DOI QR코드

DOI QR Code

조직의 정보보안 목표 설정과 공정성이 보안정책 준수의도에 미치는 영향

A Study on the Influence of Organizational Information Security Goal Setting and Justice on Security Policy Compliance Intention

  • Hwang, In-Ho (School of Knowledge-Based Management, Chung-Ang University) ;
  • Kim, Seung-Wook (Department of Business Administration, Pyeong-Taek University)
  • 투고 : 2017.11.30
  • 심사 : 2018.02.20
  • 발행 : 2018.02.28

초록

전 세계적인 정보보안 위협의 증대에 따라 조직들은 보다 전문화된 정보보안 정책 및 시스템을 도입 및 활용에 투자 비중을 높이고 있다. 정보보안은 보안 시스템 및 정책을 이행하는 조직원들의 참여가 무엇보다 필요하며, 조직 내부의 보안 수준을 높이기 위해서는 조직원들의 정보보안 준수의도 향상을 위한 조직의 체계적인 지원이 무엇보다 필요하다. 본 연구는 정보보안 분야에 공정성이론과 목표설정이론을 적용하여 조직원의 정보보안 준수의도를 높이기 위한 매커니즘을 찾는다. 즉, 보안정책 목표설정이 조직원들의 보안관련 공정성 인식수준에 긍정적인 영향을 미치고, 공정성은 준수의도에 긍정적인 영향을 미친다는 연구모델 기반 가설 검증을 실시한다. 연구대상은 정보보안 정책을 도입한 조직의 조직원들이며, 설문조사를 통하여 유효샘플 383개를 수집하였다. 연구가설 검증은 구조방정식 모델링을 실시하였다. 보안정책 목표 요인(목표 난이도, 목표 구체성)이 조직원의 보안관련 공정성 인식을 높이며, 보안관련 공정성(분배, 절차, 그리고 정보 공정성)이 준수의도에 긍정적 영향을 주는 것으로 나타났다. 결과는 조직의 보안 정책에 대한 조직원들의 준수의도 향상을 위한 전략적 접근 방향을 제시한다.

The threat to information security is growing globally. To this, organizations are increasing the weight of adapting and operating the more specialized information security policy and system. Information security requires participation from the employees who execute the security system and policy, and to increase the level of organization's internal security, requires organization's systematic support to improve employees' information security compliance intention. This research finds the mechanism for improving employee's information security compliance intention by applying justice theory and goal setting theory in information security. We use structural equation modeling to verify the research hypothesis, and conducted a survey on the employees of organization with information security policy. In other words, this research performs verification of the research model based hypothesis which claims that security policy goal setting has positive influence on employee's level of security related justice recognition, and claims that justice has positive influence on compliance intention. The object of study is the employees of the organization that adapts information security policy, and 383 valid samples were collected via survey. Structural equation modeling was performed to verify the research hypothesis. The result shows that security policy goal factor (goal difficulty, goal specificity) improves employee's security related justice recognition, and that security related justice (distribution, process, and information justice) has positive influence on compliance intention. The result suggests the strategic approach directions for improving employees' compliance intention on organization's security policy.

