Impacts of Punishment and Ethics Training on Information Security Compliance: Focus on the Moderating Role of Organizational Type

처벌과 윤리교육이 정보보안준수에 미치는 영향: 조직유형의 조절효과를 중심으로

  • Ahn, Joong-Ho (Graduate School of Business, Seoul National University) ;
  • Park, Jun-Hyung (Republic of Korea Army, The 3rd Army Academy) ;
  • Sung, Ki-Moon (Republic of Korea Air Force, Korea Air Force Headquarters) ;
  • Lee, Jae-Hong (College of Business Administration, Seoul National University)
  • Received : 2009.12.27
  • Accepted : 2010.04.08
  • Published : 2010.04.30

Abstract

Although organizations are given various benefits with information technologies, they sometimes have suffered fatal damages due to information security incidents now such as computer virus, hacking, counterfeiting, plagiarizing, etc. The fundamentalcauses of information security incidents are closely related to individuals who do not comply with information security policy or rules. The spontaneous self-control of individuals and monitoring for individuals could be the most essential solution for the ongoing observance of information security policy. Thus, the purpose of this study is to analyze effects of punishment and ethics training on compliance of information security policy of individuals in organizations, to determine individual divide among security propensity depending on organization types, and to find the more fundamental solution which leads change of organizational members’ behaviors and self-control. Regardless of the type of organizations, the results of the study suggest that there exist positive effects of punishment and ethics training in all types of organization on compliance of information security rules or regulations. A member of unitary form organization has higher cognition of punishment than a member's cognition of the multi-divisional form organization, while relatively lower awareness of ethics training. Also, a member of public organization has higher awareness of ethics training than a member’s awareness of private organization, while lower cognition of punishment. Finally, the result shows that punishment and ethics training may be major factors which affect information security. It also suggests that organizational security managers have to understand and consider organization member’s propensity relying on organization form and organization characteristics for establishment and enforcement of information security policy.

정보기술이 조직에게 다양한 혜택을 제공하고 있지만, 컴퓨터 바이러스, 해킹, 무단복제, 도용 등 정보보안 사고로 인해 조직에게 치명적인 피해를 주는 경우도 있다. 정보보안 사고의 원인은 정보보안 통제를 지키지 않고 이를 위반하는 개인의 행위와 밀접하게 관련되어 있다. 따라서 개인의 행위에 대한 자발적 통제를 이끌어내고 이를 감독하는 것이 정보보안을 유지하는데 있어서 근본적이고 핵심적인 해결책이 될 수 있다. 본 연구의 목적은 처벌과 윤리교육이 각 조직 구성원들이 정보보안정책을 준수하는데 있어서 어느 정도 효과가 있는지를 분석하고, 조직 구성원들이 조직유형에 따라 성향의 차이가 있는지를 파악하여, 조직 구성원의 행위 변화와 자기통제를 이끌어내는 방법을 찾고자 하는 것이다. 연구결과 조직유형에 관계없이 처벌과 윤리교육이 정보보안준수에 긍정적 영향을 주는 핵심요인임을 확인하였다. 또 단일형태 조직 구성원에 비해 다분할 형태 조직 구성원이 처벌에 대한 인식이 높은 반면 윤리교육에 대한 인식은 상대적으로 낮고, 공공조직 구성원이 민간조직 구성원보다 처벌에 대한 인식이 높은 반면 윤리교육에 대한 인식은 낮은 것으로 파악되었다. 결론적으로, 처벌과 윤리교육이 조직의 정보보안준수에 영향을 주는 주요요인이며, 정보보안정책의 수립과 시행은 조직형태 및 특성을 이해하고 추진해야 함을 암시하고 있다. 따라서 조직은 정보보안정책의 수립 시 조직형태 및 특성에 따른 구성원의 성향을 먼저 인식하고, 구성원의 성향 차이를 정보보안정책에 반영한다면 정보보안정책을 수립하는데 있어서 더 큰 효과를 거둘 수 있을 것이다.

