A Study on the Effect of Learning Activities and Feedback Seeking Behavior toward the End Users' Faithful Appropriation of Information Security System

A Study on End Users' Internalization of Faithful Information Security System Use, Learning, and Feedback-Seeking Behavior in Organizations

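  • 김민웅 (Interdisciplinary Program of Electronic Commerce, Graduate School, Chonnam National University) ;
  • 정기주 (College of Business Administration, Chonnam National University)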
  • Received : 2016.08.16
  • Accepted : 2016.09.21
  • Published : 2016.09.30

Abstract

Purpose: The purpose of this paper is to examine the factors and mechanisms that induce end users' faithful appropriation of information security behavior through the information security system. The study also seeks to identify the role of employees' adaptive activities, such as learning and feedback-seeking behavior, in information security within organizations.

Design/methodology/approach: An empirical study was carried out with a sample of employees working in a financial service company. Employees (n = 268) completed a written questionnaire. Structural equation modeling was used to analyze the data.

Findings: Results indicated that employees' learning activities and feedback-seeking behavior fully mediated the effect of major information security factors on end users' faithfulness of appropriation of information security systems. To raise the level of employees' information security behavior in accordance with security guidelines, organizations should facilitate interactions that support the feedback-seeking process between employees on information security awareness and behavior. Additionally, organizations may reinforce these behaviors through periodic training and by adopting bounty hunter systems.
