Influencing Factors for Compliance Intention of Information Security Policy

Factors Influencing the Intention to Comply with Information Security Policy

  • Received : 2011.10.12
  • Accepted : 2011.11.12
  • Published : 2011.11.30

Abstract

This research derived the factors influencing employees' compliance with information security policy in organizations on the basis of Neutralization Theory, the Theory of Planned Behavior and Protection Motivation Theory. To empirically analyze the research model and the hypotheses, data were collected through a web survey; 194 of 207 questionnaires were usable. The causal model was tested with PLS. Reliability, validity and model fit were found to be statistically significant. The results of the hypothesis tests showed that seven of the eight hypotheses could be accepted. The theoretical implications of this study are as follows: 1) this study is expected to serve as a baseline for future research on employee compliance with information security policy, 2) this study attempted an interdisciplinary approach by combining psychology and information system security research, and 3) it suggested concrete operational definitions of the influencing factors for information security policy compliance through a comprehensive theoretical review. This study also has practical implications. First, it can provide a guideline to support the successful establishment of strategies for implementing information system security policies in organizations. Second, it shows that organizations should emphasize the need for education and training programs that suppress employees' neutralization psychology toward violating information security policy.

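Based on Neutralization Theory, the Theory of Planned Behavior and Protection Motivation Theory, this study derived the factors that influence employees' compliance with information security policy and set up a research model and hypotheses on the relationships among these factors. For the empirical analysis of the research model and hypotheses, data were collected through a web survey, and 194 of the 207 questionnaires in total were usable. The statistical analysis used the PLS method; reliability, validity and model fit were all found to be adequate, and the hypothesis tests showed that seven of the eight hypotheses were supported. The theoretical implications of this study are, first, that it is expected to serve as a foundation for future research on employees' compliance with information security policy; second, that it attempted an interdisciplinary approach to information security research by incorporating factors grounded in psychology and reviewing both IS and psychology research; and finally, that it presented concrete operational definitions of the factors related to information security policy compliance through a theoretical review. The practical implications are, first, that it can provide guidelines based on these results when organizations establish strategies for the successful implementation of information security policy, and second, that it highlighted the need for awareness education and training programs for organization members in order to suppress employees' neutralization psychology toward violating information security policy.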
