Journal of the Korea Convergence Society (한국융합학회논문지)

Korea Convergence Society (한국융합학회)
권호 표지
DOI QR코드

DOI QR Code

An Exploratory Research on Factors Influence Perceived Compliance Cost and Information Security Awareness in Small and Medium Enterprise

보안정책 준수 비용과 정보보안 중요성 인식 수준에 미치는 요인에 관한 연구: 중소기업을 중심으로

  • Received : 2018.07.12
  • Accepted : 2018.09.20
  • Published : 2018.09.28
Download PDF
⟨ Previous Next ⟩

Abstract

The ultimate intention of this research is to identify the factors that have a significant effect on the perceived importance of information security as the antecedent of intention to information security policy compliance. We found that the effectiveness of information security training program did not have statistically significant effect on the perceived cost of policy compliance. Second, the effectiveness of information security policy has significant influence on the perceived cost of policy compliance. Third, perceived vulnerability has a significant effect on the perceived cost of policy compliance. Fourth, perceived cost of policy compliance has a significant effect on perceived importance of information security. Fifth, supervisor's attitude toward information security silence has a significant effect on employee silent behavior towards information security. Sixth, communication opportunities towards information security has a significant influence on employee silent behavior towards information security. Finally, it was shown that employee silent behavior towards information security had a significant influence on the perceived importance of information security.

본 연구의 목적은 정보보안 정책 준수 의도의 선행변수인 정보보안에 대한 인지된 중요성에 유의한 영향을 미치는 요인을 규명하는 것이다. 이를 위해 구조방정식 모형을 기반으로 제안 모형을 분석했다. 분석결과, 첫째, 정보보안 교육의 효과성은 정책 준수에 따른 인지된 비용에 통계적으로 유의한 영향을 미치지 못하는 것으로 나타났다. 둘째, 정보보안 정책의 효과성은 정책 준수에 따른 인지된 비용에 유의한 영향을 미치는 것으로 나타났다. 셋째, 인지된 취약성은 정책 준수에 따른 인지된 비용에 유의한 영향을 미치는 것으로 나타났다. 넷째, 정책 준수에 따른 인지된 비용은 정보보안에 대한 인지된 중요성에 유의한 영향을 미치는 것으로 나타났다. 다섯째, 정보보안 침묵에 대한 경영진의 태도는 구성원들의 보안 침묵 행위에 유의한 영향을 미치는 것으로 나타났다. 여섯째, 정보보안에 대한 의사소통 기회는 구성원들의 보안 침묵 행위에 유의한 영향을 미치는 것으로 나타났다. 마지막으로 구성원들의 보안 침묵 행위는 정보보안에 대한 인지된 중요성에 유의한 영향을 미치는 것으로 나타났다.

