DOI QR코드

DOI QR Code

Analysis of MASEM on Behavioral Intention of Information Security Based on Deterrence Theory

억제이론 기반의 정보보안 행동의도에 대한 메타분석

  • Kim, Jongki (Dept. of Business Administration, Pusan National University)
  • Received : 2021.01.18
  • Accepted : 2021.02.20
  • Published : 2021.02.28

Abstract

While the importance of information security policies is heightened, numerous empirical studies have been conducted to investigate the factors that influence employee's willingness to comply organizational security policies. Some of those studies, however, were not consistent and even contradictory each other. Synthesizing research outcomes has been resulted as qualitative literature reviews or quantitative analysis on individual effect sizes, which leads to meta-analyze on whole research model. This study investigated 28 empirical research based on the deterrence theory with sanction certainty, severity and celerity. The analysis with random effect model resulted in well-fitted research model as well as all of significant paths in the model. Future research can include informal deterrent factors and contextual factors as moderator variables.

효과적인 정보보안관리의 핵심요소인 정보보안 정책의 중요성이 고조되는 가운데, 조직 구성원의 보안정책 준수 여부에 영향을 미치는 요인에 대하여 다양한 이론에 기반한 실증연구가 다수 수행되었다. 억제이론은 사용자의 보안행동을 설명하는 연구에서 널리 사용되었다. 그러나, 여러 연구들이 일관적이지 않거나 서로 상충되는 결과를 보여 주었다. 이에 따라, 기존의 연구결과를 종합하는 연구들이 수행되었으나, 정성적인 문헌검토 차원이거나 개별 효과크기에 대한 단순한 정량적 분석에 그쳐 억제이론의 전반적인 모형을 대상으로 기존 연구결과를 종합적으로 분석하는 메타분석의 필요성이 대두되었다. 본 연구는 28편의 기존연구를 대상으로 다변량 메타분석의 일종인 TSSEM 기법을 R 기반의 metaSEM 패키지를 활용하여 분석하였다. 무선효과모형을 활용한 분석결과, 전반적인 억제이론 모형의 적합성은 만족스러운 수준이었으며, 억제이론을 구성하는 공식적인 세 가지 요인인 처벌의 확실성, 엄격성 및 신속성 모두 유의하게 나타났다. 향후 연구에서는 비공식적 억제요인에 대한 추가적인 분석과 함께 상황적 변수를 조절변수로 고려할 필요가 있다.

