An Empirical Study of Employee's Deviant Behavior for Improving Efficiency of Information Security Governance

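Korean title (translated): An Empirical Study on Employees' Information Security Behavior for Improving the Efficiency of Information Security Governance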

  • Kim, Hye Jung (김혜정) (KPMG Samjong Accounting Corp., MCS (Management Consulting Service))
  • Ahn, Joong Ho (안중호) (Seoul National University, Department of Business Administration; College of Business Administration and Graduate School of Business)
  • Received : 2012.11.14
  • Accepted : 2012.12.25
  • Published : 2013.02.28

Abstract

Continuous information security governance requires a focus not just on technical aspects such as access control and DRM, but also on informal-level management of information security (IS) behavior, culture, and personal values. However, while there are many formal-level studies of IS governance and technical means, there are few informal-level studies. This study empirically tests how IS culture, normative beliefs, personal behavior, and values affect employees' deviant behavior. Drawing on the concept of anomie, a viewpoint on social organization, we define the lack of awareness of the value and importance of IS regulations in organizations as "Information Security Anomie".

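Continuous information security governance requires a focus on managing informal information security behavior, such as individuals' security behavior, culture, norms, and personal values, rather than only on technical aspects such as access control and document security. However, many studies concentrate on formal-level governance, such as information security regulations, or on means such as technology, and there has been almost no research on the informal level: individuals' information security violations and their personal beliefs, norms, culture, and personal values. This study therefore empirically examines how information security culture, normative beliefs, behavior, and values affect violations of information security regulations. In addition, using the concept of anomie from the socio-organizational perspective, this study defines the lack of awareness of the importance of information security regulations and the absence of value placed on them within an organization as the "information security anomie phenomenon," and on that basis empirically analyzes what role information security anomie plays in the effect of information security culture, norms, behavior, and values on violations of information security regulations.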

Cited by

  1. A Study on the Effects of Earnings Management in Outside Directors System for Information Security Company vol.19, pp.2, 2014, https://doi.org/10.7838/jsebs.2014.19.2.143
  2. Small Business Technological Assets Protection Factors Analysis Using Logistic Regression Analysis vol.20, pp.3, 2015, https://doi.org/10.7838/jsebs.2015.20.3.001
  3. Comparison of Information Security Controls by Leadership of Top Management vol.19, pp.1, 2014, https://doi.org/10.7838/jsebs.2014.19.1.063
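  4. The Effect of Information Security Implementation on Information Security Performance in Shipping and Port Organizations vol.40, pp.4, 2013, https://doi.org/10.5394/kinpr.2016.40.4.213
  5. A Study on the Development of an Early Warning System for Technology Leakage in Small and Medium-Sized Enterprises vol.23, pp.1, 2017, https://doi.org/10.13088/jiis.2017.23.1.143
  6. A Study on Security Policy Violations by Organization Members vol.25, pp.3, 2013, https://doi.org/10.22693/niaip.2018.25.3.095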