Financial firms, especially large firms such as KB Bank, NH Bank, Samsung Card, Hana SK Card, Hyundai Capital, Shinhan Card, etc., should handle personal financial information securely. Indeed, people have tended to believe that these big financial companies are relatively safer in terms of information security than typical small and medium-sized firms in other industries. However, recent incidents of personal information privacy invasion showed that this may not be true. Financial firms have increased their investment in information protection and security, and they are making every necessary effort to prevent privacy invasion incidents. This paper studies how effectively a financial firm can avoid personal financial information privacy invasion deliberately caused by internal staff. Although there is a body of literature on information security, to our knowledge this is the first study to focus on the behavior of internal staff. Big financial firms carry out a variety of information security activities to protect personal information, and this study aims to confirm which types of such activities actually work well. The primary research model of this paper is based on the Theory of Planned Behavior (TPB), which describes the rational choice of human behavior. In addition, the activities that financial firms, especially credit card companies holding the most customer information, use to protect personal information were modeled with the four-step Security Action Cycle (SAC) proposed by Straub and Welke (1998). Through this proposed conceptual research model, we study whether the information security activities of each step can suppress personal information abuse. Also, by measuring the morality of internal staff, we checked whether an act of information privacy invasion by internal staff is in fact perceived as serious criminal behavior or merely as unethical behavior.
In addition, we also checked whether there was a difference in the perceived moral level between internal staff and customers. The research subjects were customer call center operators at one of the big credit card companies. We used multiple regression analysis. Our results showed that punishment, among the remedy activities in the firm's information security activities, had the clearest effect in preventing information abuse (or privacy invasion) by internal staff. Somewhat effective were the prevention activities that limited the physical access of unauthorized persons to the customers' personal information database system; examples of such prevention activities are making the procedure for obtaining access rights more complex and strengthening security instruments. We also found that 'unnecessary information searches outside of work' occurred frequently among internal staff as a form of information abuse. They perceived these behaviors as a minor crime or merely an unethical action rather than as serious criminal behavior. There was also a large difference in the perceived moral level between internal staff and the public (customers). Based on these findings, we expect that this paper will help in practice to prevent privacy invasion and to protect personal information properly by raising the effectiveness of the information security activities of financial firms. We also expect that our suggestions can be used to improve personnel management effectively and to cope with internal security threats in the overall information security management system.
The 2012 information security budget was set at a level 30% higher than this year's. What is the budget used for?
According to recent reports, the Ministry of Strategy and Finance has set Korea's 2012 information security budget at a level 30% higher than this year's and stated that most of the budget will be used mainly for preventing the leakage and misuse of personal information and for building information security infrastructure [아이뉴스, 2011]. This budget allocation by the government is interpreted as a response to the unusually large number of incidents involving personal information this year.
What does 'personal information' mean?
There is no clearly defined dictionary meaning of 'personal information'; there are only papers in which the term circulates in various forms, and legal interpretations based on case law in each country. Taking these interpretations together, the characteristic meaning of personal information can be read as roughly 'important information by which a person as such can be distinguished from other persons'. With the development of the knowledge-information society, both the tangible and the intangible value of personal information in this sense are increasing, and it is now regarded as a substantive core value of society [권영관, 염흥렬, 2009].
What methods are there to minimize the possibility of information leakage by internal staff?
Therefore, given the nature of their work, it is impossible for a financial firm to completely isolate internal staff from customer information. However, if the firm can restrict physical access to the systems on which information can be looked up, or restrict unnecessary lookups that go beyond the work performed through the lookup system, the preconditions for information leakage can be minimized. In other words, rather than trying to restrict leakage acts by internal staff that are realistically impossible to control and have not yet occurred, a firm can control the starting point of information leakage and minimize invasions of customer privacy by restricting unnecessary information lookups outside of work, which are the behavior associated with information misuse.