
Impacts of Punishment and Ethics Training on Information Security Compliance: Focus on the Moderating Role of Organizational Type  

Ahn, Joong-Ho (Graduate School of Business, Seoul National University)
Park, Jun-Hyung (Republic of Korea Army, The 3rd Army Academy)
Sung, Ki-Moon (Republic of Korea Air Force, Korea Air Force Headquarters)
Lee, Jae-Hong (College of Business Administration, Seoul National University)
Publication Information
Information Systems Review / v.12, no.1, 2010, pp. 23-42
Abstract
Although information technologies bring organizations various benefits, organizations have sometimes suffered fatal damage from information security incidents such as computer viruses, hacking, counterfeiting, and plagiarism. The fundamental causes of information security incidents are closely related to individuals who do not comply with information security policies or rules. Individuals' spontaneous self-control, together with monitoring of individuals, could be the most essential solution for ongoing observance of information security policy. Thus, the purpose of this study is to analyze the effects of punishment and ethics training on individuals' compliance with information security policy in organizations, to determine how individuals' security propensity differs by organization type, and to find a more fundamental solution that leads to changes in organizational members' behavior and self-control. The results suggest that, regardless of organization type, punishment and ethics training have positive effects on compliance with information security rules or regulations. Members of unitary form organizations have a higher cognition of punishment than members of multi-divisional form organizations, but relatively lower awareness of ethics training. Likewise, members of public organizations have higher awareness of ethics training than members of private organizations, but lower cognition of punishment. Finally, the results show that punishment and ethics training may be major factors affecting information security. They also suggest that organizational security managers have to understand and consider organization members' propensities, which depend on organization form and organization characteristics, when establishing and enforcing information security policy.
Keywords
Information Security; Deterrence Theory; Information Security Policy; Information Security Compliance; Organizational Type;