Journal of Digital Convergence (디지털융복합연구)

The Society of Digital Policy and Management (한국디지털정책학회)
권호 표지
DOI QR코드

DOI QR Code

Why Security Awareness Education is not Effective?

정보보안 인식 교육의 효과에 대한 연구

  • Received : 2013.12.04
  • Accepted : 2014.02.20
  • Published : 2014.02.28
Download PDF
⟨ Previous Next ⟩

Abstract

While organizations are making a considerable effort to leverage formal and informal control mechanisms (e.g., policies, procedures, organizational culture) to improve security, their impact and effectiveness is under scrutiny as employees seldom comply with information security procedures. The best way to ensure the viability of a security policy is to make sure users understand it and accept necessary precautions. From an organization's perspective, a lack of security knowledge and awareness on the part of employees is a major problem. However, previous studies suggest that effect of security awareness education is inconsistent. Thus, this study is to find the answer why security awareness education is not effective. Conclusions and implications are discussed.

많은 조직들이 여전히 정보보안 수준을 향상시키기 위해 공식적/비공식적 통제 메커니즘(예. 정책, 절차, 조직 문화)의 향상에 상당한 노력을 쏟고 있으나, 이러한 메커니즘의 영향과 효과에 대한 연구는 아직 초기 수준이다. 보안 정책의 실행가능성을 높이기 위한 가장 확실한 방법 중 하나는 준수자들로 하여금 정책을 이해하고 필수요소로 받아들이게 하는 것이다. 하지만 조직 구성원들의 보안에 관한 지식 및 인지의 부족은 여전히 주요한 문제이다. 그동안 많은 연구에서 보안 지식과 인지를 높이기 위해 보안인식 교육의 수행을 주장하였으나 많은 연구에서 제시된 결과는 일관되지 않는다. 따라서 본 연구는 왜 보안인식 교육이 효과적이지 못한지 그 의문에 대한 해답을 찾기 위해 수행되었다.

