The Moderating Effects of Information Security Policy between Information Security Maturity and Organizational Performance

Korean title: Analysis of the Effect of Information Security Policy between Information Security Maturity and Organizational Performance

  • Received : 2014.07.21
  • Accepted : 2014.09.03
  • Published : 2014.09.30

Abstract

The absence of proactive information security management to ensure the availability, accessibility and safety of information can bring serious risks to customers as well as to the organization's performance and competitiveness, because improper security management undermines business continuity. This study analyzed how information security maturity affects organizational performance. Through a literature review, a research model was proposed with organizational performance as the dependent variable, risk management process maturity and risk assessment process maturity as independent variables, and information security policy indexes as moderating variables; an empirical analysis was then made on the basis of a survey. The results showed a strong causal relationship between information security maturity and organizational performance. However, the effect of information security maturity on organizational performance did not differ with the information security staff ratio or the information security budget ratio. This suggests that information security maturity affects organizational performance, but that information security regulations are limited as a catalyst for improving organizational performance.

Abstract (Korean version): The absence of proactive information security management to secure the availability, accessibility and safety of information undermines service continuity and can bring serious risk not only to customers but also to the organization's performance and competitiveness. To analyze the effect of information security maturity on organizational performance, this study built, through a literature review, a research model comprising organizational performance, risk management process maturity, risk assessment process maturity and information security policy indicators, and performed an empirical analysis by survey. The results showed a strong causal relationship between the process maturity of risk management and risk assessment and organizational performance. However, the effect of information security maturity on organizational performance did not differ according to the information security staff ratio or the information security budget ratio. This suggests that, while the level of information security maturity affects organizational performance, information security policies and regulations whose effectiveness has not been verified are limited in their ability to serve as a catalyst by which information security maturity improves organizational performance.
