A Study on the Factors for Violation of Information Security Policy in Financial Companies : Moderating Effects of Perceived Customer Information Sensitivity

(Original Korean title: 금융회사 정보보안정책의 위반에 영향을 주는 요인 연구 : 지각된 고객정보 민감도에 따른 조절효과)

  • 이정하 (Department of Business Administration, Seoul School of Integrated Sciences and Technologies) ;
  • 이상용 (School of Business, Hanyang University)
  • Received : 2015.11.14
  • Reviewed : 2015.12.24
  • Published : 2015.12.31


This paper analyzes the factors that lead employees of financial companies to violate information security policy, drawing on the theory of reasoned action (TRA), general deterrence theory (GDT) and information security awareness, and examines the moderating effect of the perceived sensitivity of customer information. Statistical tests were performed on 376 samples collected through online and offline surveys. We found that perceived severity of sanction and awareness of the information security policy affect both the attitude toward policy violation and the subjective norm, whereas perceived certainty of sanction and general information security awareness affect only the subjective norm. The moderating effect of perceived sensitivity of customer information on both the attitude toward policy violation and the subjective norm was also supported. The academic implication is that this study can serve as a basis for future research on information security policy violations in financial companies: employees' perceived sanctions and information security policy awareness have a significant impact on the subjective norm. The practical implication is that the results can guide the design of information security management strategies for policy compliance: when conducting information security awareness training to deter violations, a company should emphasize the sensitivity of customer information so that employees recognize it as highly sensitive data.


References
  1. 강다연, 장명희, "Factors influencing information security policy compliance of members of shipping and port organizations", Journal of Korea Port Economic Association, Vol. 28, No. 1, 2012, pp. 1-23.
  2. 강다연, 장명희, "An analysis of the effect of information security policy compliance on information security capability and behavior : Focusing on members of shipping and port organizations", Journal of Korea Port Economic Association, Vol. 30, No. 1, 2014, pp. 97-118.
  3. 강욱, 전용태, "Factors influencing security policy compliance of industrial security personnel : Focusing on deterrence theory and rational choice theory", Korean Police Studies Review, Vol. 13, No. 3, 2014, pp. 273-298.
  4. 김상현, 송영미, "A study on the motivational factors of organizational members' information security policy compliance", The e-Business Studies, Vol. 12, No. 3, 2011, pp. 327-349.
  5. 김상훈, 박선영, "Factors influencing the intention to comply with information security policy", The Journal of Society for e-Business Studies, Vol. 16, No. 4, 2011, pp. 33-51.
  6. 김중인, "Reflective indicators vs. formative indicators", Korean Marketing Review, Vol. 27, No. 4, 2012, pp. 199-226.
  7. 박철주, 임명성, "A study on the effect of technostress on information security", Journal of Digital Convergence, Vol. 10, No. 5, 2012a, pp. 37-51.
  8. 박철주, 임명성, "The effect of security countermeasures on continuous security policy compliance", Journal of Digital Policy and Management, Vol. 10, No. 4, 2012b, pp. 23-35.
  9. 안중호, 박준형, 성기문, 이재홍, "The effect of punishment and ethics training on information security compliance : Focusing on the moderating effect of organization type", Information Systems Review, Vol. 12, No. 1, 2010, pp. 23-42.
  10. 윤일한, 권순동, "A study on the effect of information security compliance and crisis response on information security trust", Information Systems Review, Vol. 17, No. 1, 2015, pp. 141-169.
  11. 이강신, "A study on improving security controls in electronic financial transactions", Journal of the Korea Institute of Information Security and Cryptology, Vol. 25, No. 4, 2015, pp. 881-888.
  12. 이성규, 채명신, "An analysis of factors influencing the will to comply with industrial security policy", Korean Journal of Business Administration, Vol. 27, No. 6, 2014, pp. 927-953.
  13. 임명성, "A study on organizational members' intention to comply with information security policy", Journal of Digital Policy and Management, Vol. 10, No. 10, 2012a, pp. 119-128.
