- 學位論文
An Integration of Organizational Citizenship Behavior and Deterrence Theory in Exploring Information Security Behaviors
An Integration of Organizational Citizenship Behavior and Deterrence Theory in Exploring Information Security Behaviors
摘要
由於近年來資訊安全事故的層出不窮,企業組織對於資訊系統的安全性也日益重視。過去對於資訊系統安全性的研究多數由技術角度出發,然而以社會學與組織層面切入探討資訊安全問題的研究卻相當稀少。此外,在這些有限的資訊安全管理研究當中,儘管目前多數結果無意外的贊同企業資訊安全意識課程(security awareness program)確實有效提升員工對於組織資訊安全政策的遵從性(compliance),然而亦有一些管理者在報章雜誌上對此結論提出質疑。因此,資訊安全意識與資訊安全遵從性的關聯有重新檢視的必要。 本論文旨在探討員工遵從組織資訊安全政策的原因與過程。論文當中除考量了懲罰與承諾對於員工資訊安全政策遵從性的影響外,亦探討了心理契約(psychological contract)從中扮演的角色。本研究透過滾雪球抽樣法收集了203筆有效樣本,並使用PLS方法進行統計分析,得出五點結論:(1)員工的資訊安全意識(security awareness)與其「資訊安全政策遵循性」、「對於資訊安全的承諾」無關,然而對「預期懲罰」(sanctions perception)與「組織公民行為」(organizational citizenship behavior)有正向的顯著關係;(2)員工對於違反資訊安全政策的「預期懲罰」正向影響其「資訊安全政策遵從性」與「組織公民行為」,然而與「資訊安全的承諾」無顯著關係;(3) 員工對「資訊安全的承諾」顯著且正向的影響其「資訊安全政策遵循性」與「組織公民行為」;(4)員工的「組織公民行為」正向顯著影響其「資訊安全政策遵循性」;(5) 「關係型」(relational type)心理契約為「資訊安全意識」與「預期懲罰」關係間的干擾變數。
並列摘要
In this thesis, we proposed a complete picture of IS security compliance both from a positive attitude (commitment and “organizational citizenship behaviors” (OCBs)) to a negative attitude (expectation to sanctions) to understand the procedures for IS security compliance. The moderating effect of “psychological contract” was also examined. By sampling via snowball method, useful data from 203 respondents were collected. Using PLS 3.0 as the tool of data analysis, we concluded that (1) security awareness of employees was not positively related to compliance of security policies and employees’ commitment of information security, but positively impacted on employees’ sanctions perception and OCB; (2) sanctions perception of employees was positively related to compliance of security policies and OCB, but not positively related to employees’ commitment of information security policy; (3) employees’ commitment of information security policy was positively related to compliance of security policies and OCB; (4) OCB was positively related to compliance of security policies; (5) only relational psychological contract type moderated the magnitude of the relationship between security awareness and sanctions perception, but both transactional and relational psychological contract type did not moderate the magnitude of the relationship between security awareness and commitment of information security.