as the international standard for information security management systems, is designed to improve the information security management level of enterprises and protect them from various security threats [2]. K-ISMS evaluates whether an enterprise has set up a comprehensive information security management system including administrative, technical, and physical protective measures to protect the safety of their information assets, using the 104 certification criteria; it then issues the certification if the enterprise meets the requirements. K-ISMS was introduced in Korea in 2002, and 332 enterprises have acquired the certification. Since the acquisition of the certification by an enterprise over a certain size became mandatory in 2013, demand for and interest in K-ISMS certification has been gradually increasing [3].

With Internet security incidents (e.g., hacking) occurring frequently in K-ISMS certified enterprises, however, there are growing concerns about the quality deterioration of K-ISMS certification assessment these days. Since the information security management systems of enterprises are different, and fault cases vary, specialization and extensive experiences in certification assessment are required. Moreover, there are limits in maintaining objective and accurate assessment quality, since the 104 criteria should be evaluated within a short period of time. To solve these problems, there were various studies including the case study of faults in K-ISMS [4], the economic effect analysis of K-ISMS certification [5], and the analysis about process of security management for various IT services [6, 7]. However, a study using data mining between faults was not performed yet.

Thus, we studied to provide a guide to extracting preferred assessment items during the limited assessment period by analyzing the fault pattern that occurs frequently and association through the K-ISMS fault data. For this purpose, we apply the data mining analysis technique in order to analyze the association relationship among the fault items of the K-ISMS certification criteria. The paper is organized as follows. Section 2 introduces association rule mining the most known and used unsupervised algorithms. In Sections 3 and 4, the experiments are performed on K-ISMS fault data. The conclusion is given in Section 5.

2. Theoretical Background

Data mining is a knowledge-finding process that extracts unknown useful information by analyzing a large quantity of accumulated data. Among the research studies identifying the hidden pattern in the data, the association rule finding area was studied most widely in many areas of market forecast, medical and IT engineering research [8, 9]. The association rule analysis refers to a technique that finds a useful pattern, which is expressed as a “condition-result” formula among data items. The list of association rules extractable from a given data set is compared in order to evaluate their importance level. The measures commonly used to assess the strength of an association rule are the indexes of support, confidence, and interest [10].

The problem of finding association rules $X \to Y$ was first introduced in 1993 by Agrawal et al. [11] as the data mining task of finding frequently cooccurring items in a large Boolean transactional database D [12]. Typical applications include retail market basket analysis, item recommendation systems, cross selling, and loss-leader analysis. In the classical framework, an association rule is considered to be interesting if its support (s) and confidence (c) exceed some user-defined minimum thresholds [13]. Support is defined as the percentage of transactions in the data that contain all items in both the antecedent and the consequent of the rule; that is, $P (X \cap Y) = {X \cap Y} / {D}$ [14]. Confidence on the other hand is an estimate of the conditional probability of Y given X; that is, $P (X \cap Y) / P (X)$ [13].

Association rule finding consists of the process of identifying an association rule that has the threshold value of predefined support and confidence. This process broadly includes two processes [15, 16]. One is “frequent itemset finding,” which finds the itemset that satisfies the support threshold value “minimum support” only as a technique of finding the items that occur concurrently in the transaction. The other is “association rule generation,” which adopts the rule satisfying the confidence threshold value “minimum confidence” only among association rules created from the found frequent itemsets.

2.1. Frequent Itemset Finding

While finding the frequent itemset, a combination of the itemset that can be created from the given item is created, and the transaction data is searched for the individual itemset that has been created in this manner to check whether the minimum support can be satisfied.

When a set of frequent items in the transaction database is $I = {i_{1}, i_{2}, \dots, i_{n}}$ and a transaction set composed of m transactions $T = {t_{1}, t_{2}, \dots, t_{m}}$ is given, transaction $t_{i}$ is defined as a subset of frequent set I $(t_{i} \subseteq I)$ [17]. If I includes k items, it is defined as k-itemset [17, 18]. For example, {Beer, Diapers, Milk} are 3 itemsets; the null item has no items at all.

