
The Causal Relationship between Information Security Countermeasures and Information System Misuse

정보보안대책과 정보시스템 오남용과의 인과적 관계

  • Received : 2015.10.26
  • Accepted : 2015.12.11
  • Published : 2015.12.31

Abstract

Intentional information systems (IS) misuse is a serious problem in many organizations. This study develops a theoretical framework for deterring IS misuse on the basis of Nagin's General Deterrence Theory (GDT), which is well established in socio-criminology. Applying GDT to IS misuse, it can be reasoned that the perceived certainty and the perceived severity of the sanctions associated with committing IS misuse have a positive impact on deterring deviant behavior. These two constructs (certainty of sanctions and severity of sanctions) can in turn be inferred to be influenced by four types of IS security countermeasures (security policies, security awareness programs, monitoring practices, and preventive security software) derived through a critical review of the IS security literature. The proposed research model and its ten hypotheses were empirically analysed using structural equation modelling on data collected through a questionnaire survey of staff members in business organizations in Korea. As a result, five of the ten hypotheses were supported. This study is thought to make a theoretical contribution by expanding the research area of IS security, and it also has strong implications for IS security management practice within organizations.