Keywords

References

  1. Bagozzi, R. P., Yi, Y., and Phillips, L. W., Assessing Construct Validity in Organizational Research, Administrative Science Quarterly, vol. 36, pp. 421-458, 1991. https://doi.org/10.2307/2393203
  2. Bandura, A., Social Foundations of Thought and Action: A Social Cognitive Theory, Prentice hall, Englewood Cliffs, NJ., 1986.
  3. Barclay, D. W., Higgins, C. A., and Thompson, R., The Partial Least Squares Approach to Causal Modeling: Personal Computer Adoption and Use as Illustration, Technology Studies, vol. 2, no. 2, pp. 285-309, 1995.
  4. Chen, C. C., Shaw, R. S., and Yang, S. C., Mitigating Information Security Awareness: A Case Study of an Information Security Awareness System, Information Technology, Learning, and Performance Journal, vol. 24, no. 1, pp. 1-14, 2006.
  5. Chin, W. W., The Partial Least Squares Approach to Structural Equation Modeling. In G. A. Marcoulides (Ed.), Modern Methods for Business Research. Mahwah, New Jersey: Lawrence Erlbaum Associates, pp. 295-336, 1998.
  6. Craighead, C. W., Ketchen, D. J., Dunn, K. S., and Hult, T. M., Addressing Common Method Variance: Guidelines for Survey Research on Information Technology, Operations, and Supply Chain Management, IEEE Transactions on Engineering Management, vol. 58, no. 3, pp. 578-588, 2011. https://doi.org/10.1109/TEM.2011.2136437
  7. D'Arcy, J., and Herath, T., A Review and Analysis of Deterrence Theory in the IS Security Literature: Making Sense of the Disparate Findings, European Journal of Information Systems, vol. 20, pp. 643-658, 2011. https://doi.org/10.1057/ejis.2011.23
  8. D'Arcy, J., Hovav, A., and Galletta, D., User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach, Information Systems Research, vol. 20, no. 1, pp. 79-98, 2009. https://doi.org/10.1287/isre.1070.0160
  9. D'Arcy, J., and Hovav, A., Deterring Internal Information Systems Misuse, Communications of the ACM, vol. 50, no. 10, pp. 113-144, 2007.
  10. Fornell, C., and Larcker, D. F., Evaluating Structural Equation Models with Unobservable and Measurement Error, Journal of Marketing Research, vol. 18, pp. 39-50, 1981. https://doi.org/10.2307/3151312
  11. Gefen, D., and Straub, D., A Practical Guide to Factorial Validity Using PLS-Graph: Tutorial and Annotated Example, Communications of the Association for Information Systems, vol. 16, pp. 91-109, 2005.
  12. Hair, J. F., Black, W. C., Babin, B. J., Anderson, R. E., Tatham, R. L., Multivariate Data Analysis, 6th eds., Pearson Education, Inc., Upper Saddle River, New Jersey, 2006.
  13. Hair, J. F., Sarstedt, M., Ringle, C. M., and Mena, J. A., An Assessment of the Use of Partial Least Squares Structural Equation Modeling in Marketing Research, Journal of the Academy of Marketing Science, vol. 40, pp. 414-433, 2012. https://doi.org/10.1007/s11747-011-0261-6
  14. Hansmann, K., and Ringle, C. M., SmartPLS Manual, Universitat Hamburg, 2004.
  15. Henseler, J., Ringle, C. M., and Sinkovics, R. R., The Use of Partial Least Squares Path Modeling in International Marketing, Advances in International Marketing, vol. 20, pp. 277-319, 2009.
  16. Hulland, J., Use of Partial Least Squares (PLS) in Strategic Management Research: A Review of Four Recent Studies, Strategic Management Journal, vol. 20, pp. 195-204, 1999. https://doi.org/10.1002/(SICI)1097-0266(199902)20:2<195::AID-SMJ13>3.0.CO;2-7
  17. Kankanhalli, A., Teo, H. H., Tan, B. C. Y., and Wei, K. K., An Integrative Study of Information Systems Security Effectiveness, International Journal of Information Management, vol. 23, pp. 139-154, 2003. https://doi.org/10.1016/S0268-4012(02)00105-6
  18. Kruger, H. A., and Kearney, W. D., A Prototype for Assessing Information Security Awareness, Computers & Security, vol. 25, pp. 289-296, 2006. https://doi.org/10.1016/j.cose.2006.02.008
  19. Lindell, M. K., and Whitney, D. J., Accounting for Common Method Variance in Cross-Sectional Research Designs, Journal of Applied Psychology, vol. 86, no. 1, pp. 114-121, 2001. https://doi.org/10.1037/0021-9010.86.1.114
  20. Malhotra, N. K., Kim, S. S., and Patil, A., Common Method Variance in IS Research: A Comparison of Alternative Approaches and a Reanalysis of Past Research, Management Science, vol. 52, no. 12, pp. 1865-1883, 2006. https://doi.org/10.1287/mnsc.1060.0597
  21. Nunnally, J. C., and Bernstein, I. H., Psychometric Theory, 3rd eds. McGraw-Hill Inc., New York, 1994.
  22. Pavlou, P., Liang, H., and Xue, Y., Understanding and Mitigating Uncertainty in Online Exchange Relationships: A Principal-Agent Perspective, MIS Quarterly, vol. 31, no. 1, pp. 105-136, 2007. https://doi.org/10.2307/25148783
  23. Podsakoff, P. M., MacKenzie, S. B., Lee, J. Y., and Podsakoff, N. P., Common Method Biases in Behavioral Research: A Critical Review of the Literature and Recommended Remedies, Journal of Applied Psychology, vol. 88, no. 5, pp. 879-903, 2003. https://doi.org/10.1037/0021-9010.88.5.879
  24. Puhakainen, P., and Siponen, M., Improving Employees' Compliance through Information Systems Security Training: An Action Research Study, MIS Quarterly, vol. 34, no. 4, pp. 757-778, 2010. https://doi.org/10.2307/25750704
  25. Ringle, C. M., Wende, S., and Will, A., SmartPLS 2.0 (beta), Hamburg, Germany, 2005.
  26. Siponen, M., Vance, A., and Willison, R., New Insights into the Problem of Software Piracy: The Effects of Neutralization, Shame, and Moral Beliefs, Information & Management, vol. 49, pp. 334-341, 2012. https://doi.org/10.1016/j.im.2012.06.004
  27. Slater, S. F., and Atuahene-Gima, K., Conducting Survey Research in Strategic Management, vol. 1, Emerald Group Publishing Ltd., pp. 227-249, 2004.
  28. Sosik, J. J., Kahai, S. S., and Piovoso, M. J., Silver Bullet or Voodoo Statistics? A Primer for Using the Partial Least Squares Data Analytic Technique in Group and Organization research, Group and Organization Management, vol. 34, no. 1, pp. 5-36, 2009. https://doi.org/10.1177/1059601108329198
  29. Straub, D. W., and Welke, R. J., Coping with Systems Risk: Security Planning Models for Management Decision-Making, MIS Quarterly, vol. 22, no. 4, pp. 441-469, 1998. https://doi.org/10.2307/249551
  30. Tenenhaus, M., Vinzi, V. E., Chaterlin, Y. M., and Lauro, C., PLS Path Modeling, Computational Statistics & Data Analysis, vol. 48, no. 1, pp. 159-205, 2005. https://doi.org/10.1016/j.csda.2004.03.005
  31. Tsohou, A., Kokolakis, S., Karyda, M., and Kiountouzis, E., Investigating Information Security Awareness: Research and Practice Gaps, Information Security Journal: A Global Perspective, vol. 17, pp. 207-227, 2008a. https://doi.org/10.1080/19393550802492487
  32. Tsohou, A., Kokolakis, S., Karyda, M., and Kiountouzis, E., Process-variance Models in Information Security Awareness Research, Information Management & Computer Security, vol. 16, no. 3, pp. 271-287, 2008b. https://doi.org/10.1108/09685220810893216
  33. Wetzels, M., Odekerken-Schröder, G., and van Oppen, C., Using PLS Path Modeling for Assessing Hierarchical Construct Models: Guidelines and Empirical Illustration, MIS Quarterly, vol. 33, no. 1, pp. 177-195, 2009. https://doi.org/10.2307/20650284