Information Systems Review (경영정보학연구)

The Korea Society of Management Information Systems (한국경영정보학회)
권호 표지
DOI QR코드

DOI QR Code

Violations of Information Security Policy in a Financial Firm: The Difference between the Own Employees and Outsourced Contractors

금융회사의 정보보안정책 위반요인에 관한 연구: 내부직원과 외주직원의 차이

  • Jeong-Ha Lee (Business Administration, Seoul School of Integrated Sciences and Technologies) ;
  • Sang-Yong Tom Lee (School of Business, Hanyang University)
  • 이정하 (서울과학종합대학원대학교) ;
  • 이상용 (한양대학교 경영대학)
  • Received : 2016.06.03
  • Accepted : 2016.11.11
  • Published : 2016.12.31
Download PDF
⟨ Previous Next ⟩

Abstract

Information security incidents caused by authorized insiders are increasing in financial firms, and this increase is particularly increased by outsourced contractors. With the increase in outsourcing in financial firms, outsourced contractors having authorized right has become a threat and could violate an organization's information security policy. This study aims to analyze the differences between own employees and outsourced contractors and to determine the factors affecting the violation of information security policy to mitigate information security incidents. This study examines the factors driving employees to violate information security policy in financial firms based on the theory of planned behavior, general deterrence theory, and information security awareness, and the moderating effects of employee type between own employees and outsourced contractors. We used 363 samples that were collected through both online and offline surveys and conducted partial least square-structural equation modeling and multiple group analysis to determine the differences between own employees (246 samples, 68%) and outsourced contractors (117 samples, 32%). We found that the perceived sanction and information security awareness support the information security policy violation attitude and subjective norm, and the perceived sanction does not support the information security policy behavior control. The moderating effects of employee type in the research model were also supported. According to the t-test result between own employees and outsourced contractors, outsourced contractors' behavior control supported information security violation intention but not subject norms. The academic implications of this study is expected to be the basis for future research on outsourced contractors' violation of information security policy and a guide to develop information security awareness programs for outsourced contractors to control these incidents. Financial firms need to develop an information security awareness program for outsourced contractors to increase the knowledge and understanding of information security policy. Moreover, this program is effective for outsourced contractors.

금융회사의 정보보안사고는 정당한 접근 권한을 가진 내부자에 의해 발생하는 사례가 증가하고 있으며, 특히 외주직원에 의한 사고가 증가하고 있다. 금융회사의 외주용역 증가에 따라, 내부자 위협관점에서 정당한 권한을 가진 외주직원은 조직의 정보보안정책을 위반할 수 있는 위협적인 존재가 되고 있다. 본 연구의 목적은 내부직원과 외주직원의 차이를 분석하고 정보보안정책의 위반요인을 확인하여 금융회사의 정보보안정책이 바르게 작용할 수 있도록 하기 위함이다. 금융회사 조직원의 정보보안정책에 대한 위반요인에 대해 계획된 행동이론, 일반억제이론 및 정보보안인식을 기초하여 연구모형을 설계하고, 내부직원과 외주직원 간의 차이를 분석하였다. 분석에 사용된 설문은 온라인과 오프라인으로 수집된 363개의 샘플이 사용되었으며, 그룹 간 차이를 분석하기 위해 내부직원 246명(68%)과 외주직원 117명(32%)을 두 그룹으로 나누어 다중 집단 분석을 이용하였다. 차이 분석을 수행한 결과, 외주직원은 내부직원과 달리 정보보안정책에 대한 위반의도가 정보보안정책에 대한 주관적규범에 영향을 받지 않고 정보보안정책에 대한 행동통제에 영향을 받아 억제되는 것으로 나타났다. 이는 외주직원은 자신이 스스로 할 수 있다고 여기는 자기효능감과 같은 요인에 의해 정보보안정책에 대한 위반의도가 통제되는 것을 나타내는 것이며, 외주직원관리에 이를 응용하여 정보보안교육을 내부직원과 달리 정보보안정책에 대한 조직의 기대를 강조하기보다는 스스로 지킬 수 있을 정도로 외주직원이 기술을 가지고 있음을 강조하고 쉽게 지킬 수 있다는 것을 강조하면 더욱 효과적일 것이다. 결론적으로 금융회사의 외주직원에 대한 정보보안교육 프로그램은 정보보안정책에 대한 이해도를 높일 수 있도록 하여야 하며, 외주직원관리에서는 외주직원이 스스로 지킬 수 있도록 쉬운 보안체계를 유지하는 것이 효과적이라 할 수 있다.

