Information Security of Organization and Employees in Social Exchange Perspective : Using Structure-Conduct-Outcome Framework

SCO Framework을 적용한 조직과 조직원의 정보보안 준수 관계 연구

  • Received : 2019.08.25
  • Accepted : 2019.11.19
  • Published : 2019.12.31


Purpose Issues related to information security have been a crucial topic of interest to researchers and practitioners in the IT/IS field. This study develops a research model based on a Structure-Conduct-Outcome (SCO) framework for the social exchange relationship between employees and organizations regarding information security. Design/methodology/approach In applying an SCO framework to information security, structure and conduct are activities imposed on employees within an organizational context; outcomes are activities that protect information security from an employee. Data were collected from 438 employees working in manufacturing and service firms currently implementing an information security policy in South Korea. Structural equation modeling (SEM) with AMOS 22.0 is used to test the validation of the measurement model and the proposed casual relationships in the research model. Findings The results demonstrate support for the relationships between predicting variables in organization structure (security policy and physical security system) and the outcome variables in organization conduct (top management support, security education program, and security visibility). Results confirm that the three variables in organization conduct had a positive effect on individual outcome (security knowledge and compliance intention).


Supported by : 한국연구재단


  1. 박철주, 임명성, "기술스트레스가 정보보안에 미치는 영향에 관한 연구," 디지털융복합연구, 제10권, 제5호, 2012, pp.37-51.
  2. 유인진, 박도형 "중소기업 프로파일링 분석을 통한 기술유출 방지 및 보호 모형 연구," 정보시스템연구, 제27권, 제1호, 2018, pp.171-191.
  3. 최경선, 안현철, "개인적.사회적 요인을 고려한 가상 공동체에서의 지식 공유 모형," 정보시스템연구, 제28권, 제5호, 2019, pp.41-72.
  4. 황인호, 김대진, "조직의 정보보안 환경이 조직구성원의 보안 준수의도에 미치는 영향," 정보시스템연구, 제25권, 제2호, 2016, pp.51-77.
  5. Armeli, S., Eisenberger, R., Fasolo, P., and Lynch, P., "Perceived Organizational Support and Police Performance: The Moderating Influence of Socioemotional Needs," Journal of Applied Psychology, Vol. 83, No. 2, 1998, pp.288-297.
  6. Bang, Y., Lee, D. J., Bae, Y. S., and Ahn, J. H., "Improving Information Security Management: An Analysis of ID-password Usage and a New Login Vulnerability Measure," International Journal of Information Management, Vol. 32, No. 5, 2012, pp.409-418.
  7. Boss, S., Galletta, D., Lowry, P. B., Moody, G. D., and Polak, P., "What Do Systems Users Have to Fear? Using Fear Appeals to Engender Threats and Fear That Motivate Protective Security Behaviors," MIS Quarterly, Vol. 39, No. 4, 2015, pp.837-864.
  8. Bulgurcu, B., Cavusoglu, H., and Benbasat, I., "Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness," MIS Quarterly, Vol. 34, No. 3, 2010, pp.523-548.
  9. Carr, N. G., "IT doesn't Matter," Educause Review, Vol. 38, 2003, pp.24-38.
  10. Cegarra-Navarro, J. G., Cepeda-Carrion, G., and Eldridge, S., "Balancing Technology and Physician-patient Knowledge Through an Unlearning Context," International Journal of Information Management, Vol. 31, No. 5, 2011, pp.420-427.
  11. Chen, Y., Ramamurthy, K., and Wen, K. W., "Organizations' Information Security Policy Compliance: Stick or Carrot Approach?," Journal of Management Information Systems, Vol. 29, No. 3, 2012, pp.157-188.
  12. Chou, H. L., and Chou, C., "An Analysis of Multiple Factors Relating to Teachers' Problematic Information Security Behavior," Computers in Human Behavior, Vol. 65, 2016, pp.334-345.
  13. Cook, K. S., Emerson, R. M., Gillmore, M. R., and Yamagishi, T., "The Distribution of Power in Exchange Networks: Theory and Experimental Results," American Journal of Sociology, Vol. 89, No. 2, 1983, pp.275-305.
  14. D'Arcy, J., Hovav, A., and Galletta, D., "User Awareness of Security Countermeasures and its Impact on Information Systems Misuse: A Deterrence Approach," Information Systems Research, Vol. 20, No. 1, 2009, pp.79-98.
  15. Devaraj, S., Fan, M., and Kohli, R., "Examination of Online Channel Preference: Using the Structure-Conduct-Outcome Framework," Decision Support Systems, Vol. 42, No. 2, 2006, pp.1089-1103.
  16. Da Veiga, A., and Eloff, J. H., "An Information Security Governance Framework," Information Systems Management, Vol. 24, NO.4, 2007, pp.361-372.
  17. Da Veiga, A., and Eloff, J. H., "A Framework and Assessment Instrument for Information Security Culture," Computers & Security, Vol. 29, No. 2, 2010, pp.196-207.