If transaction $t_{i}$ includes all items in itemset X, $t_{i}$ is said to support X, expressed as $Supp (X)$ . At this time, support count, $σ (X)$ can be regarded as a number of transactions including the itemset in question:

\begin{matrix} σ (X) = |\{t_{i} | X \subseteq t_{i}, t_{i} \in T\}| . \end{matrix}

(1)

When the user defines minimum support (minsup) and $σ (X) \geq$ minsup is satisfied, itemset X is called frequent itemset [19].

2.2. Association Rule Generation

Rule generation is a process of creating an association rule from the frequent itemset found during the “frequent itemset finding” process. Suppose X and Y are a set of items that do not contain the same element: $X \subset I$ , $Y \subset I$ and $X \cap Y \neq \emptyset$ and $Y \neq \emptyset$ [16] The association rule expresses an association among frequently occurring data in the form of “condition → result (Rule: $X \Rightarrow Y$ )” rule. At this time, X is called LHS (Left Hand Side), and Y is called RHS (Right Hand Side) [19].

Support and confidence are used as a statistical criterion to verify the validity of the association rule. “Support” is a ratio of the transactions that satisfy items X and Y among all transactions and is expressed as $Supp (X \Rightarrow Y)$ . At this time, since “support” implies the frequency of the frequently occurring pattern or rule, “support” should have a big value to increase the usefulness of the pattern or rule:

\begin{matrix} Supp (X ⟹ Y) = \Pr (X \cap Y) = \frac{n (X \cap Y)}{n (Total)} . \end{matrix}

(2)

“Confidence” is a criterion for implying the strength of the rule. If the rule $X \Rightarrow Y$ exists, “confidence” refers to a ratio of the transaction that includes Y at the same time, among the transactions that include X. “Confidence” is expressed as $conf (X \Rightarrow Y)$ . This “confidence” becomes an index that can measure the accuracy of the conclusion Y's rule, if condition X is true. Therefore, high “support” enables accurate prediction:

\begin{matrix} Conf (X ⟹ Y) = \Pr (Y \cap X) = \frac{\Pr (X \cap Y)}{\Pr (X)} = \frac{n (X \cap Y)}{n (X)} . \end{matrix}

(3)

Finding an association rule in the data item involves finding an itemset that has higher support and confidence than the user-defined minimum support and minimum confidence. For example, let us assume a situation where in the following association rule candidates are identified from the {bread, egg, milk} itemset [18]. At this time, if the minimum confidence is 70%, the second and third association rules will be selected. In this way, possible combinations of all itemsets are created, and some of them are selected as association rule depending on whether the minimum confidence is satisfied or not.

(Rule 1) bread ⇒ egg, milk confidence = 0.3/0.5 = 60%.

(Rule 2) bread, egg ⇒ milk confidence = 0.3/0.3 = 100%.

(Rule 3) bread, milk ⇒ egg confidence = 0.3/0.4 = 75%.

A strong association rule can be filtered out using the support and confidence criteria. However, there are weakness of support and confidence. Support suffers from the “rare item problem” [20]: infrequent items not meeting minimum support are ignored which is problematic if rare items are important [21]. On the other hand, if the minimum support is low, the find area becomes larger. In addition, high minimum confidence and minimum support do not necessarily mean strong association, and they can occur accidently. Therefore, there is a need for statistical correlation analysis, such as lift and conviction, to solve these problems and find a strong association rule [21]. Interest (or lift) is another statistic which attempts to correct this weakness [22].

Confidence tends to rate rules highly where the consequent $(Y)$ is frequent [23]. For example, if 80% of transactions in a database contain Y, then the expected confidence of any rule $X \to Y$ is 80%, even before taking the influence of X on Y into account.

The $interest (X \to Y)$ is defined as the $confidence (X \to Y)$ divided by the proportion of all transactions that contain Y. This scales the confidence to account for the commonality (or rarity) of Y [22].

The interest measure [13] is defined over $[0, \infty]$ and its interpretation is as follows:

\begin{array}{l} Intrest (X \Rightarrow Y) = lift = \frac{Pr (X \cap Y)}{Pr (X) Pr (Y)} \\ = \frac{Supp (X \cup Y)}{Supp (X) \cdot Supp (Y)} . \end{array}

(4)

(i)

If $interest (Lift) < 1$ , then X and Y appear less frequently together in the data than expected under the assumption of conditional independence. X and Y are said to be negatively interdependent.

