The Employee's Information Security Policy Compliance Intention : Theory of Planned Behavior, Goal Setting Theory, and Deterrence Theory Applied

Employees' Intention to Comply with Information Security Policy: Applying the Theory of Planned Behavior, Goal Setting Theory, and Deterrence Theory

  • Received : 2016.06.02
  • Accepted : 2016.07.20
  • Published : 2016.07.28

Abstract

As the importance of information security grows, organizations are continuously investing in developing policies and adopting technology for information security. Organizations should provide systematic support to strengthen employees' intention to comply with security policy, since that intention determines the level of security inside the organization. This research proposes security policy goal setting and sanction enforcement as methods for improving employees' security compliance when planning and enforcing an organization's security policy, and verifies their relationship with the Theory of Planned Behavior, which explains employees' security compliance intention. We used structural equation modeling to test the research hypotheses, and conducted a survey of employees in organizations that have an information security policy. The hypotheses were tested on 346 responses. The results show that the degree of goal setting and the degree of sanction enforcement have a positive influence on self-efficacy and coping efficacy, which are antecedents of employees' compliance intention. Based on these findings, this research suggests directions for a strategic approach to enhancing employees' intention to comply with the organization's security policy.

With the growing importance of information security, organizations are continuously investing in developing policies and adopting technology for information security. To raise the level of security within the organization, systematic support at the organizational level is needed to improve employees' intention to comply with security policy. This study proposes security policy goal setting and sanction enforcement as ways to improve employees' security compliance in planning and implementing the organization's security policy, and verifies their relationship with the Theory of Planned Behavior, which explains employees' security compliance intention. Structural equation modeling was used to test the research hypotheses, and a survey was conducted among employees of organizations that have adopted an information security policy. The hypotheses were tested on 346 responses. The results confirm that the level of goal setting and the level of sanction enforcement have a positive effect on self-efficacy and coping efficacy, the antecedent variables that influence employees' compliance intention. In conclusion, by showing the importance of setting security policy goals and of enforcing sanctions for improving employees' intention to comply with security policy, this study suggests strategic directions for effective organizational security that the information security department within an organization should pursue.
