Browse > Article
http://dx.doi.org/10.9716/KITS.2020.19.5.015

Exploring Effects of Appropriation on the Compliance Intention to Information Security Policy  

Oh, Jinwouk (한양사이버대학교 해킹보안학과)
Baek, Seung Ik (한양대학교 경영대학)
Publication Information
Journal of Information Technology Services / v.19, no.5, 2020 , pp. 15-31 More about this Journal
Abstract
This study explores the process in which employees adopt the information security policy. The results of this study, which surveyed 234 employees in three call centers and four hospitals, show that the employees adapt the information security policy through the social structuring process suggested by the AST model. In particular, this study identifies roles of two appropriation activities (FOA : Faithfulness of Appropriation & COA : Consensus on Appropriation) observed in the social structuring process. Regarding to the interactions between the two appropriation activities, FOA, which indicates a better understanding of the information security policy, is examined as a more critical factor than COA, which indicates the degree of agreement among employees about how to use it. FOA not only has a direct effect on compliance intention toward the information security policy, but also indirectly through COA, whereas COA has only a indirect effect through FOA. This result shows that, in order for a company to successfully implement a new information security policy, it is important for employees to understand its purpose and intention. The adaption of information security policy through two appropriation activities is observed in both hospitals and call centers, but due to the different working environments, there were differences in the preceding variables affecting the appropriation activities. The results of this study are expected to provide guidelines for companies who want to successfully adopt information security policy.
Keywords
Information Security Policy; Adaptive Structuration Theory; Appropriation; Concern for Information Privacy; Security Knowledge; Job Characteristics;
Citations & Related Records
Times Cited By KSCI : 5  (Citation Analysis)
연도 인용수 순위
1 곽기영, "R을 이용한 구조방정식모델링 : 매개효과 분석/조절효과분석 및 다중집단분석", 지식경영연구, 제20권, 제2호, 2019, 1-24.   DOI
2 강현선, "정보보안을 위한 정보보호 관리체계 및 인증체계 분석", 보안공학연구논문지, 제11권, 제6호, 2014, 455-468.
3 박민정, 유지은, 채상미, "ISMS-P와 GDPR의 개인정보보호 부문 연계 분석", 한국IT서비스학회지, 제18권, 제2호, 2019, 55-73.   DOI
4 이준기, 신호경, 최희재, "시스템의 도입과 전유 과정에 영향을 미치는 제도적 압력에 관한 연구 : 병원조직의 모바일 전자의무기록 시스템을 대상으로", Asia Pacific Journal of Information Systems, 제19권, 제2호, 2009, 95-116.
5 최동권, 윤현식, "기업의 정보보호 관리가 영업성과와 기업가치에 미치는 영향 : 정보보호 관리체계(ISMS)를 중심으로", 한국디지털콘텐츠학회 논문지, 제20권, 제8호, 2019, 1567-1576.
6 Chang, M.K., W. Cheung, C.H. Cheng, and J.H. Yeung, "Understanding ERP system adoption from the user's perspective", International J ournal of Production Economics, Vol.113, No.2, 2008, 928-942.   DOI
7 Ahmadi, H., O. Ibrahim, and M. Nilashi, "Investigating a new framework for hospital information system adoption : a case on Malaysia", Journal of Soft Computing and Decision Support Systems, Vol.2, No.2, 2015, 26-33.
8 Cao, L., K. Mohan, P. Xu, and B. Ramesh, "A framework for adapting agile development methodologies", European Journal of Information Systems, Vol.18, No.4, 2009, 332-343.   DOI
9 Chan, M., I. Woon, and A. Kankanhalli, "Perceptions of information security in the workplace : linking information security climate to compliant behavior", Journal of Information Privacy and Security, Vol.1, No.3, 2005, 18-41.   DOI
10 Chin, W.W., A. Gopal, and W.D. Salisbury, "Advancing the theory of adaptive structuration : The development of a scale to measure faithfulness of appropriation", Information Systems Research, Vol.8, No.4, 1997, 342-367.   DOI
11 Cram, W.A., J. D'arcy, and J.G. Proudfoot, "Seeing the forest and the trees : a meta-analysis of the antecedents to information security policy compliance", MIS Quarterly, Vol. 43, No.2, 2019, 525-554.   DOI
12 Culnan, M.J., "How did they get my name? : an exploratory investigation of consumer attitudes toward secondary information use", MIS Quarterly, Vol.17, No.3, 1993, 341-363.   DOI
13 DeSanctis, G. and M.S. Poole, "Capturing the complexity in advanced technology use : Adaptive structuration theory", Organization Science, Vol.5, No.2, 1994, 121-147.   DOI
14 Ifinedo, P., "Information systems security policy compliance : An empirical study of the effects of socialisation, influence, and cognition", Information and Management, Vol.51, No.1, 2014, 69-79.   DOI
15 Figueiredo, M.A.B. and C. Morley, Understanding the appropriation of project management norms : an empirical study in IT projects, In ECIS 2013 : 21st European Conference on Information Systems, 2013.