(ii)

If $interest (Lift) = 1$ , then X and Y appear as frequently together as expected under the assumption of conditional independence. X and Y are said to be independent of each other.

(iii)

If $interest (Lift) > 1$ , then X and Y appear more frequently together in the data than expected under the assumption of conditional independence. X and Y are said to be positively interdependent.

3. Association Rule Analysis of the K-ISMS Fault

3.1. Analysis Data

In this paper, we analyzed the fault data of 76 enterprises that received certification assessment in 2013 (uses only the statistical results) and applied the representative “Apriori algorithm” [17–19] for association rule mining. The average fault rate of those enterprises was found to be 15%. (The explanation about terms of K-ISMS control items used in this paper is described in appendix.)

Among the 104 K-ISMS certification assessment items, the frequent itemset whose value was higher than the minimum support was created. A total of 825 rules were found using the brute-force method. When a number of fault items included in these rules were analyzed, 58 one-itemsets, 494 two-itemsets, 312 three-itemsets, and 20 four-itemsets were created. Figure 1 illustrates the K-ISMS fault items that occur frequently, listed in order of CL-1-1 (asset identification), AC-3-3 (access control), OS-2-2 (security system operation), AC-2-3 (access right review), and CC-1-1 (encryption policy establishment).

Figure 1

Frequency items of faults in the data set of K-ISMS.

If a number of items increase when generating a frequently occurring itemset candidate, the computation workload increases exponentially. To solve this problem, the “pruning” method [24] is used to make the unnecessary part concise. “Pruning” involves getting rid of the combination that does not satisfy the threshold criterion in each phase. The most universal pruning method is MSP (minimum support pruning). In other words, if support of the itemset combination is smaller than the threshold value, the item is no longer added. To remove the duplicated association rule, 307 association rule candidate groups are created through support-based pruning.

3.2. Association Rule Analysis

In the stage of support analysis, a 10% support of a certain rule $(X \to Y)$ means that the ratio of the rule followed by the rule in question is 10% among all faults. Figure 2(a) shows a support distribution graph of all fault items. The average of support is 13.7%, and 2 rules have more than 30% support value. On the other hand, 19 rules have over 20% support value and 286 rules have over 10% support value. (We used arules package in R tools [19, 25].)

Figure 2

(a) A distribution graph of support, (b) a distribution graph of confidence.

Support is designed to measure how frequently those two faults occur among all transactions, whereas confidence implies that the possibility of fault “Y” occurrence is 30% if “X” has occurred when the confidence of a certain rule $(X \to Y)$ is 30%. Figure 2(b) shows a confidence distribution graph of all fault items. The average of confidence is 51%; 11 rules have more than 80% confidence and 98 rules have over 60% confidence and 160 rules have over 50% confidence.

Figure 3 shows a visualization of the correlation among fault items that were found by the measure criterion (support, confidence, and lift) of association analysis.

Figure 3

(a) This graph focuses on how the rules are composed of individual items and shows which rules share items. (b) Scatter plot with three measures (e.g., support and confidence and lift).

Table 1 shows the top 5 association rules sorted by the measure of support value. Number 44 of rule can be analyzed as follows. The support level is 34.2%, which is the ratio of finding a fault in the CL-1-1 and OS-2-2 control items at the same time. There is 59% probability that a fault occurs in the OS-2-2 control item if a fault occurs in the CL-1-1 control item. In addition, since the lift is over 1, which shows a correlation between the two control items, the correlation of the association rule is strong. On the other hand, Number 443 of rule is the association rule with low correlation because the lift is under 1, even though the support and confidence of this rule are 30.2% and 52.2%, respectively.

Table 1

Top 5 association rules sorted by the measure of support.

	Rules	Support	Confidence	Lift
442	{(C)CL-1-1}⇒{(C)OS-2-2}	34.2%	59.0%	1.247
443	{(C)AC-3-3}⇒{(C)CL-1-1}	30.2%	52.2%	0.902
369	{(C)PH-1-4}⇒{(C)AC-3-3}	26.3%	74.0%	1.279
423	{(C)CC-1-1}⇒{(C)CL-1-1}	26.3%	60.6%	1.046
429	{(C)AC-2-3}⇒{(C)AC-3-3}	26.3%	60.6%	1.046

Table 2 shows the top 5 association rules sorted by the measure of confidence.

