The Effects of Information Security Perceptions of Collaborative System Managers on Intention to Use SBOM (Software Bill of Materials): Focusing on the Theory of Planned Behavior

  • Received : 2023.07.25
  • Accepted : 2023.09.01
  • Published : 2023.09.30

Abstract

Advances in technology have made it easier for organizations to share information and collaborate. However, collaboration systems in which multiple entities share and access information are inevitably vulnerable from a security standpoint. The Software Bill of Materials (SBOM) has emerged as a way to strengthen information security by identifying the components of a software program and managing them transparently. To promote the adoption of SBOM in Korea, this study investigated the adoption intention of collaboration system managers. The study was based on the theory of planned behavior and the integrated technology acceptance theory. The results confirmed that performance expectations from SBOM adoption were an important variable for intention to use, and that positive attitudes toward security also had an indirect effect, mediated by performance expectations. Because SBOM adoption is targeted at enterprises, it has an important causal relationship with performance, and positive attitudes toward security and the social climate can have a strong effect on intention to use.
