Role of Management and Protection Motivation's influence on the Intention of Compliance with Information Security Policies: Based on the Theory of Planned Behavior

경영진 역할과 보호동기 요인이 정보보안정책 준수 의지에 미치는 영향: 계획행동이론을 기반으로

  • 신혁 (건국대학교 신산업융합학과) ;
  • 강민형 (아주대학교 e-비지니스학과) ;
  • 이철규 (건국대학교 신산업융합학과)
  • Received : 2018.02.13
  • Accepted : 2018.03.30
  • Published : 2018.03.31

Abstract

This study examines antecedents of the intention of compliance with information security policies based on Ajzen's Theory of Planned Behavior. The study conducted the following: Verification of casual relations between role of management and protection motivation and the antecedents of planned behavior as parameters to determine the effect on the intention of compliance with information security policy, and comparative analysis between the research model and a competition model. The result of the study disclosed that, in the research model, attitude and subjective norm took an intermediary role on management beliefs, response efficacy, response cost, self-efficacy, and compliance intention, and perceived behavior control on management beliefs, self-efficacy and compliance intention.

본 연구에서는 정보보안정책 준수 의지에 미치는 영향에 대하여 Ajzen(1991)이 제시한 계획행동이론을 토대이론으로 활용하여, 계획행동이론이 정보보안정책 분야에서 활용된 선행연구 사례를 분석하고, 경영진 역할 및 보호동기 요인이 계획행동 선행요인인 태도, 주관적 규범, 지각된 행동조절력을 매개변수로 정보보안정책 준수 의지에 미치는 영향에 대한 인과관계를 검증하고자 연구모형을 설계하여 가설을 검증하고, 경쟁모형을 활용하여 연구모형과 경쟁모형을 비교 검증을 실시하였다. 그 결과 연구모형에서 태도와 주관적 규범은 경영진 신뢰, 반응효용성, 반응비용 및 자기효용성과 준수 의지간의 매개역할을 하고, 지각된 행동조절력은 경영진 신뢰와 자기효용성과 준수 의지간의 매개역할을 하였다. 그리고 경영진 역할, 보호동기 요인과 준수 의지간의 관계를 설명하는 데 있어 매개변수를 활용한 연구모형이 경쟁모형보다 적합도 검증을 통해 우월한 것으로 확인할 수 있었다.

