The Moderating Effects of Information Security Policy between Information Security Maturity and Organizational Performance

An Analysis of the Effect of Information Security Policy between Information Security Maturity and Organizational Performance

  • 박정국 (Department of Management Information Systems, Dongguk University) ;
  • 김인재 (School of Business, Dongguk University)
  • Received : 2014.07.21
  • Accepted : 2014.09.03
  • Published : 2014.09.30


The absence of proactive information security management to ensure the availability, accessibility and safety of information can pose serious risks to customers as well as to an organization's performance and competitiveness, because improper security management undermines business continuity. This study analyzed how information security maturity affects organizational performance. Based on a literature review, a research model was proposed that uses organizational performance as the dependent variable, risk management process maturity and risk assessment process maturity as independent variables, and information security policy indexes as moderating variables; an empirical analysis was then carried out on the basis of a survey. The results showed a strong causal relationship between information security maturity and organizational performance. However, even when the information security staff ratio and the information security budget ratio increased, information security maturity did not affect organizational performance. This suggests that information security maturity affects organizational performance, but that information security regulations are limited as a catalyst for improving organizational performance.

