A Study on the Factors for Violation of Information Security Policy in Financial Companies : Moderating Effects of Perceived Customer Information Sensitivity

A Study on the Factors Influencing Violation of Information Security Policy in Financial Companies: Moderating Effects of Perceived Customer Information Sensitivity

  • 이정하 (Department of Business Administration, Seoul School of Integrated Sciences and Technologies)
  • 이상용 (School of Business, Hanyang University)
  • Received : 2015.11.14
  • Accepted : 2015.12.24
  • Published : 2015.12.31

Abstract

This paper analyzes the factors that lead employees of financial companies to violate information security policy, drawing on the theory of reasoned action (TRA), general deterrence theory (GDT), and information security awareness, together with the moderating effect of the perceived sensitivity of customer information. Statistical tests were performed on 376 samples collected through both online and offline surveys. We found that the perceived severity of sanction and information security policy awareness influence both the attitude toward information security policy violation and the subjective norm, whereas the perceived certainty of sanction and general information security awareness influence only the subjective norm. The moderating effect of perceived customer information sensitivity on both the violation attitude and the subjective norm was also supported. The academic implication of this study is that it can serve as a basis for future research on information security policy violations in financial companies: employees' perceived sanctions and information security policy awareness have a significant impact on the subjective norm. The practical implication is that it can guide the design of information security management strategies for policy compliance: when conducting information security awareness training that aims to deter violations by emphasizing the sensitivity of customer information, a company should make its employees recognize that customer information is highly sensitive data.

Cited by

  1. A Study on Security Policy Violations by Organizational Members, vol.25, pp.3, 2015, https://doi.org/10.22693/niaip.2018.25.3.095