Next Article in Journal
No Tradeoff in Fiber Quality with Increased Cotton Yield Due to Outcross Pollination
Next Article in Special Issue
Human, Technical, and Organizational Drivers Affecting Sustainability of Content Firms through Management and Innovation Capability during COVID-19
Previous Article in Journal
Managing Sustainable Transitions: Institutional Innovations from India
Previous Article in Special Issue
A Smart Surveillance System for People Counting and Tracking Using Particle Flow and Modified SOM
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Sustainable Information Security Behavior Management: An Empirical Approach for the Causes of Employees’ Voice Behavior

1
Entrepreneurship, Kookmin University, Seoul 02707, Korea
2
Management Information System, Kookmin University, Seoul 02707, Korea
*
Author to whom correspondence should be addressed.
Sustainability 2021, 13(11), 6077; https://doi.org/10.3390/su13116077
Submission received: 19 April 2021 / Revised: 14 May 2021 / Accepted: 24 May 2021 / Published: 28 May 2021

Abstract

:
As organizations’ interest in information resources expands, their investments in information security (IS), such as the introduction of IS policies and new technologies, are also expanding. Nevertheless, IS incidents and threats within the organization have not decreased. This study aims to protect organizations’ information assets by maintaining the level of continuous IS behavior of the organization insiders. Moreover, this study suggests a method to induce continuous security behavior of individuals by confirming the relationship between IS-related voice behavior and IS-related organizational justice, which is an action concept that provides continuous opinions to achieve security goals. This study derives research models and hypotheses through previous studies and tests hypotheses through structural equation modeling. The target subjects are members of the organization who introduced the IS policy. A total of 325 samples were secured through the questionnaire method, and hypotheses were verified. Results reveal that voice behavior related to IS is negatively influenced by work impediment and positively influenced by organizational identification. In addition, procedural and information justice that influence prior actions related to IS affect the cause of personal security behavior (work impediment and organizational identification). Additionally, justice sensitivity adjusted the impact relationship between IS-related organizational justice and the cause of security behavior. The study presents the importance of voice behavior in maintaining the level of IS within the organization continuously. Moreover, it has practical implications in that efforts to improve organizational justice and voice behaviors vary according to the level of individual justice sensitivity.

1. Introduction

Information management is recognized as an organization’s growth value; hence, organizations are increasing their interest in the operation and management of information resources. Global organizations are trying to secure the ISO international standard certification (ISO/IEC 27001) related to information security (IS). In the case of Korea, an information protection management system established at the national level based on the Personal Information Protection Act ISMS (IS management system) certification and other efforts are being made. In fact, the IS-related market is growing rapidly, and the global cybersecurity market is expected to grow at an annual average growth rate of 10% from 2020 to 2027, reaching USD 326.4 billion by 2027 [1].
Despite continuous investments such as the introduction of policies and technologies for IS at the organization level, the number of incidents related to IS in organizations has not decreased. In particular, the occurrence of IS incidents decreases the value of an organization; hence, organizations tend to hide when a security incident occurs. Moreover, the actual number of IS incidents internally is higher than those exposed to the outside and continues to increase [2].
Looking at the types of IS incidents worldwide, information-stealing incidents (e.g., malware, hacking, and viruses) that occur through technical intrusion outside the organization account for 60–70% of all security incidents every year. Accidents caused by exposure account for 20–30% of all security incidents each year [2]. Loch et al. [3] classified IS incident types into human/nonhuman and external/internal and mentioned that customized security measures for each characteristic are necessary. Moreover, he said that human-external and nonhuman-internal problems are caused by technical intrusion. Improvement was deemed important for the human-external problem, which was regarded as force majeure because external-inhuman means physical damage due to natural disasters, etc. However, the human-internal problem is said to be a difficult field to control and manage because it only relies on the behavior of the organization insider. Recently, IS accidents by insiders seem to be caused by more various types of information exposure methods (e.g., social networks and external sharing systems) as information sharing systems, for example, are activated to improve the organization’s operation [2]. To improve the level of IS, apart from introducing security technology to prevent external intrusion, paying attention to the behavior of organization members who must apply IS to work is necessary.
Previous studies related to the IS compliance behavior of organization members pointed out the need for the organization to form a motivation for positive and active IS compliance of its members because the compliance behavior of individuals occurs from a psychological viewpoint. In particular, in criminology, psychology, sociology, etc., by incorporating the theory of behavioral changes of individuals belonging to an organization or social group into the field of IS, several scholars presented the preceding motives for prevention of noncompliance with IS or reinforcement of compliant behavior from various perspectives. For example, Bulgurcu et al. [4] and Kajtazi et al. [5] applied the rational choice theory to the field of IS, where individuals are concerned about the cost of noncompliance and security compliance. The decision to comply with IS was made by comprehensively considering the benefits. Meanwhile, Guo et al. [6] and Jaeger et al. [7] used the deterrence theory to predict the severity of penalties for IS noncompliant individuals. In addition, Posey et al. [8] and Wu [9] applied the protection motivation theory, which combines the high threat perception of noncompliance with IS and the individual’s sense of efficacy for coping with the problem. Indeed, the IS motive was formed and led to security action. In other words, IS studies related to individual behavior have high implications in that personal IS forms a specific motive based on the IS-related environment and information provided by the organization, leading to the willingness to comply with security or actual behavior.
In addition, looking at previous research on organizations explaining changes in individual behavior by environmental characteristics, representatively, one can find the theory of IS-related organizational justice. The formation of a sense of justice for an organization increases positive emotions and motivations (i.e., trust and organizational identification) [10] or reduces negative emotions and motivations (i.e., privacy concerns and stress) [11,12]. Moreover, it forms positive attitudes and behavioral intentions toward the organization [13,14] and positively influences the performance of individuals or organizational units within the organization [15,16]. In other words, when the belief that the organization is treating its members fairly arises, the members of the organization form a belief that they are being treated appropriately by the organization, thereby reducing negative motives and raising positive motives to encourage positive behavior in the areas required by the organization. In particular, the concept of justice is becoming more subdivided, and if the distribution of initial results was the central concept of justice [17], the process of action progresses fairly for anyone to proceed with justice (procedural justice). Information on whether the necessary information on requirements is provided fairly to anyone is classified into information justice [12,13,18]. Moreover, even in the same situation, justice is an individual perception. The concept of justice sensitivity, which is judged differently according to an organizational level, has been proposed [19], suggesting various effort factors that influence an individual’s motivational improvement or behavioral change accessible at the organizational level.
However, the field of IS has yet to focus on presenting the types of motivations affecting the behaviors complying with IS, as well as IS-related organizational justice, which is an important concept at the organizational level as it affects the cause of individual behavior [20,21]. An individual’s IS behavior is presented in a few studies in which IS-related organizational justice directly affects the compliance intention by approaching it from an exploratory viewpoint [20,21]. A detailed access to IS-related organizational justice that helps the cause is lacking.
In addition, the organization insiders’ view of IS behavior is also approached based on compliance intention or action, which is the aspect of applying IS to an individual’s work [4,9,22], to continuously improve the level of security compliance within the organization. Apart from the security compliance actions of the individual, proactive opinions that can be reflected in the work to achieve the organization’s security goals, as well as the issues of the introduced IS policy, are presented. Moreover, the concept of action to improve must also be included.
The current study presents the factors affecting voice behavior from the negative and positive aspects by applying voice behavior, which is the concept of actively presenting and acting on security-related opinions for the sustainability of the IS level within the organization. This study confirms that IS-related organizational justice concerning IS, which is an organizational effort factor, affects the cause of security behavior. In detail, the study first suggests organizational identification, which causes voice behavior from the perspective of IS. Second, it presents the IS-related organizational justice factors (procedural justice and information justice) related to IS and checks their impact on organizational identification and consistency. Finally, we want to check the difference in the influence of justice factors on the negative and positive behavior according to the individual’s level of justice sensitivity.
The results of this study suggest a direction of IS-related justice that should be considered at the organizational level to increase the motivation for IS compliance activities of organization insiders. By applying the concept to the IS field, this study presents academic implications as a preceding study of IS-related organizational justice related to IS.

2. Literature Review

2.1. Information Security-Related Voice Behavior

The threat of information disclosure by an organization insider, irrespective of the person’s position or job, can occur anytime, anywhere, with any technical device, as long as the organization’s information system is accessible. In fact, insiders were found to be unrelated to IS jobs, for example, general managers, sales workers, and engineers other than IT professionals [2].
West [23] insisted that the problem of organization insiders’ compliance with IS should be solved from a psychological viewpoint. He said it could not be controlled and managed [23]. Moreover, in IS, an individual’s behavioral outcome is not an incentive for performance, but rather a penalty for noncompliance [6]. In fact, most organizations present sanction indicators for noncompliance behavior rather than performance indicators for IS compliance. Hence, individuals tend to avoid IS activities immediately if those activities are inconvenient or hinder their job performance [9,24]. Therefore, the IS compliance behavior of an organization member is executed by their own compliance decision-making, and individuals tend to decide on the behavior based on the IS compliance motive [25].
Information security compliance behavior refers to the behavior of applying IS activities requested by an organization to an individual’s work and organizational life [22]. In other words, IS compliance behavior is the concept of applying the IS-related information obtained from the organization to the scope of one’s business actions. This study intends to apply the concept of voice behavior, beyond the observance behavior of the person’s point of view, to another person or organization, which is a suggestion to improve the positive view of IS. Voice behavior is defined as constructive change-oriented communication intended to improve the situation [26]. It includes actions that optimize business operations and management within an organization, proactively express opinions constructively to complete a given goal, and express concerns about issues that may negatively affect growth and performance [27,28]. In other words, from the IS perspective, voice behavior suggests the necessity of proactive action to colleagues to achieve IS-related goals within the organization. Moreover, the concept of voice behavior suggests improvement directions for problems that negatively affect the organization’s security goals. This is an important perspective. Therefore, this study proposes implications by presenting the effects of individual motivations affecting IS behavior on voice behavior. This study also presents organizational-level effort factors for improving motivation from the perspective of IS-related organizational justice.

