• The Journal of Information Systems
• /
• v.28 no.4
• /
• pp.105-129
• /
• 2019

Purpose Issues related to information security have been a crucial topic of interest to researchers and practitioners in the IT/IS field. This study develops a research model based on a Structure-Conduct-Outcome (SCO) framework for the social exchange relationship between employees and organizations regarding information security. Design/methodology/approach In applying an SCO framework to information security, structure and conduct are activities imposed on employees within an organizational context; outcomes are activities that protect information security from an employee. Data were collected from 438 employees working in manufacturing and service firms currently implementing an information security policy in South Korea. Structural equation modeling (SEM) with AMOS 22.0 is used to test the validation of the measurement model and the proposed casual relationships in the research model. Findings The results demonstrate support for the relationships between predicting variables in organization structure (security policy and physical security system) and the outcome variables in organization conduct (top management support, security education program, and security visibility). Results confirm that the three variables in organization conduct had a positive effect on individual outcome (security knowledge and compliance intention).

• Journal of Information Technology Applications and Management
• /
• v.22 no.4
• /
• pp.225-251
• /
• 2015

This paper analyzed factors for employees to violate information security policy in financial companies based on the theory of reasoned action (TRA), general deterrence theory (GDT), and information security awareness and moderating effects of perceived sensitivity of customer information. Using the 376 samples that were collected through both online and offline surveys, statistical tests were performed. We found that the perceived severity of sanction and information security policy support to information policy violation attitude and subjective norm but the perceived certainty of sanction and general information security awareness support to only subjective norm. Also, the moderating effects of perceived sensitivity of customer information against information policy violation attitude and subjective norm were supported. Academic implications of this study are expected to be the basis for future research on information security policy violations of financial companies; Employees' perceived sanctions and information security policy awareness have an impact on the subjective norm significantly. Practical implications are that it can provide a guide to establish information security management strategies for information security compliance; when implementing information security awareness training for employees to deter violations by emphasizing the sensitivity of customer information, a company should make their employees recognize that the customer information is very sensitive data.

• Information Systems Review
• /
• v.12 no.1
• /
• pp.23-42
• /
• 2010

Although organizations are given various benefits with information technologies, they sometimes have suffered fatal damages due to information security incidents now such as computer virus, hacking, counterfeiting, plagiarizing, etc. The fundamentalcauses of information security incidents are closely related to individuals who do not comply with information security policy or rules. The spontaneous self-control of individuals and monitoring for individuals could be the most essential solution for the ongoing observance of information security policy. Thus, the purpose of this study is to analyze effects of punishment and ethics training on compliance of information security policy of individuals in organizations, to determine individual divide among security propensity depending on organization types, and to find the more fundamental solution which leads change of organizational members’ behaviors and self-control. Regardless of the type of organizations, the results of the study suggest that there exist positive effects of punishment and ethics training in all types of organization on compliance of information security rules or regulations. A member of unitary form organization has higher cognition of punishment than a member's cognition of the multi-divisional form organization, while relatively lower awareness of ethics training. Also, a member of public organization has higher awareness of ethics training than a member’s awareness of private organization, while lower cognition of punishment. Finally, the result shows that punishment and ethics training may be major factors which affect information security. It also suggests that organizational security managers have to understand and consider organization member’s propensity relying on organization form and organization characteristics for establishment and enforcement of information security policy.

• Informatization Policy
• /
• v.25 no.1
• /
• pp.99-114
• /
• 2018

In the past, organizations tended to focus on physical and technical aspects of managing corporate's information security (IS), rather than the aspect of human resources related to IS. Recently, increasing security incidents caused by organization members raise the issue of how to improve employees' compliance with security policies. This study conducted a field experiment to examine the effect of security awareness training and technical security services on employee's security behaviors. In Study 1, the number of spam opening cases were measured right after the IS training and re-measured three months later. In Study 2, a spam warning message was provided and then the number of employees' spam opening cases were counted to find out the effect of security services. It was found that both the IS training and the technical IS service were effective; they significantly decreased spam opening rates. However, the training effect did not last longer than three months. These findings suggest that organizations need to consider providing regular training programs and supplementary technical services to improve employees' compliance with security policies.

• Journal of Platform Technology
• /
• v.11 no.1
• /
• pp.23-37
• /
• 2023

As the importance of R&D increases amid the paradigm of technology hegemony competition, countries around the world are increasing investment in R&D, at the same time, making effrots to portect R&D. Centering to technology-leading countries, such as Korea, the United States and Japan, they reorganize research security regulations to protect national R&D; however, the burden of compliance for researcher and research institutes is still high. Korea enacted the National R&D Innovation Act and the Enforcement Decree of the same Act to establish an integrated and systematic research security support system, but research institutes and researchers still lack understanding and practice of research security. In order to strengthen researcher's research security compliance, this study organized information requirements for each security management area through domestic and foreign research security laws and prior research analysis, and designed research security information requirements items centered on researchers. The designed information requirements are meaningful in that they were designed by considering both the management area and the stage of R&D, focusing on researchers performing R&D in the field. Based on the designed information requirements items, it is expected that systematic security management will be possible at the research site, which will ease the security burden of researchers and improve research security compliance at the research and development site.