Keywords

Acknowledgement

Supported by : 지식경제부, 정보통신산업진흥원

References

  1. 김미희, 이명진, 채기준, 김호원, "센서 네트워크에서 AODV 라우팅 정보 변조공격에 대한 분석", 정보처리학회논문지, 제14-C권, 제3호, 통권 제113호, 2007, pp. 229-238.
  2. 김원형, 공기업과 민간기업간 조직풍토 비교분석, 대전대학교 사회과학연구소, 1996.
  3. 김종기, 전진환, 임호섭, "정보보안정책, 보안통제 및 사용자특성이 정보보안효과에 미치는 영향: 컴퓨터 바이러스를 중심으로", 정보시스템연구, 제15권, 제1호, 2006, pp. 145-168.
  4. 문태영, 대기업병과 치유방안에 관한 연구, 건국대학교, 1996.
  5. 백승훈, 민천홍, "보안통제와 정책이 기업의 보안체계에 미치는 영향에 대한 탐색적 연구", 한국경영정보학회 2004년 춘계학술대회, 2004, pp. 854-860.
  6. 윤순봉, 대기업병: 그 실체와 치유방안, 삼성경제연구소, 1994.
  7. 이순묵, 공변량 구조 분석, 성원사, 1990.
  8. 채서일, 사회과학조사방법론, 학현사, 1997.
  9. 하영길, "인터넷 정보보안 기술에 관한 연구", 상업기술연구, 제13호, 2004, pp. 176-187.
  10. 홍재영, 대기업병의 증세와 진단, 한국 경영자총협회, 1986.
  11. 황윤철, "체계적인 보안 정책 관리를 위한 계층적 보안 모델 설계", 컴퓨터 정보통신 연구, 제9권, 제1호, 2001, pp. 21-32.
  12. Ajzen, I., From intentions to actions: A theory of planned behavior, In From cognition to behavior Action-control, J. Kuhl and J. Beckman (Eds.), Heidelberg, Germany: Springer, 1985.
  13. Akers, R. L., M. D. Krohn, L. Lanza-Kaduce, and M. Rodosevich, "Social learning and deviant behavior: A specific test of a general theory", American Sociological Review, Vol.44, 1979, pp. 636-655. https://doi.org/10.2307/2094592
  14. Aubert, V., Sociology of law, Baltimore: Penguin Books, 1969.
  15. Benn, S. I. and G. F. Gaus, Public and Private in Social life, New york: Palgrave Macmillan, 1983.
  16. Bozeman, B., All Organizations are Public: Comparing Public and Private Organizations, Beard Books, 1987.
  17. Calluzzo, V. J. and C. J. Cante, "Ethics in information technology and software use", Journal of Business Ethics, Vol.52, 2004, pp. 301-312.
  18. Costa, A. L. and B. Kallick, Assessment in the learning organization: Shifting the paradigm, New York: ASCD Books, 1997.
  19. Harrington, S. J., "The effect of codes of ethics and personal denial of responsibility on computer abuse judgments and intentions", MIS Quarterly, Vol.20, 1996, pp. 257-278. https://doi.org/10.2307/249656
  20. Harrington, S. J., "A test of a person-Issue contingent model of ethical decision making in organizations", Journal of Business Ethics, Vol.16, 1997, pp. 363-375. https://doi.org/10.1023/A:1017900615637
  21. Hoffer, J. A. and D. W. Straub, "The 9 to 5 underground: Are you policing computer crimes?", Sloan Management Review, Vol.30, 1989, pp. 35-43.
  22. Hsu, M. H. and F. Y. Kuo, "An investigation of volitional control in information ethics", Behavior and Information Technology, Vol.22, 2003, pp. 53-62. https://doi.org/10.1080/01449290301781
  23. Kankanhalli, A., H. H. Teo, B. C. Y. Tan, and K. K. Wei, "An integrative study of information systems security effectiveness", International Journal of Information Management, Vol.23, 2003, pp. 139-154. https://doi.org/10.1016/S0268-4012(02)00105-6
  24. Kurland, N. B., "Ethical intentions and the theories of reasoned action and planned behavior", Journal of Applied Social Psychology, Vol.25, 1995, pp. 297-313. https://doi.org/10.1111/j.1559-1816.1995.tb02393.x
  25. Lee, J. and Lee, Y., "A holistic model of computer abuse within organizations", Information Management and Computer Security, Vol.10, 2002, pp. 57-63. https://doi.org/10.1108/09685220210424104
  26. NIST, An Introduction to Computer Security: The NIST Handbook, Special Publication 800-12, National Institute of Standards and Technology, 1995.
