Journal of Digital Convergence (디지털융복합연구)

The Society of Digital Policy and Management (한국디지털정책학회)
권호 표지
DOI QR코드

DOI QR Code

A Study on the Influence of Information Security Compliance Intention of Employee: Theory of Planned Behavior, Justice Theory, and Motivation Theory Applied

조직원의 정보보안 정책 준수의도에 미치는 영향 연구: 계획된 행동이론, 공정성이론, 동기이론의 적용

  • Hwang, In-Ho (School of Knowledge-Based Management, Chung-Ang University) ;
  • Hu, Sung-Ho (Department of Psychology, Chung-Ang University)
  • Received : 2018.01.24
  • Accepted : 2018.03.20
  • Published : 2018.03.28
Download PDF
⟨ Previous Next ⟩

Abstract

Organizations continue to invest in the security of information technology as a means to be more competitive than others in their industry do. However, there is a relatively lack of interest in the information security compliance of employees who implement information security technologies and policies of organization. This study finds mechanisms for enhancing security compliance by applying theory of planned behavior, justice theory, and motivation theory in information security field. We use structural equation modeling to verify the research hypotheses, and conducted a survey on the employees of organization with information security policy. The results showed that organizational justice, sanction, and organizational identification affect the factors of the planned behavior theory and affect the employee's compliance intention. As a result, this research suggested directions for strategic approach for enhancing employee's compliance intention on organization's security policy.

조직은 정보 보안 기술에 대한 지속적인 투자를 통하여 다른 기업들보다 정보자원에 대한 경쟁력을 높이고 있다. 그러나 정보보안 기술 및 정책을 실행에 옮기는 조직원의 정보보안에 대한 관심이 상대적으로 저조하다. 본 연구는 정보보안 분야에 계획된 행동이론, 공정성이론, 그리고 동기이론을 적용하여 조직원의 정보보안 준수의도를 높이기 위한 메커니즘을 찾는다. 연구대상은 정보보안 정책을 도입한 조직의 조직원들이며, 서베이를 통하여 유효샘플 383개를 수집하였다. 연구가설 검증은 구조방정식 모델링을 실시하였다. 결과는 조직공정성, 외재적 동기(제재), 내재적 동기(조직일체화)가 계획된 행동이론의 세부 요인들에 영향을 주고 개인의 정보보안준수의도에 영향을 주는 것으로 나타났다. 분석 결과는 조직의 보안정책에 대한 조직원들의 준수의도 향상을 위한 전략적 접근 방향을 제시한다.

