Title: Policy Design Based on Risk at Big Data Era: Case Study of Privacy Invasion in South Korea
Authors: Hyejung Moon; Hyun Suk Cho; Seo Hwa Jeong; Jangho Park
Abstract: This paper analyzes cases of data leakage in order to study policy issues for ICT security from a social-science perspective focused on risk. The results of the case analysis are as follows. First, ICT risk can be categorized as 'severe, strong, intensive and individual' by the level of both probability and impact. Second, a risk management strategy can be designated as 'avoid, transfer, mitigate, accept' by understanding the culture type of the group concerned, namely 'hierarchy, egalitarianism, fatalism and individualism'. Third, personal data carries the characteristics of big data such as 'volume, velocity, variety' in each risk situation. Therefore, government needs to establish a standing organization responsible for ICT risk policy and management in the new big data era, and policy for ICT risk management needs to balance 'technology, norms, laws, and market' in the big data era.
I. INTRODUCTION
Informationization has increased side effects such as privacy invasion, illegal information distribution, system breakdown, hacking and tampering (Beck, 1998). Even though South Korea has a world-class level of IT quality, the damage from security incidents in its IT infrastructure is very serious. The whole population of the country has, in total, been the victim of major privacy invasion incidents: 18 million at E-Bay Auction in Feb 2008, 35 million at SK coms, 13 million at Nexon Korea in Nov 2011, 53 million at KB card in Jan 2014, 26 million at Lotte card in Jan 2014, and 25 million people at NH card in Jan 2014. The population of South Korea is 49.7 million people (World Bank, 2011), so the total number of victims is several times the population. This means that the whole population is at risk of privacy invasion. The leaked private information includes sensitive data such as social identification numbers, credit-card information, phone numbers and addresses. Privacy invasion has now become an important policy issue, a first-degree disaster.
This social issue has grown in the big data era with the development of ICT and the growth in internet users. The features of big data, including volume, velocity, variety and others, bring both opportunity and risk. How could we prepare policy for information security in the big data era? This paper starts from this basic question. Recent invasions of information security have arisen not only from weak points in technology but also from user psychology and organization (Gonzalez, 2002). Response policy against ICT problems needs to treat the security issue as a social risk, focusing on cultural features (Douglas & Wildavsky, 1982).
There are several policy implications in approaching information security from the perspective of risk management. Above all, the problem of information security is regarded as a social and economic issue rather than just a technical problem like a system error (Young Jin So et al., 2001). Risk is always accompanied by uncertainty, and information security also has high uncertainty. It is natural, then, that risk management is useful for technical development. We cannot be free from all kinds of technical risk in an uncertain environment. The realistic approach to treating IT security problems is to decide which risks to accept and which to avoid (Ik Jae Jung, 2007). The purpose of this paper is to provide a specific direction for policy design in risk response to information security problems, using the increasing cases of privacy invasion over the last ten years in South Korea.
II. BACKGROUND
The background of this paper is based on theory and previous studies of technical risk and big data.
A. Risk Theory on Culture
The theory of this study is based on risk-based culture types (Douglas & Wildavsky, 1982), response policy for each risk type (Wildavsky, 1988), risk management strategy (PMI, 2008), and risk-based policy types (May, 1991).
The basic theories are the culture types (Douglas, 1970) and the response types for risk (Douglas & Wildavsky, 1982) shown in Figure 1. Douglas (1970) distinguished culture types by grid and group: hierarchy, fatalism, egalitarianism, individualism. Grid refers to characteristics one is born with, such as age, sex and home town. Group refers to life characteristics such as job and education level.
Douglas & Wildavsky (1982) provide four problems of risk, one for each culture type, in Figure 2. These risks also have different types of problem and solution depending on the level of knowledge and consent.
The next theory is the response strategy according to the level of knowledge and predictability about risk in Figure 3 (Wildavsky, 1988).
PMI (2008) provides four response strategies after distinguishing risk according to frequency and impact, as in Figure 4.