Keywords

References

  1. 감사원, 감사결과보고서-금융회사 개인정보유출 관련 검사.감독 실태, 감사원, 2014.
  2. 강다연, 장명희, "정보보안정책 준수가 정보보안능력 및 행동에 미치는 영향 분석: 해운항만조직 구성원을 대상으로", 한국항만경제학회지, 제30권, 제1호, 2014, pp. 97-118.
  3. 강 욱, 전용태, "산업보안 담당자의 보안정책 준수에 영향을 미치는 요인-억제이론과 합리적 선택이론을 중심으로", 한국경찰연구, 제13권, 제3호, 2014, pp. 273-298.
  4. 강주영, 이재규, "산업은행: 금융 IT 아웃소싱-공동협력으로 안전한 문을 연다", Information Systems Review, 제7권, 제2호, 2005, pp. 229-255.
  5. 김상현, 송영미, "조직 구성원들의 정보보안정책 준수 동기요인에 관한 연구", e-비즈니스연구, 제12권, 제3호, 2011, pp. 327-349.
  6. 김양훈, 문제욱, 황선호, 장항배, "ICT 아웃소싱 환경에서 보안관리 방안 연구", 정보보호학회지, 제24권, 제1호, 2014, pp. 23-31.
  7. 삼정KPMG 경제연구원, Asian Outsourcing: the next wave, SAMJONG Insight, 제4권, 2007, pp. 1-7.
  8. 송지호, 전략적 Outsourcing-은행산업을 중심으로, Opentide ViSTA, 2001.
  9. 안중호, 박준형, 성기문, 이재홍, "처벌과 윤리교육이 정보보안준수에 미치는 영향: 조직유형의 조절효과를 중심으로", Information Systems Review, 제12권, 제1호, 2010, pp. 23-42.
  10. 이민화, "The factors affecting outsourcing of data processing services", 정보시스템연구, 제6권, 제2호, 1997, pp. 1-28.
  11. 이정하, 이상용, "금융회사 정보보안정책의 위반에 영향을 주는 요인 연구: 지각된 고객정보 민감도에 따른 조절효과", Journal of Information Technology Applications and Management, 제22권, 제4호, 2015, pp. 225-251.
  12. 이학식, 임지훈, SPSS 20.0 매뉴얼, 집현재, 2013.
  13. 임명성, "조직 구성원들의 정보보안 정책 준수행위 의도에 관한 연구", 디지털정책연구, 제10권, 제10호, 2012, pp. 119-128.
  14. 임명성, "정보보안정책의 특성이 구성원들의 보안정책 준수 행위에 미치는 영향에 관한 연구", 디지털정책연구, 제11권, 제1호, 2013a, pp. 27-38.
  15. 임명성, "조직 구성원들의 정보보안 정책 위반에 영향을 미치는 요인", 디지털융복합연구, 제11권, 제2호, 2013b, pp. 19-32.
  16. 장효강, 류황건, 배성권, "병원 아웃소싱 직원과 정규직원의 조직문화 인식이 직무에 미치는 영향", 한국콘텐츠학회논문지, 제9권, 제2호, 2009, pp. 279-288.
  17. 정우진, 신유형, 이상용, "금융회사의 고객정 보보호에 대한 내부직원의 태도 연구", Asia Pacific Journal of Information Systems, 제22권, 제1호, 2012, pp. 53-77.
  18. 최창래, 윤장호, 이경호, "금융보안 리스크 기반의 IT도급 정책 연구", 정보보호학회논문지, 제24권, 제4호, 2014, pp. 681-694.
  19. KRG, IT 아웃소싱 동향 보고서, KRG Report, 2002.
  20. Ajzen, I., "The theory of planned behavior", Organizational Behavior and Human Decision Processes, Vol.50, No.2, 1991, pp. 179-211.
  21. Ajzen, I., D. Albarracin, and R. Hornik, Prediction and change of health behavior: Applying the reasoned action approach, Lawrence Erlbaum Associates, New Jersey, 2007.
  22. Apte, U., "Global outsourcing of information systems and processing services", The Information Society, Vol.7, No.4, 1990, pp. 287-303.
  23. Aurigemma, S., "A composite framework for behavioral compliance with information security policies", Journal of Organizational and End User Computing, Vol.25, No.3, 2013, pp. 32-51.
  24. Aurigemma, S. and R. Panko, "A composite framework for behavioral compliance with information security policies", 2012 45th Hawaii International Conference on System Science, 2012, pp. 3248-3257.
  25. Bardhan, A. D. and C. A. Kroll, "The new wave of outsourcing", Fisher Center for Real Estate and Urban Economics, 2003, pp. 1-12.
  26. Bulgurcu, B., H. Cavusoglu, and I. Benbasat, "Effects of individual and organization based beliefs and the moderating role of work experience on insiders' good security behaviors", International Conference on Computational Science and Engineering, Vol.3, 2009, pp. 476-481.
  27. Bulgurcu, B., H. Cavusoglu, and I. Benbasat, "Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness", MIS Quarterly, Vol.34, No.3, 2010, pp. 523-548.
  28. Carroll, M. D., "Information security: Examining and managing the insider threat", Proceedings of the 3rd annual conference on Information security curriculum development, 2006, pp. 156-158.
