Journal of Navigation and Port Research (한국항해항만학회지)

Korean Institute of Navigation and Port Research (한국항해항만학회)
권호 표지
DOI QR코드

DOI QR Code

Factors Affecting the Information Security Awareness and Perceived Information Security Risk of Employees of Port Companies

항만기업 종사자들의 정보보안인식과 지각된 정보보안위험에 영향을 미치는 요인

  • Chang, Myung-Hee (Division of Shipping Management, Korea Maritime University) ;
  • Kang, Da-Yeon (Department of Shipping Management, Graduate School of Korea Maritime University)
  • 장명희 (한국해양대학교 해운경영학부) ;
  • 강다연 (한국해양대학교 대학원 해운경영학과)
  • Received : 2012.02.20
  • Accepted : 2012.04.25
  • Published : 2012.04.30
Download PDF
⟨ Previous Next ⟩

Abstract

The purpose of the present study is to empirically examine factors that affect the information security awareness and perceived information security risk of employees of port companies. In particular, in order to identify factors that affect the perceived information security risks, we investigated the relation of assets, threats, and vulnerabilities to it, using the risk analysis methodology. With A total of 252 valid questionnaires, we also performed the structural equation modeling analysis using AMOS. It was found that first, there was no meaningful relationship between the information assets and the perceived information security risk in the case of employees of port companies. Second, threats and vulnerabilities turned out to have positive influences on the perceived information security risk. Finally, there was a positive relationship not only between the information security awareness and the information security education, but also between the information security awareness and the intention of information security. However, there was no meaningful relationship between the information security concern and the information security awareness.

본 연구의 목적은 항만기업 종사자들의 정보보안인식정도와 지각된 정보보안위험 정도에 영향을 미치는 요인들이 어떤 것들이 있는지를 실증 분석하는 것이다. 특히, 지각된 정보보안위험에 영향을 미치는 요인을 파악하기 위하여 위험분석방법론을 토대로 자산, 위협, 취약성과의 관계를 분석하였다. 252개의 유효설문을 대상으로 AMOS를 이용한 구조방정식 모형 분석을 하였다. 연구결과를 보면, 첫째, 항만기업 종사자의 경우 정보자산은 지각된 정보보안위험에 유의하지 않은 결과로 분석되었다. 둘째, 위협, 취약성은 지각된 정보보안위험에 유의한 영향을 미치는 것으로 나타났다. 마지막으로, 정보보안인식과 정보보안교육, 정보보안인식과 정보보안의도와의 관계는 유의하게 분석되었다. 그러나 정보보안관심도는 정보보안인식에 유의하지 않은 것으로 분석되었다.