16 Giddens, A., The constitution of society : Outline of the theory of structuration, Univ of California Press, 1984.
17 Goo, J., M.S. Yim, and D.J. Kim, "A path to successful management of employee security compliance : an empirical study of information security climate", IEEE Transactions on Professional Communication, Vol.57, No.4, 2014, 286-308.   DOI
18 Hackman, J.R. and G.R. Oldham, "Motivation through the design of work : Test of a theory", Organizational Behavior and Human Performance, Vol.16, No.2, 1976, 250-279.   DOI
19 Herath, T. and H.R. Rao, "Protection motivation and deterrence : a framework for security policy compliance in organizations", European Journal of Information Systems, Vol. 18, No.2, 2009, 106-125.   DOI
20 Karimi, Z. and H.R. Peikar, "Information Security Management : The Impacts of Organizational Commitment and Perceived Consequences of Security Breach on the Intention of Patients' Information Security Violation", Medical Ethics Journal, Vol.13, No.44, 2019, 1-10.
21 Safa, N.S., R. Von Solms, and S. Furnell, "Information security policy compliance model in organizations", Computers and Security, Vol. 56, 2016, 70-82.   DOI
22 Kim, S.H. and S.Y. Park, "Influencing factors for compliance intention of information security policy", The Journal of Society for e-Business Studies, Vol.16, No.4, 2011, 33-51.   DOI
23 Ko, E., S.H. Kim, M. Kim, and J.Y. Woo, "Organizational characteristics and the CRM adoption process", Journal of Business Research, Vol.61, No.1, 2008, 65-74.   DOI
24 Liu, C., J.T. Marchewka, J. Lu, and C.S. Yu, "Beyond concern : a privacy-trust-behavioral intention model of electronic commerce", Information and Management, Vol. 42, No.1, 2004, 127-142.   DOI
25 Ormond, D., M. Warkentin, and R.E. Crossler, "Integrating Cognition with an Affective Lens to Better Understand Information Security Policy Compliance", Journal of the Association for Information Systems, Vol.20, No. 12, 2019, 1794-1843.
26 Ruel, H.J., "The non-technical side of office technology : managing the clarity of the spirit and the appropriation of office technology", In Managing the human side of information technology : Challenges and solutions, IGI Global, 2002, 78-104.
27 Salisbury, W.D., W.W. Chin, A. Gopal, and P.R. Newsted, "Better theory through measurement-Developing a scale to capture consensus on appropriation", Information Systems Research, Vol.13, No.1, 2002, 91-103.   DOI
28 Schmitz, K.W., J.T. Teng, and K.J. Webb, "Capturing the complexity of malleable IT use : Adaptive structuration theory for individuals", MIS Quarterly, Vol.40, No.3, 2016, 663-686.   DOI
29 Shadur, M.A., R. Kienzle, and J.J. Rodwell, "The relationship between organizational climate and employee perceptions of involvement : The importance of support", Group and Organization Management, Vol.24, No.4, 1999, 479-503.   DOI
30 Schwieger, D., A. Melcher, C. Ranganathan, and H.J. Wen, "Applying adaptive structuration theory to health information systems adoption : A case study", International Journal of Healthcare Information Systems and Informatics(IJHISI) , Vol.1, No.1, 2006, 78-92.   DOI
31 Smith, H.J., S.J. Milberg, and S.J. Burke, "Information privacy : measuring individuals' concerns about organizational practices", MIS Quarterly, Vol.20, No.2, 1996, 167-196.   DOI
32 Zeng, W. and M. Koutny, "Modelling and analysis of corporate efficiency and productivity loss associated with enterprise information security technologies", Journal of Information Security and Applications, Vol.49, 2019, 1-11.
33 Sun, J., "Why different people prefer different systems for different tasks : An activity perspective on technology adoption in a dynamic user environment", Journal of the American Society for Information Science and Technology, Vol.63, No.1, 2012, 48-63.   DOI
34 Wang, P.A., "Information security knowledge and behavior : An adapted model of technology acceptance", In 2010 2nd International Conference on Education Technology and Computer (IEEE) , June, 2010, V2-364.
35 Yayla, A. and S. Sarkar, "THE DYNAMICS OF INFORMATION SECURITY POLICY ADOPTION", In Proceedings of the 13th Pre-ICIS Workshop on Information Security and Privacy, 2018.
36 Zohar, D. and G. Luria, "A multilevel model of safety climate : cross-level relationships between organization and group-level climates", Journal of Applied Psychology, Vol.90, No. 4, 2005, 616-628.   DOI