2.2. Information Security-Related Work Impediment

When an organization introduces a new policy or applies an information system for various reasons, such as standardization of work, it increases the work efficiency of members based on a clear organizational process and helps the organization’s eventual growth. Members who must apply IS to their work have difficulty securing the information on new work standards and becoming knowledgeable through experience [29,30]. If a rapid change is introduced in the procedures and applied technologies to achieve work performance, the parties must discard or change their tacit knowledge. Moreover, obtaining additional related information and applying IS to their work through trial and error can cause stress [31,32].
Work impediment is a level in which a new requirement introduced by the application of a specific policy or technology is deemed an obstacle to one’s work [4]. It is a problem that can easily appear in fields that need to be additionally applied [25]. In particular, IS is not the first business goal given to members; it is an additional active goal to manage and protect the information while achieving their performance goals [23]. In other words, IS is not a key indicator of an organization to evaluate its business performance; hence, one can easily deduce that IS activity causes obstacles to work. In addition, IS activities are a concept of control that is contrary to the efficient use of information systems, such as information sharing and knowledge transfer between members, which must be performed to achieve the goals. When perceived as a factor, IS activities tend to be easily avoided [33,34].
When the required activities related to IS are determined to be a hindrance to work, members of the organization can take actions to avoid IS for their natural work efficiency [25]. For example, if the authority to manage documents within the organization is strengthened, members of the organization may restrict information sharing and knowledge transfer activities through SNS, etc., because additional procedures and permission to provide information to others are required. Moreover, additional learning is required because the information system is different than the existing one, making it difficult to proceed with existing tasks. In this case, secretly using other SNS, etc., is possible by avoiding the compliance behavior or using the existing business procedures. Therefore, prior efforts such as providing information to reduce personal work impediment are required because work impediment by IS leads to noncompliance behavior.

2.3. Organizational Identification

Organizational identification is part of the organizational commitment process and is a form of psychological attachment in which members themselves define and accept the characteristics of the organization [35]. In other words, organizational identification helps individuals understand the characteristics of the organization and be attached to the organization, thereby helping them gain a sense of belonging (belonging) and pride as members of the organization [36].
For an individual to have organizational identification, he or she must have a need in terms of self-categorization and self-enhancement [37]. Self-classification means that an individual recognizes that he/she belongs to an organization and has the need to determine his/her position, and self-improvement means that he/she has the need to have a sense of pride or recognition by belonging to an organization. In other words, organizational identification is formed when an individual can find a good reason to belong to an organization [38].
The stronger the organizational identification, the more likely members are to match the meaning of their existence in the organization with the organization [35]. When firmly identified with an organization, individuals are judged to act on behalf of the organization to which they belong [39]. In other words, because one’s own behavior is the same as that of the organization, an individual should exhibit desirable behavior for the organization’s performance and goals; moreover, avoiding factors that could cause problems in the organization is natural. In addition, when a colleague’s behavior does not coincide with the direction of the organization, taking an altruistic behavior, such as improving a colleague’s behavior by approaching it from an organizational viewpoint rather than from an individual perspective, is deemed natural.
In the field of IS, organizational identification also helps organizations achieve their security goals. An individual who is judged to be consistent with the organization judges that the result of his or her actions is the same as that of the organization. Therefore, the goal of a special organization, that is, the IS goal, is the same as that of his or her own [6]. Therefore, the organization must support members so that they can have a sense of belonging with attachment to the organization to comply with IS.

2.4. Information Security-Related Organization Justice

IS-related organizational justice (organization justice) is an awareness of fairness between an organization and individual and behavioral reactions to perception [10]. The basic assumption of IS-related organizational justice is that individuals place a lot of value on fairness in evaluating their course of action and outcome, and that they decide appropriate actions based on justice [40]. Adams [17], who suggested the concept of justice in terms of distribution earlier, suggested that relative deprivation and gratification are important criteria for evaluating justice in mutual exchange relations. In other words, it focused on whether the reward given to an individual fits the principle. Recent studies have suggested that not only is justice related to the distribution of rewards, but also to the importance of procedural processes occurring in the distribution process [41]. In addition, justice in the perspective of additional activities such as organizational information provision and feedback on individual activities is an important viewpoint [21]. In other words, IS-related organizational justice is subdivided into procedural justice and informational justice, as well as distribution justice, and is recognized as IS-related organizational justice at a comprehensive level [13]. This study judges that the provision of clear information related to IS and an understanding of the execution process will have a positive effect on the causes of the behavior of individuals complying with IS and apply the procedural justice and the information justice to the IS field.
Procedural justice is defined as the level of awareness of the fairness in the process by which the presented outcome is determined [42]. Procedural justice refers to the perceived justice of the policies and procedures used to make decisions [43]. Members perceive the process as fair when the decision-making is consistent and accurate, adheres to ethical or moral standards, and suppresses bias [42]. It also recognizes that the process is fairer when individuals influence decision-making or can speak up [44]. Therefore, when individuals understand the process of presenting results, which are rewards for their actions, they are more likely to meet the needs of the organization and are willing to act to achieve their goals [45]. From the perspective of IS, procedural justice is judged to be high when the decision-making process and related activities related to actions such as IS policies and rules are consistent and accurate [21]. In particular, Xue et al. [20] explained procedural justice from the viewpoint of IS punishment: Procedural justice exists when any member of the organization must be punished if he/she does not comply with the standardized IS behavior because the IS punishment process is fair.
Information justice is defined as a perception that provides sufficient information about the people affected by decision-making and the outcomes and procedures [21]. Members judge that information justice is high if sufficient information is shared about the procedure used to determine desirable outcomes, the expected result, and the compensation system, and the information provided is not distorted [43,46]. According to a study by Greenberg [47], when information on the reason for the ban on smoking and the effect of smoking on the members of the organization, as well as a message of interest to the members of the organization, is provided in detail, the members of the organization recognize and accept justice. In other words, if sufficient prior explanation is judged to be fair, it leads to relevant actions. From the perspective of IS, information justice is formed when an organization’s IS policy and rules of conduct are accurately transmitted to members of the organization, and the judgment on the appropriateness of IS-related actions and the expected results are grasped in advance [21]. In particular, Xue et al. [20] considered that information on IS for noncompliance with IS is provided fairly to all members, and that when it leads to actual punishment, members of the organization judge that IS-related justice of the organization is high.

2.5. Justice Sensitivity

Justice is perceived at different levels even in the same situation according to individual characteristics. In other words, the level of perception of justice differs according to the emotional state or values of the evaluator of justice [48]. In addition, when individual values have a pro-social value orientation, they prefer high compensation at the group level. However, when they have individualistic values, they focus on their level of compensation. A tendency to match exists [49].
Previous studies have approached the difference in perception of justice according to individual characteristics from the viewpoint of justice sensitivity. In other words, individuals in an organization have different sensitivity to justice, and they perceive justice differently to influence their behavior [50,51]. Representatively, Schmitt et al. [19] unified and reanalyzed prior studies related to individual sensitivity to justice and presented the sensitivity of three perspectives. Victim sensitivity and observer sensitivity were evaluated according to the subject evaluation of justice. Observer sensitivity and perpetrator sensitivity were presented. They defined justice sensitivity as the level of perception of justice of individuals responding to unfair circumstances [19]. Sensitivity is the sensitivity of being intolerant of unfairly benefiting others in the organization, and the perpetrator’s sensitivity is the intolerance of unfairly benefitting by oneself. This study confirms the effect of the IS-related organizational justice type on IS compliance by applying observer sensitivity, which is deemed unfair if it causes damage to people around the individual. This is because recognizing that the cause of IS-related damage is the characteristic of the organization’s IS behavior is difficult; hence, it is difficult for its security-related behavior to be seen and evaluated by others or organizations [23]. In addition, because IS is approached from the perspective of sanctions, not from the perspective of performance-based incentives [4], employees would react most sensitively to one’s own damage caused by injustice.

3. Research Model and Hypotheses

3.1. Research Model

This study presents a negative view (organizational identification) and a positive view (organizational identification) of the causes of voice behavior related to IS compliance. Moreover, this study explores the type of IS-related organizational justice concerning IS (procedural justice and information justice) causing the behavior. Further, we check the effect of the factors and the moderating effect of the sensitivity of individual justice. The study model is shown in Figure 1.