B. Conceptualization of Big Data
Big data is data that exceeds the processing capacity of conventional database systems (Manyika & Chui, 2011). This data has characteristics such as volume, velocity, variety and new value (Douglas, 2001). Because of these complex features, big data also carries many risks with the high uncertainty of a new technology (Moon & Cho, 2012). Using big data requires next-generation technology including new problem-solving methods (Gantz & Reinsel, 2011; Moon & Cho, 2012). These characteristics differ according to technical culture, as in Figure 5.
C. Previous Studies
The first quantitative analysis of risk is the paper of Crouch & Wilson (1983). They calculated and categorized the risk of social problems using frequency and impact from an economic perspective. Deloach (2000) also studied risk in business processes from an economic perspective. Norrman & Jansson (2004) categorized risk using recovery time in SCM (Supply Chain Management) processes.
Next are studies of technical risk. Slovic (1987) conducted representative research on risk problems from a policy perspective concerning the riskiest activities and technologies in the USA. The weak point of this study is that its basic data was collected by survey. Ik Jae Jung (2007) analyzed the risks recorded by FedCIRC (the Federal Incident Response Capability, USA) from 1998 to 2000 using frequency and impact in the agenda-setting process. According to these two studies, the most dangerous risks to a country arise from technical complexity.
May et al. (2009a; 2009b) researched the impact of risk on public problems in the Department of Homeland Security, USA, over 25 years. They distinguished differences in the agenda-setting process according to risk features, but did not conduct a quantitative analysis of risk.
Chang Hee Han et al. (2011) calculated the economic volume of damage from privacy invasion in South Korea using the risk management method of Ponemon (2010). They provide a method for measuring an index of damage from risk from a policy perspective, but did not consider the predictability of risk.
The result of these previous studies is the criteria for risk type based on culture in Table I.
I would like to design a research framework with the two dimensions of predictability and impact of risk using these criteria.
D. Differences of this Study
The differences between this paper and previous studies are as follows.
First, this paper conducts an empirical study of privacy invasion based on many kinds of information security incidents in South Korea.
Second, I apply the predictability of risk using incidents that actually occurred in information security over the last ten years.
Third, I calculate the impact of possible risk using the law as a cost perspective before an incident occurs.
Fourth, I analyze the response policy for each different risk according to culture, using the grid and group of society.
Finally, I suggest a method of policy design for incidents, using the experience of responding to the same type of incident as risk management.
III. RESEARCH DESIGN
Before analyzing the cases of privacy invasion, I will clarify the research questions that serve the purpose of the study, and I will provide an analysis framework for understanding the case study.
A. Research Questions
The research questions focus on different features and policy design according to culture type, risk response and the characteristics of big data.
Q1. What are the different characteristics of technical risk in information security according to predictability and impact?
Q2. How does response policy against risk differ according to situation, such as culture?
Q3. What are the features of both technology and big data according to risk situation?
B. Case Study
The research subjects are cases of privacy invasion in South Korea during the last 11 years, from 2003 to 2013. The basic data is the statistics provided by the Korea Internet Security Association (KISA). The statistics are compiled from KISA's call service for information security. The total number of incidents is almost 700 thousand.
C. Research Method
The research method is a descriptive case study through analysis and categorization of specific cases (George and Bennett, 2005). The total cases are all privacy invasion incidents in South Korea. The research subject is the reporting data from KISA's information security call center service. I categorize the incidents into 15 segments by KISA's criteria. The impact of an incident is assessed under the Act (Information and Communication Network Utilization and Information Protection Act). The frequency of incidents is segmented according to KISA's report statistics. The cases are then segmented into four areas according to culture type, risk situation and features of big data, and I identify the differences in policy design for risk response in the big data era.
