Exploring Effects of Appropriation on the Compliance Intention to Information Security Policy

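An Exploratory Study on the Effects of the Appropriation Process of Information Security Policy on Information Security Compliance Intention: Focusing on Call Center and Hospital Employees

  • 오진욱 (Department of Hacking and Security, Hanyang Cyber University) ;
  • 백승익 (School of Business, Hanyang University)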
  • Received : 2020.03.03
  • Accepted : 2020.08.31
  • Published : 2020.10.31

Abstract

This study explores the process by which employees adopt the information security policy. The results of this study, which surveyed 234 employees in three call centers and four hospitals, show that employees adapt the information security policy through the social structuring process suggested by the AST model. In particular, this study identifies the roles of two appropriation activities (FOA: Faithfulness of Appropriation and COA: Consensus on Appropriation) observed in the social structuring process. Regarding the interactions between the two appropriation activities, FOA, which indicates a better understanding of the information security policy, is found to be a more critical factor than COA, which indicates the degree of agreement among employees about how to use it. FOA not only has a direct effect on compliance intention toward the information security policy, but also an indirect effect through COA, whereas COA has only an indirect effect through FOA. This result shows that, for a company to implement a new information security policy successfully, it is important for employees to understand its purpose and intention. The adaptation of the information security policy through the two appropriation activities is observed in both hospitals and call centers, but because of the different working environments, there were differences in the antecedent variables affecting the appropriation activities. The results of this study are expected to provide guidelines for companies that want to successfully adopt an information security policy.