3.2. Hypotheses Development

3.2.1. Information Security-Related Organization Justice

IS-related organizational justice is a prerequisite that reduces negative emotions or related behaviors such as stress. Individuals who judge that they are being treated fairly by the organization judge that the organization presents a fair process and results even if the organization presents a somewhat difficult or difficult task or goal. It tends to reduce depression or alleviate work stress [52,53]. In addition, justice increases the level of satisfaction by reducing individual conflicts. Judge and Colquitt [12] considered that the conflict between work and family members is a factor that lowers job satisfaction and increases personal stress, whereas IS-related organizational justice is a prerequisite to alleviating the conflict between work and family. Their research results showed that among IS-related organizational justice, justice of procedures and justice of interactions between members alleviate the conflict between work and family. Conversely, when an injustice exists within the organization, the organization members perceived that the organization unfairly assigns many or nonsense business roles to them, thus creating business stress [41].
Regarding IS, IS-related organizational justice has a positive impact on the level of behavior required by the organization by reducing the formation of negative emotions by individuals within the organization. Hwang and Ahn [54] argued that when an organization supports the provision of information, such as the IS code of conduct, to everyone in advance to learn (information justice), and when applying the same process for IS compliance behavior to everyone (procedural justice), IS-related organizational justice is formed and said to relieve individuals’ work-related stress. Because work impediment caused by IS is also a cause of stress that negatively affects compliance with IS [25], IS-related procedural justice and information justice are the stress that occurs when applying IS to work. We judge that it will alleviate human work impediment and present the following research hypothesis.
Hypothesis 1.
IS-related procedural justice negatively affects IS-related work impediment.
Hypothesis 2.
IS-related information justice negatively affects IS-related work impediment.
IS-related organizational justice posits that the members are fair through relative gratification and positive or negative evaluation of the organization. In this case, individuals are encouraged to think about whether working with the organization is necessary. In other words, the formation of justice or injustice awareness directly affects organizational identification, which is the attachment to the organization and a sense of belonging. If the organization is fair, members have a sense of belonging and pride in the organization, and they judge that the growth of the organization is the same as that of their own. Through this, individuals are more likely to engage in organizational civic behavior, which is an altruistic behavior, beyond the task attainment activity assigned to them in the organization, i.e., in-role behavior [37]. Conversely, if the organization is unfair, it reduces the organizational consistency of the members and leads to negative emotions. In other words, individuals are more likely to judge that their attachment to and belonging to the organization is reduced through the perception that an organization is unfair to them, and they judge the time in the organization to be wasted [39]. Regarding IS, compared to colleagues in the organization in a similar situation to themselves, IS decision-making and action procedures are fair, and information such as manuals and promotional materials for IS-related actions is provided fairly and appropriately. The organization will treat itself fairly in relation to IS, and attachment to the organization will arise. Therefore, the following research hypotheses are presented.
Hypothesis 3.
IS-related procedural justice has a positive effect on organizational identification.
Hypothesis 4.
IS-related information justice has a positive effect on organizational identification.

3.2.2. Intention Information Security-Related Work Impediment

IS-related work impediment is a factor that negatively affects IS compliance behavior. Bulgurcu et al. [4], who applied the rational selection theory to the field of IS, stated that the additional work process and action demands arising from the introduction of security policies result in individual organizational identification. It is a factor that assesses IS in terms of cost; furthermore, it is considered to harm the intention of compliance. Hwang et al. [25] suggested the cause of personal security noncompliance, and it was confirmed that the organizational identification of an individual caused by the introduction of IS policy and technology is a condition that reduces the intention to comply with IS. Therefore, IS-related organizational identification is judged to harm voice behavior, an action concept that actively presents opinions to achieve organizational goals, as well as individual IS compliance behaviors. We present the same research hypothesis.
Hypothesis 5.
IS-related work impediments harm voice behavior.

3.2.3. Organizational Identification

Organizational identification is a situation in which an individual’s attachment to an organization is formed, so individuals with organizational identification have high self-esteem and sense of belonging and are more likely to think and act from an organizational viewpoint rather than an individual’s viewpoint in a specific situation. In other words, organizational identification affects organizational citizenship behavior, the concept of additional support and altruistic actions to colleagues around the organization to achieve performance and goals in addition to the tasks assigned to members [37]. Organizational identification formed by the authentic leadership of the leader increases occupational coping self-efficacy and reduces the intention for turnover [55]. From an IS viewpoint, organizational identification has a positive effect on the behavior of insiders to comply with IS. In an organization’s Internet-use policy, the norms and organizational identification presented by the organization form individual norms and have a positive effect on the organization’s intention to comply with the policies required by the organization [36], and the members of the organization. If the IS goal is matched with one’s own goal, the IS violation intention is lowered [6]. Individuals with strong organizational identification are more likely to positively follow the behaviors required by the organization, that is, the behavior of making more active opinions and trying to minimize negative issues to apply IS to work. Therefore, we believe that this will increase the voice behavior. Therefore, the following research hypothesis is presented.
Hypothesis 6.
Organizational identification positively affects voice behavior.

3.2.4. Justice Sensitivity

Individuals faced with the situation of judging IS-related organizational justice have different influences and attitudes towards justice according to their own level of sensitivity. Gollwitzer et al. [50] researched IS-related organizational justice and justice sensitivity that influence the violation of organizational rules and confirmed that damage sensitivity did not increase the violation behavior in the early stage. In other words, because damage sensitivity is the level of sensitivity of individuals who judge that they should be treated appropriately when they perform an action required by the organization, it reduces the violating behavior when the organization judges that the result is fair. In addition, Schmitt et al. [19] confirmed the influence of justice sensitivity and the formation of attitudes toward the organization and society. Victim sensitivity is strongly accepted when the organization performs fair activities, trusting and defining the organization and its members. We have confirmed that it helps us judge that it is good. In other words, justice sensitivity is the sensitivity of an individual’s evaluation of an organization’s fair activities, and high justice sensitivity is a controlling factor that strengthens the evaluation of the organization’s justice to have a positive or negative attitude [51]. In the field of IS as well, the reason for personal IS compliance of information justice, the concept of clearly providing information necessary for IS actions, and procedural justice, which is an evaluator who makes decisions that occur during the IS process and that all people have fair procedures. We judge that justice sensitivity will reinforce its positive or negative influence; thus, the following research hypotheses are proposed.
Hypothesis 7a.
Justice sensitivity moderates the relationship between procedural justice and IS-related work impediment.
Hypothesis 7b.
Justice sensitivity moderates the relationship between information justice and IS-related work impediment.
Hypothesis 7c.
Justice sensitivity moderates the relationship between procedural justice and organizational identification.
Hypothesis 7d.
Justice sensitivity moderates the relationship between procedural justice and organizational identification.

4. Research Methodology

4.1. Participants and Data Collection

The study suggests negative and positive causes that influence voice behavior from the perspective of members who must comply with the IS policy introduced at the organizational level for information protection. Moreover, a direction to make efforts at the organizational level for voice behavior is proposed. Hypothesis verification was conducted through structural equation modeling after obtaining a sample through a survey.
The subjects of the survey were those who work in organizations that have adopted IS policy and who see tasks that must conduct IS-related actions in their own work and organizational life. Meanwhile, members of the organization’s IS department were excluded. Data in security-related behavior may have some differences because the employees in the information security department know how to bypass the organization’s information security system better than the employees from other departments.
The questionnaire was targeted at office workers taking business administration classes in universities, but only those who had an IS policy in the organization and who conducted related activities were asked to respond. For the questionnaire, the researchers visited directly before class, explained the purpose of the study, and clearly explained that the data were used only for statistical purposes, removing concerns about the exposure of personal information of the survey participants, and then conducted a questionnaire. The questionnaire was obtained, except from those who refused the questionnaire or did not know whether the IS policy was introduced into the organization. A total of 500 copies were distributed, and 355 copies were secured from students who responded that they had an IS policy. Excluding 20 copies with poor responses, we analyzed a final sample of 325 copies. The demographic characteristics of the sample are shown in Table 1.

4.2. Measurement Development

In the study, the questionnaire measuring each variable was derived in two stages and applied to the questionnaire. First, the questions applied to each variable were applied through prior research related to IS or organization, but reorganized according to the characteristics related to IS. IS-related procedural justice was adopted in the Colquitt [13] study, and it was defined as the level to which it is judged that the IS process within the organization is consistent and unbiased, and three items were applied. IS-related information justice was adopted in the Colquitt [13] study, and it was defined as the level to which an organization communicates about IS and explains related information such as activities, and three questions were applied. Organizational identification was adopted in the study of Bulgurcu et al. [4], and it was defined as the level to which it is judged that compliance with the IS requirements would impede work, and three items were applied. Organizational identification was described in Li et al. [36]. It was adopted in the study, and it was defined as the level of awareness that an individual is proud to be a member of the organization and wants to be together, and three items were applied. The voice behavior was adopted in the study of Svendsen and Joensson [28], and it was defined as the behavior of recommending the organization’s activities and information to other members and suggesting improvement opinions, and three items were applied. Justice sensitivity was adopted in the study of Schmitt et al. [19], and it was defined as the level of sensitivity to receiving injustice compared to other people in the organization, and four items were applied.
Second, to increase the content validity of the questionnaire, this study verified the extracted six measurement factors on the items to 10 graduate students attending companies implementing IS policy. The applied questionnaire items are shown in Table 2.

