The Journal of Information Systems (한국정보시스템학회지:정보시스템연구)

Korea Association of Information Systems (한국정보시스템학회)
권호 표지
DOI QR코드

DOI QR Code

The Effect of Organizational Information Security Environment on the Compliance Intention of Employee

조직의 정보보안 환경이 조직구성원의 보안 준수의도에 미치는 영향

  • 황인호 ((사)한국창업경영연구원, 정보전략 연구팀) ;
  • 김대진 (중앙대학교 경영학과)
  • Received : 2016.01.08
  • Accepted : 2016.05.09
  • Published : 2016.06.30
Download PDF
⟨ Previous Next ⟩

Abstract

Purpose Organizations invest significant portions of their budgets in fortifying information security. Nevertheless, the security threats by employees are still at large. We discuss methods to reduce security threats that are posed by employees in organization. This study finds antecedent factors that increases or decreases employee's compliance intention. Also, the study suggests organizations' security environmental factors which influences the antecedent factors of compliance intention. Design/methodology/approach The structural equation model is then applied in order to verify this research model and hypothesis. Data were collected on 415 employees working in organizations with an implemented information security policy in South Korea. We analyzed the fitness and validity of the research model via confirmatory factor analysis in order to verify the research hypothesis, then we analyzed structural model, and derived the result. Findings The result shows that organizational commitment and peer behavior increase security compliance intention of employees, while security system anxiety decreases compliance intention. And, organization's physical security system and security communication both have influence on antecedent factors for information security compliance of employees. Our findings help organizations to establish information security strategies that enhance employee security compliance intention.

