조직 내 비고의적 보안위반 인식에 영향을 미치는 자발적 및 비자발적 동기요인과 규제권자 압력의 조절효과에 관한 실증연구 (An Empirical Study on Factors Influencing the Awareness of Nonmalicious Security Violation and the Moderating Effects of Regulatory Pressure)

오늘날 기업의 보안 실패는 피해를 입은 기업에게 막대한 비용과, 신뢰와 명성에도 심각한 손상을 주고 심지어 파산에 이르는 등 부정적 결과의 초래로 기업경영에 큰 걸림돌이 되고 있다. 따라서 기업의 정보보안 목적은 불확실한 사건들로부터 보안 사고에 대한 예방을 최소화함으로써 조직 내부의 피해를 저감하는 것이라고 할 수 있다. 최근 이러한 보안과 관련된 공격 및 침해, 위반에 대한 잠재적인 위험 요소에 대한 관심이 확대되면서 기업의 이에 대한 투자가 증가하고 성공적인 보안설계를 위한 적용범위가 구체화되고 있다. 특히 정보보안 오·남용의 위반 행위 및 사고 발생의 원인은 조직의정보보안에 대한 기본적 통제항목이 없기 때문으로 파악되고 있다. 또한 발견된 위반사고의 상당부분(절반 이상)이 비고의적 사고에 의한 결과로 나타나고 있다. 다시 말하면, 조직 보안문제의 모든 사례는 외부의 파괴적 공격과 일반적인 침해의 결과라기보다 비고의적 오용 및 인적 실수 등 종업원의 소홀한 감시와 조직 내 절차의 부재가 그 원인이 되고 있다.
따라서 조직 내 보안의 비고의적 위반에 대한 적절한 프로세스와 일련의 통제 장치의 실행이 필요하다. 이에 본 연구는‘조직은 무엇에 의해 비고의적 보안위반 통제를 위한 노력을 할 수 있는가?’의 주요 연구 질의에 대한 동기와 해답을 실증적 증명을 통해 찾고자 한다. 이와 같은 연구목적 달성을 위해 비고의적 보안위반의 인식제고를 위해 조직의 내재적 요소로 자발적 동기요인(조직의무, 보안위반경험, 업무이점)과 비자발적 동기요인(조직규범, 처벌강도, 보안위협)을 제안하고,비고의적 보안위반에 대한 행동의 수정 및 억제 그리고 이로 인한 성과에 이르기까지 조직(기업)의 관점에서 어떤 영향을미치는지에 대해 이론적으로 타당성을 평가하였다. 또한 규제권자 압력이 보안위반 인식 및 통제와 성과들 간의 관계에서의 어떤 역할을 하는지를 실증적 검정을 통해 본 연구의 차별화를 확보하였다. 제안된 연구모형의 구조방정식 분석결과,자발적 동기의 조직의무, 보안위반경험, 업무이점, 비자발적 동기의 조직규범, 처벌강도는 보안위반인식에 긍정적인 영향을 미치는 것으로 나타났다. 하지만 보안위협은 보안위반인식에 긍정적인 영향을 미치지 않는다는 사실이 확인되었다. 뿐만 아니라 강압적/강제적 속성의 변수인 규제권자 압력의 조절효과 역시 기업의 보안 관리에 있어 중요한 영향을 미치는것으로 나타났다. 이러한 연구결과는 이전 보안위반의 정성적 및 정량적 연구들에서 찾아 볼 수 없었던 내·외적 주요 변수들을 포함하고 있다. 이는 곧 보안사고의 실수적 측면의 손실을 최소화하기 위한 조사를 통해 보안위반에 대한 모니터링 및 진단과 사전 예방적 대응의 근거 마련 등 조직 및 사용자 행동의 관점에서 이론적, 실무적으로 중요한 시사점을 제시할 수 있다.