• The Journal of Society for e-Business Studies
• /
• v.16 no.4
• /
• pp.33-51
• /
• 2011

This research derived the influencing factors for employees' compliance with the information security policy in organizations on the basis of Neutralization Theory, Theory of Planned Behavior and Protection Motivation Theory. To empirically analyze the research model and the hypotheses, data were collected by conducting web survey, 194 of 207 questionnaires were available. The test of causal model was conducted by PLS. Reliability, validity and model fit were found to be statistically significant. the results of hypotheses tests showed that seven ones of eight hypotheses could be accepted. The theoretical implications of this study are as follows : 1) this study is expected to play a role of baseline for future research about employee compliance with the information security policy, 2) this study attempted interdisciplinary approach through combining psychology and information system security research, and 3) it suggested concrete operational definitions of influencing factors for information security policy compliance through comprehensive theoretical review. Also, this study has some practical implications. First, it can provide the guideline to support the successful execution of the strategic establishment for implement of information system security policies in organizations. Second, it is proved that the need for conducting education and training program suppressing employees. neutralization psychology to violate information security policy should be emphasized in the organizations.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.6
• /
• pp.1293-1308
• /
• 2014

The cause of privacy extrusion in credit card company at 2014 is usage of the original data in test system. By Electronic banking supervision regulations of the Financial Supervisory Service and Information Security business best practices of Finance information technology (IT) sector, the data to identify the customer in the test system should be used to convert. Following this guidelines, Financial firms use converted customer identificaion data by loading in test system. However, there is some risks that may be introduced unintentionally by user mistake or lack of administrative or technical security in the process of testing. also control and risk management processes for those risks did not studied. These situations are conducive to increasing the compliance violation possibility of supervisory institution. So in this paper, we present and prove the process to eliminate the compliance violation possibility of supervisory institution by controlling and managing the unidentified conversion customer identification data and check the effectiveness of the process.

• Journal of the Korea Convergence Society
• /
• v.12 no.1
• /
• pp.211-218
• /
• 2021

This study is composed of a convergence research design plan as the necessity of information security field dealing with human factors are raised. The purpose of this study is to analyze the effectiveness of the aspect of information security on the cognitive process related to security policy. The research method consisted of the cross-design of the availability dimension and the culture dimension, and the information security process was measured with information security awareness, response efficacy, compliance behavioral intention, and information security behavior. As a result of the study, the dimension of availability had a significant effect on response efficacy, and it was found that the influence of the case-based condition was greater than that of the statistics-based condition. The cultural dimension had a significant effect on information security awareness, response efficacy, compliance behavioral intention, and information security behavior, and the influence of the homogeneity condition was found to be greater than that of the diversity condition. The proposed research model was verified as a multiple mediation model reconstructed with measurement variables. In addition, the discussion describes the necessity of an information security strategy in consideration of individual factors and organizational characteristics.

• Journal of Information Technology Services
• /
• v.19 no.5
• /
• pp.15-31
• /
• 2020

This study explores the process in which employees adopt the information security policy. The results of this study, which surveyed 234 employees in three call centers and four hospitals, show that the employees adapt the information security policy through the social structuring process suggested by the AST model. In particular, this study identifies roles of two appropriation activities (FOA : Faithfulness of Appropriation & COA : Consensus on Appropriation) observed in the social structuring process. Regarding to the interactions between the two appropriation activities, FOA, which indicates a better understanding of the information security policy, is examined as a more critical factor than COA, which indicates the degree of agreement among employees about how to use it. FOA not only has a direct effect on compliance intention toward the information security policy, but also indirectly through COA, whereas COA has only a indirect effect through FOA. This result shows that, in order for a company to successfully implement a new information security policy, it is important for employees to understand its purpose and intention. The adaption of information security policy through two appropriation activities is observed in both hospitals and call centers, but due to the different working environments, there were differences in the preceding variables affecting the appropriation activities. The results of this study are expected to provide guidelines for companies who want to successfully adopt information security policy.

• International Journal of Computer Science & Network Security
• /
• v.24 no.3
• /
• pp.142-150
• /
• 2024

A conceptual model represents an understanding of a system that is going to be developed, which in this research, a driving simulation software to study driver behavior at signalised intersections. Therefore, video observation was conducted to study driver compliance behaviour within the dilemma zone at signalised intersection, with regards to driver's distance from the stop line during yellow light interval. The video was analysed using Thematic Analysis and the data extracted from it was analysed using Chi-Square Independent Test. The Thematic Analysis revealed two major themes which were traffic situation and driver compliance behaviour. Traffic situation is defined as traffic surrounding the driver, such as no car in front and behind, car in front, and car behind. Meanwhile, the Chi-Square Test result indicates that within the dilemma zone, there was a significant relationship between driver compliance behaviour and driver's distance from the stop line during yellow light interval. The closer the drivers were to the stop line, the more likely they were going to comply. In contrast, drivers showed higher non-compliant behavior when further away from stop line. This finding could help in the development of conceptual model of driving simulation with purpose in studying driver behavior.