  14. 임명성, "An empirical study on the effect of organizational security climate on individual opportunistic behavior", Journal of Digital Convergence, Vol. 10, No. 10, 2012b, pp. 31-46.
  15. 임명성, "A study on the effect of information security policy characteristics on members' security policy compliance behavior", Journal of Digital Policy and Management, Vol. 11, No. 1, 2013a, pp. 27-38.
  16. 임명성, "Factors influencing organizational members' information security policy violations", Journal of Digital Convergence, Vol. 11, No. 2, 2013b, pp. 19-32.
  17. 임명성, "A study on factors influencing organizational members' information security policy compliance : Focusing on the financial services industry", Journal of the Korea Service Management Society, Vol. 14, No. 1, 2013c, pp. 143-171.
  18. 임명성, 한군희, "Factors influencing information security policy compliance : From the perspective of risk compensation theory", Journal of Digital Convergence, Vol. 11, No. 10, 2013, pp. 153-168.
  19. 장상수, 조태희, 신승호, 신대철, Building and Utilizing an Information Security Management System, 1st ed., Saengneung Publishing, 2013.
  20. 정우진, 신유형, 이상용, "A study on employees' attitudes toward customer information protection in financial companies", Asia Pacific Journal of Information Systems, Vol. 22, No. 1, 2012, pp. 53-77.
  21. 정해철, 김현수, "A study on the relationship between organizational members' information security awareness and the organization's information security level", Journal of Information Technology Applications and Management, Vol. 7, No. 2, 2000, pp. 117-134.
  22. Ajzen, I., "The theory of planned behavior", Organizational behavior and human decision processes, Vol. 50, No. 2, 1991, pp. 179-211.
  23. Anderson, C. L. and Agarwal, R., "Practicing safe computing : A multimedia empirical examination of home computer user security behavioral intentions", MIS Quarterly, Vol. 34, No. 3, 2010, pp. 613-643.
  24. Anderson, J. C. and Gerbing, D. W., "Structural equation modeling in practice : A review and recommended two-step approach", Psychological Bulletin, Vol. 103, No. 3, 1988, p. 411.
  25. Aurigemma, S., "A composite framework for behavioral compliance with information security policies", Journal of Organizational and End User Computing, Vol. 25, No. 3, 2013, pp. 32-51.
  26. Bagozzi, R. P. and Yi, Y., "On the evaluation of structural equation models", Journal of the Academy of Marketing Science, Vol. 16, No. 1, 1988, pp. 74-94.
  27. Bansal, G. and Gefen, D., "The impact of personal dispositions on information sensitivity, privacy concern and trust in disclosing health information online", Decision Support Systems, Vol. 49, No. 2, 2010, pp. 138-150.
  28. Barclay, D., Higgins, C., and Thompson, R., "The partial least squares (PLS) approach to causal modeling : Personal computer adoption and use as an illustration", Technology Studies, Vol. 2, No. 2, 1995, pp. 285-309.
  29. Bollen, K. A., Structural equations with latent variables, John Wiley and Sons, 2014.
  30. Bulgurcu, B., Cavusoglu, H., and Benbasat, I., "Effects of individual and organization based beliefs and the moderating role of work experience on insiders' good security behaviors", Proceedings of the 2009 International Conference on Computational Science and Engineering (CSE'09), Vol. 3, 2009a, pp. 476-481.
  31. Bulgurcu, B., Cavusoglu, H., and Benbasat, I., "Roles of information security awareness and perceived fairness in information security policy compliance", Proceedings of the Americas Conference on Information Systems, Vol. 15, No. 5, 2009b, pp. 3269-3277.
  32. Bulgurcu, B., Cavusoglu, H., and Benbasat, I., "Information security policy compliance : An empirical study of rationality-based beliefs and information security awareness", MIS Quarterly, Vol. 34, No. 3, 2010, pp. 523-548.
  33. Chin, W. W., "The partial least squares approach to structural equation modeling", in Marcoulides, G. A. (ed.), Modern Methods for Business Research, Lawrence Erlbaum, 1998, pp. 295-336.
