A Study on Employee's Compliance Behavior towards Information Security Policy : A Modified Triandis Model

A Study on Organization Members' Information Security Policy Compliance Behavior: Application of the Modified Triandis Model

  • Kim, Dae-Jin (College of Business and Economics, Chung-Ang University) ;
  • Hwang, In-Ho (Korea Entrepreneurship & Management Institute) ;
  • Kim, Jin-Soo (College of Business and Economics, Chung-Ang University)
  • Kim Dae-jin (College of Business and Economics, Chung-Ang University) ;
  • Hwang In-ho (Korea Entrepreneurship & Management Institute) ;
  • Kim Jin-soo (Department of Business Administration, College of Business and Economics, Chung-Ang University)
  • Received : 2016.03.01
  • Accepted : 2016.04.20
  • Published : 2016.04.28

Abstract

Although organizations provide information security policies, education and support to guide their employees toward security policy compliance, incidents caused by non-compliance remain a never-ending problem for organizations. This study investigates the factors that influence employees' information security policy compliance behavior using elements of the Triandis model. We analyzed the relationships among the Triandis model's factors using PLS (Partial Least Squares). The results of the hypothesis tests show that an organization can induce individuals' information security policy compliance intention and behavior through its information security policy and the facilitating conditions that support it, and prove the importance of members' expected value, habit and affect regarding information security compliance. This study is significant in that it applies the Triandis model in the field of information security and presents a direction for members' information security behavior; its results can provide measures for establishing an organization's information security policy and increasing members' compliance behavior.

Organizations provide information security policies and make continuous efforts, such as education and support, to have them followed, yet incidents caused by members' security non-compliance continue to occur. This study applied the Triandis model to identify the factors that influence organization members' information security policy compliance behavior, and examined the relationships among those factors using PLS (Partial Least Squares), a structural equation modeling technique. The hypothesis tests showed that an organization can induce members' intention to comply with the information security policy, and their compliance behavior, through the information security policy and the facilitating conditions that support it, and proved the importance of members' expected value, habit and affect regarding the organization's information security policy. This study is significant in that it applied and analyzed the Triandis model in the information security field and presented a direction for members' information security behavior. Its findings can also provide measures for establishing an organization's information security policy and increasing members' compliance behavior.
