The Journal of Information Systems (한국정보시스템학회지:정보시스템연구)

Korea Association of Information Systems (한국정보시스템학회)
권호 표지
DOI QR코드

DOI QR Code

Information Security of Organization and Employees in Social Exchange Perspective : Using Structure-Conduct-Outcome Framework

SCO Framework을 적용한 조직과 조직원의 정보보안 준수 관계 연구

  • Received : 2019.08.25
  • Accepted : 2019.11.19
  • Published : 2019.12.31
Download PDF
⟨ Previous Next ⟩

Abstract

Purpose Issues related to information security have been a crucial topic of interest to researchers and practitioners in the IT/IS field. This study develops a research model based on a Structure-Conduct-Outcome (SCO) framework for the social exchange relationship between employees and organizations regarding information security. Design/methodology/approach In applying an SCO framework to information security, structure and conduct are activities imposed on employees within an organizational context; outcomes are activities that protect information security from an employee. Data were collected from 438 employees working in manufacturing and service firms currently implementing an information security policy in South Korea. Structural equation modeling (SEM) with AMOS 22.0 is used to test the validation of the measurement model and the proposed casual relationships in the research model. Findings The results demonstrate support for the relationships between predicting variables in organization structure (security policy and physical security system) and the outcome variables in organization conduct (top management support, security education program, and security visibility). Results confirm that the three variables in organization conduct had a positive effect on individual outcome (security knowledge and compliance intention).

