Woohyun Shim

• Ph.D.
• Research Fellow at Korea Institute of Public Administration

We study interdependent risks in security, and shed light on the economic and policy implications of increasing security interdependence in presence of reactive attackers. We investigate the impact of potential public policy arrangements on the security of a group of interdependent organizations, namely, airports. Focusing on security expenditures...

Assessing the risks of software vulnerabilities is a key process of software development and security management. This assessment requires to consider multiple factors (technical features, operational environment, involved assets, status of the vulnerability lifecycle, etc.) and may depend from the assessor’s knowledge and skills. In this work, we...

As effective government capacity is essential to avoid government failures and improve its performance, performance management in the public sector has to prioritize ways to manage its capacity. Since the high performance profile requires a systematic and sustainable mechanism, government capacity should be adequately identified and measured to gai...

As interests in government capacity have increased, the development and the use of capacity indicators and indices are being actively promoted, both domestically and internationally. These indices, however, are limited in grasping the entirety of Korean government capacity since they were not directly developed for its measurement. This study analy...

In spite of the growing importance of software security and the industry demand for more cyber security expertise in the workforce, the effect of security education and experience on the ability to assess complex software security problems has only been recently investigated. As proxy for the full range of software security skills, we considered th...

In spite of the growing importance of software security and the industry demand for more cyber security expertise in the workforce, the effect of security education and experience on the ability to assess complex software security problems has only been recently investigated. As proxy for the full range of software security skills, we considered th...

We analyze the issue of agency costs in aviation security by combining results from a quantitative economic model with a qualitative study based on semi-structured interviews. Our model extends previous Principal-Agent models by combining the traditional fixed and varying monetary responses to physical and cognitive effort with non-monetary welfare...

Various regulation affecting investment in the telecommunications industry have been investigated thoroughly by researchers. However, the previous literature has largely overlooked the issue of a regulatory constellation. Using data for 28 European countries for the period between 1997 and 2010, this study explores how price regulation on fixed and...

In order to ensure that all firms are cyber-secure, many governments have started to enforce the implementation of various security measures on firms. Prior to the implementation, however, it is vague whether government enforced security measures will be effective for mitigating cyber-security risks. By applying a method for estimating the effectiv...

Many researchers have argued that security measures are not effective for protecting IT systems against cyber-attacks because they cannot keep up with attack strategies and are often developed reactively. However, according to principal-agent theory, the low effectiveness of security measures might be the outcome of moral hazard which results in su...

A cybersecurity public policy economic model for civil aviation and several interviews with key stakeholders illustrate how interdependency issues can lead to aviation regulations that put smaller airports at a disadvantage.

While careful and prudent settings for airport security policies and strategies are more important than ever, most of them have been implemented as a direct result of terrorist activities rather than motivated by a proper assessment. Furthermore, even if many scholars have proposed ways to assess and evaluate alternative airport security policies p...

While many governments and airport operators have emphasized the importance of security training and committed a large amount of budget to security training programs, the implementation of security training programs was not proactive but reactive. Moreover, most of the security training programs were employed as a demand or a trend-chasing activity...

Cybercrime is notoriously maintained and empowered by the underground economy, manifested in black markets. In such markets, attack tools and vulnerability exploits are constantly traded. In this paper, we focus on making a quantitative assessment of the risk of attacks coming from such markets, and investigating the expected reduction in overall a...

This study investigates the effects of incentive and deterrence strategies that might turn a security researcher into a malware writer, or vice versa. By using a simple game theoretic model, we illustrate how hackers maximize their expected utility. Furthermore, our simulation models show how hackers' malicious activities are affected by changes in...

This paper examines the effects of sector regulation on innovation in telecommunications and related information industries. Building on innovation research, a typology of innovation processes in ICT industries is developed. The economic and policy conditions conducive to different types of innovation are analyzed to draw inferences on the effects...

Information and communication technologies (ICTs) are an important determinant of productivity growth and innovation. This study examines the effects of sector regulation on innovation in telecommunications and related information industries. A typology of innovation processes in ICT industries is developed. The conditions conducive to innovation u...

Many governments have tried to develop a liability and compliance law that can improve cyber security in a sustainable way. This paper explores whether a liability and compliance law is effective in motivating firms' information security activities. In particular, I empirically investigate the impact of the 2007 Electronic Financial Transaction Act...

This article develops an economic model that shows the optimal level of information security investment in the context of interdependent security risks. Using particular functional forms, the analysis shows that the relationship between the security vulnerability level and the level of optimal information security investment is affected by external...