A Study for Influencing Factors of Organizational Performance: The Perspective of the Mediating Effect of Information Security Maturity Level

A Study on the Factors Influencing Organizational Performance: Focusing on the Mediating Effect of Information Security Maturity

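  • 박정국 (Department of Management Information Systems, Graduate School, Dongguk University-Seoul Campus) ;
  • 김인재 (Division of Business Administration, College of Business, Dongguk University-Seoul Campus)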
  • Received : 2014.08.04
  • Accepted : 2014.09.17
  • Published : 2014.09.30

Abstract

The Internet environment and innovative ICT (information and communication technology) have brought about big changes to our lifestyle and industrial structure. In spite of the convenience of the Internet, various cyber incidents such as malicious code infection, personal information leakage, smishing (SMS + phishing), and pharming have frequently occurred. Information security must be recognized as a key and compulsory element for surviving in a global economy. The strategic role of information security has recently been increasing, but effective implementation of information security is still a major challenge for organizations. Our study examines the factors influencing information security and investigates the causal relationship between information security maturity level and organizational performance through an empirical survey. According to the results of our study, personal, organizational, technical, and social factors together affect an organization's information security maturity level. This result suggests that holistic and multi-disciplinary approaches are required when dealing with security issues. In addition, there is a causal relationship between information security maturity level and organizational performance, and organizations can use the results of this study to establish efficient and effective ways to enhance their information security maturity level.