Keywords

References

  1. IDC. (2016). Worldwide Semiannual Security Spending Guide, 2016.
  2. J. Do & J. Kim. (2014). A study on critical success factors for enterprise security collaboration. Journal of Digital Convergence, 12(10), 235-242. https://doi.org/10.14400/JDC.2014.12.10.235
  3. I. Hwang & O. Cha. (2018). Examining technostress creators and role stress as potential threats to employees' information security compliance. Computers in Human Behavior, 81, 282-293. https://doi.org/10.1016/j.chb.2017.12.022
  4. B. Bulgurcu, H. Cavusoglu & I. Benbasat. (2010). Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523-548. https://doi.org/10.2307/25750690
  5. A. Vance, M. Siponen & S. Pahnila. (2012). Motivating IS security compliance: Insights from habit and protection motivation theory. Information & Management, 49(3), 190-198. https://doi.org/10.1016/j.im.2012.04.002
  6. I. Hwang, D. Kim, T. Kim & S. Kim. (2017). Why not comply with information security? An empirical approach for the causes of non-compliance. Online Information Review, 41(1), 1-17.
  7. S. R. Boss, D. F. Galletta, P. B. Lowry, G. D. Moody & P. Polak. (2015). What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors. MIS Quarterly, 34(3), 523-548.
  8. D. Kim, I. Hwang & J. Kim. (2016). A study on employee's compliance behavior towards information security policy: A modified triandis model. Journal of Digital Convergence, 14(4), 209-220. https://doi.org/10.14400/JDC.2016.14.4.209
  9. C. Park & M. Yim. (2012). An understanding of impact of security countermeasures on persistent policy compliance. Journal of Digital Convergence, 10(4), 23-35. https://doi.org/10.14400/JDPM.2012.10.4.023
  10. Y. Chen, K. Ramamurthy & K. W. Wen. (2012). Organizations' information security policy compliance: Stick or carrot approach?. Journal of Management Information Systems, 29(3), 157-188. https://doi.org/10.2753/MIS0742-1222290305
  11. J. D'Arcy, A. Hovav & D. Galletta. (2009). User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research, 20(1), 79-98. https://doi.org/10.1287/isre.1070.0160
  12. Q. Hu, Z. Xu, T. Dinev & H. Ling. (2011). Does deterrence work in reducing information security policy abuse by employees?. Communications of the ACM, 54(6), 54-60. https://doi.org/10.1145/1953122.1953142
  13. K. H. Guo & Y. Yuan. (2012). The effects of multilevel sanctions on information security violations: A mediating model. Information & Management, 49(6), 320-326. https://doi.org/10.1016/j.im.2012.08.001
  14. T. Herath & H. R. Rao. (2009). Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems, 47(2), 154-165. https://doi.org/10.1016/j.dss.2009.02.005
  15. J. Y. Son. (2011). Out of fear or desire? Toward a better understanding of employees' motivation to follow IS security policies. Information & Management, 48(7), 296-302. https://doi.org/10.1016/j.im.2011.07.002
  16. A. B. Ruighaver, S. B. Maynard & S. Chang. (2007). Organizational security culture: extending the end-user perspective. Computers & Security, 26(1), 56-62. https://doi.org/10.1016/j.cose.2006.10.008
  17. J. A. Colquitt. (2001). On the dimensionality of organizational justice: A construct validation of a measure. Journal of Applied Psychology, 86(3), 386-400. https://doi.org/10.1037/0021-9010.86.3.386
  18. Y. Zhang, J. A. LePine, B. R. Buckman & F. Wei. (2014). It's not fair… or is it? The role of justice and leadership in explaining work stressor-job performance relationships. Academy of Management Journal, 57(3), 675-697. https://doi.org/10.5465/amj.2011.1110
  19. R. West. (2008). The psychology of security. Communications of the ACM, 51(4), 34-40. https://doi.org/10.1145/1330311.1330320
  20. K. D. Loch, H. H. Carr & M. E. Warkentin. (1992). Threats to information systems: today's reality. yesterday's understanding, MIS Quarterly, 16(2), 173-186. https://doi.org/10.2307/249574
  21. Verizon. (2016). 2016 Data Breach Investigations Report.
  22. M. Siponen, S. Pahnila & M. A. Mahmood. (2010). Compliance with information security policies: An empirical investigation. Computer, 43(2), 64-71. https://doi.org/10.1109/MC.2010.35
  23. T. Jeong, M. Yim & J. Lee. (2012). A development of comprehensive framework for continuous information security. Journal of Digital Convergence, 10(2), 1-10. https://doi.org/10.14400/JDPM.2012.10.2.001
  24. J. Han & Y. Kim. (2015). Investigating of psychological factors affecting information security compliance intention: Convergent approach to information security and organizational citizenship behavior. Journal of Digital Convergence, 13(8), 133-144. https://doi.org/10.14400/JDC.2015.13.8.133
  25. M. Yim. (2012). A path way to increase the intention to comply with information security policy of employees. Journal of Digital Convergence, 10(10), 119-128. https://doi.org/10.14400/JDPM.2012.10.10.119
  26. I. Hwang & Y. Lee. (2016). The employee's information security policy compliance intention: Theory of planned behavior, goal setting theory, and deterrence theory applied. Journal of Digital Convergence, 14(7), 155-166. https://doi.org/10.14400/JDC.2016.14.7.155
  27. I. Ajzen. (1991). The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50(2), 179-211. https://doi.org/10.1016/0749-5978(91)90020-T
  28. J. Cox. (2012). Information systems user security: A structured model of the knowing-doing gap. Computers in Human Behavior, 28(5), 1849-1858. https://doi.org/10.1016/j.chb.2012.05.003