5. Analysis Results

5.1. Validity and Reliability

This study verified the hypothesis by applying structural equation modeling and conducting reliability and validity analysis of the six factors composed of multi-items.
First, reliability analysis is a concept of grasping the consistency of measurement factors according to repeated measurements, and the reliability is grasped by using internal consistency. Internal consistency is a method of securing the consistency of items by excluding items that reduce reliability by using Cronbach’s alpha coefficient when a questionnaire of factors is composed of multiple items. Nunnally [56] suggested that Cronbach’s alpha should be 0.7 or higher to secure the reliability of each factor. This study model had six factors, which composed 19 questionnaires. Analysis results using SPSS 21.0 revealed that 18 items excluding the justice sensitivity component (JS4) had internal consistency (Table 3).
Second, feasibility analysis verifies whether the measurement factors are composed of different concepts. Moreover, convergent validity and discriminant validity are verified by applying confirmatory factor analysis. Confirmatory factor analysis was performed by applying AMOS 22.0, and the fitness of the structural model was shown as χ2/df = 1.651, RMR = 0.059, GFI = 0.929, AGFI = 0.902, CFI = 0.979, TLI = 0.974, and RMSEA = 0.045. The suitability requirements were established [57]. Concentration validity is verified by extracting the construct reliability and average variance. The concept reliability should be 0.7 or more and average variance extraction 0.5 or more [58], and the analysis result is required. This was achieved.
In addition, discriminant validity measures the level of independent distinction between factors applied to the study model; it is measured by comparing the values of mean variance extraction and correlation analysis. Fornell and Lacker [59] calculated the discriminant validity of the square root of mean variance extraction and the correlation value of the factors. It was found to exist (Table 4).
In addition, the study applied multi-item-centered questionnaire items for factors to verify the research model and hypothesis. Verification was carried out on the question on the questionnaire regarding respondents’ thoughts on the factors and data were secured. Podsakoff et al. [60] considered that common method convenience is due to various problems in the research process; thus, appropriate techniques must be applied for each situation because each verification technique has little problems. The study confirmed the problem of common method convenience by applying a single-common-method factor that is commonly used. This method checks whether a difference exists by examining the amount of change in measurement items between the structural model to which a single factor is additionally applied and that to which only the factors are applied. The goodness of fit of the structural model without applying a single factor (χ2/df = 1.651, RMR = 0.059, GFI = 0.929, AGFI = 0.902, CFI = 0.979, TLI = 0.974, RMSEA = 0.045) and the goodness of the structural model applying the single model (χ2/df = 1.089, RMR = 0.034, GFI = 0.964, AGFI = 0.940, CFI = 0.998, TLI = 0.997, RMSEA = 0.017) were determined. All were suitable for the recommendation, and the change in the components of the measurement factor was 0.2 or less. The problem of the common method was found to be low.

5.2. Structural Model Assessment

The analysis for verification of a research model based on structural equation modeling proceeds with a three-step procedure: fitness test of the model, path coefficient (β) analysis, and decision coefficient (R2) analysis. First, for the verification of the fitness of the main effect structural model, the fitness analysis criteria previously conducted in the confirmatory factor analysis were applied similarly. The result of the analysis confirmed the suitability of the study model (χ2/df = 1.360, RMR = 0.078, GFI = 0.942, AGFI = 0.923, CFI = 0.984, TLI = 0.982, RMSEA = 0.033).
Second, the research hypothesis was tested. The hypothesis verification confirmed the influence relationship between measurement factors through path coefficient (β) analysis. The results of verifying the research hypothesis derived through the path coefficient analysis (β) are shown in Figure 2 and Table 5. H1 showed that IS-related procedural justice reduces IS organizational identification. Moreover, the results of the hypothesis verification revealed a negative impact relationship between procedural justice and organizational identification (H1: β = −0.391, t-value = −5.542, p < 0.01). The results are similar to the study of Wood et al. [53] in that procedural justice reduced work-related anxiety and depression of individuals in an organization. In other words, when the IS activity process is conducted fairly to everyone, the members judge that all members of the organization, including themselves, put the IS activity into action. Hence, even though additional efforts are required for the IS activity, it is not recognized as an organizational identification. Therefore, organizations should provide awareness to their members that IS compliance behavior is an activity that applies to all.
H2 showed that IS-related information justice reduces IS organizational identification. According to the hypothesis verification result, information justice and organizational identification had a negative impact relationship (H2: β = −0.317, t-value = −4.661, p < 0.01). The results are similar to the study of Tziner and Sharoni [52] in that IS-related organizational justice alleviated work-family conflict by reducing individual stress within the organization. In other words, when IS information is provided fairly in advance so that members of the organization can understand the need for IS, how to act, and procedures, the organizational identification is reduced by recognizing that IS can be applied to work. It means that you can make it. Therefore, the organization must recognize that information justice is high by providing IS-related information to its members in various ways, such as manuals, regulations, and promotional materials.
H3 showed that IS-related procedural justice increases organizational identification. The hypothesis verification result revealed a positive impact relationship between procedural justice and organizational identification (H3: β = 0.417, t-value = 6.041, p < 0.01). The results are similar to the study of Liu and Berry [39] in that organizational injustice decreased organizational identification and raised awareness of time theft. In other words, if a belief exists that the procedures related to IS are being conducted fairly by all members of the organization, the organization member identifies the organization and recognizes its pursued activities to be the same as their goals. Therefore, the organization must establish a sense of unity with the organization by suggesting that the process and method for complying with IS is fair.
Meanwhile, H4 showed that IS-related information justice increases organizational identification. According to the result of hypothesis verification, information justice and organizational identification had a positive impact relationship (H4: β = 0.257, t-value = 3.882, p < 0.01). The results are similar to the study of Zhao et al. [37] in that IS-related organizational justice had a reinforcing effect on the positive effect of compulsory citizenship behavior on organizational identification. In other words, when relevant information such as IS behavior rules, procedures, and expected results are clearly and systematically provided to members, members are aware of information justice and have a sense of unity with the organization. Therefore, the organization must systematically provide information related to IS to form the mind that members want to share with the organization’s vision and goals.
H5 states that IS-related work impediment reduces voice behavior. The results of hypothesis verification revealed a negative impact relationship between work impediment and voice behavior (H5: β = −0.431, t-value = −7.102, p < 0.01). The results are similar to the study of Bulgurcu et al. [4] in that the higher the organizational identification, which is a factor in the aspect of IS compliance, the more negatively the attitude was affected and the intention to comply with IS was decreased. In other words, IS-related organizational identification views difficulty in achieving one’s work goals by taking the additional effort and time for IS actions; therefore, the higher the organizational identification, the more individuals avoid or suggest IS-related actions. Therefore, organizations must recognize that the introduction of IS policies does not impede the individual’s work, and because IS-related procedures and information justice can reduce organizational identification, security activities are carried out fairly for members of the organization. Hence, recognizing losses is essential.
H6 showed that organizational identification enhances voice behavior, and the results of the hypothesis verification revealed a positive impact relationship between organizational identification and voice behavior (H6: β = 0.235, t-value = 4.149, p < 0.01). These results are similar to the study of Li et al. [36] in that organizational norms and organizational identification had a positive effect on the intention to comply with Internet-use policies by raising individual norms. In other words, organizational identification is a perception that a person wants to stay together based on a positive belief in an organization, and members with higher organizational identification tend to want to adhere to the organization’s goals. In the field of IS as well, organizational identification affects voice behavior related to IS towards other people or organizations, so organizational efforts to enhance IS-related organizational justice for improvement of organizational identification are required.
Finally, in order to measure the influence of the preceding variables on the outcome variable in the structural model, the coefficient of determination (R2) for each outcome variable was analyzed. Voice behavior was found to have 32.8% explanatory power by work impediment and organizational identification. The work impediment was found to have 39.5% explanatory power by procedural justice and information justice, and organizational identification was found to have 36.2% explanatory power by procedural justice and information justice.