Table 2

Top 5 association rules sorted by the measure of confidence.

	Rules	Support	Confidence	Lift
490	{(C)CC-2-1, (C)DR-2-1}⇒{(C)AC-2-3}	10.5%	100%	Inf
481	{(C)AC-2-2, (C)OS-2-2}⇒{(C)CL-1-1}	10.5%	100%	Inf
583	{(C)AC-4-6, (C)OS-2-2}⇒{(C)CL-1-1}	15.7%	92.3%	11.625
47	{(C)OS-4-1}⇒{(C)CL-1-1}	15.7%	92.3%	1.594
496	{(C)DR-2-1, (C)OS-2-2}⇒{(C)CL-1-1}	10.5%	88.8%	6.888

Number 40 of rule can be analyzed as follows. The ratio that a fault occurs in control items CC-2-1, DR-2-1, and AC-2-3 at the same time “support” is low (10.5%). Note, however, that the ratio of a fault occurring in control item AC-2-3—when fault occurs in control items AC2-2 and OS-2-2 “confidence”—is 100%. In addition, since the lift of this rule is over 1, the correlation of the association rule seems strong rule.

4. Results and Discussion

We have performed the process of figuring out the association rule that has the predefined support and confidence threshold value, in order to carry out relation analysis among K-ISMS faults. The first process is “frequent itemset finding,” which finds the itemset that satisfies the support threshold value only. The other process is “association rule generation” that adopts the rule satisfying the confidence threshold value only among association rules, which were created from the found frequent itemsets. Table 3 shows the summary of strong association rules within the range of the minimum support and minimum confidence.

Table 3

Summary of the association rules found by interesting measure (support, confidence, and lift).

Support	Confidence	Number of rules	Lift >1
10%	10%	302	258
	20%	300	252
	30%	287	246
	40%	233	212
	50%	160	152
	60%	98	98
	70%	30	30
	80%	11	11
	90%	4	4
	100%	2	2

20%	10%	21	15
	20%	21	15
	30%	21	15
	40%	18	13
	50%	13	11
	60%	7	7
	70%	2	2
	80%	0	0
	90%	0	0
	100%	0	0

30%	10%	2	1
	20%	2	1
	30%	2	1
	40%	2	1
	50%	2	1
	60%	0	0
	70%	0	0
	80%	0	0
	90%	0	0
	100%	0	0

However, all strong association rules are not always useful. The support-confidence framework can induce a rule $X \to Y$ as an interesting rule, even though X occurrence actually does not affect Y occurrence. To solve this issue, interest analysis is required that indicates the level of rules' correlation. This paper selects 43 association rules by applying the following three conditions (see Table 4): (1)

minimum support > 30% and minimum confidence > 50% and lift > 1,

(2)

minimum support > 20% and minimum confidence > 30% and lift > 1,

(3)

minimum support > 10% and minimum confidence > 80% and lift > 1.

Table 4

The result of associated relationship among K-ISMS faults (interest >1).

Probability by support, confidence		Association rules	Associated relationship among K-ISMS faults
Support > 30%	Confidence > 50%	{(C)CL-1-1}⇒{(C)OS-2-2}	If a fault occurs in “Information asset identification” ⇒ there is a probability of a fault concurrently in “System and service operation security”

