Journal of Korea Society of Industrial Information Systems (한국산업정보학회논문지)

Korea Society of Industrial Information Systems (한국산업정보학회)
권호 표지
DOI QR코드

DOI QR Code

The Influence of Security Motivation and Organization Trust on Information Security Compliance: Focusing on Moderation Effects of Work Promotion Focus

정보보안 동기, 조직 신뢰가 정보보안 준수에 미치는 영향: 업무향상초점의 조절효과 분석

  • Received : 2021.02.15
  • Accepted : 2021.05.24
  • Published : 2021.06.30
Download PDF
⟨ Previous Next ⟩

Abstract

Investment of organization in information security is increasing, but information security threats within the organization are not decreasing. The purpose of this study is to suggest a direction to increase the information security compliance intention of employees. In detail, the study presents the positive effects of security motivation and organization trust on the information security compliance intention, and presents the moderating effect of work promotion focus. Research model and hypothesis verification are confirmed through structural equation modeling and the study conducted a questionnaire technique to the employees of the organization applying the information security policy for quantitative verification. As a result, information security punishment and value congruence had a positive affect on the compliance intention by mediating organization trust. In addition, work promotion focus had a moderating effect on the positive relationship between the precedent factors on the compliance intention. The research has academic and practical implications from the viewpoint of presenting the factors of the organization's efforts to improve the level of information security compliance by insiders.

정보보안에 대한 투자가 지속적으로 증가하고 있지만, 조직 내부의 보안 위협은 감소하지 않고 있다. 연구 목적은 조직원의 정보보안 준수의도를 높이기 위한 방향을 제시하는 것이다. 세부적으로, 연구는 정보보안 동기와 조직 신뢰가 정보보안 준수의도에 미치는 긍정적인 영향을 제시하고, 업무 향상초점의 조절효과를 확인한다. 연구 모델 및 가설 검증은 구조방정식 모델링을 통해 실시하며, 정량적 검증을 위하여 정보보안 정책을 도입한 조직의 조직원들에게 설문을 실시하였다. 가설 검증 결과, 정보보안 처벌, 가치 일치가 조직 신뢰를 통해 정보보안 준수의도에 긍정적 영향을 미치며, 업무 향상 초점이 처벌, 가치 일치, 조직 신뢰와 준수의도간의 영향 관계에 조절 효과가 있음을 확인하였다. 연구는 내부자의 정보보안 준수 수준 향상을 위한 조직의 노력 요인을 세부적으로 제시하였다는 측면에서 학술적, 실무적 시사점을 가진다.

Keywords

Acknowledgement

이 논문은 2018년 대한민국 교육부와 한국연구재단의 지원을 받아 수행된 연구임(NRF-2018R1D1A1B07050305)