  34. Chin, W. W. and Gopal, A., "Adoption intention in GSS : Relative importance of beliefs", ACM SIGMIS Database, Vol. 26, No. 2-3, 1995, pp. 42-64.
  35. Chin, W. W., Marcolin, B. L., and Newsted, P. R., "A partial least squares latent variable modeling approach for measuring interaction effects : Results from a monte carlo simulation study and an electronic-mail emotion/adoption study", Information Systems Research, Vol. 14, No. 2, 2003, pp. 189-217.
  36. Cohen, J., Statistical power analysis for the behavioral sciences, Academic press, 2013.
  37. D'Arcy, J. and Herath, T., "A review and analysis of deterrence theory in the is security literature : Making sense of the disparate findings", European Journal of Information Systems, Vol. 20, No. 6, 2011, pp. 643-658.
  38. D'Arcy, J. and Hovav, A., "Deterring internal information systems misuse", Communications of the ACM, Vol. 50, No. 10, 2007, pp. 113-117.
  39. D'Arcy, J., Hovav, A., and Galletta, D., "User awareness of security countermeasures and its impact on information systems misuse : A deterrence approach", Information Systems Research, Vol. 20, No. 1, 2009, pp. 79-98.
  40. Fishbein, M. and Ajzen, I., Belief, attitude, intention and behavior : An introduction to theory and research, MA : Addison-Wesley, 1975.
  41. Fishbein, M., Ajzen, I., Albarracin, D., and Hornik, R. C., Prediction and change of health behavior : Applying the reasoned action approach, Psychology Press, 2007.
  42. Fornell, C. and Larcker, D. F., "Evaluating structural equation models with unobservable variables and measurement error", Journal of Marketing Research, Vol. 18, No. 1, 1981, pp. 39-50.
  43. Foltz C. B., Schwager, P. H., and Anderson, J. E., "Why users (fail to) read computer usage policies", Industrial Management and Data Systems, Vol. 108, No. 6, 2008, pp. 701-712.
  44. Gefen, D. and Straub, D., "A practical guide to factorial validity using PLS-Graph : Tutorial and annotated example", Communications of the Association for Information Systems, Vol. 16, 2005, p. 1.
  45. Geisser, S., "The predictive sample reuse method with applications", Journal of the American Statistical Association, Vol. 70, No. 350, 1975, pp. 320-328.
  46. Guo, K. H., Yuan, Y., Archer, N. P., and Connelly, C. E., "Understanding nonmalicious security violations in the workplace : A composite behavior model", Journal of Management Information Systems, Vol. 28, No. 2, 2011, pp. 203-236.
  47. Hair, J. F., Sarstedt, M., Ringle, C. M., and Mena, J. A., "An assessment of the use of partial least squares structural equation modeling in marketing research", Journal of the Academy of Marketing Science, Vol. 40, No. 3, 2012, pp. 414-433.
  48. Henseler, J., Ringle, C. M., and Sinkovics, R. R., "The use of partial least squares path modeling in international marketing", Advances in International Marketing (AIM), Vol. 20, 2009, pp. 277-320.
  49. Herath, T. and Rao, H. R., "Encouraging information security behaviors in organizations : Role of penalties, pressures and perceived effectiveness", Decision Support Systems, Vol. 47, No. 2, 2009a, pp. 154-165.
  50. Herath, T. and Rao, H. R., "Protection motivation and deterrence : A framework for security policy compliance in organisations", European Journal of Information Systems, Vol. 18, No. 2, 2009b, pp. 106-125.
  51. Herzberg, F., "The motivation-hygiene concept and problems of manpower", Personnel Administration, 1964.
  52. Hu, Q., Xu, Z., Dinev, T., and Ling, H., "Does deterrence work in reducing information security policy abuse by employees?", Communications of the ACM, Vol. 54, No. 6, 2011, pp. 54-60.
  53. Hulland, J., "Use of partial least squares (PLS) in strategic management research : A review of four recent studies", Strategic Management Journal, Vol. 20, No. 2, 1999, pp. 195-204.
