An accounting information security culture model: An empirical study in Vietnam
DOI:
https://doi.org/10.24311/jabes/2023.34.11.4
Keywords:
Information security culture, Information security behavior, Accounting information security
Abstract
In a complex digital world, many businesses have invested in advanced security technologies and other mechanisms that support information security (IS), particularly for accounting information, because threats are growing in complexity and variety and change constantly. Developing an information security culture (ISC) is regarded as a highly effective measure. This study therefore developed a structural model comprising the elements of ISC, namely attitude, awareness, competence, and information security behavior (ISB). Data collected from 181 employees in roles related to accounting and IS, analyzed using the PLS technique, demonstrate that IS awareness and competence strongly influence employees' behavioral intention (BI) toward information security. These ISC constructs make significant contributions to ISB. These findings provide new insight into the elements of ISC and offer managers implications for achieving accounting IS objectives.
Copyright (c) 2023 Tạp chí Nghiên cứu Kinh tế và Kinh doanh Châu Á (Journal of Asian Business and Economic Studies)
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.



