The Influence of Sanctions and Protection Motivation on the Intention of Compliance with Information Security Policies: Based on Parameter of Subjective Norm

A Study on Sanctions, Protection Motivation, and the Intention to Comply with Information Security Policies: Mediated by Subjective Norm

  • Shin, Hyuk (Industrial Technology Security Office, Korean Association for Industrial Technology Security)
  • Received : 2019.03.10
  • Accepted : 2019.06.30
  • Published : 2019.06.30

Abstract

This study uses the Theory of Reasoned Action of Fishbein & Ajzen (1975) as its underlying theory and adopts sanctions, from General Deterrence Theory, and selected protection motivation factors, from Protection Motivation Theory, as antecedents, reviewing their theoretical basis and the cases in which they have been applied in the field of information security. Subjective norm, a variable of the Theory of Reasoned Action, is adopted as the mediating variable in order to analyze the causal relationships between sanctions, perceived vulnerability, response cost, and self-efficacy and the intention to comply with information security policies. Hypothesis testing showed that all of the antecedents except sanctions (that is, perceived vulnerability, response cost, and self-efficacy) had a significant causal relationship with the intention, and that subjective norm had a mediating effect between the antecedents and the intention.

References

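  1. Ki, Kwang-Do, "An Analysis of the Deterrent Effect of Punishment on Law Violations: Focusing on the Cognitive Aspect", Korean Association of Criminal Policy, Criminal Policy, Vol. 16, No. 2, pp. 9-35, 2004.
  2. Park, Chan-Wook and Lee, Sang-Wook, "A Study on Personal Information Protection Behavior on the Internet: Focusing on Protection Motivation Theory", Korean Society for Internet Information, Vol. 15, No. 2, pp. 171-199, 2015.
  3. Song, Ji-Jun, "SPSS/AMOS Statistical Analysis Methods," 21st Century Publishing (21세기사), 2017.
  4. Shin, Hyuk, Kang, Min-Hyung, and Lee, Cheol-Gyu, "The Influence of Management's Role and Protection Motivation Factors on Information Security Policy Compliance: Based on the Theory of Planned Behavior", Convergence Security Journal, Vol. 18, No. 1, pp. 69-84, 2018.
  5. Shim, Jun-Bo and Hwang, Kyung-Tae, "A Study on Information Security Countermeasures Affecting Information Security Policy Compliance of Bank IT Personnel", Korea Database Society, Vol. 22, No. 2.
  6. Lee, Jeong-Ha and Lee, Sang-Yong, "A Study on Factors Influencing Violations of Financial Companies' Security Policies: The Moderating Effect of Perceived Customer Information Sensitivity", Korea Database Society, 22(4), pp. 225-251, 2015.
  7. Lee, Chang-Hun and Ha, Ok-Hyun, "A Convergence Security Management System for Preventing Leakage of Confidential Information", Convergence Security Journal, Vol. 10, No. 4, pp. 61-67, 2010.
  8. Jung, Jae-Won, Lee, Jung-Hoon, and Kim, Chae-Ri, "A Study on the Effect of Corporate Information Security Activities on Employees' Intention to Comply with Information Security", Convergence Security Journal, Vol. 16, No. 7, pp. 51-59, 2016.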
  9. Ajzen, I. "The theory of planned behavior," Organizational Behavior and Human Decision Processes, Vol.50, pp. 179-211. 1991. https://doi.org/10.1016/0749-5978(91)90020-T
  10. Ajzen, I., and Fishbein, M., "Attitude-Behavior Relations: A theoretical analysis and review of empirical research", Psychological Bulletin, 84(5), pp. 888-918, 1977. https://doi.org/10.1037/0033-2909.84.5.888
  11. Aurigemma, S., "A composite framework for behavioral compliance with information security policies," Journal of Organizational and End User Computing, Vol. 25, No. 3, pp. 32-51. 2013. https://doi.org/10.4018/joeuc.2013070103
  12. Aurigemma, S., and Panko, R., "A composite framework for behavioral compliance with information security policies", 2012 45th Hawaii International Conference on System Science, pp. 3248-3257, 2012.
  13. Bankston, W. B., and Cramer, A., "Toward a Macro-Sociological Interpretation of General Deterrence", Criminology, 12, pp. 251-280, 1974. https://doi.org/10.1111/j.1745-9125.1974.tb00635.x
  14. Boss, S., Kirsch, L., Angermeier, I., Shingler, R., and Boss, R., "If Someone Is Watching, I'll Do What I'm Asked : Mandatoriness, Control, and Information Security", European Journal of Information Systems, Vol. 18, No. 2, pp. 151-164. 2009, https://doi.org/10.1057/ejis.2009.8
  15. Bulgurcu, B., Cavusoglu, H., and Benbasat, I., "Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness," MIS Quarterly, Vol. 34, No. 3, pp. 523-548, 2010. https://doi.org/10.2307/25750690
  16. Compeau, D. R. and Higgins, C. A., "Computer Self-Efficacy: Development of a Measure and Initial Test", MIS Quarterly, Vol. 19, No. 2 (1995, Jun.), pp. 189-211. https://doi.org/10.2307/249688
  17. D'Arcy, J. and Herath, T., "A review and analysis of deterrence theory in the IS security literature : Making sense of the disparate findings", European Journal of Information Systems, 20(6), pp.643-658, 2011. https://doi.org/10.1057/ejis.2011.23
  18. Fishbein, M. and Ajzen, I., "Belief, attitude, intention and behavior: An introduction to theory and research", Reading, MA: Addison-Wesley, 1975.
  19. Gochman (Ed.), Handbook of health behavior research I: Personal and social determinants, New York, NY: Plenum Press, pp. 113-132, 1997.
  20. Herath, T., and Rao, H. R., "Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness," Vol. 40, pp. 154-165. 2009a. https://doi.org/10.1016/j.dss.2009.02.005
  21. Herath, T., and Rao, H. R., "Protection motivation and deterrence: A framework for security policy compliance in organizations," European Journal of Information Systems, Vol.18, pp. 106-125. 2009b. https://doi.org/10.1057/ejis.2009.6
  22. Ifinedo, P., "Information systems security policy compliance: An empirical study of the effects of socialization, influence, and cognition," Information & Management, Vol. 51, No. 1, pp.69-79, 2014. https://doi.org/10.1016/j.im.2013.10.001
  23. Ifinedo, P., "Understanding information systems security policy compliance: An integration of the theory of planned behavior and protection motivation theory," Computers and Security, Vol. 31, pp. 83-95. 2012. https://doi.org/10.1016/j.cose.2011.10.007
  24. Kankanhalli, A., Teo, H. H., Tan, B. C., and Wei, K. K., "An integrative study of information systems security effectiveness", International Journal of Information Management, 23(2), pp.139-154, 2003. https://doi.org/10.1016/S0268-4012(02)00105-6
  25. Katsikas, S. K., "Health care management and information systems security: Awareness, training or education?" International Journal of Medical Informatics, Vol. 60, No. 2, pp. 129-135. 2000. https://doi.org/10.1016/S1386-5056(00)00112-X
  26. Lee, J., and Lee Y., "A holistic model of computer abuse within organizations," Information Management & Computer Security, Vol.10, No.2, pp. 57-63. 2002. https://doi.org/10.1108/09685220210424104
  27. Nunnally, J. C., Psychometric Theory, New York, McGraw-Hill, 1978.
  28. Pahnila, S., Siponen, M., and Mahmood, A., "Employees' behavior towards IS security policy compliance," System Sciences, 2007 HICSS 2007 40th Annual Hawaii International Conference on, pp. 156b. 2007a.
  29. Pahnila, S., Siponen, M., and Mahmood, A., "Which factors explain employees' adherence to information security policies? An empirical study," Pacific Asia Conference on Information Systems (PACIS), 2007b Proceedings, aisel.aisnet.org.
  30. Rogers, R. W., "A protection Motivation Theory of fear appeals and attitude change," The Journal of Psychology, Vol.91, pp. 93-114. 1975. https://doi.org/10.1080/00223980.1975.9915803
  31. Rogers, R. W., & Prentice-Dunn, S. "Protection motivation theory. In D. S., 1997.
  32. Siponen, M., Mahmood, A., and Pahnila, S., "Employees' adherence to information security policies: An empirical field study," Information Management. Vol.51, pp. 217-224. 2014. https://doi.org/10.1016/j.im.2013.08.006
  33. Siponen, M., Pahnila, S., and Mahmood, A., "Employees' adherence to information security policies: An empirical study," IFIP International Federation for Information Processing. Vol.232, pp. 133-144. 2007. https://doi.org/10.1007/978-0-387-72367-9_12
  34. Siponen, M., and Vance, A., "Neutralization: New insights into the problem of employee systems security policy violation," MIS Quarterly, Vol.34, No.3, pp. 487-502. 2010. https://doi.org/10.2307/25750688
  35. Sommestad, T., Hallberg, J., Lundholm, K., and Bengtsson, J., "Variables influencing information security policy compliance," Information Management & Computer Security, Vol. 22, No. 1, pp. 44-75. 2014.
  36. Son, J. Y., "Out of fear or desire? Toward a better understanding of employees' motivation to follow IS security policies," Information & Management, Vol.48, pp. 296-302. 2011. https://doi.org/10.1016/j.im.2011.07.002
  37. Straub, D. W., "Effective IS security: An empirical study", Information Systems Research, 1(3). pp.255-276, 1990. https://doi.org/10.1287/isre.1.3.255
  38. Vance, A., "Neutralization: New Insights into the Problem of Employee Systems Security Policy Violations," Management Information Systems Quarterly, Vol. 34, No. 3, pp. 487-502, 2010. https://doi.org/10.2307/25750688
  39. Vance, A., Siponen, M., and Pahnila, S., "Motivating IS security compliance: Insights from habit and protection motivation theory." Vol.49, pp. 190-198. 2012. https://doi.org/10.1016/j.im.2012.04.002
  40. Whitman, M. E., "In defense of the realm : Understanding the threats to information security", International Journal of Information Management, 24(1), pp.43-57, 2004. https://doi.org/10.1016/j.ijinfomgt.2003.12.003
  41. Zhang, J., Reithel, P. J., and Li, H., "Impact of perceived technical protection on security behavior", International Management & Computer Security, 17(4), pp. 330-340, 2009. https://doi.org/10.1108/09685220910993980