DOI QR코드

DOI QR Code

Meta-analysis of Information Security Policy Compliance Based on Theory of Planned Behavior

정보보안 정책준수에 대한 메타분석: 계획된 행동이론을 중심으로

  • Kim, Jongki (Dept. of Business Administration, Pusan National University) ;
  • Mou, Jian (Dept. of Business Administration, Pusan National University)
  • 김종기 (부산대학교 경영학과) ;
  • 모건 (부산대학교 경영학과)
  • Received : 2020.10.06
  • Accepted : 2020.11.20
  • Published : 2020.11.28

Abstract

With widespread use of information technologies the importance of information security has been heightened. Security policies which deal with fundamental direction of information security are critical elements of information security management. Numerous studies have been conducted on users' intention to comply security policies. They were based on various theoretical foundations and the theory of planned behavior(TPB) was the most frequently used. This research employed one of the quantitatively synthesizing meta-analytic techniques called Two-Stage Structural Equation Modeling to investigate factors influencing information security policy compliance behavior based on TPB. Analysis results indicated that all three factors of TPB were significantly influencing the behavioral intention. Moreover, the overall fit indices of structural model exhibited satisfactory level.

정보기술의 발전에 따라 정보보안의 중요성이 갈수록 커지고 있다. 정보보안의 근본적인 방향을 제시하고 조직 구성원이 따라야 하는 규정과 지침을 다루는 보안정책은 보안관리의 핵심적인 요소이며, 조직 구성원의 보안정책 준수에 영향을 미치는 다양한 요인에 대한 연구들이 다수 수행되었다. 이들 연구는 다양한 이론적 기반으로 수행되었으며, 여러 문헌연구에 따르면 계획된 행동이론이 가장 빈번하게 사용되었다. 본 연구는 기존의 다양한 연구결과를 정량적으로 종합하는 메타분석 기법 중의 하나인 TSSEM을 적용하여 정보보안 정책준수 행동에 영향을 미치는 요인을 계획된 행동이론을 기반으로 실증분석한 연구들을 대상으로 분석하였다. 분석결과 계획된 행동이론의 행동의도를 설명하는 세가지 요인인 태도, 주관적 규범 및 인지된 행동통제 모두 유의한 영향을 미쳤으며, 구조방정식 모형의 전반적인 적합도도 만족스럽게 나타났다.