Today, many enterprises perceive the risk of information security as a big obstacle in the process of advancement into knowledge information society. In other words, modern companies enjoy various benefits from information, but at the same time they are exposed to various dysfunctions and risks (e.g., cyber terror, the leakage of personal information and important assets, etc.) by external sources. Failures in security of companies’ resources may bring social and financial damages, which may lead to the extinction of the company. In particular, incidents related with information security more frequently results from internal factors, and consequently internal risks are perceived as fatal to organizations. Most of security related incidents are caused by insufficient vigilance on employees, such as lack of loyalty of employees, moral hazard and non-intentional misuse and mistakes, and the absence of the development of detailed indexes.
Thus, issues related to end-users’ behaviors regarding of security have attracted much interest for researchers to explain the successful management of security. No matter what security system is in place, there are potential and incidental possibilities that end users can make a mistake. Moreover, even if end-users have no intention to violate security policies at organization,their mistakes are evaluated as crucial factors in the dimension of loss of information and information related security incidents. Even small and trivial mistakes in security related matters would result in a big and fatal consequency for a organization. However, even with this reality, researches related to information security management has been inconsistent and scant. Prior studies only focus on conventional security, including physical and technical security design and construction, investment effects and decision making for information system security, development and standardization of information security indexes,role and maturity of information security policies, and information security and risk management.
Therefore, there is a need to carry out a series of appropriate control means for nonmalicious violation of information security within organizations.
In this regard, this study was conducted as a part of attempts for identifying the motivation to manage nonmalicious security violation of organizations and for proposing a possible answer for the following research question: “What makes an organization increase awareness of nonmalicious security violation, and what are the processes of information security management (ISM)?” In addition, this study suggested the role of regulatory influence on the processes of information security management. Particularly, this study focuses on the impacts of voluntary motivation and involuntary motivation of an organization as main categories on awareness of nonmalicious security violation that influences control of nonmalicious security violation and excepted benefits of information security. Voluntary motivation includes organizational commitment,experience of security violation, and relative advantage for job performance while involuntary motivation includes workgroup norm, perceived sanctions, and perceived threat. Furthermore,this study is meaningful in that it is differentiated from other studies through the empirical verification of how the regulatory pressure makes effects on awareness of nonmalicious security violation, control and performance. Thus, the following hypotheses were tested: Hypothesis 1: Organizational Commitment will have a positive effect on Awareness of Nonmalicious Security Violation Hypothesis 2: Experience of Security Violation will have a positive effect on Awareness of Nonmalicious Security Violation Hypothesis 3: Relative Advantage for Job Performance will have a positive effect on Awareness of Nonmalicious Security Violation Hypothesis 4: Workgroup Norm will have a positive effect on Awareness of Nonmalicious Security Violation Hypothesis 5: Perceived Sanctions will have a positive effect on Awareness of Nonmalicious Security Violation Hypothesis 6: Perceived Threat will have a positive effect on Awareness of Nonmalicious Security Violation Hypothesis 7a: Regulatory Pressure moderates the relationship between Awareness of Nonmalicious Security Violation and Control of Nonmalicious Security Violation Hypothesis 7b: Regulatory Pressure moderates the relationship between Awareness of Nonmalicious Security Violation and Expected Benefits of Information Security Hypothesis 7c: Regulatory Pressure moderates the relationship between Control of Nonmalicious Security Violation and Expected Benefits of Information Security Hypothesis 8a: Awareness of Nonmalicious Security Violation will have a positive effect on Control of Nonmalicious Security Violation Hypothesis 8b: Awareness of Nonmalicious Security Violation will have a positive effect on Expected Benefits of Information Security Hypothesis 9: Control of Nonmalicious Security Violation will have a positive effect on Expected Benefits of Information Security To induce the research results, 319 responses were collected from employees of domestic companies which were operating information system security activities. Structural Equation Modeling(SEM) approach was used to verify both measurement and structural model. The results showed that all constructs in voluntary and involuntary motivation with exception of perceived threat, had a significant effect on awareness of nonmalicious security violation,which then had a significant effect on control of nonmalicious security violation and excepted benefits of information security. In addition, the moderating effect of regulatory pressure was indicated to have significant influence upon the process of controlling the nonmalicious security violation. The implications of the findings suggest the theoretical and practical implication for minimizing a losses in the mistake-based aspect of security incident through monitoring and diagnosis on security violation.