Keywords

References

  1. 김수엽, 최종희, 김찬호(2009), 항만물류보안산업의 발전방안 연구, 한국해양수산개발원
  2. 김정덕(2000), ISO 정보기술 보안관리지침 표준화동향, 한국정보보호진흥원
  3. 노순동(2004), "기업체의 효율적인 보안관리 모델", 산업보안논총 창간호, pp. 79-101.
  4. 문용은, 박유진(2002), "IS 아웃소싱의 위험과 아웃소싱의 정도에 관한 연구", 정보시스템 연구 11권 1호, pp. 1-28.
  5. 박준경, 김범수, 조성우(2011), "기업 정보보호 활동을 위한 조직 구성원들의 태도와 주요 영향 요인", 경영학연구 40 권 4호, pp. 955-985.
  6. 엄정호(2003), "정보시스템의 체계적인 위험관리를 위한 실용적인 위험감소 방법론에 관한 연구", 정보처리학회논문지 10권 C호, pp. 125-132.
  7. 이문구(2004), "정보시스템 보안관리를 위한 위험분석 방법론", 전자공학회논문지 41권 6호, pp. 13-22.
  8. 이민섭(2003) "정규학교에서의 정보보호 교육 강화 방안", 정보보호학회지 13권 6호, pp. 67-78.
  9. 이재원, 류형근, 안정흠(2010), "국내물류기업의 물류보안 인식에 관한 연구", 한국항해항만학회지 34권 1호, pp. 45-50.
  10. 이홍걸(2009), "주요 컨테이너 터미널의 정보보호 수준 평가에 관한 연구", 한국항해항만학회지 33권 10호, pp. 735-742.
  11. 임채호(2006) "효과적인 정보보호인식제고방안", 정보보호학회지 16권 2호, pp. 30-36.
  12. 정우리(2012), "해상보안관리 분석모델 개발에 관한 연구", 한국항해항만학회지 36권 1호, pp. 9-14.
  13. 정보통신부(2010), 국가정보보호백서
  14. 홍일유, 이종삼(2000), "국내기업의 정보시스템 보안위협 인식에 관한 연구", 경영학회지 27권 2-1호, pp. 157-185.
  15. Broderick, J.S.(2001), "Information Security Management -When Should it be Managed?", Information Security Technical Report, Vol.6, No.3, pp. 12-18.
  16. BSI(2005), Code of Practices for Information Security Management. London: British Standards Institution.
  17. Choi, N., Kim, D and Whitmore, A.(2008), "Knowing is Doing", Information Management & Computer Security, Vol.16, No.5, pp. 484-501. https://doi.org/10.1108/09685220810920558
  18. CMU/SEI(1999), Operationally Critical Threat, Asset, Vulnerability Evaluation(OCTAVE) Framework, Ver. 1.0, CMU/SEI-99-TR-017. Carnegie Mellon University/ Software Engineering Institute, June.
  19. CSE(1996), Guide to Security Risk Management for IT Systems, Communications Security Establishment, Government of Canada.
  20. Dhillon, G. and Backhouse, J.(2000), "Information System Security Management in the New Millennium", Communications of the ACM, Vol.43, No.7, pp. 125-128. https://doi.org/10.1145/341852.341877
  21. Finne, T.(1998), "A Conceptual Framework for Information Security Management", Computers & Security, Vol.17, No.4, pp. 303-307. https://doi.org/10.1016/S0167-4048(98)80010-2
  22. Haller, S. C(2002), "PRIVACY: WHAT Every Manager Should Know", The Information Management Journal, Vol.36, No.3, pp. 33-44.
  23. Hawkins, S., Yen, D.C. and Chou, D.C.(2000), "Awareness and Challenges of Internet Security", Information Management & Computer Security, Vol. 8, No.3, pp. 131-143. https://doi.org/10.1108/09685220010372564
  24. ISO/IEC(2005), Guideline for the Management of IT Security(GMITS), International Organization for Standardization/International Electrotechnical Commission.
  25. Loch, K.D., Carr, H.H. and Warkentin, M.E.(1992), "Threats to Information Systems: Today's Reality, Yesterday's Understanding", MIS Quarterly, Vol.16, No.2, pp. 173-186. https://doi.org/10.2307/249574
  26. McCoy, C and Fowler, R.T.(2004), "You are the Key to Security :Establishing a Successful Security Awareness Program", ACM SIGUCCS Conference, No.32, pp .346-349.
  27. NIST(2001), Security Self-Assessment Guide for Information Technology Systems. Special Publication 800-26.
  28. NIST(2002), Risk Management Guide for Information Technology Systems. Special Publication 800-30.
  29. Nosworthy, J. D.(2000), "Implementing Information Security in the 21st Century-Do You Have the Balancing Factors?", Computers & Security, Vol.19, No.4, pp. 337-347. https://doi.org/10.1016/S0167-4048(00)04021-9
  30. Petrova, K., Sinclair, R.(2003), "Expanding the Understanding: Transactions and Security Awareness for Business Students", New Zealand Journal of Applied Computing and Information Technology, Vol.7, No.1, pp. 82-88.
  31. Pounder, C.(2003), "Security with Unfortunate Side Effects", Computers & Security, Vol.22, No.2, pp. 115-118. https://doi.org/10.1016/S0167-4048(03)00206-2
  32. Rainer, R., Snyder, C. and Carr, H.(1991), "Risk Analysis for Information Technology", Journal of Management Information System, Vol.8, No.1, pp. 129-147. https://doi.org/10.1080/07421222.1991.11517914
  33. Rezgui, Y. and Marks, A.(2008), "Information Security Awareness in Higher Education: an Exploratory Study", Computers & Security, Vol.27, No.7, pp. 241-253. https://doi.org/10.1016/j.cose.2008.07.008
  34. Ronald, C., Curtis, C. and Aaron, J.(2007), "Phishing for User Security Awareness", Computer & Security, Vol.26, pp. 73-80. https://doi.org/10.1016/j.cose.2006.10.009
  35. Spurling, P.(1995), "Promoting Security Awareness and Commitment", Information Management & Computer Security, Vol.3, No.2, pp. 20-26.
  36. Straub, D. and Nance, W.(1990), "Discovering and Disciplining Computer Abuse in Organizations: A Field Study", MIS Quarterly, Vol.14, No.1, pp. 45-60. https://doi.org/10.2307/249307
  37. White, S.(1998), "Open Problems in Computer Virus Research", Virus Bulletin Conference, Oct 22.

Cited by

  1. The Effects of User's Security Awareness on Password Security Behavior vol.14, pp.2, 2013, https://doi.org/10.9728/dcs.2013.14.2.179