Support > 20%	Confidence > 70%	{(C)PH-1-4}⇒{(C)AC-3-3}	If a fault occurs in “Access control of physical area” ⇒ there is a probability of a fault concurrently “User password management”
	Confidence > 70%	{(C)AC-4-6}⇒{(C)CL-1-1}	If a fault occurs in “Access control of internet connection” ⇒ there is a probability of a fault concurrently in “Information asset identification”
	Confidence > 60%	{(C)CC-2-1}⇒{(C)CL-1-1}	If a fault occurs in “Encryption key generation and use” ⇒ there is a probability of a fault concurrently in “Information asset identification”
		{(C)CC-2-1}⇒{(C)AC-2-3}	If a fault occurs in “Encryption key generation and use” ⇒ there is a probability of a fault concurrently in “Access permission review”
		{(C)CC-2-1}⇒{(C)AC-3-3}	If a fault occurs in “Encryption key generation and use” ⇒ there is a probability of a fault concurrently in “User password management”
		{(C)CC-1-1}⇒{(C)CL-1-1}	If a fault occurs in “Encryption policy establishment” ⇒ there is a probability of a fault concurrently in “Information asset identification”
		{(C)AC-2-3}⇒{(C)AC-3-3}	If a fault occurs in “Access permission review” ⇒ there is a probability of a fault concurrently in “User password management”
	Confidence > 50%	{(C)OS-6-2}⇒{(C)CL-1-1}	If a fault occurs in “Logging and archiving” ⇒ there is a probability of a fault concurrently in “Information asset identification”
		{(C)PH-1-4}⇒{(C)CL-1-1}	If a fault occurs in “Access control of physical area” ⇒ there is a probability of a fault concurrently in “Information asset identification”
		{(C)OS-6-2}⇒{(C)OS-2-2}	If a fault occurs in “Logging and archiving” ⇒ there is a probability of a fault concurrently in “Performance and capacity management”
	Confidence > 40	{(C)AC-2-3}⇒{(C)OS-2-2}	If a fault occurs in “Access permission review” ⇒ there is a probability of a fault concurrently in “Performance and capacity management”
	Confidence > 40	{(C)AC-3-3}⇒{(C)AC-4-6}	If a fault occurs in “User password management” ⇒ there is a probability of a fault concurrently in “Access control of internet connection”
	Confidence > 30	{(C)AC-3-3}⇒{(C)AC-4-1}	If a fault occurs in “User password management” ⇒ there is a probability of a fault concurrently in “Network access control”
	Confidence > 30	{(C)AC-3-3}⇒{(C)ET-2-1}	If a fault occurs in “User password management” ⇒ there is a probability of a fault concurrently in “Training and evaluation”