Keywords

References

  1. 송지준, "SPSS/AMOS 통계분석방법," 21세기사, 2017.
  2. 심준보, 황경태, "은행 IT인력의 정보보호정책 준수에 영향을 미치는 정보보호 대책에 관한 연구", 한국데이타비이스학회, 제22권, 제2호, pp. 171-199, 2015.
  3. 차동옥, "리더십 연구의 최근 동향: CEO 리더십을 중심으로," 인사관리연구, 제29집, 제4권, pp. 205-258. 2005.
  4. Ajzen, I. "The theory of planned behavior," Organizational Behavior and Human Decision Processes, Vol.50, pp. 179-211. 1991, https://doi.org/10.1016/0749-5978(91)90020-T
  5. Aurigemma, S., "A composite framework for behavioral compliance with information security policies," Journal of Organizational and End User Computing, Vol. 25, No. 3, pp. 32-51. 2013. https://doi.org/10.4018/joeuc.2013070103
  6. Boss, S., Kirsch, L., Angermeier, I., Shingler, R., and Boss, R., "If Someone Is Watching, I'll Do What I'm Asked : Mandatoriness, Control, and Information Security", European Journal of Information Systems, Vol. 18, No. 2, pp. 151-164. 2009, https://doi.org/10.1057/ejis.2009.8
  7. Bagozzi, R. P., and Yi, Y., "On the evaluation of structural equation models," Journal of the Academy of Marketing Science, Vol. 16, No. 1, pp. 74-94, 1988. https://doi.org/10.1007/BF02723327
  8. Bulgurcu, B., Cavusoglu, H., and Benbasat, I., "Information security policy compliance : An empirical study of rationality-based beliefs and information security awareness," MIS quarterly, Vol. 34, No. 3, 2010, pp. 523-548. 2010. https://doi.org/10.2307/25750690
  9. Floyd, D. A., Prentice-Dunn, S., and Rogers,R. W., "A meta analysis of research on protection motivation theory," Journal of Applied Social psychology, Vol.30, N0.2, pp. 407-429. 2000. https://doi.org/10.1111/j.1559-1816.2000.tb02323.x
  10. Fornell, C. and Larcker, D. F., "Structural equation models with unobservable Variables and measurement error : Algebra and statistics," Journal of Marketing Research, No. 18, No. 3, pp. 382-388, 1981. https://doi.org/10.1177/002224378101800313
  11. Hambrick, D. C, "Guest editor's introduction: Putting top managers back in the strategy picture," Strategic Management Journal, Vol. 10, special issue, pp. 5-15, 1989. https://doi.org/10.1002/smj.4250100703
  12. Hambrick, D. C., "Upper echelons theory: An update" Academy of management review, Vol. 32, No. 2, pp. 334-343, 2007. https://doi.org/10.5465/amr.2007.24345254
  13. Hambrick, D. C. & Mason, P. A., "Upper echelons: the organization as a reflection of its top managers," Academy of Management Review, Vol. 9, No. 2, pp. 193-206, 1984. https://doi.org/10.5465/amr.1984.4277628
  14. Herath, T., and Rao, H. R., "Encouraging information security hehaviors in organizations: Role of penalities, pressures and perceived effectiveness," Vol.40, pp. 154-165. 2009a. https://doi.org/10.1016/j.dss.2009.02.005
  15. Herath, T., and Rao, H. R., "Protection motivation and deterrence: A framework for security policy compliance in organizations," European Journal of Information Systems, Vol.18, pp. 106-125. 2009b. https://doi.org/10.1057/ejis.2009.6
  16. Hovav, A. and D'Arcy, J., "Applying an Extended Model of Deterrence Across Cultures: An Investigation of information Systems Misuse in the U.S. and South Korea", Information and Management, Vol. 49, No. 2, pp. 99-110. 2012, https://doi.org/10.1016/j.im.2011.12.005
  17. Hu, Q., Dinev, T., and Hart, P., and Cooke D., "Managing employee compliance with information security policies: The critical role of top management and organizational culture," Decision Sciences, Vol.43, No.4, pp. 615-639. 2012. https://doi.org/10.1111/j.1540-5915.2012.00361.x
  18. Ifinedo, P., "Understanding information sustems security policy compliance: An integration of the theory of planned theory and protection motivation theory," Computers and Security, Vol. 31, pp. 83-95. 2012. https://doi.org/10.1016/j.cose.2011.10.007
  19. Jarvenpaa, S. L., and Ives, B., "Executive involvement and participation in te management of information technology," MIS Quarterly, June, pp. 205-227. 1991.
  20. Katsikas, S. K., "Health care management and information systems secueiry: Awareness, training or education?' International Journal of Medical Informatics, Vol.60, No. 2, pp.129-135. 2000. https://doi.org/10.1016/S1386-5056(00)00112-X
  21. Knapp, K. J., Marshall, T. F., Rainet. Jr., K., and Morrow., D. W., "The top information security issues facing organizations: What can government do to help?" Information Security and Risk Management, Sep-Oct, pp. 51-58. 2006.
