• Convergence Security Journal
• /
• v.22 no.1
• /
• pp.113-120
• /
• 2022

Despite the limitations of existing security policies due to technological development, companies are unable to actively respond to changes by maintaining a closed security policy. This study classified information security policy into three types: regulatory type policy, advisory type policy, and informative type policy. For each classified policy type, the effect on the information security policy compliance behavior of organizational members was investigated by applying the extended theory of planned behavior, and the moderating effect of information security stress was investigated. SmartPLS 2.0 and SPSS 21.0, which are structural equation modeling techniques, were used to analyze the relationship affecting each factor. As a result of the study, regulatory type, advisory type, and informative type security policies affected organizational members' information security policy compliance behavior, and security stress had an effect on information security compliance attitudes and subjective norms on information security, which are prerequisites for planned behavior theory. gave. This study suggests that various types of corporate information security policies can be applied and that security stress can affect information security behaviors of members.

• Journal of Digital Convergence
• /
• v.10 no.5
• /
• pp.37-51
• /
• 2012

The purpose of this study is to approach information security from a more comprehensive perspective. Particularly, information countermeasures includes a technological tool for end users, thereby increasing the end users' technological stresses. Based on the technostress framework, we investigate a effect of security awareness training on technostress, and also examine a effect of technostress on the persistent security compliance. Results showed that security awareness training influenced on techno-overload and techno-uncertainty. We also found that techno-overload and techno-uncertainty have a significant effect on the persistent security compliance. Conclusion and implications are discussed.

• Convergence Security Journal
• /
• v.18 no.1
• /
• pp.69-84
• /
• 2018

This study examines antecedents of the intention of compliance with information security policies based on Ajzen's Theory of Planned Behavior. The study conducted the following: Verification of casual relations between role of management and protection motivation and the antecedents of planned behavior as parameters to determine the effect on the intention of compliance with information security policy, and comparative analysis between the research model and a competition model. The result of the study disclosed that, in the research model, attitude and subjective norm took an intermediary role on management beliefs, response efficacy, response cost, self-efficacy, and compliance intention, and perceived behavior control on management beliefs, self-efficacy and compliance intention.

• Journal of Information Technology Applications and Management
• /
• v.22 no.4
• /
• pp.225-251
• /
• 2015

This paper analyzed factors for employees to violate information security policy in financial companies based on the theory of reasoned action (TRA), general deterrence theory (GDT), and information security awareness and moderating effects of perceived sensitivity of customer information. Using the 376 samples that were collected through both online and offline surveys, statistical tests were performed. We found that the perceived severity of sanction and information security policy support to information policy violation attitude and subjective norm but the perceived certainty of sanction and general information security awareness support to only subjective norm. Also, the moderating effects of perceived sensitivity of customer information against information policy violation attitude and subjective norm were supported. Academic implications of this study are expected to be the basis for future research on information security policy violations of financial companies; Employees' perceived sanctions and information security policy awareness have an impact on the subjective norm significantly. Practical implications are that it can provide a guide to establish information security management strategies for information security compliance; when implementing information security awareness training for employees to deter violations by emphasizing the sensitivity of customer information, a company should make their employees recognize that the customer information is very sensitive data.

• The Journal of the Korea Contents Association
• /
• v.21 no.4
• /
• pp.153-165
• /
• 2021

The purpose of this study is to find precedent factors that positively and negatively affect the information security compliance intention. In detail, the study finds precedent factors to reduce anxiety that negatively affects compliance intentions, and confirms that feedback moderates the negative relationship between anxiety and compliance intention. The questionnaire was targeted at office workers working in organizations with information security policies, and research hypothesis verification was conducted through structural equation modeling to analyze main effects and moderation effects. As a result of the study, anxiety had a negative effect on the compliance intention, and the organizational culture that was raised through management support reduced anxiety of employees. In addition, feedback mitigated the negative impact relationship between anxiety and compliance intention. The implications of this study were to suggest a direction to mitigate the anxiety of the employees of the organization through the introduction and operation of information security technology.

• Journal of Digital Convergence
• /
• v.11 no.1
• /
• pp.27-38
• /
• 2013

There are two elements of security policy that can have a bearing on its effectiveness: content and form. While the content of the security policy has been investigated extensively in the most of the previous studies, there is very little literature on the form of the security policy. Since the form of the policy influences its success, it is important to understand how to articulate the form of a security policy. Thus, the aim of this study is to investigate the relationship between security form and policy compliance of employees. Research results find that dimensions of security form have effect on attitude towards security compliance, subjective norm, perceived behavioral control, and perceived response costs, and besides attitude towards security compliance and subjective norm have an effect on persistent security compliance intention. The conclusions and implications are discussed.