5.3. Assessment of Moderation Effects

H7 confirmed the influence of justice sensitivity on the relationship between the four factors, as justice sensitivity controls the relationship between the type of IS-related justice, IS-related work impediment, and organizational identification. When the controlling variable is continuous, the verification of the moderating effect through structural equation modeling is performed through the analysis of the interaction effect of the target factors. Applying the orthogonalizing approach of Lin et al. [61], we performed a moderation effect analysis, and the results are presented in Table 6.
H7a showed that justice sensitivity controls the relationship between procedural justice and organizational identification, and hypothesis verification showed a moderating effect of justice sensitivity (H7a: β = 0.263, t-value = 4.791, p < 0.01). Meanwhile, H7b showed that justice sensitivity controls the relationship between information justice and organizational identification, and hypothesis verification revealed a moderating effect of justice sensitivity (H7b: β = 0.204, t-value = 3.908, p < 0.01). H7c showed that justice sensitivity controls the relationship between procedural justice and organizational identification, and hypothesis verification revealed a moderating effect of justice sensitivity (H7c: β = −0.165, t-value = −3.089, p < 0.01). Meanwhile, H7d showed that justice sensitivity controls the relationship between information justice and organizational identification, and hypothesis verification revealed a moderating effect of justice sensitivity (H7d: β = −0.163, t-value = −3.091, p < 0.01).
To illustrate the moderation effects, simple slopes were plotted following the procedure by Dawson [62] (see Figure 3 and Figure 4).
Justice sensitivity was found to control the negative relationship between procedural justice and organizational identification (H7a), and the negative relationship between information justice and organizational identification (H7b). In particular, when the procedural justice and information justice were high, the group difference by justice sensitivity was not large, but when the procedural justice and information justice were low, the high justice sensitivity group caused less organizational identification than the low justice group. In other words, the higher the justice sensitivity, the higher the level of organizational identification reduction due to IS-related organizational justice.
In addition, justice sensitivity was found to control the positive relationship between procedural justice and organizational identification (H7c), and between information justice and organizational identification (H7d). In particular, when the procedural justice and information justice were high, the group difference by justice sensitivity was not large, but when the procedural justice and information justice were low, the high justice sensitivity group significantly increased organizational identification compared to the low justice group. In other words, the higher the justice sensitivity, the higher the organizational identification by IS-related organizational justice.

6. Conclusions

6.1. Summary

Over the past year, COVID-19 has made a huge difference for people around the world. In order to curb the COVID-19 spread, the governments established strategies to minimize human encounters and enforced implementation on all members of society. In particular, movement between countries became difficult, and only minimal contact was allowed among people. Many employees have been required to work from home, resulting in the growing popularity of online meeting systems such as Zoom. The online system has made it possible to view the organization’s work through the organization’s information-sharing activities. However, it increases the possibility of information exposure, making it more challenging to secure information [63,64]. In particular, in situations outside the scope of the organization’s control, such as working from home, the security behavior of the organizational members is bound to depend on the individual’s perception and behavior of security. Thus, insiders’ information security compliance management becomes more critical [65].
In this situation, this study presented a constructive security opinion beyond the information security compliance behavior of the members themselves. Moreover, it suggested a direction to increase the information security suggestion behavior, a concept that actively demands security actions from neighboring colleagues. In other words, the suggestion behavior is a concept of acting that is helpful to the organization beyond the self. It is a viewpoint that can enhance security awareness that may be caused by the external environment of an organization such as COVID-19. In detail, the study presented factors that positively and negatively influence information security suggestion behavior. The study also confirmed the relationship between the organization’s information security-related procedures, information fairness, and process sensitivity. In other words, the study presented a direction for establishing an information security strategy that organizations around the world can commonly consider as a coping method for organizational members that are difficult to control in the security environment, such as online or working from home.

6.2. Implications

This study has the following implications from the academic perspective.
First, the study applied the concept of voice behavior, not the concept of compliance and noncompliance, to the field of IS, and determined behavior factors or outcome concepts related to IS compliance, which was applied in the existing IS field as an outcome variable. Voice behavior goes beyond compliance behavior, which is the concept of applying the behavior required by the organization to one’s own work, actively presenting opinions on the organization’s goals, pointing out issues that make it difficult to achieve the goals, and achieving performance for a specific organizational goal. This is an action concept that strives to achieve; therefore, those who apply voice behavior to work show a level of behavior that attempts to respond altruistically to a problem. The study applied voice behavior, which is a behavioral concept from a constructive perspective, to the IS field. In other words, when an organization introduces an IS policy and requests security actions from its members, they are action factors that not only apply IS to its own business but also find additional problems in the security policy, and thus, the level of security from the perspective of the entire organization is increased. Therefore, the research has high academic implications in the aspect of applying voice behavior, a concept that extends IS-related behavior from the perspective of the organization in the security field.
Second, the factors affecting the organization’s compliance with IS were presented from the positive and negative aspects, and the effect on voice behavior related to IS was confirmed. In detail, the study determined that the employee’s work disorder that may occur due to the introduction of IS will reduce voice behavior. We also determined that organizational identification, a concept that explains the increased sense of belonging and pride due to attachment to the organization, enhances voice behavior. This study confirmed the influence relationship. In particular, organizational identification is a problem with the introduction of a stricter IS policy, and individuals may have difficulty in changing or deleting internal knowledge applied for existing business performance due to IS-related actions. When organizational identification occurs due to the application of IS rules, the voice behavior related to IS inside the organization is avoided by generating stress. In addition, organizational identification helps organizations determine that specific goals are the same among organizations and individuals. Individuals for whom organizational identification is formed show a willingness to make more efforts for the organization, which is confirmed as voice behavior. Therefore, the study has academic implications by presenting the preceding factors of voice behavior as the cause of IS compliance/noncompliance, affecting voice behavior.
Third, the study applied IS-related organizational justice to the IS field but presented procedural and information justice that influence individual’s security-related behavior. In detail, IS-related procedural justice is the concept of whether the decision-making and processing procedures related to the IS behavior of the members are fair, whereas IS-related information justice is the expected result of the IS behavior by the members affected by the IS policy and rules. It is the concept of whether you are being provided with accurate information about the process of actions and actions. As IS-related procedural and information justice increase, justice also increases organizational identification and reduces negative emotions such as organizational identification. This is because members of the organization can perform standardized security actions in performing their work in the organization. Therefore, this study has academic implications by confirming that IS-related organizational justice is a factor affecting security behavior of individuals in the context of the IS field.
Finally, the study confirmed that justice sensitivity controls the effect of IS-related organizational justice on IS-related behavioral causes. In particular, the study applied the sensitivity of victims. The organization cannot easily recognize the noncompliance behavior of individuals due to the IS characteristics, and the security policy is operated from the viewpoint of sanctions. Therefore, the sensitivity to self-damage is the most appropriate factor for IS. Moreover, justice sensitivity is a level of sensitivity to the injustice received by individuals in an organization. It helps to avoid the organization’s required behavior when judged to be unfair and implement the organization’s request when judged to be fair. The study confirmed that this sensitivity to justice reinforces the relationship between IS-related organizational justice and the cause of security behavior in the field of IS. This study has academic implications in that justice sensitivity is suggested to be an important decision-making characteristic of an individual’s viewpoint.
This study has the following implications from a practical point of view.
First, the study applied voice behavior, a concept that suggests active opinions for achieving the organization’s sustainable IS goal beyond the organization’s IS compliance behavior. To improve the level of compliance with IS within the organization, both the person who conducts IS-related actions in the work and an altruistic and proactive action can improve policies or regulations according to the characteristics of the organization. The behavior of colleagues must also be changed. In other words, securing and improving various opinions of members to improve the level of sustainable IS within the organization are essential, as well as voice behavior. Therefore, this study has practical implications in that it presents the consequential behavior of members necessary for achieving the IS level within the organization and for continuous improvement. Moreover, when the use of information systems outside of the organization increased due to COVID-19, the concept of trying to achieve the goal with neighboring colleagues beyond the organizational members’ voluntary information security actions was applied to information security. This is greatly significant in terms of expanding the purpose of security actions that appear within organizations.
Second, the study presented the leading factors influencing voice behavior toward the sustainability perspective of the IS compliance level within the organization from negative and positive aspects. A typical negative view is organizational identification by IS. Security policies, rules, and technologies introduced for information asset management are inconvenient activities that require additional effort and time for members who need to apply IS to their work. The larger the scale of resources that members put into their work for IS, the more difficult it is to achieve work performance and avoid IS activities. Therefore, when introducing IS, the organization should consider whether the changes in the existing work process of its members can be minimized; the organization should also act on IS. Moreover, a representative positive view is organizational identification, which is an individual’s attachment to the organization. People with high consistency have a sense of belonging and self-esteem, so they tend to voluntarily do the activities that the organization pursues. Therefore, the organization must establish and provide a system of vision, goals, and performance that are in line with organization members. Moreover, they should grow together for a sense of unity within the organization. The study confirmed the effects of work impediment and organizational identification affecting IS voice behavior. The results suggest practical implications for organizations to introduce and apply IS policies and technologies from the perspective of members.
Third, the study confirmed that IS-related organizational justice affects individual security behavior in the IS field. In particular, perceptions of the information and procedural justice affecting the security behavior of individuals are prerequisites that significantly affect organizational identification. IS-related information justice is a concept that arises when an individual from an organization provides systematic and clear information for other members to understand and reasonably judge IS-related rules, action procedures, and expected results. Therefore, the organization should distribute manuals and carry out IS-related public relations and campaigns so that members understand the necessity of security activities and action procedures before applying IS activities to work. In addition, IS-related procedural justice is formed when IS rules and policy-related decision-making procedures are judged as fair. To increase procedural justice, the organization should consistently and clearly establish a standardized security policy for everyone’s knowledge. In addition, procedural justice is heightened when members have the opportunity to present IS-related opinions; therefore, the organization provides an online and offline opinion route through which members can actively present IS-related opinions. IS policies that are suitable for organizational characteristics must be applied by strongly reflecting them. Therefore, the study has practical implications in presenting the directions for establishing fairness related to information security for the members’ positive security behavior, whose external activities are increasing due to physical constraints.
Finally, the study confirmed that the level of justice sensitivity, which varies between individuals, controls the relationship between IS-related organizational justice concerning IS and the factors of IS behavior. Moreover, this study presented practical implications. The justice sensitivity applied in this study was victim sensitivity, which refers to the level of sensitivity to the victims of the unfair behavior of the organization. Most IS policies introduced by organizations are approached from a deterrence point of view, and hence, individuals have a greater sense of loss when faced with an unfair situation. However, if the situation is judged to be fair, one’s belief in the organization grows even more. Hence, we confirmed that the higher the justice sensitivity, the stronger the mitigation relationship between IS-related organizational justice and work impediment, and the reinforced relationship between IS-related organizational justice and organizational identification. The organization should further strengthen the method of improving the level of internal IS via justice by grasping the thoughts of the members of the organization in advance. Therefore, the research has practical implications in the aspect of suggesting a difference in the influence of justice due to individual differences. Thus, the organization must present the strategic direction to be established to improve the security behavior of its members.