Keywords

References

  1. 박철주, 임명성, "기술스트레스가 정보보안에 미치는 영향에 관한 연구," 디지털융복합연구, 제10권, 제5호, 2012, pp.37-51. https://doi.org/10.14400/JDPM.2012.10.5.037
  2. 유인진, 박도형 "중소기업 프로파일링 분석을 통한 기술유출 방지 및 보호 모형 연구," 정보시스템연구, 제27권, 제1호, 2018, pp.171-191.
  3. 최경선, 안현철, "개인적.사회적 요인을 고려한 가상 공동체에서의 지식 공유 모형," 정보시스템연구, 제28권, 제5호, 2019, pp.41-72.
  4. 황인호, 김대진, "조직의 정보보안 환경이 조직구성원의 보안 준수의도에 미치는 영향," 정보시스템연구, 제25권, 제2호, 2016, pp.51-77.
  5. Armeli, S., Eisenberger, R., Fasolo, P., and Lynch, P., "Perceived Organizational Support and Police Performance: The Moderating Influence of Socioemotional Needs," Journal of Applied Psychology, Vol. 83, No. 2, 1998, pp.288-297. https://doi.org/10.1037/0021-9010.83.2.288
  6. Bang, Y., Lee, D. J., Bae, Y. S., and Ahn, J. H., "Improving Information Security Management: An Analysis of ID-password Usage and a New Login Vulnerability Measure," International Journal of Information Management, Vol. 32, No. 5, 2012, pp.409-418. https://doi.org/10.1016/j.ijinfomgt.2012.01.001
  7. Boss, S., Galletta, D., Lowry, P. B., Moody, G. D., and Polak, P., "What Do Systems Users Have to Fear? Using Fear Appeals to Engender Threats and Fear That Motivate Protective Security Behaviors," MIS Quarterly, Vol. 39, No. 4, 2015, pp.837-864. https://doi.org/10.25300/MISQ/2015/39.4.5
  8. Bulgurcu, B., Cavusoglu, H., and Benbasat, I., "Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness," MIS Quarterly, Vol. 34, No. 3, 2010, pp.523-548. https://doi.org/10.2307/25750690
  9. Carr, N. G., "IT doesn't Matter," Educause Review, Vol. 38, 2003, pp.24-38.
  10. Cegarra-Navarro, J. G., Cepeda-Carrion, G., and Eldridge, S., "Balancing Technology and Physician-patient Knowledge Through an Unlearning Context," International Journal of Information Management, Vol. 31, No. 5, 2011, pp.420-427. https://doi.org/10.1016/j.ijinfomgt.2010.12.006
  11. Chen, Y., Ramamurthy, K., and Wen, K. W., "Organizations' Information Security Policy Compliance: Stick or Carrot Approach?," Journal of Management Information Systems, Vol. 29, No. 3, 2012, pp.157-188. https://doi.org/10.2753/MIS0742-1222290305
  12. Chou, H. L., and Chou, C., "An Analysis of Multiple Factors Relating to Teachers' Problematic Information Security Behavior," Computers in Human Behavior, Vol. 65, 2016, pp.334-345. https://doi.org/10.1016/j.chb.2016.08.034
  13. Cook, K. S., Emerson, R. M., Gillmore, M. R., and Yamagishi, T., "The Distribution of Power in Exchange Networks: Theory and Experimental Results," American Journal of Sociology, Vol. 89, No. 2, 1983, pp.275-305. https://doi.org/10.1086/227866
  14. D'Arcy, J., Hovav, A., and Galletta, D., "User Awareness of Security Countermeasures and its Impact on Information Systems Misuse: A Deterrence Approach," Information Systems Research, Vol. 20, No. 1, 2009, pp.79-98. https://doi.org/10.1287/isre.1070.0160
  15. Devaraj, S., Fan, M., and Kohli, R., "Examination of Online Channel Preference: Using the Structure-Conduct-Outcome Framework," Decision Support Systems, Vol. 42, No. 2, 2006, pp.1089-1103. https://doi.org/10.1016/j.dss.2005.09.004
  16. Da Veiga, A., and Eloff, J. H., "An Information Security Governance Framework," Information Systems Management, Vol. 24, NO.4, 2007, pp.361-372. https://doi.org/10.1080/10580530701586136
  17. Da Veiga, A., and Eloff, J. H., "A Framework and Assessment Instrument for Information Security Culture," Computers & Security, Vol. 29, No. 2, 2010, pp.196-207. https://doi.org/10.1016/j.cose.2009.09.002
  18. Da Veiga, A., and Martins, N., "Defining and Identifying Dominant Information Security Cultures and Subcultures," Computers & Security, Vol. 70, 2017, pp.72-94. https://doi.org/10.1016/j.cose.2017.05.002
  19. Desouza, K. C., "Facilitating Tacit Knowledge Exchange," Communications of the ACM, Vol. 46, No. 6, 2003, pp.85-88. https://doi.org/10.1145/777313.777317
  20. Dhillon, G., Oliveira, T., Susarapu, S., and Caldeira, M., "Deciding Between Information Security and Usability: Developing Value Based Objectives," Computers in Human Behavior, Vol. 61, 2016, pp.656-666. https://doi.org/10.1016/j.chb.2016.03.068
  21. Eisenberger, R., Fasolo, P., and Davis-LaMastro, V., "Perceived Organizational Support and Employee Diligence, Commitment, and Innovation," Journal of Applied Psychology, Vol. 75, No. 1, 1990, pp.51-59. https://doi.org/10.1037/0021-9010.75.1.51
  22. Emerson, R. M., "Power-Dependence Relations," American Sociological Review, Vol. 27, No. 1, 1962, pp.31-41. https://doi.org/10.2307/2089716
  23. Emerson, R. M., "Exchange Theory, Part I: A Psychological Basis for Social Exchange," Sociological Theories in Progress, Vol. 2, 1972, pp.38-57.