	Confidence > 100%	{(C)CC-2-1, (C)DR-2-1}⇒{(C)AC-2-3}	If two faults occur in “Encryption key generation and use” and “Recovery measure establishment based on impact analysis” ⇒ there is a probability of a fault concurrently in “Access permission review”
	Confidence > 100%	{(C)AC-2-2, (C)OS-2-2}⇒{(C)CL-1-1}	If two faults occur in “Administrator and special permission management” and “Performance and capacity management” ⇒ there is a probability of a fault concurrently in “Information asset identification”
	Confidence > 90%	{(C)AC-4-6, (C)OS-2-2}⇒{(C)CL-1-1}	If two faults occur in “Access control of Internet connection” and “Performance and capacity management” ⇒ there is a probability of a fault concurrently in “Information asset identification”
	Confidence > 90%	{(C)OS-4-1}⇒{(C)CL-1-1}	If a fault occurs in “Information system storage media management” ⇒ there is a probability of a fault concurrently in “Information asset identification”
	Confidence > 80%	{(C)DR-2-1, (C)OS-2-2}⇒{(C)CL-1-1}	If two faults occur in “Recovery measure establishment based on impact analysis” and “Performance and capacity management” ⇒ there is a probability of a fault concurrently in “Information asset identification”
		{(C)ET-2-1 (C)PH-1-4}⇒{(C)AC-3-3}	If two faults occur in “Training target” and “Access control of physical security” ⇒ there is a probability of a fault concurrently in “User password management”
		{(C)OS-2-7}⇒{(C)CL-1-1}	If a fault occurs in “Open server security” ⇒ there is a probability of a fault concurrently in “Information asset identification”
		{(C)AC-4-2}⇒{(C)AC-3-3}	If a fault occurs in “Server access control” ⇒ there is a probability of a fault concurrently in “User password management”
		{(C)CL-2-1 (C)EP-1-1}⇒{(C)OS-6-2}	If two faults occur in “Security grade and handling” and “requirement of security in contract with external parties” ⇒ there is a probability of a fault concurrently in “Logging and archiving”
		{(C)CL-1-1, (C)OS-5-2}⇒{(C)OS-2-2}	If two faults occur in “Information asset identification” and “Patch management” ⇒ there is a probability of a fault concurrently in “Performance and capacity management”
		{(C)IH-1-1}⇒{(C)CL-1-1}	If a fault occurs in “Intrusion incident response procedure establishment” ⇒ there is a probability of a fault concurrently in “Information asset identification”
	Confidence > 70%	{(C)AC-2-3, (C)PH-1-4}⇒{(C)CC-2-1}	If two faults occur in “Access permission review” and “Access control of physical area” ⇒ there is a probability of a fault concurrently in “Encryption key generation and use”
		{(C)CL-1-1, (C)ET-2-1}⇒{(C)OS-2-2}	If two faults occur in “Information asset identification” and “Training and evaluation” ⇒ there is a probability of a fault concurrently in “Performance and capacity management”
Support > 10%		{(C)DS-1-1}⇒{(C)CL-1-1}	If a fault occurs in “Definition of security requirement during system development” ⇒ there is a probability of a fault concurrently in “Information asset identification”
		{(C)AC-2-3 (M)RM-2}⇒{(C)CC-2-1}	If two faults occur in “Access permission review” and “(M) Risk identification and evaluation” ⇒ there is a probability of a fault concurrently in “Encryption key generation and use”
		{(C)CC-1-1 (C)OS-6-2}⇒{(C)CL-1-1}	If two faults occur in “Encryption policy establishment” and “Logging and archiving” ⇒ there is a probability of a fault concurrently in “Information asset identification”
		{(C)CC-1-1, (C)OS-2-2}⇒{(C)CL-1-1}	If two faults occur in “Encryption policy establishment” and “Performance and capacity management” ⇒ there is a probability of a fault concurrently in “Information asset identification”
		{(C)PH-3-1}⇒{(C)CL-1-1}	If a fault occurs in “Personal business environment security” ⇒ there is a probability of a fault concurrently in “Information asset identification”
		{(C)AC-4-4}⇒{(C)AC-3-3}	If a fault occurs in “Database access control” ⇒ there is a probability of a fault concurrently in “User password management”
		{(C)AC-2-3, (C)CC-1-1}⇒{(C)CC-2-1}	If two faults occur in “Access permission review” and “Encryption policy establishment” ⇒ there is a probability of a fault concurrently in “Encryption key generation and use”
		{(C)CL-1-1, (C)OS-4-2}⇒{(C)OS-2-2}	If two faults occur in “Information asset identification” and “Portable storage media management” ⇒ there is a probability of a fault concurrently in “Performance and capacity management”
		{(C)AC-2-3 (C)CC-1-1}⇒{(C)AC-3-3}	If two faults occur in “Access permission review” and “Encryption policy establishment” ⇒ there is a probability of a fault concurrently in “User password management”
		{(C)OS-5-2}⇒{(C)AC-3-3}	If a fault occurs in “Patch management” ⇒ there is a probability of a fault concurrently in “User password management”
		{(C)AC-3-3, (M)RM-2}⇒{(C)OS-6-3}	If two faults occur in “User password management” and “(M) Risk identification and evaluation” ⇒ there is a probability of a fault concurrently in “Access and use monitoring”
		{(C)SO-1-3}⇒{(C)AC-3-3}	If a fault occurs in “Information security committee” ⇒ there is a probability of a fault concurrently in “User password management”
		{(M)PM-3}⇒{(C)AC-3-3}	If a fault occurs in “Internal audit” ⇒ there is a probability of a fault concurrently in “User password management”
		{(M)PM-3}⇒{(C)CL-1-1}	If a fault occurs in “Internal audit” ⇒ there is a probability of a fault concurrently in “Information asset identification”
		{(C)OS-6-3}⇒{(C)AC-3-3}	If a fault occurs in “Access and use monitoring” ⇒ there is a probability of a fault concurrently in “User password management”

From the result of analysis, we can forecast that the association of fault occurrence among control items is high, as the rule {CL-1-1 (Information asset identification) ⇒ OS-2-2 (Security system operation)} is the one that has over 30% support level and 50% confidence level. The “information asset identification” is a control item that should classify and identify all information assets of the organization. A fault occurs, if those information assets are not identified periodically, or some assets are skipped. In other words, if a fault is found in “information asset identification,” there is a high possibility of fault occurrence in “security system operation.” The “security system operation” fault refers to the case that the security system operating procedure is not complied, or the blocking rule management log of the security system (e.g., firewall) is not available or lost.