Keywords

References

  1. 김대진, 황인호, 김진수, "조직 구성원의 정보보안정책 준수행도에 대한 연구: 수정된 Triandis 모델의 적용," 디지털정책연구, 제14권, 제4호, pp.209-220.
  2. 김종기, "정보시스템 보안의 효과성 모형에 관한 실증적 연구," 정보시스템연구, 제7권 제2호, 1998, pp. 91-108.
  3. 김종기, 강다연, 전진환, "패스워드 선택을 위한 사용자의 보안행위의도에 영향을 미치는 요인," 정보시스템연구, 제17권 제1호, 2008, pp. 23-43.
  4. 박철주, 임명성, "기술스트레스가 조직원의 보안 인식과 조직성과에 미치는 영향에 관한 연구," 한국정보기술학회논문지, 제10권 제1호, 2012, pp.97-110.
  5. 이장형, 김종원, "보안 및 통제와 정보기술 사용자의 성격의 관계," 정보시스템연구, 제19권 제3호, 2010, pp.1-12.
  6. 보안뉴스, 대담하고 지능적인 기술유출, 산업보안이 뒷받침돼야, 2015. 5. 14. http://www.boannews.com/media/view.asp?idx=46241
  7. 황인호, 김대진, 김태하, 김진수, "조직의 정보보안 문화형성이 조직구성원의 보안 지식 및 준수의도에 미치는 영향 연구," Information Systems Review, 제18권, 제1호, 2016, pp.1-23.
  8. Brockner, J., Spreitzer, G., Mishra, A., Hochwarter, W., Pepper, L., and Weinberg, J., "Perceived Control as an Antidote to the Negative Effects of Layoffs on Survivors' Organizational Commitment and Job Performance," Administrative Science Quarterly, Vol. 49, No. 1, 2004, pp.76-100.
  9. Brown, W. S., "Ontological Security, Existential Anxiety and Workplace Privacy," Journal of Business Ethics, Vol. 23, No. 1, 2000, pp.61-65. https://doi.org/10.1023/A:1006223027879
  10. Bulgurcu, B., Cavusoglu, H., and Benbasat, I., "Information Security Policy Compliance:An Empirical Study of Rationality-Based Beliefs and Information Security Awareness," MIS Quarterly, Vol. 34, No. 3, 2010, pp.523-548. https://doi.org/10.2307/25750690
  11. Carr, N. G., "IT doesn't Matter," Educause Review, Vol. 38, 2003, pp.24-38.
  12. Chan, M., Woon, I., and Kankanhalli, A. "Perceptions of Information Security in the Workplace: Linking Information Security Climate to Compliant Behavior," Journal of Information Privacy & Security, Vol. 1, No. 3, 2005, pp.18-41. https://doi.org/10.1080/15536548.2005.10855772
  13. Chen, Y., Ramamurthy, K., and Wen, K. W., "Organizations' Information Security Policy Compliance: Stick or Carrot Approach?," Journal of Management Information Systems, Vol. 29, No. 3, 2012, pp.157-188. https://doi.org/10.2753/MIS0742-1222290305
  14. Compeau, D. R., and Higgins, C. A., "Computer Self-Efficacy: Development of a Measure and Initial Test," MIS Quarterly, Vol. 19, No. 2, 1995, pp.189-211. https://doi.org/10.2307/249688
  15. D'Arcy, J., Hovav, A., and Galletta, D., "User Awareness of Security Countermeasures and its Impact on Information Systems Misuse: A Deterrence Approach," Information Systems Research, Vol. 20, No. 1, 2009, pp.79-98. https://doi.org/10.1287/isre.1070.0160
  16. Da Veiga, A., and Eloff, J. H., "A Framework and Assessment Instrument for Information Security Culture," Computers & Security, Vol. 29, No. 2, 2010, pp.196-207. https://doi.org/10.1016/j.cose.2009.09.002
  17. Dugo, T., "The Insider Threat to Organizational Information," Auburn University, Auburn, AL., 2007.
  18. Ernest Chang, S. and Lin, C. S., "Exploring Organizational Culture for Information Security Management," Industrial Management & Data Systems, Vol. 107, No. 3, 2007, pp.438-458. https://doi.org/10.1108/02635570710734316
  19. Faily, S., and Flechais, I., "Designing and Aligning e-Science Security Culture with Design," Information Management & Computer Security, Vol. 18, No. 5, 2000, pp.339-349. https://doi.org/10.1108/09685221011095254
  20. Fornell, C., and Larcker, D. F., "Evaluating Structural Equation Models with Unobservable Variables and Measurement Error," Journal of Marketing Research, Vol. 18, No. 1, 1981, pp.39-50. https://doi.org/10.2307/3151312
  21. Gartner, Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014 as Organizations Become More Threat-Aware, 2014, http://www.gartner.com/newsroom/id/2828722
  22. Guo, K. H., Yuan, Y., Archer, N. P. and Connelly, C. E., "Understanding Nonmalicious Security Violations in the Workplace: A Composite Behavior Model," Journal of Management Information Systems, Vol. 28, No. 2, 2011, pp.203-236. https://doi.org/10.2753/MIS0742-1222280208
  23. Herath, T., and Rao, H. R., "Encouraging Information Security Behaviors in Organizations: Role of Penalties, Pressures and Perceived Effectiveness," Decision Support Systems, Vol. 47, No. 2, 2009a, pp.154-165. https://doi.org/10.1016/j.dss.2009.02.005
  24. Herath, T., and Rao, H. R., "Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organizations," European Journal of Information Systems, Vol. 18, No. 2, 2009b, pp.106-125. https://doi.org/10.1057/ejis.2009.6
