DOI QR코드

DOI QR Code

An Empirical Study on Influencing Factors of Using Information Security Technology

정보보안기술 사용의 영향요인에 관한 실증적 연구

  • Received : 2015.09.23
  • Accepted : 2015.11.06
  • Published : 2015.11.30

Abstract

Although three types of the information security measures (technical, physical and managerial ones) are all together critical to maintaining information security in the organizations and should be implemented at the same time, this study aims at providing theoretical basis of establishing and implementing effective managerial security measures. The rationale behind this research objective is that it is very important to effectively perform the managerial security measures to achieve the target performance level of the technical and the physical security measures because main agents of practicing the information security measures in the organizations are staff members even though the technical and the physical ones are well constructed and implemented. In particular, this study intends to develop and propose the theoretical model applicable to providing the way of improving organizational members' intention to use information security technologies since the very intention to use them is essential to effectively establishing and promoting managerial security measures. In order to achieve the objective of this study, the factors critical to influencing upon the intention to use information security technologies are derived through systematically reviewing related theories and previous studies, and then the research model and hypotheses are proposed by logically reasoning the casual relationship among the these factors. Also, the empirical analyses are performed by conducting the survey of the organization members of domestic large companies and analyzing the structural equation model by PLS (Partial Least Squares) method. The significant results of this study can contribute to expanding the research area of managerial information security and can be applied to suggesting the practical guidelines for effectively establishing and implementing the managerial security measures in various organizations.

조직의 정보보안을 위해서는 세 가지 유형의 정보보안(기술적, 물리적 및 관리적 보안) 모두가 중요하며 병행 추진되어야 할 것이지만, 본 연구는 관리적 보안대책의 수립 및 추진의 효과성을 보다 높이기 위한 이론적 근거를 확보하는데 연구목표를 설정하였다. 즉, 기술적 및 물리적 보안대책이 철저하게 정비되고 추진된다고 하더라도 이를 준수하고 실행하는 주체는 결국 조직구성원들이므로 기술적 및 물리적 보안대책이 소기의 성과를 이루기 위해서는 이에 부응한 관리적 보안대책이 균형 있게 추진되는 것이 필수적이기 때문에 관리적 보안을 보다 효과적으로 수행할 수 있기 위한 이론적 근거를 확보하는 것은 매우 중요한 의미를 지닌다고 본다. 특히, 본 연구에서는 효과적인 관리적 보안대책의 수립 추진의 핵심과제라고 할 수 있는 조직구성원들의 정보보안기술 사용의도를 향상시키기 위한 방안 마련 시에 적용될 수 있는 이론적 모형을 개발 제시하고자 하였다. 이를 위해 정보보안기술 사용의도에 영향을 미치는 요인들을 주요 관련 이론 및 선행연구들에 대한 체계적 고찰을 통해 도출하고 이들 간의 인과적 관계를 논리적으로 추론함으로써 연구모형 및 가설을 도출하였다. 실증분석을 위해서는 국내 대기업들의 직원들을 대상으로 현장서베이를 통한 자료수집을 하였고 부분최소자승법(PLS: Partial Least Squares)기법에 의한 구조방정식 모형분석을 실시하였다. 본 연구의 유의한 결과는 이론적인 측면에서 관리적 정보보안 분야 연구의 외연을 확대하는데 기여할 수 있다고 보며, 실무적인 측면에서는 제반 조직들이 관리적 정보보안 방안 및 대책 수립을 함에 있어서 업무지침의 일부로 적용될 수 있을 것으로 예상된다.