Keywords

References

  1. R. Willison & M. Warkentin. (2013). Beyond Deterrence: An Expanded View of Employee Computer Abuse. MIS Quarterly, 37(1), 1-20. DOI: 10.25300/misq/2013/37.1.01
  2. P. Balozian & D. Leidner. (2017). Review of IS Security Policy Compliance: Toward the Building Blocks of an IS Security Theory. ACM SIGMIS Database: The DATABASE for Advances in Information Systems, 48(3), 11-43. DOI: 10.1145/3130515.3130518
  3. W. A. Cram, J. G. Proudfoot, & J. D'Arcy. (2017). Organizational Information Security Policies: A Review and Research Framework. European Journal of Information Systems, 26(6), 605-641. DOI: 10.1057/s41303-017-0059-9
  4. T. Sommestad, J. Hallberg, K. Lundholm & J. Bengtsson. (2014). Variables Influencing Information Security Policy Compliance: A Systematic Review of Quantitative Studies. Information Management & Computer Security, 22(1), 42-75. DOI: 10.1108/imcs-08-2012-0045
  5. B. Lebek, J. Uffen, M. Neumann, B. Hohler & M. Breitner. (2014). Information Security Awareness and Behavior: A Theory-based Literature Review. Management Research Review, 37(12), 1049-1092. DOI: 10.1108/mrr-04-2013-0085
  6. W. A. Cram, J. D'Arcy & J. G. Proudfoot (2019). Seeing the Forest and the Trees: A Meta-Analysis of the Antecedents to Information Security Policy Compliance. MIS Quarterly, 43(2), 525-554. DOI: 10.24251/hicss.2017.489
  7. M. W. L. Cheung & W. Chan. (2005). Meta-Analytic Structural Equation Modeling: A Two-Stage Approach. Psychological methods, 10(1), 40-64. DOI: 10.1037/1082-989x.10.1.40
  8. M. Fishbein & I. Ajzen. (1975). Belief, Attitude, Intention, and Behavior: An Introduction to Theory and Research. Reading, MA: Addison-Wesley.
  9. I. Ajzen. (2011). The Theory of Planned Behaviour: Reactions and Reflections. Psychology and Health, 26(9), 1113-1127. DOI: 10.1080/08870446.2011.613995
  10. L. Leone, M. Perugini & A. P. Ercolani. (1999). A comparison of three models of attitude-behavior relationships in the studying behavior domain. European Journal of Social Psychology, 29(2‐3), 161-189. DOI: 10.1002/(SICI)1099-0992(199903/05)29:2/33.0
  11. I. Ajzen. (1991). The Theory of Planned Behavior. Organizational Behavior and Human Decision Processes, 50(2), 179-211. DOI: 10.1016/0749-5978(91)90020-t
  12. I. Ajzen. (1985). From Intentions to Actions: A Theory of Planned Behavior. In Action control from Cognition to Behavior(pp. 11-39). Springer, Berlin, Heidelberg.
  13. A. Bandura. (1977). Self-Efficacy: Toward a Unifying Theory of Behavioral Change. Psychological Review, 84(2), 191-215. DOI: 10.1037/0033-295x.84.2.191
  14. M. Nieles, K. Dempsey & V. Pillitteri. (2017). An Introduction to Information Security (NIST Special Publication 800-12 Rev. 1). National Institute of Standards and Technology.
  15. K. H. Guo. (2013). Security-Related Behavior in Using Information Systems in the Workplace: A Review and Synthesis. Computers and Security, 32, 242-251. DOI: 10.1016/j.cose.2012.10.003
  16. F. Karlsson, J. Astrom & M. Karlsson. (2015). Information Security Culture-State-of-the-Art Review between 2000 and 2013. Information and ComputerSecurity, 23(3), 246-285. DOI: 10.1108/ICS-05-2014-0033
  17. S. Hwang.(2015). Meta-Analysis Using R, Hakjisa.
  18. K. Yeon. (2018). Meta-analysis of the effects of TPM activity factors on Corporate performance. Journal of Digital Convergence, 16(2), 151-156. DOI: 10.14400/JDC.2018.16.2.151
  19. B. Cho & J. Lee. (2018). A Meta Analysis on Effects of Flipped Learning in Korea. Journal of Digital Convergence, 16(3), 59-73. DOI: 10.14400/JDC.2018.16.3.059
  20. C. J. Armitage & M. Conner. (2001). Efficacy of the Theory of Planned Behaviour: A Meta‐Analytic Review. British journal of social psychology, 40(4), 471-499. DOI: 10.1348/014466601164939
  21. H. Steinmetz, M. Knappstein, I. Ajzen, P. Schmidt & R. Kabst. (2016). How Effective are Behavior Change Interventions Based on the Theory of Planned Behavior?: A Three-Level Meta-Analysis. Zeitschrift fur Psychologie, 224(3), 216-233. DOI: 10.1027/2151-2604/a000255
  22. Y. Han & H. Hansen. (2012). Determinants of Sustainable Food Consumption: A Meta-Analysis Using a Traditional and a Structural Equation Modelling Approach. International Journal of Psychological Studies, 4(1), 22-45. DOI: 10.5539/ijps.v4n1p22