D. Analysis Framework
A social issue as a policy subject is influenced by the political environment (Cobb, Ross & Ross, 1976). Policy design changes according to the features of the risk embedded in social problems such as natural disasters and technical accidents accompanied by strong public opinion (Cobb & Elder, 1983). Therefore major social issues arise from technical risk (Douglas & Wildavsky, 1982), and risk response should be a complex approach that includes policy regarding culture, risk and the features of big data, as in Figure 6.
Public risk has high predictability and strong impact, so the response to public risk focuses on a prevention strategy (anticipation). Private risk has low predictability and weak impact, so the response to private risk focuses on a recovery strategy (resilience).
IV. CASE STUDY
For the case analysis, I first categorize all kinds of incident according to the law. The next step is measuring predictability using frequency, and impact using the fines in the law. Then the incidents are segmented by risk type. For analysis of the characteristics of incidents, we focus on the technical perspective. The last step is designing response policy for each risk type.
A. Outline
There are the following 15 cases of privacy invasion by KISA's classification.
A01 Collection of personal information without the user's consent
A02 Duty-break of notice for collecting personal information
A03 Excessive collection of personal information
A04 Providing privacy to third party beyond notice
A05 Privacy invasion by person in charge
A06 Duty-break of notice for consignment personal information
A07 Duty-break of notice for business sale
A08 Un-designation personal information manager
A09 Privacy invasion cause of insufficient treat of technology and management
A10 Un-destruction of privacy after gaining purpose
A11 Non-acceptance of requests about agreement, destruction, browsing and updating
A12 Non-acceptance of making easy process than collection in agreement, destruction, browsing and updating
A13 Collection of child's information without agreement of a legal representative
A14 Privacy invasion of others' information such as social identification
A15 Any privacy invasion beyond the Act
Each of these cases corresponds to the law (Information and Communication Network Utilization and Information Protection Act) as in the following Table II.
Cases of privacy invasion have increased 8 times compared with 10 years ago. The increase rate was just 10% before 2010, but the recent increase in privacy invasion has been over 200% since 2011. Eight types of case are increasing (A01, A02, A03, A04, A05, A06, A10, A14). The rate of A14, 'Privacy invasion of others' information such as social identification', is severe at 50.92% of incidents. Seven types are decreasing (A07, A08, A09, A11, A12, A13, A15). Cases of A13 have decreased to 1/40 of the incidents in 2003.
Cases arising from inside account for just 10% of incidents, across 12 case types. Cases arising from outside account for almost 90%, across only 3 case types (A09, A14, A15). The statistics on privacy invasion over the last ten years are given in Table III.
B. Case analysis
The total number of incidents is around 700 thousand. The incidents were divided into 15 cases according to KISA's reporting categorization. All incidents were then divided according to level of predictability and impact in Table IV.
The potential severity of incidents was measured according to level of predictability and impact, to analyze technical risk based on cases of privacy invasion. The indicator of predictability was measured using the total frequency of incidents. Impact was measured by the fine set in legislation on privacy invasion.
Each case could also be assigned to one of four risks (severe, potential, fundamental and intensive) in Figure 7.
1) Avoid cases for Severe Risk (A09, A14, A15): These cases have the characteristics of high frequency and strong impact, in the culture type of hierarchy. There are 3 types, A09, A14 and A15, as policy problems. In particular, A09 is the risk of privacy invasion caused by insufficient technical and managerial measures. Cases of A09 numbered only around 20,000 before 2012, but the total number of victims of A09 incidents at KB card, Lotte card and NH card in Jan 2014 was over 100 million people. These incidents have become a national disaster. The response strategy is to avoid the risk, because the impact of severe risk is so much higher than the cost of prevention. The government needs to find a comprehensive method and total solution to avoid these incidents using technology and other means. These cases arise from the characteristics of big data: volume, velocity, variety and complexity.