Keywords

References

  1. Adams, D. A., Nelson, R. R., and Todd, P. A., "Perceived Usefulness, Ease of Use, and Usage of Information Technology: a Replication," MIS Quarterly, Vol. 16, No. 2, pp. 227-247, 1992. https://doi.org/10.2307/249577
  2. Ajzen, I., "The theory of planned behavior," Organizational Behavior and Human Decision Processes, Vol. 50, pp. 179-211, 1991. https://doi.org/10.1016/0749-5978(91)90020-T
  3. Ajzen, I., "Perceived behavioral control, self-efficacy, locus of control, and the theory of planned behavior," Journal of Applied Social Psychology, Vol. 32, pp. 665-683, 2002. https://doi.org/10.1111/j.1559-1816.2002.tb00236.x
  4. Amoroso, D. L., "Organizational issues of end-user computing," Data Base, Vol. 19, No. 3-4, pp. 49-58, 1988. https://doi.org/10.1145/65766.65773
  5. Bagozzi, R. P., "Attitudes, intentions, and behavior: A test of some key hypotheses," Journal of Personality and Social Psychology, Vol. 41, No. 4, pp. 607-627, 1981. https://doi.org/10.1037/0022-3514.41.4.607
  6. Bagozzi, R. P., "A Field Investigation of Causal Relations among Cognitions, Affect, Intentions, and Behavior," Journal of Marketing Research, Vol. 19, No. 4, pp. 562-583, 1982. https://doi.org/10.2307/3151727
  7. Bandura, A., "Self-efficacy: toward a unifying theory of behavioral change," Psychological Review, Vol. 84, No. 2, pp. 191-215, 1986. https://doi.org/10.1037//0033-295X.84.2.191
  8. Chin, W., "Issues and Opinion on Structural Equation Modeling," MIS Quarterly, Vol. 22, No. 1, pp.7-16, 1998.
  9. Davis, F. D., "Perceived usefulness, perceived ease of use, and user acceptance of information technology," MIS Quarterly, Vol. 13, No. 1, pp. 319-340, 1989. https://doi.org/10.2307/249008
  10. Davis. F. D., Bagozzi. R. P., and Warshaw, P. R., "User acceptance of computer technology: a comparison of two theoretical models," Management Science, Vol. 35, No. 8, pp. 982-1003, 1989. https://doi.org/10.1287/mnsc.35.8.982
  11. Dinev, T. and Hart, P., "Internet privacy concerns and social awareness as determinants of intention to transact," International Journal of E-Commerce, Vol. 10, No. 2, pp. 7-31, 2006. https://doi.org/10.2753/JEC1086-4415100301
  12. Dinev, T. and Hu, Q., "The centrality of awareness in the formation of user behavioral intention toward protective information technologies," Journal of the Association for Information Systems, Vol. 8, pp. 386-408, 2007. https://doi.org/10.17705/1jais.00133
  13. Fishbein, M., "An investigation of relationships between beliefs about an object and the attitude toward that object," Human Relations, Vol. 16, pp. 233-240, 1963. https://doi.org/10.1177/001872676301600302
  14. Fishbein, M. and Ajzen, I., Belief, Attitude, Intention, and Behavior: An Introduction to Theory and Research, Reading, MA: Addison-Wesley, 1975.
  15. Gefen, D. and Straub, D. W., "A Practical Guide to Factorial Validity Using PLS-Graph: Tutorial and Annotated Example," Communications of the Association for Information Systems, Vol. 16, No. 5, pp. 91-109, 2005.
  16. Goodhue, D. L. and Straub, D. W., "Security concerns of system users: A study of perceptions of the adequacy of security," Information and Management, Vol. 20, No. 1, pp. 13-27, 1991. https://doi.org/10.1016/0378-7206(91)90024-V
  17. Hu, Q. and Dinev, T., "Is Spyware an Internet Nuisance or Public Menace?," Communications of the ACM, Vol. 48, No. 8, pp. 61-66, 2005. https://doi.org/10.1145/1076211.1076241
  18. Hu, Q., Hart, P., and Cooke, D., "The Role of External Influences on Organizational Information Security Practices: An Institutional Perspective," Proceedings of the 39th Hawaii International Conference on Systems Science (HICSS 39), January 4-7, Hawaii, USA. CD-ROM, IEEE Computer Society, 2006.
  19. Igbaria, M., "An examination of the factors contributing to microcomputer technology acceptance," Accounting Management and Information Technologies, Vol. 4, No. 4, pp. 205-224, 1994. https://doi.org/10.1016/0959-8022(94)90023-X
  20. Jackson, C. M. and Chow, S., "Toward an Understanding of the Behavioral Intention to Use an Information System," Decision Sciences, Vol. 28, No. 2, pp. 357-389, 1997. https://doi.org/10.1111/j.1540-5915.1997.tb01315.x