  23. J. L. Guo, T. F. Wang, J. Y. Liao & C. M. Huang. (2016). Efficacy of the Theory of Planned Behavior in Predicting Breastfeeding: Meta-Analysis and Structural Equation deling. Applied Nursing Research, 29, 37-42. DOI: 10.1016/j.apnr.2015.03.016
  24. R. Cooke, M. Dahdah, P. Norman & D. P. French. (2016). How Well Does the Theory of Planned Behaviour Predict Alcohol Consumption? A Systematic Review and Meta-Analysis. Health Psychology Review, 10(2), 148-167. DOI: 10.1080/17437199.2014.947547
  25. L. Zhang, J. Zhu & Q. Liu. (2012). A Meta-Analysis of Mobile Commerce Adoption and the Moderating Effect of Culture. Computers in Human Behavior, 28, 1902-1911. DOI: 10.1016/j.chb.2012.05.008
  26. T. M. Nguyen, P. T. Nham & V. N. V. Hoang. (2019). The Theory of Planned Behavior and Knowledge Sharing: A Systematic Review and Meta-Analytic Structural Equation Modelling. VINE Journal of Information and Knowledge Management Systems, 49(1), 76-94. DOI: 10.1108/VJIKMS-10-2018-0086
  27. G. D. Moody, M. Siponen & S. Pahnila. (2018). Toward a Unified Model of Information Security Policy Compliance. MIS Quarterly, 42(1), 285-311. DOI: 10.25300/misq/2018/13 853
  28. T. Sommestad & J. Hallberg. (2013, July). A Review of the Theory of Planned Behaviour in the Context of Information Security Policy Compliance. IFIP International Information Security Conference (pp. 257-271). Springer, Berlin, Heidelberg.
  29. D. Milicevic & M. Goeken. (2013). Systematic Review and Meta-Analysis of IS Security Policy Compliance Research. First Steps Towards Evidence-Based Structuring of the IS Security Domain. International Conference on Wirtschaftsinformatik. (pp. 1067-81). Leipzig,
  30. M. W. L. Cheung, K., Leung & K. Au. (2006). Evaluating Multilevel Models in Cross-Cultural Research: An Illustration with Social Axioms. Journal of Cross-Cultural Psychology, 37, 522-541. DOI: 10.1177/0022022106290476
  31. J. D'Arcy & P. B. Lowry, (2019). Cognitive-Affective Drivers of Employees' Daily Compliance with Information Security Policies: A Multilevel, Longitudinal Study. Information Systems Journal, 29(1), 43-69. DOI: 10.1111/isj.12173
  32. J. Shropshire, M. Warkentin & S. Sharma. (2015). Personality, attitudes, and intentions: Predicting initial adoption of information security behavior. Computers & Security, 49, 177-191. DOI: 10.1016/j.cose.2015.01.002
  33. J. L. Jenkins. (2013). Alleviating Insider Threats: Mitigation Strategies and Detection Techniques. unpublished doctoral dissertation, University of Arizona.
  34. A. M. Chu, P. Y. Chau & M. K. So. (2015). Explaining the misuse of information systems resources in the workplace: A dual-process approach. Journal of Business Ethics, 131(1), 209-225. DOI: 10.1007/s10551-014-2250-4
  35. K. Guo, Y. Yuan, N. Archer & C. Connelly. (2011). Understanding Nonmalicious Security Violations in the Workplace: A Composite Behavior Model. Journal of Management Information Systems, 28(2), 203-236. DOI: 10.2753/MIS0742-1222280208
  36. T. M. Dugo. (2007). The Insider Threat to Organizational Information Security: A Structural Model and Empirical Test, unpublished doctoral dissertation, Auburn University.
  37. A. G. Peace. D. F. Galletta & J. Y. Thong. (2003). Software Piracy in the Workplace: A Model and Empirical Test. Journal of Management Information Systems, 20(1), 153-177. DOI: 10.1080/07421222.2003.11045759
  38. M. W. L. Cheung. (2015). metaSEM: An R Package for Meta-Analysis using Structural Equation Modeling. Frontiers in Psychology. 5, 1-7. DOI: 10.3389/fpsyg.2014.01521
  39. S. Jak. (2015). Meta-analytic Structural Equation Modelling. New York: Springer. DOI: 10.1007/978-3-319-27174-3
  40. M. Cho & H. Park. (2019). Convergence Study on the Effect of Music Mediation Program on Children with ADHD - Systematic Review and Meta-Analysis. Journal of Digital Convergence. 17(10), 497-507. DOI: 10.14400/JDC.2019.17.10.497
  41. Y. Sohn & B. Lee. (2012). An Efficacy of Social Cognitive Behavior Model based on the Theory of Planned Behavior : A Meta-Analytic Review. Korean Journal of Journalism & Communication Studies. 56(6), 127-161. UCI: G704-000203.2012.56.6.007