This study focuses on the banks in which both dependency on IT and information security threat are high, and proposes the practical information security measures that help IT personnel of banks comply the information security policy.
The research model of the study is composed of independent variables (clarity and comprehensiveness of policy, penalty, dedicated security organization, audit, training and education program, and top management support), a dependent variable (information security policy compliance intention), and moderating variables (age and gender).
A total of 411 questionnaires is collected from 3 major banks. Of these, 40 uncompleted questionnaires are excluded and the remaining 371 questionnaires are utilized for the analyses.
Results show that the information security measures except ''clarity of policy'' and ''training and education program'' are proven to affect the ''information security policy compliance intention''. In case of moderating variables, age moderated the relationship between top management support and compliance intention, but gender does not show any moderating effect at all.
Implication of the findings are as follows:
First, in case of information security policy, compliance intention is affected by the contents rather than the form of policy. Therefore, it is important to include all the necessary elements of information security into the policy.
Establishing a dedicated security department is an important security measure to ensure compliance intention of employees. Under the leadership of CISO, which is a mandatory requirement for banks, a dedicated security department should perform information security related works more effectively.
Both penalty and audit affect the compliance intention. Even though they are negative measures, they can effectively deter employees from deviating from the policy.
Surprisingly, training and education program is found to be not significant in affecting compliance intention. However, the program is still an important information security measure and it is necessary to establish a good program and provide it continuously.
Finally, top management support is found to be a good measure to induce compliance intention of employees. However, top management support shows strong effects on relatively old employees. Accordingly, when top management show interest in and support for information security, it would be better for them to utilize the old employee group to diffuse the awareness across the organization.
This study has a number of limitations. First, this study analyzes information security measures based solely on the perception of the respondents. Future study may introduce more objective measurement methods such as systematically analyzing the contents of the information security measures instead of asking the respondents’ perception. Second, this study analyzes intention of employees rather than the actual behavior. A person with solid intention may not actually behave. Therefore, future research may analyze the relationship between intention and actual behavior and the factors affecting the relationship.