BSI / 2005 / Code of Practices for Information Security Management / British Standards Institution Broderick, J.S / 2001 / Information Security Management ?When Should it be Managed? / Information Security Technical Report 6 (3) : 12 ~ 18 CMU / 1999 / Operationally Critical Threat, Asset,Vulnerability Evaluation(OCTAVE) Framework, Ver.1.0, CMU/SEI-99-TR-017. Carnegie Mellon University/Software Engineering Institute, Ju CSE / 1996 / Guide to Security Risk Management for IT Systems, Communications Security Establishment,Government of Canada Choi, N / 2008 / Knowing is Doing / Information Management & Computer Security 16 (5) : 484 ~ 501