The Employee's Information Security Policy Compliance Intention: Theory of Planned Behavior, Goal Setting Theory, and Deterrence Theory Applied

  • Received : 2016.06.02
  • Accepted : 2016.07.20
  • Published : 2016.07.28

Abstract

As the importance of information security grows, organizations are continuously investing in developing policies and adapting technology for information security. To raise the level of internal security, an organization should provide systematic support that strengthens employees' security compliance intention. This research proposes security policy goal setting and sanction enforcement as methods for improving employees' security compliance when planning and enforcing an organization's security policy, and verifies the influence relationships of the Theory of Planned Behavior, which explains employees' security compliance intention. We surveyed employees of organizations with an information security policy and used structural equation modeling to test the research hypotheses, based on 346 responses. The results show that the degree of goal setting and sanction enforcement has a positive influence on self-efficacy and coping efficacy, which are antecedents of employees' compliance intention. On this basis, the research suggests directions for a strategic approach to enhancing employees' compliance intention toward the organization's security policy.

Keywords

Theory of Planned Behavior; Goal Setting Theory; Information Security Compliance Intention; Security Policy Goal Setting Attitudes; Sanction