References

  1. Agarwal, V. (2013). Investigating the Convergent Validity of Organizational Trust. Journal of Communication Management, 17(1), 24-39. DOI : 10.1108/13632541311300133.
  2. Boss, S., Galletta, D., Lowry, P. B., Moody, G. D. and Polak, P. (2015). What Do Systems Users have to Fear? Using Fear Appeals to Engender Threats and Fear that Motivate Protective Security Behaviors, MIS Quarterly, 39(4), 837-864. https://doi.org/10.25300/MISQ/2015/39.4.5
  3. Bulgurcu, B., Cavusoglu, H. and Benbasat, I. (2010). Information Security Policy Compliance: An Empirical Study of Rationality-based Beliefs and Information Security Awareness, MIS Quarterly, 34(3), 523-548. https://doi.org/10.2307/25750690
  4. Burns, A. J. (2021). Protecting Organizational Information Assets: Exploring the Influence of Regulatory Focus on Rational Choices, In Proceedings of the 54th Hawaii International Conference on System Sciences (p. 5228).
  5. Cazier, J. A., Shao, B. B. and Louis, R. D. S. (2007). Sharing Information and Building Trust through Value Congruence, Information Systems Frontiers, 9(5), 515-529. DOI : 10.1007/s10796-007-9051-6.
  6. Chang, K. C., Hsu, Y. T., Hsu, C. L. and Sung, Y. K. (2019). Effect of Tangibilization Cues on Consumer Purchase Intention in the Social Media Context: Regulatory Focus Perspective and the Moderating Role of Perceived Trust, Telematics and Informatics, 44, Advance online publication. DOI : 10.1016/j.tele.2019.101265
  7. Chatman, J. A. (1989). Improving Interactional Organizational Research: A Model of Person-Organization Fit, Academy of management Review, 14(3), 333-349. DOI : 10.5465/amr.1989.4279063.
  8. Chen, Y., Ramamurthy, K. and Wen, K. W. (2012). Organizations' Information Security Policy Compliance: Stick or Carrot Approach? Journal of Management Information Systems, 29(3), 157-188. DOI : 10.2753/MIS0742-1222290305.
  9. D'Arcy, J., Hovav, A. and Galletta, D. (2009). User Awareness of Security Countermeasures and its Impact on Information Systems Misuse: A Deterrence Approach, Information Systems Research, 20(1), 79-98. DOI : 10.1287/isre.1070.0160.
  10. Fornell, C. and Larcker, D. F. (1981). Evaluating Structural Equation Models with Unobservable Variables and Measurement Error, Journal of Marketing Research, 18(1), 39-50. DOI: 10.2307/3151312.
  11. Gillespie, N. and Dietz, G. (2009). Trust Repair After an Organization-Level Failure, Academy of Management Review, 34(1), 127-145. DOI : 10.5465/amr.2009.35713319.
  12. Gino, F. and Margolis, J. D. (2011). Bringing Ethics into Focus: How Regulatory Focus and Risk Preferences Influence (un) Ethical Behavior, Organizational Behavior and Human Decision Processes, 115(2), 145-156. DOI : 10.1016/j.obhdp.2011.01.006.
  13. Grandviewresearch. (2019). Cyber Security Market Size, Share & Trends Analysis Report by Component, by Security Type, by Solution, by Service, by Deployment, by Organization, by Application, and Segment Forecasts, 2019 - 2025. https://www.globenewswire.com.
  14. Guo, K. H. and Yuan, Y. (2012). The Effects of Multilevel Sanctions on Information Security Violations: A Mediating Model, Information & Management, 49(6), 320-326. DOI : 10.1016/j.im.2012.08.001.
  15. Guo, K. H., Yuan, Y., Archer, N. P. and Connelly, C. E. (2011). Understanding Nonmalicious Security Violations in the Workplace: A Composite Behavior Model, Journal of Management Information Systems, 28(2), 203-236. DOI : 10.2753/MIS0742-1222280208.
  16. Herath, T. and Rao, H. R. (2009). Encouraging Information Security Behaviors in Organizations: Role of Penalties, Pressures and Perceived Effectiveness, Decision Support Systems, 47(2), 154-165. DOI : 10.1016/j.dss.2009.02.005.
  17. Higgins, E. T. (1997). Beyond Pleasure and Pain, American Psychologist, 52(12), 1280-1300. DOI : 10.1037/0003-066X.52.12.1280.
  18. Hoyle, R. H. and Kenny, D. A., (1999). Sample Size, Reliability, and Tests of Statistical Mediation, Statistical Strategies for Small Sample Research, 1, 195-222.
  19. Hwang, I. (2020). A Study on the Mitigation of Information Security Avoid Behavior: From Goal Setting, Justice, Trust perspective, Journal of Digital Convergence, 18(12), 217-229. DOI : 10.14400/JDC.2020.18.12.217.
  20. Hwang, I., and Cha, O., (2018). Examining Technostress Creators and Role Stress as Potential Threats to Employees' Information Security Compliance, Computers in Human Behavior, 81, 282-293. DOI : 10.1016/j.chb.2017.12.022.
  21. Hwang, I., Kim, D., Kim, T. and Kim, S. (2017). Why Not Comply with Information Security? An Empirical Approach for the Causes of Non-compliance, Online Information Review, 41(1), 2-18. DOI : 10.1108/OIR-11-2015-0358.
