[Abstract]
With the recent utilization of information technology to secure competitive advantage, information systems hold a key position in the business sector. Hence, minimizing information loss is the core competitive advantage that determines the ultimate fate of organizations, and information security is a crucial element for businesses.
Small and medium-sized organizations are also introducing various information technology and IT systems in order to secure competitiveness. Behind the information solution, however, lie a number of other issues: a lack of prevention systems and of awareness of the adverse effects of information technology, together with the possibility of leakage, exposes them to even more risk. Numerous cases related to information security leakage have been reported both at home and abroad, stressing the need for constant alertness; thus, for small-medium companies to grow beyond survival, there must exist informationization as well as consideration of the possible detrimental effects of informationization, including preventative measures for such effects.
However, most companies introduce technical elements only as measures for information security, and subsequent measures for individuals within an organization are minimal. This is due largely to a lack of consideration of situational factors, such as corporate culture and environment; thus, information security should begin from companies' recognition of its undeniable importance. The fundamental issue of information security is based on human will and behavior; to protect information and systems, it is important to configure effective policies (a management aspect rather than a technical one) and to motivate members of organizations to exercise the system.
The effectiveness of information security measures used by many companies today has not yet been verified; furthermore, consideration of members of organizations, from a private perspective, is insufficient.
Therefore, the study conducted empirical verification on the effect of behavior and information security awareness on a personal level, of the members of organization on information security performance, such that there should be a change of consciousness among members of small-medium companies in implementing information security of organizations in a new management environment.
In particular, the study broke away from the old fragmentary perspective that the information security awareness of members will lead to information security performance, and presumed that information security awareness will influence information security behavior and also affect information security performance. To prove the effect of information security awareness on information security behavior, the study used rational behavior hypothesis correction, an intention-based model from the perspectives of cognitive behavior theories and social psychology, TPB (Theory of Planned Behavior), and TAM (Technology Acceptance Model). Cognitive behavior theories and intention-based models of sociological perspective suggest that human reasoning or cognition influences human emotion and behavior; based on these theories, the study applied the relations of information security awareness and information security behavior as a framework, presuming that the awareness people have of information security results in behavioral consequences.
The study conducted a survey targeting small-to-medium-sized companies with fewer than 1,000 employees, and the survey respondents were members of organizations. While many previous studies have focused on the IT or information security personnel of companies, the survey conducted in this study targeted general members of organizations, including IT personnel, considering the expansion of the use of information systems.
To verify the effects of the information security awareness of members of organizations on information security behavior of the company through information security awareness, we utilized structural equation modeling. For analyzing the causality of study variables, AMOS 18.0, which provides model-related assessment data, was used by estimating the computational results of unknown variables, thus confirming the goodness of fit of the models.
Hence, the study used structural equation modeling in order to statistically verify the human relations between independent variable (information security awareness), parameters (information security behavior) and subordination variables (information security performance) included in the study model.
The result of the first analysis of the study shows a significant difference in the path analysis of information security awareness and information security behavior.
It suggests that in order to induce information security behavior of members of an organization, information security awareness promotion should be carried out in advance.
However, the study showed a gap between the information security awareness and the information security behavior of respondents. While the respondents have relatively higher information security awareness and specialization, the study shows low information security behavior. That is, the results show that compared to the information security level of respondents, they have a low information security behavior level. Therefore, measures to increase information security behavior are required in addition to security education for remedial measures.
Second, the study showed that the information security behavior of organization members reduces the frequency of information security incidents and loss caused by incidents of organizations. Hence, based on the preceding research that information security awareness and information security behavior will affect information security performance, the study has proved that the information security of organizations is affected by psychological and behavioral factors of members. Unlike preceding research conducted under the assumption that awareness will affect performance, seeing information security awareness and behavior in the same line, the study confirmed that information security awareness affects information security performance through behavior.
Through the study result, we confirmed that improvement of information security awareness affects information security behavior, and when the level of information security behavior of organization members is improved, it will also enhance information security performance. As such, information security of organizations can be achieved when the level of information security awareness of members improves and moves from awareness to action. Ultimately, for successful information security in an organization, information security action is required through information security awareness promotion reaching every member.
For an organization to effectively implement information security management, information security awareness promotion for members is indispensable. With companies' recent increased reliance on information technology, each member of an organization is required to practice information security awareness promotion and information security behavior in order to embody successful information security, as information loss will directly affect organizations' performance.
The study result, in demonstrating the reason behind the direct effect of an individual's information security awareness on information security performance, shows the importance of the roles of members of organizations. Consequently, companies desperately need measures for members of organizations' spontaneous security information awareness, which will also protect technology, a crucial information asset of companies. The study may therefore suggest a foundation to find rational operation methods and configure information security direction according to behavior and awareness promotion on a personal level among members, and contribute further to decision making as well as effective information security investment.