There were two rules that have over 20% support level and 70% confidence level. The first rule was {PH-1-4 (Access control of physical area), ⇒ AC-3-3 (User password management)} and the second rule was {AC-4-6 (access control of internet connection) ⇒ CL-1-1 (Information asset identification)}. The first rule—“Access control of physical” control item, refers to the requirement that only the authorized person should be allowed to access the major systems inside the security area, and the access log should be reviewed periodically. A fault occurs, if access control of the outsiders is not sufficient, or the mobile device (e.g., USB) can be brought to it. In addition, the fault of the “user password management” control item occurs when the password of major systems is not changed periodically, or the password use requirements are not met. Therefore, if the enterprise does not perform proper “access control” on major facilities and systems, there is a possibility that the “user password management” of major systems (e.g., server, network) can also be insufficient.

5. Conclusions

In this study, we used the association mining applied with the “Apriori” algorithm in order to analyze the correlation among K-ISMS faults and could find 43 association rules. The result of this study suggests having a high correlation among faults as if the organization identifies and manages their information asset carelessly, then it can also affect security system operation.

Therefore, the result of those association rule may be referred to as the useful information for decision-making of organization's security activities and can be can be utilized as a guide to the assessment method during K-ISMS certification assessment. If any fault occurs among K-ISMS certification criteria, those items related to the association rule can be checked intensively. Also, it can be a guidance of analyzing the level of the Plan-Do-Check-Act activity (organization's security management phase) from the perspective of the correlation among faults.

However, finding a useful rule can be different according to the size of the data set because the adoption of the useful association rule depends on the occurrence frequency of the analysis data. Therefore, we need various studies of K-ISMS fault analysis such as association in accordance with the scope of organization's certification (a number of employees and system). Based on the association rule results obtained in this study, decision-making tree analysis to forecast the fault status, and fault factor analysis using the structural equation model will be studied as a subsequent study.

Because the paradigm of IT environment is changing from conventional PC and mobile to IoT, new approach is needed in terms of range of protection targets, characteristics of protection targets, and protection subjects to strengthen the security level of IoT continuously. In other words, the protection target should be expanded from the existing PC and mobile devices to all objects such as home appliances, automobiles, and medical supplies. It is also necessary to break away from the conventional method of protection with separate security system and software implementation and interface to establish the security policy, procedure, and standard to control and manage efficiently the administrative security, physical security, and technical security.

Moreover, there is a need for the application of information security management system suitable for the IoT environment to maintain the continuous security level of IoT services and prevent the spread of risk of intrusion incidents, including the identification of key assets to be protected and threats as well as assessment of the current security level to establish policies for coping with threats.

Footnotes

Appendix

See Table 5.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgment

This research was supported by the MSIP (Ministry of Science, ICT and Future Planning), Korea, under the ITRC (Information Technology Research Center) support program (NIPA-2014-H0301-14-1004) supervised by the NIPA (National IT Industry Promotion Agency).

References

Ministry of Science; ICT and Future Planning (MSIP)

The security roadmap of internet of things

Report of MSIP 2014

Park

Lee

Advanced approach to information security management system model for industrial control system

The Scientific World Journal 2014 2014 13

348305

10.1155/2014/348305

Korea Information Security Agency

The guide of information security management system in Korea

2014, http://isms.kisa.or.kr

Lee

Introduction of ISMS certification system

a presentation material in KISA, 2013

Park

Jang

Park

A study of effect of ISMS certification on organization performance

International Journal of Computer Science and Network Security 2010 10 3 10 20

Kim

Evaluation criteria for Korean smart grid based on K-ISMS

Journal of Korea Institute of Information Security & Cryptology 2012 22 6 1375 1391

Haufe

Dzombeta

Brandis

Proposal for a security management in cloud computing for health care

The Scientific World Journal 2014 2014 7

146970

10.1155/2014/146970

2-s2.0-84896336845

Hai

Q. L.

Somjit

A.-I.

Ngamnij

A.-I.