  54. Ifinedo, P., "Understanding information systems security policy compliance : An integration of the theory of planned behavior and the protection motivation theory", Computers and Security, Vol. 31, No. 1, 2012, pp. 83-95.
  55. Joreskog, K. G. and Sorbom, D., LISREL 7 : A guide to the program and applications, SPSS, 1989.
  56. Kankanhalli, A., Teo, H. H., Tan, B. C., and Wei, K. K., "An integrative study of information systems security effectiveness", International Journal of Information Management, Vol. 23, No. 2, 2003, pp. 139-154.
  57. Keil, M., Rai, A., and Liu, S., "How user risk and requirements risk moderate the effects of formal and informal control on the process performance of it projects", European Journal of Information Systems, Vol. 22, No. 6, 2013, pp. 650-672.
  58. Keil, M., Tan, B. C., Wei, K. K., Saarinen, T., Tuunainen, V., and Wassenaar, A., "A cross-cultural study on escalation of commitment behavior in software projects", MIS Quarterly, Vol. 24, No. 2, 2000, pp. 299-325.
  59. Kim, S. H., Yang, K. H., and Park, S. Y., "An integrative behavioral model of information security policy compliance", The Scientific World Journal, Vol. 2014, 2014.
  60. Kutner, M. H., Nachtsheim, C., and Neter, J., Applied linear regression models, McGraw-Hill/Irwin, 2004.
  61. Leach, J., "Improving user security behaviour", Computers and Security, Vol. 22, No. 8, 2003, pp. 685-692.
  62. Lee, J. T. and Lee, Y. H., "A holistic model of computer abuse within organizations", Information Management and Computer Security, Vol. 10, No. 2, 2002, pp. 57-63.
  63. Li, H., Zhang, J., and Sarathy, R., "Understanding compliance with internet use policy from the perspective of rational choice theory", Decision Support Systems, Vol. 48, No. 4, 2010, pp. 635-645.
  64. Nagin, D. S. and Paternoster, R., "Enduring individual differences and rational choice theories of crime", Law and Society Review, Vol. 27, No. 3, 1993, pp. 467-496.
  65. Nagin, D. S. and Pogarsky, G., "Integrating celerity, impulsivity, and extralegal sanction threats into a model of general deterrence : Theory and evidence", Criminology, Vol. 39, No. 4, 2001, pp. 865-892.
  66. Ophoff, J., Jensen, A., Sanderson-Smith, J., Porter, M., and Johnston, K., "A descriptive literature review and classification of insider threat research", Proceedings of Informing Science and IT Education Conference (InSITE), 2014.
  67. Pahnila, S., Siponen, M., and Mahmood, A., "Employees' behavior towards IS security policy compliance", Proceedings of the 40th Annual Hawaii International Conference on System Sciences (HICSS 2007), 2007, p. 156b.
  68. Paternoster, R. and Simpson, S., "Sanction threats and appeals to morality : Testing a rational choice model of corporate crime", Law and Society Review, Vol. 30, No. 3, 1996, pp. 549-583.
  69. Peltier, T. R., "Implementing an information security awareness program", Information Systems Security, Vol. 14, No. 2, 2005, pp. 37-49.
  70. Siponen, M., Mahmood, M. A., and Pahnila, S., "Employees' adherence to information security policies : An exploratory field study", Information and Management, Vol. 51, No. 2, 2014, pp. 217-224.
  71. Siponen, M., Pahnila, S., and Mahmood, M. A., "Compliance with information security policies : An empirical investigation", Computer, Vol. 43, No. 2, 2010, pp. 64-71.
  72. Siponen, M. and Vance, A., "Neutralization : New insights into the problem of employee information systems security policy violations", MIS Quarterly, Vol. 34, No. 3, 2010, pp. 487-502.
  73. Siponen, M., "A conceptual foundation for organizational information security awareness", Information Management and Computer Security, Vol. 8, No. 1, 2000, pp. 31-41.