• The Journal of the Korea institute of electronic communication sciences
• /
• v.16 no.6
• /
• pp.1101-1112
• /
• 2021

Organizations continue to increase investment in information security(IS) policies and technologies to prevent external intrusion and internal exposure to information assets. However, as the organization's regulations and behavioral requirements for strict IS policy increase, employees may induce negative behaviors through IS-related stress. The purpose of this study is to suggest the effects of challenge and hindrance stressors on IS compliance intentions and to confirm how authentic leadership moderates the positive and negative effects of stressors. We reflected employees of the organization who are applying IS policy to their work as a study target and applied a survey to obtain a sample for research hypothesis verification. As a result of analysis through structural equation modeling, challenge and hindrance stressors affected IS compliance intentions, and authentic leadership moderated the effects of stressors on compliance intention. Our research helps to establish insiders support strategies to achieve internal IS goals, because the results suggested stressor conditions and leaders' behavioral directions that influence employees IS compliance behavior.

• The Journal of Information Systems
• /
• v.28 no.4
• /
• pp.105-129
• /
• 2019

Purpose Issues related to information security have been a crucial topic of interest to researchers and practitioners in the IT/IS field. This study develops a research model based on a Structure-Conduct-Outcome (SCO) framework for the social exchange relationship between employees and organizations regarding information security. Design/methodology/approach In applying an SCO framework to information security, structure and conduct are activities imposed on employees within an organizational context; outcomes are activities that protect information security from an employee. Data were collected from 438 employees working in manufacturing and service firms currently implementing an information security policy in South Korea. Structural equation modeling (SEM) with AMOS 22.0 is used to test the validation of the measurement model and the proposed casual relationships in the research model. Findings The results demonstrate support for the relationships between predicting variables in organization structure (security policy and physical security system) and the outcome variables in organization conduct (top management support, security education program, and security visibility). Results confirm that the three variables in organization conduct had a positive effect on individual outcome (security knowledge and compliance intention).

• Information Systems Review
• /
• v.12 no.1
• /
• pp.23-42
• /
• 2010

Although organizations are given various benefits with information technologies, they sometimes have suffered fatal damages due to information security incidents now such as computer virus, hacking, counterfeiting, plagiarizing, etc. The fundamentalcauses of information security incidents are closely related to individuals who do not comply with information security policy or rules. The spontaneous self-control of individuals and monitoring for individuals could be the most essential solution for the ongoing observance of information security policy. Thus, the purpose of this study is to analyze effects of punishment and ethics training on compliance of information security policy of individuals in organizations, to determine individual divide among security propensity depending on organization types, and to find the more fundamental solution which leads change of organizational members’ behaviors and self-control. Regardless of the type of organizations, the results of the study suggest that there exist positive effects of punishment and ethics training in all types of organization on compliance of information security rules or regulations. A member of unitary form organization has higher cognition of punishment than a member's cognition of the multi-divisional form organization, while relatively lower awareness of ethics training. Also, a member of public organization has higher awareness of ethics training than a member’s awareness of private organization, while lower cognition of punishment. Finally, the result shows that punishment and ethics training may be major factors which affect information security. It also suggests that organizational security managers have to understand and consider organization member’s propensity relying on organization form and organization characteristics for establishment and enforcement of information security policy.

• Journal of Navigation and Port Research
• /
• v.40 no.4
• /
• pp.213-222
• /
• 2016

Recently, as cases of organizations' information disclosure occur continuously, it is urgent to manage security of information and establish measures to enhance security of information by an organization itself. Especially, members of an organization should be prepared with measures for information security, and an organization should do its efforts to raise its members' awareness toward information security. I set a research model to verify what effects an organization's fulfillment of regulations to secure information brings to performance of information security and selected members from maritime and port organizations and financial and insurance institutes as sample. Results of the analysis to identify factors affecting information security performance among members of maritime and port organizations are as follows. Firstly, I found that the factors affecting information security awareness are information security attitude and information security standards. Secondly, the factor giving influence on information security policy of an organization was found to be information security standards. In contrast, information security punishments and information security training were verified not to give influence on compliance of information security policy. Thirdly, information security awareness was identified to give significant influence on compliance of information security policy, information security competence and information security behavior. Fourthly, compliance of information security policy was verified to be those factors that give influence on information security competence and information security behavior. Lastly, information security competence and information security behavior were found to be such factors that give influence on information security performance.