Keywords

References

  1. Stanton, J. M., Stam, K. R., Mastrangelo, P., & Jolton, J. (2005), Analysis of End User Security Behaviors, Computers & Security, 24(2), 124-133. https://doi.org/10.1016/j.cose.2004.07.001
  2. Liang, H., & Xue, Y. (2010), Understanding Security Behaviors in Personal Computer Usage: A Threat Avoidance Perspective, Journal of the Association for Information Systems, 11(7), 394-413. https://doi.org/10.17705/1jais.00232
  3. Safa, N. S., Von Solms, R., & Furnell, S. (2016), Information Security Policy Compliance Model in Organizations, Computers & Security, 56, 1-13. https://doi.org/10.1016/j.cose.2015.09.009
  4. Bulgurcu, B., Cavusoglu, H., & Banbasat, I. (2010), Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness, MIS Quarterly, 34(3), 523-548. https://doi.org/10.2307/25750690
  5. Crossler, R. E., Johnston, A. C., Lowry, P. B., Hu, Q., Warkentin, M., & Baskerville, R. (2013), Future Directions for Behavioral Information Security Research, Computers & Security, 32, 90-101. https://doi.org/10.1016/j.cose.2012.09.010
  6. D'Arcy, J., & Hovav, A. (2007), Deterring Internal Information Systems Misuse, Communications of the ACM, 50(10), 113-117. https://doi.org/10.1145/1290958.1290971
  7. Ifinedo, P. (2012), Understanding Information Systems Security Policy Compliance: An Integration of the Theory of Planned Behavior and the Protection Motivation Theory, Computers & Security, 31, 83-95. https://doi.org/10.1016/j.cose.2011.10.007
  8. Goel, S., & Chengalur-Smith, I., (2010), Metrics for Characterizing the Form of Security Policies, Journal of Strategic Information Systems, 19(4), 281-295. https://doi.org/10.1016/j.jsis.2010.10.002
  9. Van Dyne, L., Ang, S., & Botero, I. C. (2003), Conceptualizing Employee Silence and Employee Voice as Multidimensional Constructs, Journal of Management Studies, 40(6), 1359-1392. https://doi.org/10.1111/1467-6486.00384
  10. Pinder, C. C., & Harlos, K. P. 2001, Employee Silence: Quiescence and Acquiescence as Responses to Perceived Injustice. In Rowland, K. M., & Rerris, G. R. (eds), Research in Personnel and Human Resources Management, 20, New York: JAI Press, 331-369.
  11. Morrison, E. W., & Milliken, F. J. (2000), Organizational Silence: A Barrier to Change and Development in a Pluralistic World, Academy of Management Review, 25, 706-725. https://doi.org/10.5465/amr.2000.3707697
  12. Soomro, Z. A., Shah, M. H., & Ahmed, J. 2016, Information Security Management Needs More Holistic Approach: A Literature Review, International Journal of Information Management, Vol. 36, pp. 215-225. https://doi.org/10.1016/j.ijinfomgt.2015.11.009
  13. Knapp, K. J., & Ferrante, C. J. (2012), Policy Awareness, Enforcement and Maintenance: Critical to Information Security Effectiveness in Organizations, Journal of Management Policy and Practice, 13(5), 66-80.
  14. Puhakainen, P., & Siponen, M. (2010), Improving Employees' Compliance through Information Systems Security Training: An Action Research Study, MIS Quarterly, 34(4), 757-778. https://doi.org/10.2307/25750704
  15. Mishra, S., & Chasalow, L. (2011), Information Security Effectiveness: A Research Framework, Issues in Information Systems, 12(1), 246-255.
  16. Stewart, A. (2004), On Risk: Perception and Direction, Computers & Security, 23, 362-370. https://doi.org/10.1016/j.cose.2004.05.003
  17. Zhang, J., Reithel, B. J., & Li, H. (2009), Impact of Perceived Technical Protection on Security Behaviors, Information Management & Computer Security, 17(4), 330-340. https://doi.org/10.1108/09685220910993980
  18. Gopal, R. D., & Sanders, G. L. (1997), Preventative and Deterrent Controls for Software Piracy, Journal of Management Information Systems, 13(4), 29-47. https://doi.org/10.1080/07421222.1997.11518141
  19. Wiant, T. L. (2003), Policy and its Impact on Medical Record Security, Unpublished Doctoral Dissertation, University of Kentucky, Lexington.
  20. Foltz, C. B. (2000), The Impact of Deterrent Countermeasures upon Individual Intent to Commit Misuse: A Behavioral Approach, Unpublished Doctoral Dissertation, University of Arkansas, Fayetteville.
  21. Harrington, S. J. (1996), The Effect of Codes of Ethics and Personal Denial of Responsibility on Computer Abuse Judgments and Intentions, MIS Quarterly, 20(3), 257-278. https://doi.org/10.2307/249656