  24. Emerson, R. M., "Social Exchange Theory," Annual Review of Sociology, Vol. 2, 1976, pp.335-362. https://doi.org/10.1146/annurev.so.02.080176.002003
  25. Fornell, C., and Larcker, D. F., "Evaluating Structural Equation Models with Unobservable Variables and Measurement Error," Journal of Marketing Research, Vol. 18, No. 1, 1981, pp.39-50. https://doi.org/10.1177/002224378101800104
  26. Geyskens, I., Steenkamp, J. B. E., and Kumar, N., "A Meta-Analysis of Satisfaction in Marketing Channel Relationships," Journal of Marketing Research, Vol. 36, No. 2, 1999, pp.223-238. https://doi.org/10.1177/002224379903600207
  27. Griffin, M. A., and Neal, A., "Perceptions of Safety at Work: A Framework for Linking Safety Climate to Safety Performance, Knowledge, and Motivation," Journal of Occupational Health Psychology, Vol. 5, No. 3, 2000, pp.347-358. https://doi.org/10.1037/1076-8998.5.3.347
  28. Herath, T., and Rao, H. R., "Encouraging Information Security Behaviors in Organizations: Role of Penalties, Pressures and Perceived Effectiveness," Decision Support Systems, Vol. 47, No. 2, 2009, pp.154-165. https://doi.org/10.1016/j.dss.2009.02.005
  29. Hendricks, J., Exchange Theory in Aging. In G. Maddox (Eds.), The Encyclopedia of Aging (2nd eds.). New York: Springer, 1995.
  30. Hwang, I., and Cha, O., "Examining Technostress Creators and Role Stress as Potential Threats to Employees' Information Security Compliance," Computers in Human Behavior, Vol. 81, 2018, pp.282-293. https://doi.org/10.1016/j.chb.2017.12.022
  31. Hwang, I., Kim, D., Kim, T., and Kim, S., "Why Not Comply with Information Security? An Empirical Approach for the Causes of Non-compliance," Online Information Review, Vol. 41, No. 1, 2017, pp.2-18. https://doi.org/10.1108/OIR-11-2015-0358
  32. Jacobs, R., and Washington, C., "Employee Development and Organizational Performance: A Review of Literature and Directions for Future Research," Human Resource Development International, Vol. 6, No. 3, 2003, pp.343-354. https://doi.org/10.1080/13678860110096211
  33. Jiang, J. C., Chen, C. A., and Wang, C. C., "Knowledge and Trust in E-consumers' Online Shopping Behavior," In Electronic Commerce and Security, 2008 International Symposium on IEEE, 2008, pp.652-656.
  34. Kankanhalli, A., Teo, H. H., Tan, B. C., and Wei, K. K., "An Integrative Study of Information Systems Security Effectiveness," International Journal of Information Management, Vol. 23, No. 2, 2003, pp.139-154. https://doi.org/10.1016/S0268-4012(02)00105-6
  35. KBresearch, KB Knowledge Vitamin: Recent Information Security Trend of Financial Institution and Outlook, 2015.
  36. Knapp, K. J., Morris, R. F., Marshall, T. E., and Byrd, T. A., "Information Security Policy: An Organizational-Level Process Model," Computers & Security, Vol. 28, No. 7, 2009, pp.493-508. https://doi.org/10.1016/j.cose.2009.07.001
  37. Kwok, L. F., and Longley, D., "Information Security Management and Modelling," Information Management & Computer Security, Vol. 7, No. 1, 1999, pp.30-40. https://doi.org/10.1108/09685229910255179
  38. Lee, S. M., Lee, S. G., and Yoo, S., "An Integrative Model of Computer Abuse Based on Social Control and General Deterrence Theories," Information & Management, Vol. 41, No. 6, 2004, pp.707-718. https://doi.org/10.1016/j.im.2003.08.008
  39. Lee, J., and Lee, Y., "A Holistic Model of Computer Abuse within Organizations," Information Management & Computer Security, Vol. 10, No. 2, 2002, pp.57-63. https://doi.org/10.1108/09685220210424104
  40. Loch, K. D., Carr, H. H., and Warkentin, M. E., "Threats to Information Systems: Today's Reality, Yesterday's Understanding," MIS Quarterly, Vol. 16, No. 2, 1992, pp.173-186. https://doi.org/10.2307/249574
  41. Lowry, P. B., and Moody, G. D., "Proposing the Control-Reactance Compliance Model (CRCM) to Explain Opposing Motivations to Comply with Organisational Information Security Policies," Information Systems Journal, Vol. 25, No. 5, 2015, pp.433-463. https://doi.org/10.1111/isj.12043
  42. Mary MacNeil, C., "Exploring the Supervisor Role as a Facilitator of Knowledge Sharing in Teams," Journal of European Industrial Training, Vol. 28, No. 1, 2004, pp.93-102. https://doi.org/10.1108/03090590410513901
  43. Molm, L. D., "Structure, Action, and Outcomes: The Dynamics of Power in Social Exchange," American Sociological Review, Vol. 55, No. 3, 1990, pp.427-447. https://doi.org/10.2307/2095767
  44. Moore, G. C., and Benbasat, I., "Development of an Instrument to Measure the Perceptions of Adopting an Information Technology Innovation," Information Systems Research, Vol. 2, No. 3, 1991, pp.192-222. https://doi.org/10.1287/isre.2.3.192
  45. Nunnally, J. C., Psychometric theory (2nd ed.). New York: McGraw-Hill, 1978.