  29. N. S. Safa, M. Sookhak, R. Von Solms, S. Furnell, N. A. Ghani & T. Herawan. (2015). Information security conscious care behaviour formation in organizations. Computers & Security, 53, 65-78. https://doi.org/10.1016/j.cose.2015.05.012
  30. J. Zhang, B. J. Reithel & H. Li. (2009). Impact of perceived technical protection on security behaviors. Information Management & Computer Security, 17(4), 330-340. https://doi.org/10.1108/09685220910993980
  31. A. C. Johnston & M. Warkentin (2010). Fear appeals and information security behaviors: An empirical study. MIS Quarterly, 34(3), 549-566. https://doi.org/10.2307/25750691
  32. W. R. Flores & M. Ekstedt. (2016). Shaping intention to resist social engineering through transformational leadership, information security culture and awareness. Computers & Security, 59, 26-44. https://doi.org/10.1016/j.cose.2016.01.004
  33. N. S. Safa & R. Von Solms. (2016). An information security knowledge sharing model in organizations. Computers in Human Behavior, 57, 442-451. https://doi.org/10.1016/j.chb.2015.12.037
  34. M. Siponen, M. A. Mahmood & S. Pahnila. (2014). Employees' adherence to information security policies: An exploratory field study. Information & Management, 51(2), 217-224. https://doi.org/10.1016/j.im.2013.08.006
  35. C. Posey, T. L. Roberts & P. B. Lowry (2015). The impact of organizational commitment on insiders' motivation to protect organizational information assets. Journal of Management Information Systems, 32(4), 179-214. https://doi.org/10.1080/07421222.2015.1138374
  36. H. L. Chou, & C. Chou. (2016). An analysis of multiple factors relating to teachers' problematic information security behavior. Computers in Human Behavior, 65, 334-345. https://doi.org/10.1016/j.chb.2016.08.034
  37. R. Cropanzano, L. Paddock, D. E. Rupp, J. Bagger & A. Baldwin. (2008). How regulatory focus impacts the process-by-outcome interaction for perceived fairness and emotions. Organizational Behavior and Human Decision Processes, 105(1), 36-51. https://doi.org/10.1016/j.obhdp.2006.06.003
  38. P. M. Muchinsky. (2006). Psychology Applied to Work: An Introduction to Industrial and Organizational Psychology. Cengage Learning.
  39. P. E. Spector. (2008). Industrial and Organizational Psychology. Research and. Practice.
  40. T. A. Judge & J. A. Colquitt. (2004). Organizational justice and stress: The mediating role of work-family conflict. Journal of Applied Psychology, 89(3), 395-404. https://doi.org/10.1037/0021-9010.89.3.395
  41. J. R. Fu, P. H. Ju & C. W. Hsu. (2015). Understanding why consumers engage in electronic word-of-mouth communication: Perspectives from theory of planned behavior and justice theory. Electronic Commerce Research and Applications, 14(6), 616-630. https://doi.org/10.1016/j.elerap.2015.09.003
  42. H. Zhang & N. C. Agarwal. (2009). The mediating roles of organizational justice on the relationships between HR practices and workplace outcomes: an investigation in China. The International Journal of Human Resource Management, 20(3), 676-693. https://doi.org/10.1080/09585190802707482
  43. M. L. Ambrose & M. Schminke. (2009). The role of overall justice judgments in organizational justice research: a test of mediation. Journal of Applied Psychology, 94(2), 491-500. https://doi.org/10.1037/a0013203
  44. T. Y. Chou, T. C. Seng-cho, J. J. Jiang & G. Klein. (2013). The organizational citizenship behavior of IS personnel: Does organizational justice matter?. Information & Management, 50(2), 105-111. https://doi.org/10.1016/j.im.2013.02.002
  45. O. Demirtas. (2015). Ethical leadership influence at organizations: Evidence from the field. Journal of Business Ethics, 126(2), 273-284. https://doi.org/10.1007/s10551-013-1950-5
  46. C. Yoon. (2011). Theory of planned behavior and ethics theory in digital piracy: An integrated model. Journal of Business Ethics, 100(3), 405-417. https://doi.org/10.1007/s10551-010-0687-7
  47. C. C. Pinder. (1998), Work motivation in organizational behavior. Upper Saddle River, NJ: Prentice Hall.
  48. E. M. Fair, & L. Silvestri. (1992). Effects of rewards, competition and outcome on intrinsic motivation. Journal of Instructional Psychology, 19(1), 3.
  49. K. H. Guo, Y. Yuan, N. P. Archer & C. E. Connelly. (2011). Understanding nonmalicious security violations in the workplace: A composite behavior model. Journal of Management Information Systems, 28(2), 203-236. https://doi.org/10.2753/MIS0742-1222280208
  50. H. Li, J. Zhang & R. Sarathy. (2010). Understanding compliance with internet use policy from the perspective of rational choice theory. Decision Support Systems, 48(4), 635-645. https://doi.org/10.1016/j.dss.2009.12.005
  51. J. E. Dutton, J. M. Dukerich & C. V. Harquail. (1994). Organizational images and member identification. Administrative Science Quarterly, 39(2), 239-263. https://doi.org/10.2307/2393235
  52. J. C. Nunnally. (1978). Psychometric theory (2nd ed.). New York: McGraw-Hill.
  53. B. H. Wixom & H. J. Watson. (2001). An empirical investigation of the factors affecting data warehousing success. MIS Quarterly, 25(1), 17-41. https://doi.org/10.2307/3250957
  54. C. Fornell & D. F. Larcker. (1981). Evaluating structural equation models with unobservable variables and measurement error. Journal of Marketing Research, 18(1), 39-50. https://doi.org/10.2307/3151312