A Study on the influence of firm's Information Security Activities on the Information Security Compliance Intention of Employees

  • 정재원 (Yonsei University, Graduate School, Interdisciplinary Program in Management of Technology)
  • 이정훈 (Yonsei University, Graduate School of Information)
  • 김채리 (Yonsei University, Graduate School of Information)
  • Received : 2016.11.17
  • Accepted : 2016.12.20
  • Published : 2016.12.31

Abstract

Internal and external threats against information systems have increased, and to reduce them organizations spend a great deal of money and manpower. In spite of this investment, security threats and incidents continue to occur. Organizations conduct information security activities through various policies. This study classifies such activities into prevention-oriented and control-oriented activities and, using the health belief model, examines how an organization's information security activities affect its members and lead them to comply with the information security policy. The results show that prevention-oriented activity has a significant effect on perceived seriousness, and seriousness in turn affects compliance intention; control-oriented activity has a significant effect on perceived benefits, and benefits affect compliance intention. Accordingly, when an organization conducts prior activities such as education, PR, and monitoring, it should emphasize the negative outcomes that can result from deviation. In addition, where exposure and punishment follow post-hoc activities such as inspection and punishment, information security activity will be more effective if the organization emphasizes the positive effects of exposure and punishment rather than the negative aspects.

Internal and external threats to corporate information systems are increasing, and a great deal of money and manpower is being invested to reduce them. Despite this investment, however, security threats and incidents continue to occur. This study classified the various information security activities that firms carry out to prevent incidents into prevention-oriented and deterrence-oriented activities and, using the health belief model, examined how a firm's information security activities affect its members and lead them to comply with information security policy. The results show that prevention-oriented activities have a significant effect on perceived seriousness and deterrence-oriented activities on perceived benefits, and that seriousness and benefits each affect compliance intention. In light of these results, when a firm implements prior activities such as education, publicity, and monitoring, it should emphasize the negative consequences that can arise from non-compliance; when it seeks to maintain security through post-hoc activities such as audits and punishment, information security activity will be more effective if the firm demonstrates its commitment so that members themselves judge that complying with the security policy is in their interest.