  46. Nesheim, T., and Gressgard, L. J., "Knowledge Sharing in a Complex Organization: Antecedents and Safety Effects," Safety Science, Vol. 62, 2014, pp.28-36. https://doi.org/10.1016/j.ssci.2013.07.018
  47. Neal, A., Griffin, M. A., and Hart, P. M., "The Impact of Organizational Climate on Safety Climate and Individual Behavior," Safety Science, Vol. 34, No. 1, 2000, pp.99-109. https://doi.org/10.1016/S0925-7535(00)00008-4
  48. Nelson, K. M., and Cooprider, J. G., "The Contribution of Shared Knowledge to IS Group Performance," MIS Quarterly, Vol. 20, No. 4, 1996, pp.409-432. https://doi.org/10.2307/249562
  49. Pham, H. C., "Information Security Burnout: Identification of Sources and Mitigating Factors from Security Demands and Resources," Journal of Information Security and Applications, Vol. 46, 2019, pp.96-107. https://doi.org/10.1016/j.jisa.2019.03.012
  50. Safa, N. S., Maple, C., Furnell, S., Azad, M. A., Perera, C., Dabbagh, M., and Sookhak, M., "Deterrence and Prevention Based Model to Mitigate Information Security Insider Threats in Organisations," Future Generation Computer Systems, Vol. 97, 2019, pp.587-597. https://doi.org/10.1016/j.future.2019.03.024
  51. Said, A. R., Abdullah, H., Uli, J., and Mohamed, Z. A., "Relationship between Organizational Characteristics and Information Security Knowledge Management Implementation," Procedia - Social and Behavioral Sciences, Vol. 123, 2014, pp.433-443. https://doi.org/10.1016/j.sbspro.2014.01.1442
  52. Siponen, M., Pahnila, S., and Mahmood, M. A., "Compliance with Information Security Policies: An Empirical Investigation," Computer, Vol. 43, No. 2, 2010, pp.64-71. https://doi.org/10.1109/MC.2010.35
  53. Steinbart, P. J., Raschke, R. L., Gal, G., & Dilla, W. N., "The Influence of a Good Relationship between the Internal Audit and Information Security Functions on Information Security Outcomes," Accounting, Organizations and Society, Vol. 71, 2018, pp.15-29. https://doi.org/10.1016/j.aos.2018.04.005
  54. Straub, D. W., and Welke, R. J., "Coping with Systems Risk: Security Planning Models for Management Decision Making," MIS Quarterly, Vol. 22, No. 4, 1998, pp.441-464. https://doi.org/10.2307/249551
  55. Thibaut, J. W., and Kelley, H. H., The Social Psychology of Groups. New York: Wiley, 1959.
  56. Thomson, K., and van Niekerk, J., "Combating Information Security Apathy by Encouraging Prosocial Organisational Behaviour," Information Management & Computer Security, Vol. 20, No. 1, 2012, pp.39-46. https://doi.org/10.1108/09685221211219191
  57. Vance, A., Siponen, M., and Pahnila, S., "Motivating IS Security Compliance: Insights from Habit and Protection Motivation Theory," Information & Management, Vol. 49, No. 3, 2012, pp.190-198. https://doi.org/10.1016/j.im.2012.04.002
  58. Venkatesh, V., Morris, M. G., Davis, G. B., and Davis, F. D., "User Acceptance of Information Technology: Toward a Unified View," MIS Quarterly, Vol. 27, No. 3, 2003, pp.425-478. https://doi.org/10.2307/30036540
  59. Verizon, Verizon 2016 Data Breach Investigations Report, 2016.
  60. Von Solms, R., "Information Security Management: Why Standards are Important," Information Management & Computer Security, Vol. 7, No. 1, 1999, pp.50-58. https://doi.org/10.1108/09685229910255223
  61. Vroom, C., and Von Solms, R., "Towards Information Security Behavioural Compliance," Computers & Security, Vol. 23, No. 3, 2004, pp.191-198. https://doi.org/10.1016/j.cose.2004.01.012
  62. Wang, P. A., "Information Security Knowledge and Behavior: An Adapted Model of Technology Acceptance," In Education Technology and Computer (ICETC), 2010 2nd International Conference on (Vol. 2, pp. V2-364). IEEE, 2010, June.
  63. Warkentin, M., and Willison. R., "Behavioral and Policy Issues in Information Systems Security: The Insider Threat," European Journal of Information Systems, Vol. 18, 2009, pp.101-105. https://doi.org/10.1057/ejis.2009.12
  64. West, R., "The Psychology of Security," Communications of the ACM, Vol. 51, No. 4, 2008, pp.34-40. https://doi.org/10.1145/1330311.1330320
  65. Whitman, M. E., "In Defense of the Realm: Understanding the Threats to Information Security," International Journal of Information Management, Vol. 24, No. 1, 2004, pp.43-57. https://doi.org/10.1016/j.ijinfomgt.2003.12.003
  66. Whitman, M. E., Townsend, A. M., and Aalberts, R. J., "Information Systems Security and the Need for Policy," In Information Security Management: Global Challenges in the New Millennium, 2001, pp.9-18.
  67. Wixom, B. H., and Watson, H. J., "An Empirical Investigation of the Factors Affecting Data Warehousing Success," MIS Quarterly, Vol. 25, No. 1, 2001, pp.17-41. https://doi.org/10.2307/3250957