  21. Kim, S. and Park, S., "Influencing Factors for Compliance Intention of Information Security Policy," The Journal of Society for e-Business Studies, Vol. 16, No. 4, pp. 33-51, 2011. https://doi.org/10.7838/jsebs.2011.16.4.033
  22. Kwon, T. H. and Zmud, R. W., "Unifying the fragmented models of information systems implementation," Critical Issues in Information Systems Research(edited by Hirschheim, R. J. and Boland, R. A.), John Wiley and Sons, pp. 227-251, 1987.
  23. Lang, P. J., "Cognition in emotion: Concept and action," Emotions, Cognition and Behavior(edited by Izard, C. E., Kagan, J. and Zajonc, R.), Cambridge University Press, pp. 192-226, 1984.
  24. Lee, S. and Lee, M., "An Exploratory Study on the Information Security Culture Indicator," Informatization Policy, Vol. 15, No. 3, pp. 100-119, 2008.
  25. Nam, G. H. and Won, D. H., Information System Security, Green Publishing Co., Seoul, 2010.
  26. Nunnally, J. C., Psychometric Theory (2nd ed.), New York: McGraw-Hill, 1987.
  27. Rogers, R. W., "A Protection Motivation Theory of Fear Appeals and Attitude Change," Journal of Psychology, Vol. 91, pp. 93-114, 1975. https://doi.org/10.1080/00223980.1975.9915803
  28. Rogers, E. M., Diffusion of Innovations (4th ed.), The Free Press, New York, 1983.
  29. Srite, M. and Karahanna, E., "The Role of Espoused National Cultural Values in Technology Acceptance," MIS Quarterly, Vol. 30, No. 3, pp. 679-704, 2006. https://doi.org/10.2307/25148745
  30. Szajna, B., "Empirical Evaluation of the Revised Technology Acceptance Model," Management Science, Vol. 42, No. 1, pp. 85-92, 1996. https://doi.org/10.1287/mnsc.42.1.85
  31. Telecommunication Technology Association, Dictionary of Information Security Technology, Telecommunication Technology Association, 2006.
  32. Venkatesh, V., "Creation of Favorable User Perceptions: Exploring the Role of Intrinsic Motivation," MIS Quarterly, Vol. 23, No. 2, pp. 239-260, 1999. https://doi.org/10.2307/249753
  33. Venkatesh, V. and Davis, F. D., "A Theoretical Extension of the Technology Acceptance Model: Four Longitudinal Field Studies," Management Science, Vol. 46, No. 2, pp. 186-198, 2000. https://doi.org/10.1287/mnsc.46.2.186.11926
  34. Venkatesh, V. and Morris M. G., "User Acceptance of Information Technology: Toward a Unified View," MIS Quarterly, Vol. 27, No. 3, pp. 425-478, 2003. https://doi.org/10.2307/30036540
  35. Warshaw, P. R., "A New Model for Predicting Behavioral Intentions: An Alternative to Fishbein," Journal of Marketing Research, Vol. 17, No. 2, pp. 153-172, 1980(a). https://doi.org/10.2307/3150927
  36. Warshaw, P. R., "Predicting Purchase and Other Behaviors from General and Contextually Specific Intentions," Journal of Marketing Research, Vol. 17, No. 1, pp. 26-33, 1980(b). https://doi.org/10.2307/3151113
  37. Warshaw, P. R. and Davis, F. D., "Self-Understanding and the Accuracy of Behavioral Expectations," Personality and Social Psychology Bulletin, Vol. 10, No. 2, pp. 111-118, 1984. https://doi.org/10.1177/0146167284101013
  38. Warshaw, P. R. and Davis, F. D., "Disentangling Behavioral Intention and Behavioral Expectation," Journal of Experimental Social Psychology, Vol. 21, No. 2, pp. 213-228, 1985. https://doi.org/10.1016/0022-1031(85)90017-4
  39. Witte, K., "Putting the Fear Back into Fear Appeals: The Extended Parallel Process Model," Communication Monographs, Vol. 59, pp. 329-349, 1992. https://doi.org/10.1080/03637759209376276
  40. Witte, K., "Fear Control and Danger Control: A Test of the Extended Parallel Process Model(EPPM)," Communication Monographs, Vol. 61, pp. 113-134, 1994. https://doi.org/10.1080/03637759409376328
  41. Witte, K., Cameron, K. A., McKeon, J. K., and Berkowitz, J. M., "Predicting Risk Behaviors: Development and Validation f a Diagnostic Scale," Journal of Health Communication, Vol. 1, pp. 317-341, 1996. https://doi.org/10.1080/108107396127988
  42. Witte, K., "Fear as motivator, fear as inhibitor: Using the extended parallel process model to explain fear appeal successes and failures," Handbook of communication and emotion: Research, theory, applications, and contexts (edited by Andersen, P. A. and Guerrero, L. K.), San Diego, CA, US: Academic Press, pp. 423-450, 1998.
  43. Witte, K., Meyer, G., and Martell, D., Effective health risk message: A step-by-step guide, Thousand Oaks, California: Sage, 2001.