  25. Hu, Q., Xu, Z., Dinev, T., and Ling, H., "Does Deterrence Work in Reducing Information Security Policy Abuse by Employees?," Communications of the ACM, Vol. 54, No. 6, 2011, pp.54-60. https://doi.org/10.1145/1953122.1953142
  26. Ifinedo, P., "Understanding Information Systems Security Policy Compliance:An Integration of the Theory of Planned Behavior and the Protection Motivation Theory," Computers & Security, Vol. 31, No. 1, 2012, pp.83-95. https://doi.org/10.1016/j.cose.2011.10.007
  27. Jimenez-Castillo, D., and Sanchez-Perez, M., "Nurturing Employee Market Knowledge Absorptive Capacity through Unified Internal Communication and Integrated Information Technology," Information & Management, Vol. 50, No. 2, 2013, pp.76-86. https://doi.org/10.1016/j.im.2013.01.001
  28. Johnston, A. C., and Warkentin, M., "Fear Appeals and Information Security Behaviors: An Empirical Study," MIS Quarterly, Vol. 34, No. 3, 2010, pp.549-566. https://doi.org/10.2307/25750691
  29. Knapp, K. J., Morris, R. F., Marshall, T. E., and Byrd, T. A., "Information Security Policy: An Organizational-Level Process Model," Computers & Security, Vol. 28, No. 7, 2009, pp.493-508. https://doi.org/10.1016/j.cose.2009.07.001
  30. Kwok, L. F., and Longley, D., "Information Security Management and Modelling," Information Management & Computer Security, Vol. 7, No. 1, 1999, pp.30-40. https://doi.org/10.1108/09685229910255179
  31. Lee, J., and Lee, Y., "A Holistic Model of Computer Abuse within Organizations," Information Management & Computer Security, Vol. 10, No. 2, 2002, pp.57-63. https://doi.org/10.1108/09685220210424104
  32. Lee, S. M., Lee, S. G., and Yoo, S., "An Integrative Model of Computer Abuse Based on Social Control and General Deterrence Theories," Information & Management, Vol. 41, No. 6, 2004, pp.707-718. https://doi.org/10.1016/j.im.2003.08.008
  33. Lee, Y., and Larsen, K. R., "Threat or Coping Appraisal: Determinants of SMB Executives' Decision to Adopt Anti-Malware Software," European Journal of Information Systems, Vol. 18, No. 2, 2009, pp.177-187. https://doi.org/10.1057/ejis.2009.11
  34. Li, H., Zhang, J., and Sarathy, R., "Understanding Compliance with Internet Use Policy from the Perspective of Rational Choice Theory," Decision Support Systems, Vol. 48, No. 4, 2010, pp.635-645. https://doi.org/10.1016/j.dss.2009.12.005
  35. Loch, K. D., Carr, H. H., and Warkentin, M. E., "Threats to Information Systems:Today's Reality, Yesterday's Understanding," MIS Quarterly, Vol. 16, No. 2, 1992, pp.173-186. https://doi.org/10.2307/249574
  36. Moore, G. C., and Benbasat, I., "Development of an Instrument to Measure the Perceptions of Adopting an Information Technology Innovation," Information Systems Research, Vol. 2, No. 3, 1991, pp.192-222. https://doi.org/10.1287/isre.2.3.192
  37. Murrell, A. J., and Sprinkle, J., "The Impact of Negative Attitudes toward Computers on Employees' Satisfaction and Commitment within a Small Company," Computers in Human Behavior, Vol. 9, No. 1, 1993, pp.57-63. https://doi.org/10.1016/0747-5632(93)90021-J
  38. Nunnally, J. C., "Psychometric theory (2nd ed.)," New York: McGraw-Hill, 1978.
  39. Padayachee, K., "Taxonomy of Compliant Information Security Behavior," Computers & Security, Vol. 31, No. 5, 2012, pp.673-680. https://doi.org/10.1016/j.cose.2012.04.004
  40. Pahnila, S., Siponen, M., and Mahmood, A., "Employees' Behavior towards IS Security Policy Compliance," In System Sciences, 2007. HICSS 2007. 40th Annual Hawaii International Conference on (pp. 156b-156b). IEEE, 2007.
  41. Rogers, R. W., "A Protection Motivation Theory of Fear Appeals and Attitude Change," Journal of Psychology, Vol. 91, No. 1, 1975, pp.93-114. https://doi.org/10.1080/00223980.1975.9915803
  42. Simon, H. A., "Bounded Rationality in Social Science: Today and Tomorrow," Mind & Society, Vol. 1, No. 1, 2000, pp.25-39. https://doi.org/10.1007/BF02512227
  43. Simonson, M. R., Maurer, M., Montag-Torardi, M., and Whitaker, M., "Development of a Standardized Test of Computer Literacy and a Computer Anxiety Index," Journal of Educational Computing Research, Vol. 3, No. 2, 1987, pp.231-247. https://doi.org/10.2190/7CHY-5CM0-4D00-6JCG
  44. Sims, C. A., "Implications of Rational Inattention," Journal of Monetary Economics, Vol. 50, No. 3, 2003, pp.665-690. https://doi.org/10.1016/S0304-3932(03)00029-1
