http://dx.doi.org/10.15207/JKCS.2020.11.9.229

A study on the information security compliance and non-compliance causes of organization employees  

Hwang, In-Ho (Department of General Education, Kookmin University)
Hu, Sung-Ho (Department of Psychology, Chung-Ang University)
Publication Information
Journal of the Korea Convergence Society / v.11, no.9, 2020, pp. 229-242
Abstract
The purpose of this study is to present the positive and negative environmental factors that affect information security compliance intention and to reveal their relationship to the individual's security compliance intention. The subjects of this study are employees of organizations that apply information security policies and technologies, and valid samples were obtained through surveys. The study model was verified through structural equation modeling. The measurement variables used for analysis were security policy, security system, technical support, work impediment, security non-visibility, compliance intention, and organizational commitment. The results confirmed that the security compliance factors (policy, system, and technical support) and the non-compliance factor of work impediment each had an impact on organizational commitment, which in turn led to compliance intention. The verification results of the research model suggest a direction for establishing a security compliance strategy for employees to improve the organization's level of information security compliance.
Keywords
Compliance Intention; Organizational Commitment; Security Policy; Security System; Technical Support; Work Impediment; Security Non-visibility