  74. Sommestad, T., Hallberg, J., Lundholm, K., and Bengtsson, J., "Variables influencing information security policy compliance", Information Management and Computer Security, Vol. 22, No. 1, 2014, pp. 42-75.
  75. Son, J. Y., "Out of fear or desire? Toward a better understanding of employees' motivation to follow is security policies", Information and Management, Vol. 48, No. 7, 2011, pp. 296-302.
  76. Sosik, J. J., Kahai, S. S., and Piovoso, M. J., "Silver bullet or voodoo statistics? A primer for using the partial least squares data analytic technique in group and organization research", Group and Organization Management, Vol. 34, No. 1, 2009, pp. 5-36.
  77. Stone, M., "Cross-validatory choice and assessment of statistical predictions", Journal of the Royal Statistical Society Series B (Methodological), 1974, pp. 111-147.
  78. Straub, D., "Effective is security : An empirical study", Information Systems Research, Vol. 1, No. 3, 1990, pp. 255-276.
  79. Tenenhaus, M., Amato, S., and Esposito Vinzi, V., "A global goodness-of-fit index for PLS structural equation modelling", Proceedings of the XLII SIS Scientific Meeting, Vol. 1, 2004, pp. 739-742.
  80. Tenenhaus, M., Vinzi, V. E., Chatelin, Y. M., and Lauro, C., "PLS path modeling", Computational Statistics and Data Analysis, Vol. 48, No. 1, 2005, pp. 159-205.
  81. Theoharidou, M., Kokolakis, S., Karyda, M., and Kiountouzis, E., "The insider threat to information systems and the effectiveness of iso17799", Computers and Security, Vol. 24, No. 6, 2005, pp. 472-484.
  82. Vance, A., Siponen, M., and Pahnila, S., "Motivating is security compliance : Insights from habit and protection motivation theory", Information and Management, Vol. 49, No. 3-4, 2012, pp. 190-198.
  83. Vance, A. and Siponen, M., "IS security policy violations : A rational choice perspective", Journal of Organizational and End User Computing (JOEUC), Vol. 24, No. 1, 2012, pp. 21-41.
  84. Wall, J. D., Palvia, P., and Lowry, P. B., "Control-related motivations and information security policy compliance : The role of autonomy and efficacy", Journal of Information Privacy and Security, Vol. 9, No. 4, 2013, pp. 52-79.
  85. Whitman, M. E., "In defense of the realm : Understanding the threats to information security", International Journal of Information Management, Vol. 24, No. 1, 2004, pp. 43-57.
  86. Whitman, M. E., Townsend, A. M., and Aalberts, R. J., "Information systems security and the need for policy", Information Security Management : Global Challenges in the New Millennium, 2001, pp. 9-18.
  87. Williams, K. R. and Hawkins, R., "Perceptual research on general deterrence : A critical review", Law and Society Review, Vol. 24, No. 4, 1986, pp. 545-572.
  88. Willison, R. and Warkentin, M., "Beyond deterrence : An expanded view of employee computer abuse", MIS Quarterly, Vol. 37, No. 1, 2013.
  89. Yang, Y., Stafford, T. F., and Gillenson, M., "Satisfaction with employee relationship management systems : The impact of usefulness on systems quality perceptions", European Journal of Information Systems, Vol. 20, No. 2, 2011, pp. 221-236.
  90. Yoon, C. H., "Theory of planned behavior and ethics theory in digital piracy : An integrated model", Journal of Business Ethics, Vol. 100, No. 3, 2011, pp. 405-417.
  91. Yoon, C. H. and Kim, H. G., "Understanding computer security behavioral intention in the workplace", Information Technology and People, Vol. 26, No. 4, 2013, pp. 401-419.
  92. Zhang, J., Reithel, B. J., and Li, H., "Impact of perceived technical protection on security behaviors", Information Management and Computer Security, Vol. 17, No. 4, 2009, pp. 330-340.

Cited by

  1. A study on security policy violations by organizational members, Vol. 25, No. 3, 2015.