Association rule hiding based on intersection lattice

Mathematical Problems in Engineering 2013 2013 11

210405

MR3102124

10.1155/2013/210405

Khairudin

N. M.

Mustapha

Ahmad

M. H.

Effect of temporal relationships in associative rule mining for web log data

The Scientific World Journal 2014 2014 10

813983

10.1155/2014/813983

2-s2.0-84893821604

10.

kenett

Salini

Relative linkage disequilibrium: a new measure for association rules

Advances in Data Mining. Medical Applications, E-Commerce, Marketing, and Theoretical Aspects 2008 5077

Berlin, Germany

Springer

189 199 Lecture Notes in Computer Science

10.1007/978-3-540-70720-2_15

11.

Agrawal

Imielinski

Swami

Mining association rules between sets of items in large databases

Proceedings of the ACM SIGMOD International Conference on Management of Data

May 1993

207 216

2-s2.0-0027621699

12.

Shaharanee

I. N.

Dillon

T. S.

Hadzic

Ascertaining data mining rules using statistical approaches

Proceedings of International Symposium on Computing, Communication, and Control (ISCCC ‘11)

2011

IACSIT Press

182 183

13.

Brijs

Vanhoof

Wets

Defining interestingness for association rule

International Journal Information Theories & Applications 2010 10 370 372

14.

Jaiswal

Agarwal

The evolution of the association rules

International Journal of Modeling and Optimization 2012 2 6 726 729

10.7763/ijmo.2012.v2.220

15.

Kanimozhi Selvi

C. S.

Tamilarasi

An automated association rule mining technique with cumulative support thresholds

International Journal of Open Problems in Computer Science and Mathematics 2009 2 3 427 438

16.

Zaki

M. J.

Scalable algorithms for association mining

IEEE Transactions on Knowledge and Data Engineering 2000 12 3 372 390

2-s2.0-0033718951

10.1109/69.846291

17.

Hipp

Güntzer

Nakhaeizadeh

Algorithms for association rule mining—a general survey and comparison

Proceedings of the ACM Conference on Knowledge Discovery and Data Mining

July 2000

SIGKDD Explorations

58 59

18.

Agrawal

Srikant

Fast algorithms for mining association rules in large databases

Proceedings of the 20th International Conference on Very Large Data Bases (VLDB ‘94)

September 1994

487 499

19.

Hahsler

Grün

Hornik

Arules—a computational environment for mining association rules and frequent item sets

Journal of Statistical Software 2005 14 15 11 22

2-s2.0-27544480125

20.

Liu

Hsu

Mining association rules with multiple minimum supports

Proceedings of the 5th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining (KDD ‘99)

August 1999

San Diego, Calif, USA

337 341

10.1145/312129.312274

21.

Hahsler

A Probabilistic Approach to Association Rule Mining 2008

Dallas, Tex, USA

Southern Methodist University

22.

Wright

Chen

E. S.

Maloney

F. L.

An automated technique for identifying associations between medications, laboratory results and problems

Journal of Biomedical Informatics 2010 43 6 891 901

2-s2.0-78649328064

10.1016/j.jbi.2010.09.009

23.

Tan

P.-N.

Kumar

Srivastava

Selecting the right interestingness measure for association patterns

Proceedings of the 8th ACM International Conference on Knowledge Discovery and Data Mining (SIGKDD ‘02)

July 2002

32 41

2-s2.0-0242625291

24.

Pang-Ning

Steinbach

Kumar

Association analysis, basic concepts and algorithms

Introduction to Data Mining 2005 chapter 6

Addison-Wesley

327 414

25.

Hahsler

Chelluboina

Visualizing Association Rules: Introduction to the R-extension Package arulesViz

The Comprehensive R Archive Network, http://cran.r-project.org/web/packages/arulesViz

A Study of K-ISMS Fault Analysis for Constructing Secure Internet of Things Service

Abstract

1. Introduction

2. Theoretical Background

2.1. Frequent Itemset Finding

2.2. Association Rule Generation

3. Association Rule Analysis of the K-ISMS Fault

3.1. Analysis Data

3.2. Association Rule Analysis

4. Results and Discussion

5. Conclusions

Footnotes

Appendix

Conflict of Interests

Acknowledgment

References