  22. Lee, S. M., Lee, S. -G., & Yoo, S. (2004), An Integrative Model of Computer Abuse Based on Social Control and General Deterrence Theories, Information and Management, 41(6), 707-718. https://doi.org/10.1016/j.im.2003.08.008
  23. Knapp, K. J., Marshall, T. E., Rainer, Jr., R. K., & Ford, F. N. (2007), Information Security Effectiveness: Conceptualization and Validation of a Theory, International Journal of Information Security and Privacy, 1(2), 37-60. https://doi.org/10.4018/jisp.2007040103
  24. Chan, M., Woon, I., & Kankanhalli, A. (2005), Perceptions of Information Security in the Workplace: Linking Information Security Climate to Compliant Behavior, Journal of Information Privacy and Security, 1(3).
  25. Siponen, M. T. (2000), A Conceptual Foundation for Organizational Information Security Awareness, Information Management & Computer Security, 8(1), 31-41. https://doi.org/10.1108/09685220010371394
  26. Vakola, M., & Bouradas, D., (2005), Antecedents and Consequences of Organisational Silence: An Empirical Investigation, Employee Relations, 27(5), 441-458. https://doi.org/10.1108/01425450510611997
  27. Vroom, C., & von Solms, R. (2004), Towards Information Security Behavioural Compliance, Computer & Security, 23, 191-198. https://doi.org/10.1016/j.cose.2004.01.012
  28. Kankanhalli, H., Teo, H. -H., Tan, B. C. Y., & Wei, K. -K. (2003), An Integrative Study of Information Systems Security Effectiveness, International Journal of Information Management, 23(2), 139-154. https://doi.org/10.1016/S0268-4012(02)00105-6
  29. Leonard, L. N. K., Cronan, T. P., & Kreie, J. (2004), What Influences IT Ethical Behavior Intentions- Planned Behavior, Reasoned Action, Perceived Importance, or Individual Characteristics?, Information & Management, 42, 143-158. https://doi.org/10.1016/j.im.2003.12.008
  30. Churchill, G. A. (1979), A Paradigm for Developing Better Measures of Marketing Constructs, Journal of Marketing, 9(4), 168-178.
  31. Moore, G. C., & Benbasat, I. (1991), Development of an Instrument to Measure the Perceptions of Adopting an Information Technology Innovation, Information Systems Research, 2(3), 192-222. https://doi.org/10.1287/isre.2.3.192
  32. Workman, M., Bommer, W. H., & Straub, D. (2008), Security Lapses and the Omission of Information Security Measures: A Threat Control Model and Empirical Test, Computers in Human Behavior, 24(6), 2799-2816. https://doi.org/10.1016/j.chb.2008.04.005
  33. Barclay, D., Higgins, C., & Thompson, R. (1995), The Partial Least Squares (PLS) Approach to Causal Modeling: Personal Computer Adoption and Use as an Illustration, Technology Studies, 2(2), 285-309.
  34. Gefen, D., & Straub, D. (2005), A Practical Guide to Factorial Validity Using PLS-graph: Tutorial and Annotated Example, Communications of the AIS, 16(5), 91-109.
  35. Chin, W. W., & Sambamurthy, V. (1994), The Effects of Group Attitudes toward Alternative GDSS Designs on the Decision-Making Performance of Computer- Supported Groups, Decision Sciences, 25(2), 215-241. https://doi.org/10.1111/j.1540-5915.1994.tb01840.x
  36. Hair, J. F., Black, B., Babin, B., & Anderson, R. E. (2010), Multivariate Data Analysis, 7th eds., Upper Saddle River, NJ, PrenticeHall.
  37. Cronbach, L. J. (1951), Coefficient Alpha and the Internal Structure of Tests, Psychometrika, 16, 297-334. https://doi.org/10.1007/BF02310555
  38. Fornell, C., & Larker, D. F. (1981), Evaluating Structural Equation Models with Unobservable Variables and Measurement Error, Journal of Marketing Research, 18(1), 39-50. https://doi.org/10.2307/3151312
  39. Nunnally, J. C. 1978, Psychometric Theory, New York, NY: McGraw-Hill.
  40. Cook, T. D., & Campbell, D. T. (1979), Quasi-Experimentation: Design and Analysis Issues for Field Setting, Boston, MA: Houghton Mifflin.
  41. Grant, R. A. (1989), Building and Testing a Causal Model of an Information Technology's Impact, Proceedings of the Ten International Conference on Information Systems, December 4-6, Boston, MA, 173-184.
  42. Fornell, C. (1982), A Second Generation of Multivariate Analysis: Methods, 1, New York, NY: Praeger.
  43. Chin, W. W. (1998), Issues and Opinion on Structural Equation Modeling, MIS Quarterly, 22(1), vii-xvi.
  44. Gefen, D., Straub, D. W., & Boudreau, M. C. (2000), Structural Equation Modeling and Regression: Guidelines for Research Practice, Communications of the AIS, 4, 1-77.