A study on the information security compliance and non-compliance causes of organization employees

  • Hwang, In-Ho (Department of General Education, Kookmin University)
  • Hu, Sung-Ho (Department of Psychology, Chung-Ang University)
  • Received: 2020.07.16
  • Accepted: 2020.09.20
  • Published: 2020.09.28

Abstract

The purpose of this study is to identify the positive and negative environmental factors that affect employees' intention to comply with information security requirements, and to examine how those factors relate to an individual's compliance intention. The subjects of the study are employees of organizations that apply information security policies and technologies; a valid sample was obtained through a survey. The research model was tested with structural equation modeling. The measured variables were security policy, security system, technical support, work impediment, security non-visibility, organizational commitment and compliance intention. The results confirmed that the compliance factors (policy, system and technical support) and the non-compliance factor work impediment each influenced organizational commitment, which in turn led to compliance intention. Based on the verification of the research model, the study suggests directions for establishing an employee security compliance strategy that raises an organization's level of information security compliance.
