The Journal of the Korea institute of electronic communication sciences (한국전자통신학회논문지)

Korea Institute of Electronic Communication Science (한국전자통신학회)
권호 표지
DOI QR코드

DOI QR Code

The Impact of IS Policy and Sanction Perceptions on Compliance Intention through Justice: The Role of Justice Sensitivity

정보보안 정책 및 제재 인식이 공정성을 통해 준수 의도에 미치는 영향: 공정 민감성의 역할

  • In-Ho Hwang (College of General Education, Kookmin University)
  • Received : 2023.02.23
  • Accepted : 2023.04.17
  • Published : 2023.04.30
Download PDF
⟨ Previous Next ⟩

Abstract

As protecting organizations' information assets affects their substantiality, they are increasing their investments in policies, regulations, and technologies for systematic information asset management and protection. This study confirms the impact on information security(IS) compliance from the perspective of employees who apply IS policies to actual work. In particular, this study identifies mechanisms linked to IS policy awareness, sanction, justice, and IS compliance from the perspective of expanding deterrence theory. We applied 316 samples obtained from workers of organizations that applied IS policies and regulations to work and verified the relationship between mechanisms by using AMOS and SPSS packages. As a result of the verification, IS policy awareness had a positive effect on organization justice and compliance intention through the severity and clarity of sanctions. Individual justice sensitivity had a moderating effect on the cause and outcome of justice. The sanction-related mechanism presented in this study provides strategic implications for organizations that require active IS activities by insiders.

조직의 정보 자산에 대한 보호가 조직의 지속가능성에 영향을 주면서, 조직들은 체계적인 정보 자산관리 및 보호를 위한 정책, 규정, 그리고 기술 등에 대한 투자를 높이고 있다. 본 연구는 조직 내 도입된 정보보안 정책을 실제 업무에 적용하는 조직원의 관점에서 보안 준수에 미치는 영향을 확인한다. 특히, 본 연구는 억제 이론 확장의 관점에서 정보보안 정책 인식, 제재의 방식, 공정성, 그리고 정보보안 준수로 이어지는 메커니즘을 밝힌다. 본 연구는 정보보안 규정을 업무에 적용한 조직의 근로자를 대상으로 확보된 316개의 표본을 적용하였으며, AMOS 및 SPSS 패키지를 활용하여 메커니즘의 연관 관계를 확인하였다. 가설 검증 결과, 정보보안 정책 인식이 제재의 심각성과 명확성을 통해 조직 공정성 및 준수 의도를 높이는 것을 확인하였으며, 개인의 공정 민감성이 공정의 원인과 결과의 과정에 조절 효과를 가지는 것을 확인하였다. 본 연구에서 확인한 제재의 영향 메커니즘은 조직내부의 보안 행동 수준 강화를 추구하는 조직에서 조직원의 참여 증진을 위한 방법 마련에 도움을 줄 것으로 기대한다.

