The Influence of Sanctions and Protection Motivation on the Intention of Compliance with Information Security Policies: Based on Parameter of Subjective Norm

A Study on Sanctions, Protection Motivation, and the Intention to Comply with Information Security Policies: Mediated by Subjective Norm

  • 신혁 (한국산업기술보호협회 산업기술보호실)
  • Received : 2019.03.10
  • Accepted : 2019.06.30
  • Published : 2019.06.30


This study applied the Theory of Reasoned Action by Fishbein & Ajzen (1975) as its underlying theory and adopted sanctions from General Deterrence Theory and protection motivation from Protection Motivation Theory as antecedents, discussing the theoretical factors and cases of their application in the field of information security. It then adopted subjective norm, a variable of the Theory of Reasoned Action, as a mediating variable to analyze the causal relationships of sanctions, perceived vulnerability, response cost, and self-efficacy with the intention to comply with information security policies. As a result, all of the antecedents except sanctions had a causal relationship with the intention, and subjective norm proved its mediating effect between the antecedents and the intention.


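  1. 기광도, "An analysis of the deterrent effect of punishment for law violations: Focusing on the cognitive aspect", 한국형사정책학회, 형사정책, Vol. 16, No. 2, pp. 9-35, 2004.
  2. 박찬욱 and 이상욱, "A study on personal information protection behavior on the Internet: Focusing on Protection Motivation Theory", 한국인터넷정보학회, Vol. 15, No. 2, pp. 171-199, 2015.
  3. 송지준, "SPSS/AMOS Statistical Analysis Methods," 21세기사, 2017.
  4. 신혁, 강민형, 이철규, "The effects of management's role and protection motivation factors on information security policy compliance: Based on the Theory of Planned Behavior", 융합보안논문지, Vol. 18, No. 1, pp. 69-84, 2018.
  5. 심준보, 황경태, "A study on information security measures influencing information security policy compliance of bank IT personnel", 한국데이타베이스학회, Vol. 22, No. 2.
  6. 이정하, 이상용, "A study of factors influencing violation of financial companies' security policies: The moderating effect of perceived customer information sensitivity", 한국데이타베이스학회, 22(4), pp. 225-251, 2015.
  7. 이창훈, 하옥현, "A convergence security management system for preventing leakage of confidential information", 융합보안논문지, Vol. 10, No. 4, pp. 61-67, 2010.
  8. 정재원, 이정훈, 김채리, "A study on the effect of corporate information security activities on members' intention to comply with information security", 융합보안논문지, Vol. 16, No. 7, pp. 51-59, 2016.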
  9. Ajzen, I. "The theory of planned behavior," Organizational Behavior and Human Decision Processes, Vol.50, pp. 179-211. 1991.
  10. Ajzen, I., and Fishbein, M., "Attitude-Behavior Relations: A theoretical analysis and review of empirical research", Psychological Bulletin, 84(5), pp. 888-918, 1977.
  11. Aurigemma, S., "A composite framework for behavioral compliance with information security policies," Journal of Organizational and End User Computing, Vol. 25, No. 3, pp. 32-51. 2013.
  12. Aurigemma, S., and Panko, R., "A composite framework for behavioral compliance with information security policies", 2012 45th Hawaii International Conference on System Science, pp. 3248-3257, 2012.
  13. Bankston, W. B., and Cramer, A., "Toward a Macro-Sociological Interpretation of General Deterrence", Criminology, 12, pp. 251-280, 1974.
  14. Boss, S., Kirsch, L., Angermeier, I., Shingler, R., and Boss, R., "If Someone Is Watching, I'll Do What I'm Asked: Mandatoriness, Control, and Information Security", European Journal of Information Systems, Vol. 18, No. 2, pp. 151-164. 2009.
  15. Bulgurcu, B., Cavusoglu, H., and Benbasat, I., "Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness," MIS Quarterly, Vol. 34, No. 3, pp. 523-548. 2010.
  16. Compeau, D. R. and Higgins, C. A., "Computer Self-Efficacy: Development of a Measure and Initial Test", MIS Quarterly, Vol. 19, No. 2, pp. 189-211, Jun. 1995.
  17. D'Arcy, J. and Herath, T., "A review and analysis of deterrence theory in the IS security literature: Making sense of the disparate findings", European Journal of Information Systems, 20(6), pp. 643-658, 2011.
  18. Fishbein, M. and Ajzen, I., "Belief, attitude, intention and behavior: An introduction to theory and research", Reading, MA: Addison-Wesley, 1975.
  19. Gochman (Ed.), "Handbook of health behavior research I: Personal and social determinants", New York, NY: Plenum Press. pp. 113-132, 1997.
  20. Herath, T., and Rao, H. R., "Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness," Vol.40, pp. 154-165. 2009a.
  21. Herath, T., and Rao, H. R., "Protection motivation and deterrence: A framework for security policy compliance in organizations," European Journal of Information Systems, Vol.18, pp. 106-125. 2009b.
  22. Ifinedo, P., "Information systems security policy compliance: An empirical study of the effects of socialization, influence, and cognition," Information & Management, Vol. 51, No. 1, pp. 69-79, 2014.
  23. Ifinedo, P., "Understanding information systems security policy compliance: An integration of the theory of planned behavior and protection motivation theory," Computers and Security, Vol. 31, pp. 83-95. 2012.
  24. Kankanhalli, A., Teo, H. H., Tan, B. C., and Wei, K. K., "An integrative study of information systems security effectiveness", International Journal of Information Management, 23(2), pp.139-154, 2003.
  25. Katsikas, S. K., "Health care management and information systems security: Awareness, training or education?" International Journal of Medical Informatics, Vol. 60, No. 2, pp. 129-135. 2000.
  26. Lee, J., and Lee, Y., "A holistic model of computer abuse within organizations," Information Management & Computer Security, Vol.10, No.2, pp. 57-63. 2002.
  27. Nunnally, J. C., Psychometric Theory, New York, McGraw-Hill, 1978.
  28. Pahnila, S., Siponen, M., and Mahmood, A., "Employees' behavior towards IS security policy compliance," System Sciences, 2007 HICSS 2007 40th Annual Hawaii International Conference on, pp. 156b. 2007a.
  29. Pahnila, S., Siponen, M., and Mahmood, A., "Which factors explain employees' adherence to information security policies? An empirical study," Pacific Asia Conference on Information Systems (PACIS) Proceedings, 2007b.
  30. Rogers, R. W., "A Protection Motivation Theory of fear appeals and attitude change," The Journal of Psychology, Vol.91, pp. 93-114. 1975.
  31. Rogers, R. W., and Prentice-Dunn, S., "Protection motivation theory," In D. S., 1997.
  32. Siponen, M., Mahmood, A., and Pahnila, S., "Employees' adherence to information security policies: An empirical field study," Information Management. Vol.51, pp. 217-224. 2014.
  33. Siponen, M., Pahnila, S., and Mahmood, A., "Employees' adherence to information security policies: An empirical study," IFIP International Federation for Information Processing. Vol.232, pp. 133-144. 2007.
  34. Siponen, M., and Vance, A., "Neutralization: New insights into the problem of employee systems security policy violation," MIS Quarterly, Vol.34, No.3, pp. 487-502. 2010.
  35. Sommestad, T., Hallberg, J., Lundholm, K., and Bengtsson, J., "Variables influencing information security policy compliance," Information Management & Computer Security, Vol.22, No.1, pp. 44-75. 2014.
  36. Son, J. Y., "Out of fear or desire? Toward a better understanding of employees' motivation to follow IS security policies," Information & Management, Vol.48, pp. 296-302. 2011.
  37. Straub, D. W., "Effective IS security: An empirical study", Information Systems Research, 1(3), pp. 255-276, 1990.
  38. Vance, A., "Neutralization: New Insights into the Problem of Employee Systems Security Policy Violations," Management Information Systems Quarterly, Vol. 34, No. 3, pp. 487-502, 2010.
  39. Vance, A., Siponen, M., and Pahnila, S., "Motivating IS security compliance: Insights from habit and protection motivation theory," Vol.49, pp. 190-198. 2012.
  40. Whitman, M. E., "In defense of the realm: Understanding the threats to information security", International Journal of Information Management, 24(1), pp. 43-57, 2004.
  41. Zhang, J., Reithel, P. J., and Li, H., "Impact of perceived technical protection on security behavior", Information Management & Computer Security, 17(4), pp. 330-340, 2009.