A Study on Factors Influencing User's Security Behavioral Intention for Choosing Password

  • Published: 2008.03.30

Abstract

Nowadays, the openness and accessibility of information systems increase security threats from inside and outside the organization. An appropriate password is supposed to bring about security effects such as preventing misuse and barring illegal users. This study focuses on password choice from the perspective of information security and investigates the user's security awareness as it affects behavioral intention. The research model proposed in this study includes the user's security belief, which is influenced by risk awareness factors such as information assets, threats, and vulnerability elements. The risk awareness factors are derived from risk analysis methodologies for information security. The user's risk awareness is a factor influencing security belief, attitude toward security behavior, and security behavioral intention. According to the results of this study, while vulnerability is not related to risk awareness, information assets and threats are related to the user's risk awareness. There is a significant relationship between risk awareness and security belief. Also, the user's security behavioral intention is significantly affected by security attitude.