Keywords

References

  1. Q. Hu, Z. Xu, T. Dinev & H. Ling. (2011). Does deterrence work in reducing information security policy abuse by employees?. Communications of the ACM, 54(6), 54-60. DOI: 10.1145/1953122.1953142
  2. J. Kim & J. Mou. (2020). Meta-analysis of Information Security Policy Compliance Based on Theory of Planned Behavior. Journal of Digital Convergence, 18(11), 169-176. DOI: 10.14400/JDC.2020.18.11.169
  3. W. A. Cram, J. D'Arcy & J. G. Proudfoot. (2019). Seeing the Forest and the Trees: A Meta-Analysis of the Antecedents to Information Security Policy Compliance. MIS Quarterly, 43(2), 525-554. DOI: 10.24251/hicss.2017.489
  4. S. Trang & B. Brendel. (2019). A meta-analysis of deterrence theory in information security policy compliance research. Information Systems Frontiers, 21(6), 1265-1284. DOI: 10.1108/ICS-09-2016-0073.
  5. K. M. Kuo, P. C. Talley & C. H. Huang. (2020). A Meta-analysis of the Deterrence Theory in Security-compliant and Security-risk Behaviors. Computers & Security, 101928. DOI: 10.1016/j.cose.2020.101928
  6. M. W. L. Cheung. & W. Chan. (2005). Meta-Analytic Structural Equation Modeling: A Two-Stage Approach. Psychological Methods, 10(1), 40-64. DOI: 10.1037/1082-989x.10.1.40
  7. I. Onwudiwe, J. Odo & E. Onyeozili. (2005). Deterrence Theory. In: Bosworth, M. (Ed.), Encyclopedia of Prisons & Correctional Facilities. Sage Publications, Inc, Thousand Oaks, CA, 234-238. DOI: 10.4135/9781412952514
  8. D. Shin. (2009). The Effect of Punishment: A Critique of Deterrence Theory. Korean Journal of Criminology, 21(2), 191-216. UCI: I410-ECN-0102-2012-320-002372416 https://doi.org/10.36999/KJC.2009.21.2.191
  9. J. D'Arcy & T. Herath. (2011). A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings. European Journal of Information Systems, 20(6), 643-658. DOI: 10.1057/ejis.2011.23
  10. I. Hwang & H. Lee. (2016). The Employee's Information Security Policy Compliance Intention: Theory of Planned Behavior, Goal Setting Theory, and Deterrence Theory Applied. Journal of Digital Convergence, 14(7), 155-166. DOI: 10.14400/JDC.2016.14.7.155
  11. J. Abed & H. R. Weistroffer. (2016). Understanding deterrence theory in security compliance behavior: a quantitative meta-analysis approach. SAIS 2016.
  12. K. H. Guo. (2013). Security-related behavior in using information systems in the workplace: a review and synthesis. Computers & Security, 32, 242-251. DOI: 10.1016/j.cose.2012.10.003
  13. J. Bok. (2020). An Study on Privacy Policy Research Trend : Focused on KCI Published. Journal of Digital Convergence, 18(4), 81-89. DOI: 10.14400/JDC.2020.18.4.081
  14. R. Rosenthal. (1979). The File Drawer Problem and Tolerance for Null Results. Psychological Bulletin, 86(3), 638-641. DOI: 10.1037/0033-2909.86.3.638
  15. K. H. Guo & Y. Yuan. (2012). The Effects of Multilevel Sanctions on Information Security Violations. Information & Management, 49(6), 320-326. DOI: 10.1016/j.im.2012.08.001
  16. F. J. Haeussinger & J. J. Kranz. (2013). Information Security Awareness: Its Antecedents and Mediating Effects on Security Compliant. 34th International Conference on Information Systems, Milan, Italy.
  17. B. T. Hanus. (2014). The Impact of Information Security Awareness of Compliance with Information Security Policies: A Phishing Perspective. unpublished doctoral dissertation, University of North Texas.
  18. S. J. Harrington. (1996). The Effect of Codes of Ethics and Personal Denial of Responsibility on Computer Abuse Judgements and Intentions. MIS Quarterly, 20(3), 257-278. DOI: 10.2307/249656
  19. S. Kinnunen. (2016). Exploring Determinants of Different Information Security Behaviors. unpublished doctoral dissertation, University of Jyvaskyla.
  20. M. Siponen & A. Vance. (2010). Neutralization: New Insights into the Problem of Employee Information Systems Security Policy Violations. MIS Quarterly, 34(3), 487-502. DOI: 10.2307/25750688
  21. H. Li, J. Zhang, & R. Sarathy. (2010). Understanding Compliance with Internet Use Policy from the Perspective of Rational Choice Theory. Decision Support Systems, 48(4), 635-645. DOI: 10.1016/j.dss.2009.12.005
  22. W. Li & L. Cheng. (2013). Effects of Neutralization Techniques and Rational Choice Theory on Internet Abuse in the Workplace. Pacific Asia Conference on Information Systems, Jeju Island, South Korea.
  23. W. Arunothong. (2014). Three Research Essays on Propensity to Disclose Medical Information through Formal and Social Information Technologies. unpublished doctoral dissertation, University of Wisconsin-Milwaukee.
  24. A. Hovav & J. D'Arcy. (2012). Applying an Extended Model of Deterrence Across Cultures: An Investigation of Information Systems Misuse in the US and South Korea. Information & Management, 49(2), 99-110. DOI: 10.1016/j.im.2011.12.005
  25. X. Chen, D. Wu, L. Chen & J. K. L. Teng. (2018). Sanction severity and employees' information security policy compliance: investigating mediating, moderating, and control variables. Information & Management, 55(8), 1049-1060. DOI: 10.1016/j.im.2018.05.011.
  26. M. I. Merhi & P. Ahluwalia. (2019). Examining the impact of deterrence factors and norms on resistance to Information Systems Security. Computers in Human Behavior. 92, 37-46. DOI: 10.1016/j.chb.2018.10.031
  27. M. Rajab & A. Eydgahi. (2019). Evaluating the explanatory power of theoretical frameworks on intention to comply with information security policies in higher education. Computers & Security. 80, 211-223. DOI: 10.1016/j.cose.2018.09.016
  28. N. S. Safa, C. Maple, S. Furnell, M. A. Azad, C. Perera, M. Dabbagh & M. Sookhak. (2019). Deterrence and prevention-based model to mitigate information security insider threats in organisations. Future Generation Computer Systems. 97, 587-597. DOI: 10.1016/j.future.2019.03.024