  18. Da Veiga, A., and Martins, N., "Defining and Identifying Dominant Information Security Cultures and Subcultures," Computers & Security, Vol. 70, 2017, pp.72-94.
  19. Desouza, K. C., "Facilitating Tacit Knowledge Exchange," Communications of the ACM, Vol. 46, No. 6, 2003, pp.85-88.
  20. Dhillon, G., Oliveira, T., Susarapu, S., and Caldeira, M., "Deciding Between Information Security and Usability: Developing Value Based Objectives," Computers in Human Behavior, Vol. 61, 2016, pp.656-666.
  21. Eisenberger, R., Fasolo, P., and Davis-LaMastro, V., "Perceived Organizational Support and Employee Diligence, Commitment, and Innovation," Journal of Applied Psychology, Vol. 75, No. 1, 1990, pp.51-59.
  22. Emerson, R. M., "Power-Dependence Relations," American Sociological Review, Vol. 27, No. 1, 1962, pp.31-41.
  23. Emerson, R. M., "Exchange Theory, Part I: A Psychological Basis for Social Exchange," Sociological Theories in Progress, Vol. 2, 1972, pp.38-57.
  24. Emerson, R. M., "Social Exchange Theory," Annual Review of Sociology, Vol. 2, 1976, pp.335-362.
  25. Fornell, C., and Larcker, D. F., "Evaluating Structural Equation Models with Unobservable Variables and Measurement Error," Journal of Marketing Research, Vol. 18, No. 1, 1981, pp.39-50.
  26. Geyskens, I., Steenkamp, J. B. E., and Kumar, N., "A Meta-Analysis of Satisfaction in Marketing Channel Relationships," Journal of Marketing Research, Vol. 36, No. 2, 1999, pp.223-238.
  27. Griffin, M. A., and Neal, A., "Perceptions of Safety at Work: A Framework for Linking Safety Climate to Safety Performance, Knowledge, and Motivation," Journal of Occupational Health Psychology, Vol. 5, No. 3, 2000, pp.347-358.
  28. Herath, T., and Rao, H. R., "Encouraging Information Security Behaviors in Organizations: Role of Penalties, Pressures and Perceived Effectiveness," Decision Support Systems, Vol. 47, No. 2, 2009, pp.154-165.
  29. Hendricks, J., Exchange Theory in Aging. In G. Maddox (Eds.), The Encyclopedia of Aging (2nd eds.). New York: Springer, 1995.
  30. Hwang, I., and Cha, O., "Examining Technostress Creators and Role Stress as Potential Threats to Employees' Information Security Compliance," Computers in Human Behavior, Vol. 81, 2018, pp.282-293.
  31. Hwang, I., Kim, D., Kim, T., and Kim, S., "Why Not Comply with Information Security? An Empirical Approach for the Causes of Non-compliance," Online Information Review, Vol. 41, No. 1, 2017, pp.2-18.
  32. Jacobs, R., and Washington, C., "Employee Development and Organizational Performance: A Review of Literature and Directions for Future Research," Human Resource Development International, Vol. 6, No. 3, 2003, pp.343-354.
  33. Jiang, J. C., Chen, C. A., and Wang, C. C., "Knowledge and Trust in E-consumers' Online Shopping Behavior," In Electronic Commerce and Security, 2008 International Symposium on IEEE, 2008, pp.652-656.
  34. Kankanhalli, A., Teo, H. H., Tan, B. C., and Wei, K. K., "An Integrative Study of Information Systems Security Effectiveness," International Journal of Information Management, Vol. 23, No. 2, 2003, pp.139-154.
  35. KBresearch, KB Knowledge Vitamin: Recent Information Security Trend of Financial Institution and Outlook, 2015.
  36. Knapp, K. J., Morris, R. F., Marshall, T. E., and Byrd, T. A., "Information Security Policy: An Organizational-Level Process Model," Computers & Security, Vol. 28, No. 7, 2009, pp.493-508.
  37. Kwok, L. F., and Longley, D., "Information Security Management and Modelling," Information Management & Computer Security, Vol. 7, No. 1, 1999, pp.30-40.
  38. Lee, S. M., Lee, S. G., and Yoo, S., "An Integrative Model of Computer Abuse Based on Social Control and General Deterrence Theories," Information & Management, Vol. 41, No. 6, 2004, pp.707-718.
  39. Lee, J., and Lee, Y., "A Holistic Model of Computer Abuse within Organizations," Information Management & Computer Security, Vol. 10, No. 2, 2002, pp.57-63.
  40. Loch, K. D., Carr, H. H., and Warkentin, M. E., "Threats to Information Systems: Today's Reality, Yesterday's Understanding," MIS Quarterly, Vol. 16, No. 2, 1992, pp.173-186.
  41. Lowry, P. B., and Moody, G. D., "Proposing the Control-Reactance Compliance Model (CRCM) to Explain Opposing Motivations to Comply with Organisational Information Security Policies," Information Systems Journal, Vol. 25, No. 5, 2015, pp.433-463.
  42. Mary MacNeil, C., "Exploring the Supervisor Role as a Facilitator of Knowledge Sharing in Teams," Journal of European Industrial Training, Vol. 28, No. 1, 2004, pp.93-102.