6.3. Limitations and Future Research

The study secured high academic and practical implications by explaining the relationship between information justice related to IS, the cause of security behavior, and voice behavior. However, the research has limitations in the following aspects, which need to be supplemented in future research.
First, the study measured the IS justice established by the organization through the questionnaire technique, and the cause of individual behavior and voice behavior for workers in organizations with IS policies. Put differently, the impact relationship was confirmed by measuring the organizational and personal perspectives on IS by individuals at the time of the response. However, justice, the concept of an organizational unit, must be measured more objectively. For example, if we compare organizations with high and low justice through comparisons between members of similar companies, we believe that more accurate and practical implications for sustainable behavior can be obtained.
Moreover, to grasp the level of understanding about the organization’s information security policy more accurately, an indicator that can measure the information security policy level must be developed and measured. For example, by using the ISO/IEC 27000 series or the COBIT guidelines [66,67], we may grasp the level of more explicit policy awareness of the organizational members by deriving the indicators from the perspective of the end-users.
Second, the study confirmed the level of personal sensitivity to justice from an exploratory point of view. Schmitt et al. (2005) applied justice sensitivity to the IS field and applied victim sensitivity. However, it can have detailed implications when the differences in the influences among other factors are compared. In addition, each scholar suggests different sensitivity due to differences in perspective. Earlier, Huseman et al. [68] classified justice sensitivity into “benevolent,” “equity sensitive,” and “entitled.” We believe that it can have practical implications.
Finally, this study presented the factors affecting voice behavior in the single collective aspect of an organization with an IS policy. However, we believe that there will be differences in the level of information and the perception of compliance with information security by departments within the organization. For example, the competencies for using information systems differ between the information security/IT department and the sales/production department. Moreover, the need to comply with information security may be judged differently. In fact, organizational theory, sociology, and psychology provide evidence of the difference in the behavior of members, which varies according to organizational characteristics such as individualism-collectivism and organizational culture and atmosphere [69]. In future research, more detailed IS compliance directions for each group must be presented through research based on the group characteristics of these organizations.

