A Study on the Information Security Measures Influencing Information Security Policy Compliance Intentions of IT Personnel of Banks

은행 IT 인력의 정보보호 정책 준수에 영향을 미치는 정보보호 대책에 관한 연구

  • 심준보 (Department of Management Information Systems, College of Business Administration, Dongguk University, Seoul Campus) ;
  • 황경태 (Department of Management Information Systems, College of Business Administration, Dongguk University, Seoul Campus)
  • Received: 2015.05.13
  • Accepted: 2015.06.25
  • Published: 2015.06.30

Abstract

This study proposes practical information security measures that help IT personnel of banks comply with the information security policy. The research model is composed of independent variables (clarity and comprehensiveness of policy, penalty, dedicated security organization, audit, training and education program, and top management support), a dependent variable (information security policy compliance intention), and moderating variables (age and gender). The analysis results show that all of the information security measures except 'clarity of policy' and 'training and education program' affect the 'information security policy compliance intention.' As for the moderating variables, age moderates the relationship between top management support and compliance intention, but gender shows no moderating effect at all. This study analyzes information security measures based solely on the perception of the respondents. Future studies may introduce more objective measurement methods, such as systematically analyzing the contents of the information security measures instead of asking for the respondents' perception. In addition, this study analyzes the intention of employees rather than their actual behavior. Future research may analyze the relationship between intention and actual behavior and the factors affecting that relationship.