  29. Chin, W. W., "The partial least squares approach to structural equation modeling", in Marcoulides G. A.(eds), Modern Methods for Business Research, Lawrence Erlbaum Associates, New Jersey, 1998, pp. 295-336.
  30. Chin, W. W., B. L. Marcolin, and P. R. Newsted, "A partial least squares latent variable modeling approach for measuring interaction effects: Results from a monte carlo simulation study and an electronic-mail emotion/adoption study", Information Systems Research, Vol.14, No.2, 2003, pp. 189-217.
  31. Cohen, J., Statistical power analysis for the behavioral sciences, Lawrence Erlbaum Associates, New Jersey, 2013.
  32. D'Arcy, J. and A. Hovav, "Deterring internal information systems misuse", Communications of the ACM, Vol.50, No.10, 2007, pp. 113-117.
  33. D'Arcy, J., A. Hovav, and D. Galletta, "User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach", Information Systems Research, Vol.20, No.1, 2009, pp. 79-98.
  34. Fornell, C. and D. F. Larcker, "Evaluating structural equation models with unobservable variables and measurement error", Journal of Marketing Research, Vol.18, No.1, 1981, pp. 39-50.
  35. Gaonjur, P. and C. Bokhoree, "Risk of insider threats in information technology outsourcing: Can deceptive techniques be applied?", Proceedings of the 2006 International Conference on Security and Management, 2006, pp. 522-529.
  36. Gefen, D. and D. Straub, "A practical guide to factorial validity using PLS-Graph: Tutorial and annotated example", Communications of the Association for Information Systems, Vol.16, 2005, pp. 91-109.
  37. Geisser, S., "The predictive sample reuse method with applications", Journal of the American Statistical Association, Vol.70, No.350, 1975, pp. 320-328.
  38. Guo, K. H., Y. Yuan, N. P. Archer, and C. E. Connelly, "Understanding nonmalicious security violations in the workplace: A composite behavior model", Journal of Management Information Systems, Vol.28, No.2, 2011, pp. 203-236.
  39. Hair, J. F., W. C. Black, B. J. Babin, R. E., Anderson, and R. L. Tatham, Multivariate data analysis, 6th edition, Pearson, 2006.
  40. Hair, J. F., M. Sarstedt, C. M. Ringle, and J. A. Mena, "An assessment of the use of partial least squares structural equation modeling in marketing research", Journal of the Academy of Marketing Science, Vol.40, No.3, 2012, pp. 414-433.
  41. Hamin, Z., "Insider cyber-threats: Problems and perspectives", International Review of Law, Computers and Technology, Vol.14, No.1, 2000, p. 105.
  42. Henseler, J., C. M. Ringle, and R. R. Sinkovics, "The use of partial least squares path modeling in international marketing", Advances in International Marketing, Vol.20, 2009, pp. 277-320.
  43. Herath, T. and H. R. Rao, "Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness", Decision Support Systems, Vol.47, No.2, 2009a, pp. 154-165.
  44. Herath, T. and H. R. Rao, "Protection motivation and deterrence: A framework for security policy compliance in organizations", European Journal of Information Systems, Vol.18, No.2, 2009b, pp. 106-125.
  45. Hong, J., J. Kim, and J. Cho "The trend of the security research for the insider cyber threat", International Journal of Future Generation Communication and Networking, Vol.3, No.2, 2010, pp. 31-40.