  43. Molm, L. D., "Structure, Action, and Outcomes: The Dynamics of Power in Social Exchange," American Sociological Review, Vol. 55, No. 3, 1990, pp.427-447.
  44. Moore, G. C., and Benbasat, I., "Development of an Instrument to Measure the Perceptions of Adopting an Information Technology Innovation," Information Systems Research, Vol. 2, No. 3, 1991, pp.192-222.
  45. Nunnally, J. C., Psychometric theory (2nd ed.). New York: McGraw-Hill, 1978.
  46. Nesheim, T., and Gressgard, L. J., "Knowledge Sharing in a Complex Organization: Antecedents and Safety Effects," Safety Science, Vol. 62, 2014, pp.28-36.
  47. Neal, A., Griffin, M. A., and Hart, P. M., "The Impact of Organizational Climate on Safety Climate and Individual Behavior," Safety Science, Vol. 34, No. 1, 2000, pp.99-109.
  48. Nelson, K. M., and Cooprider, J. G., "The Contribution of Shared Knowledge to IS Group Performance," MIS Quarterly, Vol. 20, No. 4, 1996, pp.409-432.
  49. Pham, H. C., "Information Security Burnout: Identification of Sources and Mitigating Factors from Security Demands and Resources," Journal of Information Security and Applications, Vol. 46, 2019, pp.96-107.
  50. Safa, N. S., Maple, C., Furnell, S., Azad, M. A., Perera, C., Dabbagh, M., and Sookhak, M., "Deterrence and Prevention Based Model to Mitigate Information Security Insider Threats in Organisations," Future Generation Computer Systems, Vol. 97, 2019, pp.587-597.
  51. Said, A. R., Abdullah, H., Uli, J., and Mohamed, Z. A., "Relationship between Organizational Characteristics and Information Security Knowledge Management Implementation," Procedia - Social and Behavioral Sciences, Vol. 123, 2014, pp.433-443.
  52. Siponen, M., Pahnila, S., and Mahmood, M. A., "Compliance with Information Security Policies: An Empirical Investigation," Computer, Vol. 43, No. 2, 2010, pp.64-71.
  53. Steinbart, P. J., Raschke, R. L., Gal, G., & Dilla, W. N., "The Influence of a Good Relationship between the Internal Audit and Information Security Functions on Information Security Outcomes," Accounting, Organizations and Society, Vol. 71, 2018, pp.15-29.
  54. Straub, D. W., and Welke, R. J., "Coping with Systems Risk: Security Planning Models for Management Decision Making," MIS Quarterly, Vol. 22, No. 4, 1998, pp.441-464.
  55. Thibaut, J. W., and Kelley, H. H., The Social Psychology of Groups. New York: Wiley, 1959.
  56. Thomson, K., and van Niekerk, J., "Combating Information Security Apathy by Encouraging Prosocial Organisational Behaviour," Information Management & Computer Security, Vol. 20, No. 1, 2012, pp.39-46.
  57. Vance, A., Siponen, M., and Pahnila, S., "Motivating IS Security Compliance: Insights from Habit and Protection Motivation Theory," Information & Management, Vol. 49, No. 3, 2012, pp.190-198.
  58. Venkatesh, V., Morris, M. G., Davis, G. B., and Davis, F. D., "User Acceptance of Information Technology: Toward a Unified View," MIS Quarterly, Vol. 27, No. 3, 2003, pp.425-478.
  59. Verizon, Verizon 2016 Data Breach Investigations Report, 2016.
  60. Von Solms, R., "Information Security Management: Why Standards are Important," Information Management & Computer Security, Vol. 7, No. 1, 1999, pp.50-58.
  61. Vroom, C., and Von Solms, R., "Towards Information Security Behavioural Compliance," Computers & Security, Vol. 23, No. 3, 2004, pp.191-198.
  62. Wang, P. A., "Information Security Knowledge and Behavior: An Adapted Model of Technology Acceptance," In Education Technology and Computer (ICETC), 2010 2nd International Conference on (Vol. 2, pp. V2-364). IEEE, 2010, June.
  63. Warkentin, M., and Willison. R., "Behavioral and Policy Issues in Information Systems Security: The Insider Threat," European Journal of Information Systems, Vol. 18, 2009, pp.101-105.
  64. West, R., "The Psychology of Security," Communications of the ACM, Vol. 51, No. 4, 2008, pp.34-40.
  65. Whitman, M. E., "In Defense of the Realm: Understanding the Threats to Information Security," International Journal of Information Management, Vol. 24, No. 1, 2004, pp.43-57.
  66. Whitman, M. E., Townsend, A. M., and Aalberts, R. J., "Information Systems Security and the Need for Policy," In Information Security Management: Global Challenges in the New Millennium, 2001, pp.9-18.
  67. Wixom, B. H., and Watson, H. J., "An Empirical Investigation of the Factors Affecting Data Warehousing Success," MIS Quarterly, Vol. 25, No. 1, 2001, pp.17-41.