Keywords

References

  1. Y. Hong and S. Furnell, "Motivating information security policy compliance: Insights from perceived organizational formalization," J. of Computer Information Systems, vol. 62, no. 1, 2022, pp. 19-28. https://doi.org/10.1080/08874417.2019.1683781
  2. GrandViewResearch, "2022 cyber security market size, share & trends analysis report by component, by security type, by solution, by services, by deployment, by organization size, by applications, by region, and segment forecasts, 2023-2030," Report, Dec. 2022.
  3. Z. Tang, A. S. Miller, Z. Zhou, and M. Warkentin, "Does government social media promote users' information security behavior towards COVID-19 scams? Cultivation effects and protective motivations," Government Information Quarterly, vol. 38, no. 2, 2021, pp. 101572.
  4. I. Hwang, "The effect on the IS role stress on the IS compliance intention through IS self-determination: Focusing on the moderation of person-organization fit," J. of the Korea Institute of Electronic Communication Sciences, vol. 17, no. 2, 2022, pp. 375-386.
  5. Verizon, "2021 data breach investigations report," Report, Dec. 2021.
  6. C. Liu, H. Liang, N. Wang, and Y. Xue, "Ensuring employees' information security policy compliance by carrot and stick: The moderating roles of organizational commitment and gender," Information Technology & People, vol. 35, no. 2, 2021, pp. 802-834. https://doi.org/10.1108/ITP-09-2019-0452
  7. M. I. Merhi and P. Ahluwalia, "Examining the impact of deterrence factors and norms on resistance to information systems security," Computers in Human Behavior, vol. 92, 2019, pp. 37-46. https://doi.org/10.1016/j.chb.2018.10.031
  8. B. Bulgurcu, H. Cavusoglu, and I. Benbasat, "Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness," MIS Quarterly, vol. 34, no. 3, 2010, pp. 523-548. https://doi.org/10.2307/25750690
  9. T. Herath and H. R. Rao, "Protection motivation and deterrence: A framework for security policy compliance in organisations," European J. of Information Systems, vol. 18, 2009, pp. 106-125. https://doi.org/10.1057/ejis.2009.6
  10. S. Hong and J. Park, "Effective management of personal information & information security management system(ISMS-P) authentication systems," J. of the Korea Academia-Industrial Cooperation Society, vol. 21, no. 1, 2020, pp. 634-640.
  11. Nettgov, "Biden administration releases draft zero-trust guidance," Report, Sept. 2021.
  12. J. D'Arcy and P. L. Teh, "Predicting employee information security policy compliance on a daily basis: The interplay of security-related stress, emotions, and neutralization," Information & Management, vol. 56, no. 7, 2019, pp. 103151.
  13. Y. Chen, K. Ramamurthy, and K. W. Wen, "Organizations' information security policy compliance: Stick or carrot approach?," J. of Management Information Systems, vol. 29, no. 3, 2012, pp. 157-188. https://doi.org/10.2753/MIS0742-1222290305
  14. H. Li, R. Sarathy, J. Zhang, and X. Luo, "Exploring the effects of organizational justice, personal ethics and sanction on internet use policy compliance," Information Systems J., vol. 24, no. 6, 2014, pp. 479-502. https://doi.org/10.1111/isj.12037
  15. K. A. Alshare, P. L. Lane, and M. R. Lane, "Information security policy compliance: A higher education case study," Information & Computer Security, vol. 26 no. 1, 2018, pp. 91-108. https://doi.org/10.1108/ICS-09-2016-0073
  16. W. Lee and I. Hwang, "Sustainable information security behavior management: An empirical approach for the causes of employees' voice behavior," Sustainability, vol. 13, no. 11, 2021, pp. 6077.
  17. H. Zhang and N. C. Agarwal, "The mediating roles of organizational justice on the relationships between HR practices and workplace outcomes: An investigation in China," The Int. J. of Human Resource Management, vol. 20, no. 3, 2009, pp. 676-693. https://doi.org/10.1080/09585190802707482
  18. T. A. Judge and J. A. Colquitt, "Organizational justice and stress: The mediating role of work-family conflict," J. of Applied Psychology, vol. 89, no. 3, 2004, pp. 395-404. https://doi.org/10.1037/0021-9010.89.3.395
  19. I. Hwang, "Reinforcement of IS voice behavior within the organization: A perspective on mitigating role stress through organization justice and individual social-identity," J. of the Korea Institute of Electronic Communication Sciences, vol. 17, no. 4, 2022, pp. 649-662.
  20. M. L. Ambrose and M. Schminke, "The role of overall justice judgments in organizational justice research: A test of mediation," J. of Applied Psychology, vol. 94, no. 2, 2009, pp. 491-500. https://doi.org/10.1037/a0013203
  21. J. Son, "Out of fear or desire? Toward a better understanding of employees' motivation to follow IS security policies," Information & Management, vol. 48, no. 7, 2011, pp. 296-302. https://doi.org/10.1016/j.im.2011.07.002
  22. K. H. Guo, Y. Yuan, N. P. Archer, and C. E. Connelly, "Understanding nonmalicious security violations in the workplace: A composite behavior model," J. of Management Information Systems, vol. 28, no. 2, 2011, pp. 203-236. https://doi.org/10.2753/MIS0742-1222280208
  23. Y. Xue, H. Liang, and L. Wu, "Punishment, justice, and compliance in mandatory IT settings," Information Systems Research, vol. 22, no. 2, 2011, pp. 400-414.  https://doi.org/10.1287/isre.1090.0266
  24. L. Jaeger and A. Eckhardt, "Eyes wide open: The role of situational information security awareness for security related behaviour," Information Systems J., vol. 31, no. 3, 2021, pp. 429-472. https://doi.org/10.1111/isj.12317
  25. L. Li, W. He, L. Xu, I. Ash, M. Anwar, and X. Yuan, "Investigating the impact of cybersecurity policy awareness on employees' cybersecurity behavior," Int. J. of Information Management, vol. 45, 2019, pp. 13-24. https://doi.org/10.1016/j.ijinfomgt.2018.10.017
  26. J. D'Arcy, T. Herath, and M. K. Shoss, "Understanding employee responses to stressful information security requirements: A coping perspective," J. of Management Information Systems, vol. 31, no. 2, 2014, pp. 285-318. https://doi.org/10.2753/MIS0742-1222310210
  27. R. Cropanzano, L. Paddock, D. E. Rupp, J. Bagger, and A. Baldwin, "How regulatory focus impacts the process-by-outcome interaction for perceived fairness and emotions," Organizational Behavior and Human Decision Processes, vol. 105, no. 1, 2008, pp. 36-51. https://doi.org/10.1016/j.obhdp.2006.06.003
  28. M. Schmitt, M. Gollwitzer, J. Maes, and D. Arbach, "Justice sensitivity," European J. of Psychological Assessment, vol. 21, no. 3, 2005, pp. 202-211. https://doi.org/10.1027/1015-5759.21.3.202
  29. M. Gollwitzer, T. Rothmund, A. Pfeiffer, and C. Ensenbach, "Why and when justice sensitivity leads to pro-and antisocial behavior," J. of Research in Personality, vol. 43, no. 6, 2009, pp. 999-1005. https://doi.org/10.1016/j.jrp.2009.07.003
  30. J. C. Nunnally, Psychometric theory (2nd ed.). New York: McGraw-Hill, 1978.
  31. C. Fornell and D. F. Larcker, "Evaluating structural equation models with unobservable variables and measurement error," J. of Marketing Research, vol. 18, no. 1, 1981, pp. 39-50. https://doi.org/10.1177/002224378101800104
  32. A. F. Hayes, Introduction to mediation, moderation, and conditional process analysis: A regression-based approach. New York: Guilford Publications, 2017.