  46. Hu, Q., T. Dinev, P. Hart, and D. Cooke, "Managing employee compliance with information security policies: The critical role of top management and organizational culture", Decision Sciences, Vol.43, No.4, 2012, pp. 615-660.
  47. Hu, Q., Z. Xu, T. Dinev, and H. Ling, "Does deterrence work in reducing information security policy abuse by employees?", Communications of the ACM, Vol.54, No.6, 2011, pp. 54-60.
  48. Hulland, J., "Use of partial least squares(PLS) in strategic management research: A review of four recent studies", Strategic Management Journal, Vol.20, No.2, 1999, pp. 195-204.
  49. Ifinedo, P., "Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory", Computers and Security, Vol. 31, No.1, 2012, pp. 83-95.
  50. Kankanhalli, A., H. H. Teo, B. C. Tan, and K. K. Wei, "An integrative study of information systems security effectiveness", International Journal of Information Management, Vol.23, No.2, 2003, pp. 139-154.
  51. Keil, M., A. Rai, and S. Liu, "How user risk and requirements risk moderate the effects of formal and informal control on the process performance of it projects", European Journal of Information Systems, Vol.22, No.6, 2013, pp. 650-672.
  52. Keil, M., B. C. Tan, K. K. Wei, T. Saarinen, V. Tuunainen, and A. Wassenaar, "A cross-cultural study on escalation of commitment behavior in software projects", MIS Quarterly, Vol.24, No.2, 2000, pp. 299-325.
  53. Kim, S. H., K. H. Yang, and S. Park, "An integrative behavioral model of information security policy compliance", The Scientific World Journal, Vol.2014, 2014, pp. 1-12.
  54. Lacity, M. C. and R. A. Hirschheim, Information systems outsourcing; myths, metaphors, and realities, John Wiley & Sons, Inc., New York, 1993.
  55. Leach, J., "Improving user security behaviour", Computers and Security, Vol.22, No.8, 2003, pp. 685-692.
  56. Lee, J. T. and Y. H. Lee, "A holistic model of computer abuse within organizations", Information Management and Computer Security, Vol.10, No.2, 2002, pp. 57-63.
  57. Loh, L. and N. Venkatraman, "An empirical study of information technology outsourcing: Benefits, risks, and performance implications", ICIS 1995 Proceedings, 1995, pp. 277-288.
  58. Nagin, D. S. and R. Paternoster, "Enduring individual differences and rational choice theories of crime", Law and Society Review, Vol.27, No.3, 1993, pp. 467-496.
  59. Nagin, D. S. and G. Pogarsky, "Integrating celerity, impulsivity, and extralegal sanction threats into a model of general deterrence: Theory and evidence", Criminology, Vol.39, No.4, 2001, pp. 865-892.
  60. Pahnila, S., M. Siponen, and A. Mahmood, "Employees' behavior towards is security policy compliance", Proceedings of the 40th Annual Hawaii International Conference on System Sciences, 2007, p. 156b.
  61. Paternoster, R. and S. Simpson, "Sanction threats and appeals to morality: Testing a rational choice model of corporate crime", Law and Society Review, Vol.30, No.3, 1996, pp. 549-583.
  62. Peltier, T. R., "Implementing an information security awareness program", Information Systems Security, Vol.14, No.2, 2005, pp. 37-49.
  63. Pfleeger, C. P., "Reflections on the insider threat", in Stolfo, S. J., S. M. Bellovin, A. D. Keromytis, S. Hershkop, S. W. Smith, and S. Sinclair(eds), Insider Attack and Cyber Security: Beyond the Hacker, Springer US, Boston, 2008, pp. 5-16.
