http://dx.doi.org/10.21219/jitam.2015.22.2.171

A Study on the Information Security Measures Influencing Information Security Policy Compliance Intentions of IT Personnel of Banks  

Shim, Joonbo (Department of Management Information Systems, College of Business Administration, Dongguk University, Seoul Campus)
Hwang, K.T. (Department of Management Information Systems, College of Business Administration, Dongguk University, Seoul Campus)
Publication Information
Journal of Information Technology Applications and Management, Vol. 22, No. 2, 2015, pp. 171-199
Abstract
This study proposes practical information security measures that help IT personnel of banks comply with the information security policy. The research model is composed of independent variables (clarity and comprehensiveness of policy, penalty, dedicated security organization, audit, training and education program, and top management support), a dependent variable (information security policy compliance intention), and moderating variables (age and gender). The analysis results show that all of the information security measures except 'clarity of policy' and 'training and education program' affect 'information security policy compliance intention.' Among the moderating variables, age moderates the relationship between top management support and compliance intention, while gender shows no moderating effect at all. This study analyzes information security measures based solely on the perceptions of the respondents. Future studies may introduce more objective measurement methods, such as systematically analyzing the contents of the information security measures instead of asking for the respondents' perceptions. In addition, this study analyzes the intention of employees rather than their actual behavior. Future research may analyze the relationship between intention and actual behavior and the factors affecting that relationship.
Keywords
Information Security Policy; Information Security Measures; Compliance Intention
Citations & Related Records
Times Cited by KSCI: 7