2) Transfer cases for Strong Risk (A03, A06): These cases have the characteristics of low frequency and strong impact, in the culture type of egalitarianism. There are 2 types, A03 and A06, as policy problems: 'Excessive collection of personal information' and 'Duty-break of notice for consignment personal information'. The total of these cases was under 200 incidents during the last 10 years. Strong risk occurs among profit-making companies with the culture type of egalitarianism. The impact of strong risk is so high that companies invest money against the risk. The response strategy is transferring the risk, for example through insurance and certification. These incidents occur in high-velocity systems with real-time transactions.
3) Mitigate cases for Potential Risk (A11, A12): These cases have the characteristics of high frequency and weak impact, in the culture type of fatalism. There are 2 types, A11 and A12, as policy problems, such as 'Non-acceptance of making easy process than collection in agreement, destruction, browsing and updating' and 'Collection of child's information without agreement of a legal representative'. These cases have decreased every year. The response strategy is mitigating the risk using security systems or other technical measures. These incidents have occurred at portal sites and social network services. This situation has the high-volume characteristic of big data.
4) Accept cases for Fundamental Risk (A07, A08): These cases have the characteristics of low frequency and weak impact, in the culture type of individualism. There are 2 types, A07 and A08: 'Duty-break of notice for business sale' and 'Un-designation personal information manager'. These cases have hardly occurred, and the impact of an incident is so small that the response strategy is simply to accept these cases from a personal perspective. These incidents have occurred in various big data environments.
C. Case Study Results
As the results of the case study show, policy design for risk response differs according to culture and the technology of big data, as in Figure 8.
The public area is response policy based on risk with high probability and strong impact. The General Public License (GPL) is a typical case of public policy and governance: GPL is the governance for Open Source Software (OSS) by the Free Software Foundation (FSF). The private area is response strategy based on risk with low probability and weak impact. CCL (Creative Commons License) is a typical case of private strategy. CCL is one of several public copyright licenses that enable the free distribution of an otherwise copyrighted work. CCL is the basic way of responding to risk for individual incidents in the big data era.
D. Answers for Research Questions
The answer to question 1 is that risk type can be separated into four types, severe, strong, potential, and fundamental, in the information security environment.
The answer to question 2 is that risk response is established according to culture type. The response strategies are 1. avoid for severe risk, 2. transfer for strong risk, 3. mitigate for potential risk, 4. accept for fundamental risk.
The answer to question 3 is that technical characteristics can be distinguished according to culture type and risk situation in the big data environment. The technical characteristics are 1. 3VC (volume, velocity, variety and complexity) in severe risk and hierarchy culture, 2. velocity in strong risk and egalitarianism culture, 3. volume in potential risk and fatalism culture, 4. variety in fundamental risk and individualism culture.
V. CONCLUSION
The implications of the case analysis are as follows. First, ICT risk can be categorized as 'severe, strong, intensive and individual' by the level of both probability and impact. Second, a risk management strategy can be designated as 'avoid, transfer, mitigate, accept' by understanding the culture type of the group concerned, namely 'hierarchy, egalitarianism, fatalism and individualism'. Third, personal data carries the characteristics of big data such as 'volume, velocity, variety' in each risk situation.
This study can provide a useful case study for other countries. First, this paper shows the trend of technical risk such as various privacy invasions, because the information technology of Korea is more advanced than that of other countries. Next, this paper also suggests the direction for policy design based on technical risk in the big data era. The direction is a methodology for how policy should be established with different strategies, with regard to technical features under cultural conditions.
Therefore, the government needs to establish a standing organization responsible for ICT risk policy and management in the new big data era, and policy for ICT risk management needs to balance 'technology, norms, laws, and market' in the big data era (Lessig, 1999). Furthermore, policy based on risk from big data should be designed with regard to global governance.
Furthermore, the content analysis of privacy invasion in South Korea shows critically different trends. We are still analyzing the trends with a visualization tool for big data, and I would like to leave these results as subjects for the next study.
Policy Design Based on Risk at Big Data Era: Case Study of Privacy Invasion in South Korea by Hyejung Moon is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
Based on a work at www.itpolicy.co.kr.