Author Contributions

As the main contributors, W.J.L. outlined and collected the data, conducted the analysis and discussion, and performed the literature review. I.H. reorganized the manuscript; conducted an additional literature review; conceptualized the work, research design, and discussion; and completed a reference check. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Grand View Research. Cyber Security Market Size, Share & Trends Analysis Report by Component, by Security Type, by Solution, by Service, by Deployment, by Organization, by Application, and Segment Forecasts, 2019–2025. 2019. Available online: https://www.globenewswire.com (accessed on 30 April 2021).
  2. Verizon. 2020 Data Breach Investigations Report. 2020. Available online: https://enterprise.verizon.com (accessed on 30 July 2020).
  3. Loch, K.D.; Carr, H.H.; Warkentin, M.E. Threats to information systems: Today’s reality, yesterday’s understanding. MIS Q. 1992, 16, 173–186. [Google Scholar] [CrossRef] [Green Version]
  4. Bulgurcu, B.; Cavusoglu, H.; Benbasat, I. Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Q. 2010, 34, 523–548. [Google Scholar] [CrossRef] [Green Version]
  5. Kajtazi, M.; Cavusoglu, H.; Benbasat, I.; Haftor, D. Escalation of commitment as an antecedent to noncompliance with information security policy. Inf. Comput. Secur. 2018, 26, 171–193. [Google Scholar] [CrossRef] [Green Version]
  6. Guo, K.H.; Yuan, Y.; Archer, N.P.; Connelly, C.E. Understanding nonmalicious security violations in the workplace: A composite behavior model. J. Manag. Inf. Syst. 2011, 28, 203–236. [Google Scholar] [CrossRef] [Green Version]
  7. Jaeger, L.; Eckhardt, A.; Kroenung, J. The role of deterrability for the effect of multi-level sanctions on information security policy compliance: Results of a multigroup analysis. Inf. Manag. 2021, 58, 103318. [Google Scholar] [CrossRef]
  8. Posey, C.; Roberts, T.L.; Lowry, P.B. The impact of organizational commitment on insiders’ motivation to protect organizational information assets. J. Manag. Inf. Syst. 2015, 32, 179–214. [Google Scholar] [CrossRef]
  9. Wu, D. Empirical study of knowledge withholding in cyberspace: Integrating protection motivation theory and theory of reasoned behavior. Comput. Hum. Behav. 2020, 105, 106229. [Google Scholar] [CrossRef]
  10. Tsai, M.-T.; Cheng, N.-C. Understanding knowledge sharing between IT professionals an integration of social cognitive and social exchange theory. Behav. Inf. Technol. 2012, 31, 1069–1080. [Google Scholar] [CrossRef]
  11. Alam, M.A. Techno-stress and productivity: Survey evidence from the aviation industry. J. Air Transp. Manag. 2016, 50, 62–70. [Google Scholar] [CrossRef]
  12. Judge, T.A.; Colquitt, J.A. Organizational justice and stress: The mediating role of work-family conflict. J. Appl. Psychol. 2004, 89, 395–404. [Google Scholar] [CrossRef] [PubMed] [Green Version]
  13. Colquitt, J.A. On the dimensionality of organizational justice: A construct validation of a measure. J. Appl. Psychol. 2001, 86, 386–400. [Google Scholar] [CrossRef] [PubMed] [Green Version]
  14. Yoon, C. Theory of planned behavior and ethics theory in digital piracy: An integrated model. J. Bus. Ethic. 2010, 100, 405–417. [Google Scholar] [CrossRef]
  15. Gori, A.; Topino, E.; Palazzeschi, L.; Di Fabio, A. How can organizational justice contribute to job satisfaction? A chained mediation model. Sustainability 2020, 12, 7902. [Google Scholar] [CrossRef]
  16. Zhang, Y.; LePine, J.A.; Buckman, B.R.; Wei, F. It’s not fair or is it? The role of justice and leadership in explaining work stressor–job performance relationships. Acad. Manag. J. 2014, 57, 675–697. [Google Scholar] [CrossRef]
  17. Adams, J.S. Inequity in social exchange. In Advances in Experimental Social Psychology; Elsevier BV: Amsterdam, The Netherlands, 1965; Volume 2, pp. 267–299. [Google Scholar]
  18. Ding, M.C.; Lii, Y.S. Handling online service recovery: Effects of perceived justice on online games. Telemat. Inform. 2016, 33, 881–895. [Google Scholar] [CrossRef]
  19. Schmitt, M.; Gollwitzer, M.; Maes, J.; Arbach, D. Justice sensitivity. Eur. J. Psychol. Assess. 2005, 21, 202–211. [Google Scholar] [CrossRef]
  20. Xue, Y.; Liang, H.; Wu, L. Punishment, justice, and compliance in mandatory IT settings. Inf. Syst. Res. 2011, 22, 400–414. [Google Scholar] [CrossRef]
  21. Li, H.; Sarathy, R.; Zhang, J.; Luo, X. Exploring the effects of organizational justice, personal ethics and sanction on internet use policy compliance. Inf. Syst. J. 2014, 24, 479–502. [Google Scholar] [CrossRef]
  22. Safa, N.S.; Maple, C.; Furnell, S.; Azad, M.A.; Perera, C.; Dabbagh, M.; Sookhak, M. Deterrence and prevention-based model to mitigate information security insider threats in organisations. Future Gener. Comput. Syst. 2019, 97, 587–597. [Google Scholar] [CrossRef]
  23. West, R. The psychology of security. Commun. ACM 2008, 51, 34–40. [Google Scholar] [CrossRef]
  24. Dong, K.; Ali, R.; Dominic, P.; Ali, S. The effect of organizational information security climate on information security policy compliance: The mediating effect of social bonding towards healthcare nurses. Sustainability 2021, 13, 2800. [Google Scholar] [CrossRef]
  25. Hwang, I.; Kim, D.; Kim, T.; Kim, S. Why not comply with information security? An empirical approach for the causes of non-compliance. Online Inf. Rev. 2017, 41, 2–18. [Google Scholar] [CrossRef]
  26. Van Dyne, L.; LePine, J.A. Helping and voice extra-role behaviors: Evidence of construct and predictive validity. Acad. Manag. J. 1998, 41, 108–119. [Google Scholar]
  27. Song, J.; Wu, J.; Gu, J. Voice behavior and creative performance moderated by stressors. J. Manag. Psychol. 2017, 32, 177–192. [Google Scholar] [CrossRef]
  28. Svendsen, M.; Joensson, T.S. Transformational leadership and change related voice behavior. Leadersh. Organ. Dev. J. 2016, 37, 357–368. [Google Scholar] [CrossRef]
  29. Tarafdar, M.; Tu, Q.; Ragu-Nathan, B.S.; Ragu-Nathan, T.S. The impact of technostress on role stress and productivity. J. Manag. Inf. Syst. 2007, 24, 301–328. [Google Scholar] [CrossRef]
  30. Ragu-Nathan, T.S.; Tarafdar, M.; Ragu-Nathan, B.S.; Tu, Q. The consequences of technostress for end users in organizations: Conceptual development and empirical validation. Inf. Syst. Res. 2008, 19, 417–433. [Google Scholar] [CrossRef] [Green Version]
  31. Huang, Y.-H.; Sung, C.-Y.; Chen, W.; Liu, S.-S. Relationships between social support, social status perception, social identity, work stress, and safety behavior of construction site management personnel. Sustainability 2021, 13, 3184. [Google Scholar] [CrossRef]
  32. Tarafdar, M.; Bolman Pullins, E.; Ragu-Nathan, T.S. Examining impacts of technostress on the professional salesperson’s behavioural performance. Leadersh. Organ. Dev. J. 2014, 34, 51–69. [Google Scholar] [CrossRef]
  33. D’Arcy, J.; Teh, P.L. Predicting employee information security policy compliance on a daily basis: The interplay of security-related stress, emotions, and neutralization. Inf. Manag. 2019, 56, 103151. [Google Scholar] [CrossRef]
  34. Hwang, I.; Cha, O. Examining technostress creators and role stress as potential threats to employees’ information security compliance. Comput. Hum. Behav. 2018, 81, 282–293. [Google Scholar] [CrossRef]
  35. Graham, K.A.; Resick, C.J.; Margolis, J.A.; Shao, P.; Hargis, M.B.; Kiker, J.D. Egoistic norms, organizational identification, and the perceived ethicality of unethical pro-organizational behavior: A moral maturation perspective. Hum. Relat. 2020, 73, 1249–1277. [Google Scholar] [CrossRef]
  36. Li, H.; Zhang, J.; Sarathy, R. Understanding compliance with internet use policy from the perspective of rational choice theory. Decis. Support. Syst. 2010, 48, 635–645. [Google Scholar] [CrossRef]
  37. Zhao, H.; Peng, Z.; Chen, H.K. Compulsory citizenship behavior and organizational citizenship behavior: The role of organizational identification and perceived interactional justice. J. Psychol. 2014, 148, 177–196. [Google Scholar] [CrossRef]
  38. Smidts, A.; Pruyn, A.; van Riel, C. The impact of employee communication and perceived external prestige on organization identification. Acad. Manag. J. 2001, 44, 1051–1062. [Google Scholar]
  39. Liu, Y.; Berry, C.M. Identity, moral, and equity perspectives on the relationship between experienced injustice and time theft. J. Bus. Ethic. 2013, 118, 73–83. [Google Scholar] [CrossRef]
  40. Greenberg, J. Organizational justice: Yesterday, today, and tomorrow. J. Manag. 1990, 16, 399–432. [Google Scholar] [CrossRef]
  41. Ceylan, A.; Sulu, S. Work alienation as a mediator of the relationship of procedural injustice to job stress. South. East. Eur. J. Econ. Bus. 2010, 5, 65–74. [Google Scholar] [CrossRef] [Green Version]
  42. Chou, T.-Y.; Chou, S.-C.T.; Jiang, J.J.; Klein, G. The organizational citizenship behavior of IS personnel: Does organizational justice matter? Inf. Manag. 2013, 50, 105–111. [Google Scholar] [CrossRef]
  43. Muchinsky, P.M. Psychology Applied to Work: An Introduction to Industrial and Organizational Osychology; Wadsworth/Thomson Learning: Belmont, CA, USA, 2012. [Google Scholar]
  44. Kim, M.; Beehr, T.A. Making the case for procedural justice: Employees thrive and work hard. J. Manag. Psychol. 2020, 35, 100–114. [Google Scholar] [CrossRef] [Green Version]
  45. Zhang, H.; Agarwal, N.C. The mediating roles of organizational justice on the relationships between HR practices and workplace outcomes: An investigation in China. Int. J. Hum. Resour. Manag. 2009, 20, 676–693. [Google Scholar] [CrossRef]
  46. Lee, C.; Ha, B.C. Interactional justice, informational quality, and sustainable supply chain management: A comparison of domestic and multinational pharmaceutical companies. Sustainability 2021, 13, 998. [Google Scholar] [CrossRef]
  47. Greenberg, J. Using socially fair treatment to promote acceptance of a worksite smoking ban. J. Appl. Psychol. 1994, 79, 288–297. [Google Scholar] [CrossRef] [PubMed]
  48. Cropanzano, R.; Paddock, E.L.; Rupp, D.E.; Bagger, J.; Baldwin, A. How regulatory focus impacts the process-by-outcome interaction for perceived fairness and emotions. Organ. Behav. Hum. Decis. Process. 2008, 105, 36–51. [Google Scholar] [CrossRef]
  49. Van Lange, P.A. The Pursuit of joint outcomes and equality in outcomes: An integrative model of social value orientation. J. Pers. Soc. Psychol. 1999, 77, 337–349. [Google Scholar] [CrossRef]
  50. Gollwitzer, M.; Rothmund, T.; Pfeiffer, A.; Ensenbach, C. Why and when justice sensitivity leads to pro-and antisocial behavior. J. Res. Pers. 2009, 43, 999–1005. [Google Scholar] [CrossRef]
  51. Schmitt, M.; Dörfel, M. Procedural injustice at work, justice sensitivity, job satisfaction and psychosomatic well-being. Eur. J. Soc. Psychol. 1999, 29, 443–453. [Google Scholar] [CrossRef]