  22. Lee, J., and Lee Y., "A holistic model of computer abuse within organizations," Information Management & Computer Security, Vol.10, No.2, pp. 57-63. 2002. https://doi.org/10.1108/09685220210424104
  23. Liang, H., Saraf, H., Hu, Q., and Xue, Y., "Assimilation of enterprise systems: The effect of institutional pressures and the mediating role of top management," MIS Quarterly, Vol.31, No.1, pp. 59-87. 2007. https://doi.org/10.2307/25148781
  24. Nunnally, J. C., Psychometric Theory, New York, McGrao-Hill, 1978.
  25. Pahnila, S., Siponen, M., and Mahmood, A., "Employees' behavior towards IS security policy compliance," System Sciences, 2007 HICSS 2007 40th Annual Hawaii International Conference on, pp. 156b. 2007a.
  26. Pahnila, S., M Siponen, M., and Mahmood., A., "Which factors explain employees' adherence to information security policies? An empirical study," Pacific Asia Conference on Information Systems(PACIS), 2007b Proceedings, aisel.aisnet.org.
  27. Puhakainen, P., and Siponen, M., "Improving employees' colpliance through information systems security training: An action research study" MIS Quarterly, Vol. 34, No.4, pp. 757-778. 2010. https://doi.org/10.2307/25750704
  28. Purvis, R. L., Sambamurthy, V., and Zmud, R. W.,"The assimilation of knowledge platforms in organizations: An empirical investigation," Organization Science; Linthicum, Vol. 12, No. 2, pp. 117-135, 2001. https://doi.org/10.1287/orsc.12.2.117.10115
  29. Rogers, R. W., "A protection Motivation Theory of fear appeals and attitude change," The Journal of Psychology, Vol.91, pp93-114. 1975. https://doi.org/10.1080/00223980.1975.9915803
  30. Safa, N., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N. A., and Herawan, T., "Information security conscious care behavior formation in organizations," Computer & Security, Vol.53, pp. 65-78. 2015. https://doi.org/10.1016/j.cose.2015.05.012
  31. Sharma, R., and Yetton, P., "The contingent effects of management support and task interdependence on successful information systems implementation," MIS Quarterly, Vol.27, No.4, pp. 533-555. 2003 https://doi.org/10.2307/30036548
  32. Siponen, M., Mahmood, A., and Pahnila, S., "Employees' adherence to information security policies: An empirical field study," Information Management. Vol.51, pp. 217-224. 2007.
  33. Siponen, M., Pahnila, S., and Mahmood, A., "Employees' adherence to information security policies: An empirical study," IFIP International Federation for Information Processing. Vol.232, pp. 133-144. 2007.
  34. Siponen, M., and Vance, A., "Neutralization: New insights into the problem of employee systems security policy violation," MIS Quarterly, Vol.34, No.3, pp. 487-502. 2010. https://doi.org/10.2307/25750688
  35. Solms, B. V., and Solms, R. V., "The 10 deadely sins of information security management," Computer & Security, Vol.23, pp 371-376. 2004, https://doi.org/10.1016/j.cose.2004.05.002
  36. Sommestad, T., Hallberg, J.,Lundholm, K., and Bengtsson, J., "Variables influencing information security policy compliance." Information Management & Computer Security, Vol.22, No.1, pp. 44-75. 2014.
  37. Son, J. Y., "Out of fear or desire? Toward a better understanding of employees' motivation to follow IS security policies," Information & Management, Vol.48, pp. 296-302. 2011. https://doi.org/10.1016/j.im.2011.07.002
  38. Taylor, S., and Todd, P., "Decomposition and crossover effects in the theory of planned behavior: A study of consumer adoption intentions," Intern. J. of Research in marketing, Vol.12, pp. 137-155. 1995. https://doi.org/10.1016/0167-8116(94)00019-K
  39. Taylor, S., and Todd, P., "Understanding information technology usage: A test of competing models," Information Systems Research, Vol.6, No.2, pp. 144-176. 1995. https://doi.org/10.1287/isre.6.2.144
  40. Vance, A., Siponen, M., and Pahnila, S., "Motivating IS security compliance: Insights from habit and protection motivation theory." Vol.49, pp. 190-198. 2012. https://doi.org/10.1016/j.im.2012.04.002
  41. Vance, A., "Neutralization: New Insights into the Problem of Employee Systems Security Policy Violations," Management Information Systems Quarterly, Vol. 34, Np. 3, pp. 487-502, 2010. https://doi.org/10.2307/25750688