http://dx.doi.org/10.5859/KAIS.2019.28.4.105

Information Security of Organization and Employees in Social Exchange Perspective: Using Structure-Conduct-Outcome Framework

Hwang, In-Ho (Korea Polytechnic University)
Kim, Sanghyun (School of Business Administration, Kyungpook National University)
Publication Information
The Journal of Information Systems / v.28, no.4, 2019, pp. 105-129
Abstract
Purpose: Issues related to information security have been a crucial topic of interest to researchers and practitioners in the IT/IS field. This study develops a research model based on a Structure-Conduct-Outcome (SCO) framework for the social exchange relationship between employees and organizations regarding information security.

Design/methodology/approach: In applying an SCO framework to information security, structure and conduct are activities imposed on employees within an organizational context; outcomes are the activities employees perform to protect information security. Data were collected from 438 employees working in manufacturing and service firms in South Korea that currently implement an information security policy. Structural equation modeling (SEM) with AMOS 22.0 is used to validate the measurement model and test the proposed causal relationships in the research model.

Findings: The results support the relationships between the predicting variables in organization structure (security policy and physical security system) and the outcome variables in organization conduct (top management support, security education program, and security visibility). The results also confirm that the three variables in organization conduct had a positive effect on individual outcome (security knowledge and compliance intention).
Keywords
Information Security; Social Exchange Theory; SCO Framework; Compliance Intention; Security Knowledge