키워드

참고문헌

  1. IDC. (2016). Worldwide semiannual security spending guide.
  2. K. D. Loch, H. H. Carr & M. E. Warkentin. (1992). Threats to information systems: today's reality, yesterday's understanding, MIS Quarterly, 16(2), 173-186. https://doi.org/10.2307/249574
  3. Verizon. (2017). 2017 data breach investigations report.
  4. I. Hwang & D. Kim. (2016). The effect of organizational information security environment on the compliance intention of employee, The Journal of Information Systems, 25(2), 51-77. https://doi.org/10.5859/KAIS.2016.25.2.51
  5. D. Kim, I. Hwang & J. Kim. (2016). A study on employee's compliance behavior towards information security policy: A modified triandis model, Journal of Digital Convergence, 14(4), 209-220. https://doi.org/10.14400/JDC.2016.14.4.209
  6. I. Hwang, D. Kim, T. Kim & S. Kim. (2017). Why not comply with information security? An empirical approach for the causes of non-compliance, Online Information Review, 41(1), 1-17.
  7. J. D'Arcy, A. Hovav & D. Galletta. (2009). User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach, Information Systems Research, 20(1), 79-98. https://doi.org/10.1287/isre.1070.0160
  8. T. Herath & H. R. Rao. (2009). Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness, Decision Support Systems, 47(2), 154-165. https://doi.org/10.1016/j.dss.2009.02.005
  9. B. Bulgurcu, H. Cavusoglu & I. Benbasat. (2010). Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness, MIS Quarterly, 34(3), 523-548. https://doi.org/10.2307/25750690
  10. M. Siponen, S. Pahnila & M. A. Mahmood. (2010). Compliance with information security policies: An empirical investigation. Computer, 43(2), 64-71. https://doi.org/10.1109/MC.2010.35
  11. Q. Hu, Z. Xu, T. Dinev & H. Ling. (2011). Does deterrence work in reducing information security policy abuse by employees?, Communications of the ACM, 54(6), 54-60. https://doi.org/10.1145/1953122.1953142
  12. Y. Chen, K. Ramamurthy & K. W. Wen. (2012). Organizations' information security policy compliance: Stick or carrot approach?, Journal of Management Information Systems, 29(3), 157-188. https://doi.org/10.2753/MIS0742-1222290305
  13. C. Park & M. Yim. (2012). An understanding of impact of security countermeasures on persistent policy compliance. Journal of Digital Convergence, 10(4), 23-35. https://doi.org/10.14400/JDPM.2012.10.4.023
  14. A. Vance, M. Siponen & S. Pahnila. (2012). Motivating IS security compliance: Insights from habit and protection motivation theory, Information & Management, 49(3), 190-198. https://doi.org/10.1016/j.im.2012.04.002
  15. I. Hwang & Y. Lee. (2016). The employee's information security policy compliance intention: Theory of planned behavior, goal setting theory, and deterrence theory applied, Journal of Digital Convergence, 14(7), 155-166. https://doi.org/10.14400/JDC.2016.14.7.155
  16. R. H. Moorman. (1991). Relationship between organizational justice and organizational citizenship behaviors: Do fairness perceptions influence employee citizenship?, Journal of Applied Psychology, 76(6), 845-855. https://doi.org/10.1037/0021-9010.76.6.845
  17. J. A. Colquitt. (2001). On the dimensionality of organizational justice: a construct validation of a measure. Journal of Applied Psychology, 86(3), 386-400. https://doi.org/10.1037/0021-9010.86.3.386
  18. M. T. Tsai & N. C. Cheng. (2012). Understanding knowledge sharing between IT professionals-an integration of social cognitive and social exchange theory. Behaviour & Information Technology, 31(11), 1069-1080. https://doi.org/10.1080/0144929X.2010.550320
  19. Y. Zhang, J. A. LePine, B. R. Buckman & F. Wei. (2014). It's not fair… or is it? The role of justice and leadership in explaining work stressor-job performance relationships. Academy of Management Journal, 57(3), 675-697. https://doi.org/10.5465/amj.2011.1110
  20. R. West. (2008). The psychology of security. Communications of the ACM, 51(4), 34-40. https://doi.org/10.1145/1330311.1330320
  21. M. S. Yim. (2012). A path way to increase the intention to comply with information security policy of employees. Journal of Digital Convergence, 10(10), 119-128. https://doi.org/10.14400/JDPM.2012.10.10.119
  22. A. Vance, M. Siponen & S. Pahnila. (2012). Motivating IS security compliance: Insights from habit and protection motivation theory, Information & Management, 49(3), 190-198. https://doi.org/10.1016/j.im.2012.04.002
  23. P. M. Muchinsky. (2006). Psychology applied to work: An introduction to industrial and organizational psychology. Cengage Learning.
  24. P. E. Spector. (2009). Industrial and organizational psychology. Research and. Practice.
  25. T. A. Judge & J. A. Colquitt. (2004). Organizational justice and stress: the mediating role of work-family conflict. Journal of Applied Psychology, 89(3), 395-404. https://doi.org/10.1037/0021-9010.89.3.395
  26. H. Li, R. Sarathy, J. Zhang & X. Luo. (2014). Exploring the effects of organizational justice, personal ethics and sanction on internet use policy compliance. Information Systems Journal, 24(6), 479-502. https://doi.org/10.1111/isj.12037
  27. Z. Ouyang, J. Sang, P. Li, P & J. Peng. (2015). Organizational justice and job insecurity as mediators of the effect of emotional intelligence on job satisfaction: A study from China. Personality and Individual Differences, 76, 147-152. https://doi.org/10.1016/j.paid.2014.12.004
  28. C. B. Meyer. (2001). Allocation processes in mergers and acquisitions: An organizational justice perspective. British Journal of Management, 12(1), 47-66. https://doi.org/10.1111/1467-8551.00185
  29. S. W. Hystad, K. J. Mearns & J. Eid. (2014). Moral disengagement as a mechanism between perceptions of organisational injustice and deviant work behaviours. Safety Science, 68, 138-145. https://doi.org/10.1016/j.ssci.2014.03.012
  30. J. Y. Son & J. Park. (2016). Procedural justice to enhance compliance with non-work-related computing (NWRC) rules: Its determinants and interaction with privacy concerns. International Journal of Information Management, 36(3), 309-321. https://doi.org/10.1016/j.ijinfomgt.2015.12.005
  31. H. Zhang & N. C. Agarwal. (2009). The mediating roles of organizational justice on the relationships between HR practices and workplace outcomes: an investigation in China. The International Journal of Human Resource Management, 20(3), 676-693. https://doi.org/10.1080/09585190802707482
  32. E. A. Locke & G. P. Latham. (2006). New directions in goal-setting theory. Current Directions in Psychological Science, 15(5), 265-268. https://doi.org/10.1111/j.1467-8721.2006.00449.x
  33. E. A. Locke & G. P. Latham (2002). Building a practically useful theory of goal setting and task motivation: A 35-year odyssey. American Psychologist, 57(9), 705-717. https://doi.org/10.1037/0003-066X.57.9.705
  34. B. E. Wright & B. S. Davis. (2003). Job satisfaction in the public sector: The role of the work environment. The American Review of Public Administration, 33(1), 70-90. https://doi.org/10.1177/0275074002250254
  35. B. E. Wright. (2004). The role of work context in work motivation: A public sector application of goal and social cognitive theories. Journal of Public Administration Research and Theory, 14(1), 59-78. https://doi.org/10.1093/jopart/muh004
  36. J. M. Diefendorff & G. A. Seaton, G. A. (2015). Work motivation. International encyclopedia of the social & behavioral sciences, 2nd edn. Elsevier, Oxford, pp.680-686.
  37. C. C. Pinder. (1998). Work motivation in organizational behavior, Upper Saddle River, NJ: Prentice Hall.
  38. E. A. Locke & G. P. Latham. (1990). Work motivation and satisfaction: Light at the end of the tunnel. Psychological Science, 1(4), 240-246. https://doi.org/10.1111/j.1467-9280.1990.tb00207.x
  39. A. B. Ruighaver, S. B. Maynard & S. Chang. (2007). Organisational security culture: Extending the end-user perspective. Computers & Security, 26(1), 56-62. https://doi.org/10.1016/j.cose.2006.10.008
  40. I. Koskosas. (2008). Goal setting and trust in a security management context. Information Security Journal: A Global Perspective, 17(3), 151-161. https://doi.org/10.1080/19393550802290337
  41. A. Li & A. B. Butler. (2004). The effects of participation in goal setting and goal rationales on goal commitment: An exploration of justice mediators. Journal of Business and Psychology, 19(1), 37-51. https://doi.org/10.1023/B:JOBU.0000040271.74443.22
  42. Y. Chen, K. Ramamurthy, & K. W. Wen. (2012). Organizations' information security policy compliance: Stick or carrot approach?. Journal of Management Information Systems, 29(3), 157-188. https://doi.org/10.2753/MIS0742-1222290305
  43. J. C. Nunnally. (1978). Psychometric theory (2nd ed.). New York: McGraw-Hill.
  44. B. H. Wixom & H. J. Watson. (2001). An empirical investigation of the factors affecting data warehousing success. MIS Quarterly, 25(1), 17-41. https://doi.org/10.2307/3250957
  45. C. Fornell & D. F. Larcker. (1981). Evaluating structural equation models with unobservable variables and measurement error. Journal of Marketing Research, 18(1), 39-50. https://doi.org/10.2307/3151312
  46. P. M. Podsakoff, S. B. MacKenzie, J. Y. Lee & N. P. Podsakoff. (2003). Common method biases in behavioral research: A critical review of the literature and recommended remedies. Journal of Applied Psychology, 88(5), 879-903. https://doi.org/10.1037/0021-9010.88.5.879
  47. L. J. Williams & S. E. Anderson. (1994). An alternative approach to method effects by using latent-variable models: Applications in organizational behavior research. Journal of Applied Psychology, 79(3), 323-331. https://doi.org/10.1037/0021-9010.79.3.323