  52. Tziner, A.; Sharoni, G. Organizational citizenship behavior, organizational justice, job stress, and work-family conflict: Examination of their interrelationships with respondents from a non-western culture. J. Work. Organ. Psychol. 2014, 30, 35–42. [Google Scholar]
  53. Wood, S.; Braeken, J.; Niven, K. Discrimination and well-being in organizations: Testing the differential power and organizational justice theories of workplace aggression. J. Bus. Ethics. 2013, 115, 617–634. [Google Scholar] [CrossRef]
  54. Hwang, I.; Ahn, S. The Effect of organizational justice on information security-related role stress and negative behaviors. J. Kor. Soc. Comp. Inf. 2019, 24, 87–98. [Google Scholar]
  55. Fallatah, F.; Laschinger, H.K.; Read, E.A. The effects of authentic leadership, organizational identification, and occupational coping self-efficacy on new graduate nurses’ job turnover intentions in Canada. Nurs. Outlook 2017, 65, 172–183. [Google Scholar] [CrossRef]
  56. Nunnally, J.C. Psychometric theory, 2nd ed.; McGraw-Hill: New York, NY, USA, 1994; ISBN 007047849X. [Google Scholar]
  57. Bentler, P.M. Comparative fit indexes in structural models. Psychol. Bull. 1990, 107, 238–246. [Google Scholar] [CrossRef] [PubMed]
  58. Wixom, B.H.; Watson, H.J. An empirical investigation of the factors affecting data warehousing success. MIS Q. 2001, 25, 17. [Google Scholar] [CrossRef]
  59. Fornell, C.; Larcker, D.F. Evaluating structural equation models with unobservable variables and measurement Error. J. Mark. Res. 1981, 18, 39–50. [Google Scholar] [CrossRef]
  60. Podsakoff, P.M.; MacKenzie, S.B.; Lee, J.Y.; Podsakoff, N.P. Common method biases in behavioral research: A critical review of the literature and recommended remedies. J. Appl. Psychol. 2003, 88, 879–903. [Google Scholar] [CrossRef] [PubMed]
  61. Lin, G.C.; Wen, Z.; Marsh, H.W.; Lin, H.S. Structural equation models of latent interactions: Clarification of orthogonalizing and double-mean-centering strategies. Struct. Equ. Model. A Multidiscip. J. 2010, 17, 374–391. [Google Scholar] [CrossRef]
  62. Dawson, J.F. Moderation in management research: What, why, when, and how. J. Bus. Psychol. 2014, 29, 1–19. [Google Scholar] [CrossRef]
  63. Taghva, M. The effect of security awareness on compliance with security regulations by teleworkers in the period of COVID-19 epidemic. Manag. Res. 2021, 13, 179–204. [Google Scholar]
  64. Tang, Z.; Miller, A.S.; Zhou, Z.; Warkentin, M. Does government social media promote users’ information security behavior towards COVID-19 scams? Cultivation effects and protective motivations. Gov. Inf. Q. 2021, 38, 101572. [Google Scholar] [CrossRef]
  65. Prasetyo, Y.T.; Castillo, A.M.; Salonga, L.J.; Sia, J.A.; Seneta, J.A. Factors affecting perceived effectiveness of COVID-19 prevention measures among Filipinos during enhanced community quarantine in Luzon, Philippines: Integrating protection motivation theory and extended theory of planned behavior. Int. J. Infect. Dis. 2020, 99, 312–323. [Google Scholar] [CrossRef]
  66. Ali, R.; Dominic, P.; Ali, S.; Rehman, M.; Sohail, A. Information security behavior and information security policy compliance: A systematic literature review for identifying the transformation process from noncompliance to compliance. Appl. Sci. 2021, 11, 3383. [Google Scholar] [CrossRef]
  67. Merchan-Lima, J.; Astudillo-Salinas, F.; Tello-Oquendo, L.; Sanchez, F.; Lopez-Fonseca, G.; Quiroz, D. Information security management frameworks and strategies in higher education institutions: A systematic review. Ann. Telecommun. 2021, 76, 255–270. [Google Scholar] [CrossRef]
  68. Huseman, C.R.; Hatfield, D.J.; Miles, E.W. A new perspective on equity theory: The equity sensitivity construct. Acad. Manag. Rev. 1987, 12, 222–234. [Google Scholar] [CrossRef] [Green Version]
  69. Vance, A.; Siponen, M.T.; Straub, D.W. Effects of sanctions, moral beliefs, and neutralization on information security policy violations across cultures. Inf. Manag. 2020, 57, 103212. [Google Scholar] [CrossRef]
Figure 1. Research model and proposed hypotheses. IS: information security. “+” implies positive effect & “−” implies negative effect.
Figure 1. Research model and proposed hypotheses. IS: information security. “+” implies positive effect & “−” implies negative effect.
Sustainability 13 06077 g001
Figure 2. Results of the structural model. IS: information security. **: p < 0.01.
Figure 2. Results of the structural model. IS: information security. **: p < 0.01.
Sustainability 13 06077 g002
Figure 3. Moderation effect of justice sensitivity (H7a, H7b).
Figure 3. Moderation effect of justice sensitivity (H7a, H7b).
Sustainability 13 06077 g003
Figure 4. Moderation effect of justice sensitivity (H7c, H7d).
Figure 4. Moderation effect of justice sensitivity (H7c, H7d).
Sustainability 13 06077 g004
Table 1. Demographic characteristics.
Table 1. Demographic characteristics.
Demographic CategoriesFrequencyPercentage (%)
TypeManufacturer5717.5
Service26882.5
GenderMale20563.1
Female12036.9
Job PositionStaff10532.3
Assistant Manager9228.3
Manager9529.2
General Manager3310.2
DepartmentManagement Support6620.3
Marketing and Sales18757.5
Research and Development134.0
Production164.9
Technical Support144.3
Other298.9
Total325100.0
Table 2. Item descriptions and reliability.
Table 2. Item descriptions and reliability.
ConstructsItems #ItemsReferences
IS-related procedural
justice
PJ1
PJ2
PJ3
Organization’s IS process influences the result of my IS behavior.
Organization’s IS process is applied consistently.
Organization’s IS process is applied without prejudice.
[13]
IS-related information
justice
IJ1
IJ2
IJ3
Organization communicates about IS.
Organization clearly explains the IS process.
Organization provides details about IS compliance.
[13]
IS-related work impedimentWI1
WI2
WI3
Complying with the requirements of the security policy slows down my response time to my peers, customers, managers, etc.
Complying with the requirements of the security policy hinders my productivity at work.
Complying with the requirements of the security policy impedes my efficiency at work.
[4]
Organization identificationOI1
OI2
OI3
I am proud to be an employee of my organization.
I am glad I chose to work for my organization rather than another company.
I am willing to put in a great deal of effort beyond that normally expected to help my organization be successful.
[36]
IS-related voice
behavior
VB1
VB2
VB3
I provide and recommend opinions for our organization’s IS.
I encourage my colleagues to participate in issues affecting our organization’s IS.
I give an idea of a change to our organization’s IS policy.
[28]
Justice
sensitivity
JS1
JS2
JS3
JS4
JS5
I cannot stand it for long when I have to fix the consequences of others’ carelessness.
I feel disappointed when I have fewer opportunities to develop my skills than others.
It pisses me off when others get better than me.
I rebel for a long time when others are being treated better than me (dropped).
[19]
Table 3. Results for construct validity and reliability.
Table 3. Results for construct validity and reliability.
ConstructItemMeanStd. Dev.Factor LoadingCronbach’s AlphaCRAVE
IS-related procedural justicePJ1
PJ2
PJ3
5.357
5.277
5.477
1.260
1.231
1.190
0.802
0.781
0.820
0.8610.9730.924
IS-related information justiceIJ1
IJ2
IJ3
5.326
5.246
5.335
1.273
1.296
1.277
0.844
0.803
0.823
0.8890.9770.934
IS-related work impedimentWI1
WI2
WI3
2.748
2.791
2.818
1.138
1.227
1.083
0.801
0.819
0.805
0.8890.9800.943
Organization identificationOI1
OI2
OI3
5.111
5.108
5.166
1.165
1.138
1.126
0.841
0.881
0.865
0.9150.9860.958
IS-related voice behaviorVB1
VB2
VB3
4.905
4.954
4.908
1.165
1.109
1.154
0.856
0.851
0.878
0.9220.9870.962
Justice sensitivityJS1
JS2
JS3
5.206
4.858
5.138
1.246
1.295
1.330
0.779
0.795
0.811
0.8390.9750.906
Note: CR: composite reliability; AVE: average variance extracted.
Table 4. Results for discriminant validity.
Table 4. Results for discriminant validity.
Construct123456
IS-related procedural justice0.961
IS-related information justice0.518 **0.966
IS-related work impediment−0.521 **−0.487 **0.971
Organization identification0.532 **0.461 **−0.397 **0.979
IS-related voice behavior0.412 **0.461 **−0.460 **0.349 **0.981
Justice sensitivity0.467 **0.489 **−0.517 **0.425 **0.503 **0.952
Note: ** p < 0.01; values in bold type along the diagonal indicate the square root of the AVE.
Table 5. Summary of hypothesis tests.
Table 5. Summary of hypothesis tests.
HypothesisPathPath Coefficientt-ValueResult
H1Procedural Justice → Work Impediment−0.391−5.542 **Supported
H2Information Justice → Work Impediment−0.317−4.661 **Supported
H3Procedural Justice → Organizational Identification0.4176.041 **Supported
H4Information Justice → Organizational Identification0.2573.882 **Supported
H5Work Impediment → Voice Behavior−0.431−7.102 **Supported
H6Organizational Identification → Voice Behavior0.2354.149 **Supported
**: p < 0.01.
Table 6. Summary of moderating effect tests.
Table 6. Summary of moderating effect tests.
HypothesisPathPath Coefficientt-ValueResult
H7aProcedural Justice → Work Impediment−0.383−5.830 **Supported
Justice Sensitivity → Work Impediment−0.341−5.116 **
Procedural Justice X Justice Sensitivity
→ Work Impediment
0.2634.791 **
H7bInformation Justice → Work Impediment−0.33−5.035 **Supported
Justice Sensitivity → Work Impediment−0.361−5.196 **
Information Justice X Justice Sensitivity
→ Work Impediment
0.2043.908 **
H7cProcedural Justice → Organizational Identification0.4316.420 **Supported
Justice Sensitivity → Organizational Identification0.2463.745 **
Procedural Justice X Justice Sensitivity
→ Organizational Identification
−0.165−3.089 **
H7dInformation Justice → Organizational Identification0.3314.968 **Supported
Justice Sensitivity → Organizational Identification0.2934.240 **
Information Justice X Justice Sensitivity
→ Organizational Identification
−0.163−3.091 **
Note: Robust S.E. in parentheses * p < 0.05, ** p < 0.01
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

MDPI and ACS Style

Lee, W.J.; Hwang, I. Sustainable Information Security Behavior Management: An Empirical Approach for the Causes of Employees’ Voice Behavior. Sustainability 2021, 13, 6077. https://doi.org/10.3390/su13116077

AMA Style

Lee WJ, Hwang I. Sustainable Information Security Behavior Management: An Empirical Approach for the Causes of Employees’ Voice Behavior. Sustainability. 2021; 13(11):6077. https://doi.org/10.3390/su13116077

Chicago/Turabian Style

Lee, Woo Jin, and Inho Hwang. 2021. "Sustainable Information Security Behavior Management: An Empirical Approach for the Causes of Employees’ Voice Behavior" Sustainability 13, no. 11: 6077. https://doi.org/10.3390/su13116077

APA Style

Lee, W. J., & Hwang, I. (2021). Sustainable Information Security Behavior Management: An Empirical Approach for the Causes of Employees’ Voice Behavior. Sustainability, 13(11), 6077. https://doi.org/10.3390/su13116077

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop