The Effect of Organizational Information Security Environment on the Compliance Intention of Employee
  • Journal title : The Journal of Information Systems
  • Volume 25, Issue 2,  2016, pp.51-77
  • Publisher : The Korea Association of Information Systems
  • DOI : 10.5859/KAIS.2016.25.2.51
  • Authors : Hwang, Inho; Kim, Daejin
Purpose: Organizations invest significant portions of their budgets in fortifying information security. Nevertheless, security threats posed by employees persist. We discuss methods to reduce the security threats that employees pose in organizations. This study identifies antecedent factors that increase or decrease employees' compliance intention. It also suggests organizational security environment factors that influence those antecedent factors.

Design/methodology/approach: A structural equation model is applied to verify the research model and hypotheses. Data were collected from 415 employees working in organizations with an implemented information security policy in South Korea. We analyzed the fitness and validity of the research model via confirmatory factor analysis, then analyzed the structural model to verify the research hypotheses and derived the results.

Findings: The results show that organizational commitment and peer behavior increase employees' security compliance intention, while security system anxiety decreases it. In addition, an organization's physical security system and security communication both influence the antecedent factors of employees' information security compliance. Our findings help organizations establish information security strategies that enhance employees' security compliance intention.
Keywords: Compliance Intention; Organizational Commitment; Peer Behavior; Security System Anxiety; Work Impediment; Physical Security System; Security Communication
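Cited by
Kim, Daejin, Hwang, Inho, and Kim, Jinsu, "A Study on the Information Security Policy Compliance Behavior of Organization Members: Application of the Modified Triandis Model," Digital Policy Research (디지털정책연구), Vol. 14, No. 4, pp.209-220.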