  64. Sarkar, K. R,, "Assessing insider threats to information security using technical, behavioural and organisational measures", Information Security Technical Report, Vol.15, No.3, 2010, pp. 112-133.
  65. Schultz, E. E., "A framework for understanding and predicting insider attacks", Computers and Security, Vol.21, No.6, 2002, pp. 526-531.
  66. Siponen, M., M. M. Adam, and S. Pahnila, "Employees' adherence to information security policies: An exploratory field study", Information and Management, Vol.51, No.2, 2014, pp. 217-224.
  67. Siponen, M., S. Pahnila, and M. A. Mahmood, "Compliance with information security policies: An empirical investigation", Computer, Vol.43, No.2, 2010, pp. 64-71.
  68. Siponen, M. and A. Vance, "Neutralization: New insights into the problem of employee information systems security policy violations", MIS Quarterly, Vol.34, No.3, 2010, pp. 487-502.
  69. Siponen, M., "A conceptual foundation for organizational information security awareness", Information Management and Computer Security, Vol. 8, No.1, 2000, pp. 31-41.
  70. Sommestad, T., J. Hallberg, K. Lundholm, and J. Bengtsson, "Variables influencing information security policy compliance", Information Management and Computer Security, Vol.22, No.1, 2014, pp. 42-75.
  71. Son, J. Y., "Out of fear or desire? Toward a better understanding of employees' motivation to follow is security policies", Information and Management, Vol.48, No.7, 2011, pp. 296-302.
  72. Stone, M., "Cross-validatory choice and assessment of statistical predictions", Journal of the Royal Statistical Society. Series B (Methodological), Vol.36, No.2, 1974, pp. 111-147.
  73. Straub, D. W., "Effective is security: An empirical study", Information Systems Research, Vol.1, No. 3, 1990, pp. 255-276.
  74. Tenenhaus, M., S. Amato, and V. E. Vinzi, "A global goodness-of-fit index for PLS structural equation modelling", Proceedings of the XLII SIS Scientific Meeting, Vol.1, 2004, pp. 739-742.
  75. Tenenhaus, M., V. E. Vinzi, Y. M. Chatelin, and C. Lauro, "PLS path modeling", Computational Statistics and Data Analysis, Vol.48, No.1, 2005, pp. 159-205.
  76. Theoharidou, M., S. Kokolakis, M. Karyda, and E. Kiountouzis, "The insider threat to information systems and the effectiveness of ISO17799", Computers and Security, Vol.24, No.6, 2005, pp. 472-484.
  77. Vance, A. and M. Siponen, "Is security policy violations: A rational choice perspective", Journal of Organizational and End User Computing, Vol.24, No.1, 2012, pp. 21-41.
  78. Whitman, M. E., A. M. Townsend, and R. J. Aalberts, "Information systems security and the need for policy", In Dhillon, G.(eds), Information Security Management: Global Challenges in the New Millennium, IGI Global, Pennsylvania, 2001, pp. 9-18.
  79. Wixom, B. H. and H. J. Watson, "An empirical investigation of the factors affecting data warehousing success", MIS Quarterly, Vol.25, No.1, 2001, pp. 17-41.
  80. Yang, D. H., S. Kim, C. Nam, and J. W. Min, "Developing a decision model for business process outsourcing", Computers and Operations Research, Vol.34, No.12, 2007, pp. 3769-3778.
  81. Yoon, C., "Theory of planned behavior and ethics theory in digital piracy: An integrated model", Journal of Business Ethics, Vol.100, No.3, 2011, pp. 405-417.