  45. Sinkula, J. M., "Market Information Processing and Organizational Learning," The Journal of Marketing, Vol. 58, No. 1, 1994, pp.35-45. https://doi.org/10.2307/1252249
  46. Siponen, M., Pahnila, S., and Mahmood, M. A., "Compliance with Information Security Policies: An Empirical Investigation," Computer, Vol. 43, No. 2, 2010, pp.64-71. https://doi.org/10.1109/MC.2010.35
  47. Siponen, M., and Vance, A., "Neutralization: New Insights into the Problem of Employee Information Systems Security Policy Violations," MIS Quarterly, Vol. 34, No. 3, 2010, pp.487-502. https://doi.org/10.2307/25750688
  48. Son, J. Y., "Out of Fear or Desire? Toward a Better Understanding of Employees' Motivation to Follow IS Security Policies," Information & Management, Vol. 48, No. 7, 2011, pp.296-302. https://doi.org/10.1016/j.im.2011.07.002
  49. Stanton, J. M., Stam, K. R., Guzman, I., and Caldera, C., "Examining the Linkage between Organizational Commitment and Information Security," In IEEE International Conference on Systems Man and Cybernetics, Vol. 3, 2003, October, pp. 2501-2506.
  50. Stanton, J. M., Stam, K. R., Mastrangelo, P., and Jolton, J., "Analysis of End User Security Behaviors," Computers & Security, Vol. 24, No. 2, 2005, pp.124-133. https://doi.org/10.1016/j.cose.2004.07.001
  51. Steers, R., "Antecedents and Outcomes of Organizational Commitment," Administrative Science Quarterly, Vol. 22, No.1, 1977, pp.46-56. https://doi.org/10.2307/2391745
  52. Straub, D. W., and Welke, R. J., "Coping with Systems Risk: Security Planning Models for Management Decision Making," MIS Quarterly, Vol. 22, No. 4, 1998, pp.441-464. https://doi.org/10.2307/249551
  53. Tarafdar, M., Tu, Q., Ragu-Nathan, B. S., and Ragu-Nathan, T. S., "The Impact of Technostress on Role Stress and Productivity," Journal of Management Information Systems, Vol. 24, No.1, 2007, pp.301-328. https://doi.org/10.2753/MIS0742-1222240109
  54. Todd, P. M., and Gigerenzer, G., "Bounding Rationality to the World," Journal of Economic Psychology, Vol. 24, No. 2, 2003, pp.143-165. https://doi.org/10.1016/S0167-4870(02)00200-3
  55. Vance, A., Siponen, M., and Pahnila, S., "Motivating IS Security Compliance:Insights from Habit and Protection Motivation Theory," Information & Management, Vol. 49, No. 3, 2012, pp.190-198. https://doi.org/10.1016/j.im.2012.04.002
  56. Venkatesh, V., "Determinants of Perceived Ease of Use: Integrating Control, Intrinsic Motivation, and Emotion into the Technology Acceptance Model," Information Systems Research, Vol. 11, No. 4, 2000, pp.342-365. https://doi.org/10.1287/isre.11.4.342.11872
  57. Venkatesh, V., Morris, M. G., Davis, G. B., and Davis, F. D., "User Acceptance of Information Technology: Toward a Unified View," MIS Quarterly, Vol. 27, No. 3, 2003, pp.425-478. https://doi.org/10.2307/30036540
  58. Verizon., Verizon 2013 Data Breach Investigations Report, 2013.
  59. Walpole, R. E., Myers, R. H., Myers, S. L., and Ye, K., Probability and statistics for engineers and scientists (Vol. 5). New York: Macmillan, 1993.
  60. Wang, P. A., "Information Security Knowledge and Behavior: An Adapted Model of Technology Acceptance," In Education Technology and Computer (ICETC), 2010 2nd International Conference on (Vol. 2, pp. V2-364). IEEE, 2010, June.
  61. West, R., "The Psychology of Security," Communications of the ACM, Vol. 51, No. 4, 2008, pp.34-40. https://doi.org/10.1145/1330311.1330320
  62. Whitman, M. E., "In Defense of the Realm: Understanding the Threats to Information Security," International Journal of Information Management, Vol. 24, No. 1, 2004, pp.43-57. https://doi.org/10.1016/j.ijinfomgt.2003.12.003
  63. Williams, L. J., and Anderson, S. E., "Job Satisfaction and Organizational Commitment as Predictors of Organizational Citizenship and In-role Behaviors," Journal of Management, Vol. 17, No. 3, 1991, pp.601-617. https://doi.org/10.1177/014920639101700305
  64. Wixom, B. H., and Watson, H. J., "An Empirical Investigation of the Factors Affecting Data Warehousing Success," MIS Quarterly, Vol. 25, No. 1, 2001, pp.17-41. https://doi.org/10.2307/3250957
  65. Zhang, J., Reithel, B. J., and Li, H,. "Impact of Perceived Technical Protection on Security Behaviors," Information Management & Computer Security, Vol. 17, No. 4, 2009, pp.330-340. https://doi.org/10.1108/09685220910993980