A Study on Improving the Acceptability of Security Policies among Organizational Members: Based on the Health Belief Model

  • 김보영 (Major in Industrial Security Governance, Graduate School, Inha University) ;
  • 서우종 (Department of Business Administration, Inha University)
  • Received : 2024.09.02
  • Accepted : 2024.09.30
  • Published : 2024.10.30

Abstract

In order to improve the security policy compliance performance of an organization, it is crucial for organizational members to have a strong intention to actively accept these policies. Accordingly, this study proposes a research model based on the Health Belief Model, a key theory in the field of health psychology, with the aim of seeking ways to enhance the acceptability of security policies among organizational members. Data were collected through surveys and analyzed using statistical methods. The results of the study revealed that the perceived security threats and the perception of support for security policy compliance at the organizational level significantly influence the acceptance of security policies through the mediating role of perceived benefits from security policy compliance. Additionally, the study demonstrated that the perceived burden of effort and work disruption associated with complying with security policies, i.e., perceived barriers, has a significant negative impact on the acceptance of security policies. This study holds academic significance as it presents a model that effectively analyzes the cognitive mechanisms influencing the acceptance of security policies by applying the Health Belief Model, originally rooted in healthcare. The analysis results and various implications discussed in this study are expected to provide useful information and insights for developing strategies to enhance the acceptance of security policies among organizational members in the future.

Acknowledgement

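This research was supported in 2022 by the Ministry of Education of the Republic of Korea and the National Research Foundation of Korea (NRF-2022S1A5C2A03093690). This research was supported by Inha University.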