  27. O'Donoghue, T. and M. Rabin, "The economics of immediate gratification", Journal of Behavioral Decision Making, Vol.13, 2000, pp. 233-250. https://doi.org/10.1002/(SICI)1099-0771(200004/06)13:2<233::AID-BDM325>3.0.CO;2-U
  28. Peace, A., G. Graham, F. Dennis, and J. Y. L. Thong, "Software piracy in the workplace: A model and empirical test", Journal of Management Information Systems, Vol.20, 2003, pp. 153-177. https://doi.org/10.1080/07421222.2003.11045759
  29. Rahim, M. M. D., A. H. Seyal, and M. N. Rahman, "Factors affecting softlifing intention of computing students: An empirical study", Journal of Educational Computing Research, Vol.24, 2001, pp. 385-405. https://doi.org/10.2190/2U2D-30LC-R3YM-T364
  30. Robbins, S. P., Organization Theory: Structure, Design and Applications, Third Edition, Prentice Hall, 1990.
  31. SANS, "The SANS security policy project", Bethesda, MD: SANS Institute(URL: http://www.sans.org/resources/policies), 2005.
  32. Sasse, M. A., "Usability and trust in information systems", Cyber Trust and Crime Prevention Project, University College London, 2004, pp. 1-18.
  33. Schein, E. H., Organizational Culture and Leadership, San Francisco, CA: Jossey-Bass, 1985.
  34. Scholtz, J. T., "Enforcement policy and corporate misconduct: The changing perspective of deterrence theory", Law and Contemporary Problems, Vol.60, 1997, pp. 253-268. https://doi.org/10.2307/1192014
  35. Simpson, P. M., D. Banerjee, and C. L. Simpson, "Softlifting: A model of motivating factors", Journal of Business Ethics, Vol.13, 1994, pp. 431-438. https://doi.org/10.1007/BF00881451
  36. Straub, D. W., "Effective IS security: An empirical study", Information Systems Research, Vol.1, 1990, pp. 255-276. https://doi.org/10.1287/isre.1.3.255
  37. Straub, D. W. and W. D. Nance, "Discovering and disciplining computer abuse in organizations: A field study", MIS Quarterly, Vol.14, 1990, pp. 45-60. https://doi.org/10.2307/249307
  38. Straub, D. W. and R. J. Welke, "Coping with systems risk: Security planning models for management decision-making", MIS Quarterly, Vol.22, 1998, pp. 441-469. https://doi.org/10.2307/249551
  39. Tapp, J. L. and L. Kohlberg, Developing senses of law and legal justice, In Law, justice, and the individual in society: Psychological and legal issues, J. L. Tapp and F. J. Levine (eds.), New York: Holt, Rinehart and Winston, 1977.
  40. Theoharidou, M., S. Kokolakis, M. Karyda, and E. Kiountouzis, "The insider threat of information systems and the effectiveness of ISO17799", Computers and Security, VoI.24, 2005, pp. 472-484. https://doi.org/10.1016/j.cose.2005.05.002
  41. Weir, C., "Organizational structure and corporate performance", Management Decision, Vol.33, 1995, pp. 24-32.
  42. Wenzel, M., "The social side of sanctions: Personal and social norms as moderators of deterrence", Law and Human Behavior, Vol.28, 2004, pp. 547-567. https://doi.org/10.1023/B:LAHU.0000046433.57588.71
  43. WilIiamson,. O. E., Markets and Hierarchies: Analysis and Antitrust Implications, New York: Macmillan Press, 1975.
  44. Workman, M. and J. Gathegi, "Punishment and Ethics Deterrents: A Study of Insider Security Contravention", Journal of the American Society for Information Science and Technology, Vol.58, No.2, 2006, pp. 212-222.