  22. Keller, P. A. (2006). Regulatory Focus and Efficacy of Health Messages, Journal of Consumer Research, 33(1), 109-114. DOI : 10.1086/504141.
  23. Kim, J., Kim, K. and Park, H. (2018). The Impact of Family-Friendly Corporate Culture on Employees' Behavior, Journal of the Korea Industrial Information Systems Research. 23(2), 75-92. DOI : 10.9723/jksiis.2018.23.2.075.
  24. Kristof-Brown, A. L., Zimmerman, R. D. and Johnson, E. C. (2005). Consequences of Individuals' Fit at Work: A Meta-Analysis of Person-Job, Person-Organization, Person-Group, and Person-Superior Fit, Personnel psychology, 58(2), 281-342. DOI : 10.1111/j.1744-6570.2005.00672.x.
  25. Lau, D. C., Liu, J. and Fu, P. P. (2007). Feeling Trusted by Business Leaders in China: Antecedents and the Mediating Role of Value Congruence, Asia Pacific Journal of Management, 24(3), 321-340. DOI 10.1007/s10490-006-9026-z.
  26. Liang, H., Xue, Y. and Wu, L. (2013). Ensuring Employees' it Compliance: Carrot or Stick?, Information Systems Research, 24(2), 279-294. DOI : 10.1287/isre.1120.0427.
  27. Little, T. D., Bovaird, J. A. and Widaman, K. F. (2006). On the Merits of Orthogonalizing Powered and Product Terms: Implications for Modeling Interactions among Latent Variables, Structural Equation Modeling, 13(4), 497-519. DOI: 10.1207/s15328007sem1304_1.
  28. Lowry, P. B., Posey, C., Bennett, R. B. J. and Roberts, T. L. (2015). Leveraging Fairness and Reactance Theories to Deter Reactive Computer Abuse Following Enhanced Organisational Information Security Policies: An Empirical Study of the Influence of Counterfactual Reasoning and Organisational Trust, Information Systems Journal, 25(3), 193-273. DOI : 10.1111/isj.12063.
  29. Mayer, R. C., Davis, J. H. and Schoorman, F. D. (1995). An Integrative Model of Organizational Trust, Academy of Management Review, 20(3), 709-734. DOI : 10.5465/amr.1995.9508080335
  30. Mulder, L. B., Verboon, P. and De Cremer, D. (2009). Sanctions and Moral Judgments: The Moderating Effect of Sanction Severity and Trust in Authorities, European Journal of Social Psychology, 39(2), 255-269. DOI : 10.1002/ejsp.506.
  31. Nachmias, D. (1985). Determinants of Trust within the Federal Bureaucracy. In Rosenbloom, D. H. (Eds), Public Personnel Policy: The Politics of Civil Service, New York: Associated Faculty Press, Port Washington, 133-143.
  32. Neubert, M. J., Kacmar, K. M., Carlson, D. S., Chonko, L. B. and Roberts, J. A. (2008). Regulatory Focus as a Mediator of the Influence of Initiating Structure and Servant Leadership on Employee Behavior, Journal of Applied Psychology, 93(6), 1220-1233. DOI : 10.1037/a0012695.
  33. Nunnally, J. C. (1978). Psychometric Theory (2nd ed.), New York: McGraw-Hill.
  34. Park, K. (2019). A Study on the Influence of the Perception of Personal Information Security of Youth on Security Attitude and Security Behavior, Journal of the Korea Industrial Information Systems Research, 24(4), 79-98. DOI : 10.9723/jksiis.2019.24.4.079.
  35. Pinder, C. C. (1998), Work Motivation in Organizational Behavior, Upper Saddle River, NJ: Prentice Hall.
  36. Podsakoff, P. M., MacKenzie, S. B., Lee, J. Y. and Podsakoff, N. P. (2003). Common Method Biases in Behavioral Research: A Critical Review of the Literature and Recommended Remedies, Journal of Applied Psychology, 88(5), 879-903. DOI : 10.1037/0021-9010.88.5.879.
  37. Safa, N. S. and von Solms, R. (2016). An Information Security Knowledge Sharing Model in Organizations, Computers in Human Behavior, 57, 442-451. DOI : 10.1016/j.chb.2015.12.037.
  38. Son, J. Y. (2011). Out of Fear or Desire? Toward a better Understanding of Employees' Motivation to Follow IS Security Policies, Information & Management, 48(7), 296-302. DOI : 10.1016/j.im.2011.07.002.
  39. van der Werff, L., Legood, A., Buckley, F., Weibel, A. and de Cremer, D. (2019). Trust Motivation: The Self-Regulatory Processes Underlying Trust Decisions, Organizational Psychology Review, 9(2-3), 99-123. DOI : 10.1177/2041386619873616.
  40. Vance, A., Siponen, M. and Pahnila, S. (2012). Motivating IS Security compliance: Insights from Habit and Protection Motivation Theory, Information & Management, 49(3-4), 190-198. DOI : 10.1016/j.im.2012.04.002.
  41. Verizon. (2020). Data Breach Investigations Report. https://enterprise.verizon.com/resources/reports/dbir.
  42. West, R. (2008). The Psychology of Security, Communications of the ACM, 51(4), 34-40. DOI : 10.1145/1330311.1330320.
  43. Wixom, B. H. and Watson, H. J. (2001). An Empirical Investigation of the Factors Affecting Data Warehousing Success, MIS Quarterly, 25(1), 17-41. DOI : 10.2307/3250957.