Sustainable Information Security Behavior Management: An Empirical Approach for the Causes of Employees’ Voice Behavior

As organizations’ interest in information resources expands, their investments in information security (IS), such as the introduction of IS policies and new technologies, are also expanding. Nevertheless, IS incidents and threats within the organization have not decreased. This study aims to protect organizations’ information assets by maintaining the level of continuous IS behavior of the organization insiders. Moreover, this study suggests a method to induce continuous security behavior of individuals by confirming the relationship between IS-related voice behavior and IS-related organizational justice, which is an action concept that provides continuous opinions to achieve security goals. This study derives research models and hypotheses through previous studies and tests hypotheses through structural equation modeling. The target subjects are members of the organization who introduced the IS policy. A total of 325 samples were secured through the questionnaire method, and hypotheses were verified. Results reveal that voice behavior related to IS is negatively influenced by work impediment and positively influenced by organizational identification. In addition, procedural and information justice that influence prior actions related to IS affect the cause of personal security behavior (work impediment and organizational identification). Additionally, justice sensitivity adjusted the impact relationship between IS-related organizational justice and the cause of security behavior. The study presents the importance of voice behavior in maintaining the level of IS within the organization continuously. Moreover, it has practical implications in that efforts to improve organizational justice and voice behaviors vary according to the level of individual justice sensitivity.


Introduction
Information management is recognized as an organization's growth value; hence, organizations are increasing their interest in the operation and management of information resources. Global organizations are trying to secure the ISO international standard certification (ISO/IEC 27001) related to information security (IS). In the case of Korea, efforts are being made through measures such as ISMS (IS management system) certification, an information protection management system established at the national level based on the Personal Information Protection Act. In fact, the IS-related market is growing rapidly, and the global cybersecurity market is expected to grow at an annual average growth rate of 10% from 2020 to 2027, reaching USD 326.4 billion by 2027 [1].
Despite continuous investments such as the introduction of policies and technologies for IS at the organization level, the number of incidents related to IS in organizations has not decreased. In particular, the occurrence of IS incidents decreases the value of an organization; hence, organizations tend to hide security incidents when they occur. Moreover, according to an organizational level, has been proposed [19], suggesting various effort factors that influence an individual's motivational improvement or behavioral change accessible at the organizational level.
However, the field of IS has yet to focus on presenting the types of motivations affecting the behaviors complying with IS, as well as IS-related organizational justice, which is an important concept at the organizational level as it affects the cause of individual behavior [20,21]. An individual's IS behavior is presented in a few studies in which IS-related organizational justice directly affects the compliance intention by approaching it from an exploratory viewpoint [20,21]. A detailed access to IS-related organizational justice that helps the cause is lacking.
In addition, the organization insiders' view of IS behavior is also approached based on compliance intention or action, which is the aspect of applying IS to an individual's work [4,9,22], to continuously improve the level of security compliance within the organization. Apart from the security compliance actions of the individual, proactive opinions that can be reflected in the work to achieve the organization's security goals, as well as the issues of the introduced IS policy, are presented. Moreover, the concept of action to improve must also be included.
The current study presents the factors affecting voice behavior from the negative and positive aspects by applying voice behavior, which is the concept of actively presenting and acting on security-related opinions for the sustainability of the IS level within the organization. This study confirms that IS-related organizational justice concerning IS, which is an organizational effort factor, affects the cause of security behavior. In detail, the study first suggests organizational identification, which causes voice behavior from the perspective of IS. Second, it presents the IS-related organizational justice factors (procedural justice and information justice) related to IS and checks their impact on organizational identification and consistency. Finally, we want to check the difference in the influence of justice factors on the negative and positive behavior according to the individual's level of justice sensitivity.
The results of this study suggest a direction of IS-related justice that should be considered at the organizational level to increase the motivation for IS compliance activities of organization insiders. By applying the concept to the IS field, this study presents academic implications as a preceding study of IS-related organizational justice related to IS.

Information Security-Related Voice Behavior
The threat of information disclosure by an organization insider, irrespective of the person's position or job, can occur anytime, anywhere, with any technical device, as long as the organization's information system is accessible. In fact, insiders were found to be unrelated to IS jobs, for example, general managers, sales workers, and engineers other than IT professionals [2].
West [23] insisted that the problem of organization insiders' compliance with IS should be solved from a psychological viewpoint. He said it could not be controlled and managed [23]. Moreover, in IS, an individual's behavioral outcome is not an incentive for performance, but rather a penalty for noncompliance [6]. In fact, most organizations present sanction indicators for noncompliance behavior rather than performance indicators for IS compliance. Hence, individuals tend to avoid IS activities immediately if those activities are inconvenient or hinder their job performance [9,24]. Therefore, the IS compliance behavior of an organization member is executed by their own compliance decision-making, and individuals tend to decide on the behavior based on the IS compliance motive [25].
Information security compliance behavior refers to the behavior of applying IS activities requested by an organization to an individual's work and organizational life [22]. In other words, IS compliance behavior is the concept of applying the IS-related information obtained from the organization to the scope of one's business actions. This study intends to apply the concept of voice behavior, beyond the observance behavior of the person's point of view, to another person or organization, which is a suggestion to improve the positive view of IS. Voice behavior is defined as constructive change-oriented communication intended to improve the situation [26]. It includes actions that optimize business operations and management within an organization, proactively express opinions constructively to complete a given goal, and express concerns about issues that may negatively affect growth and performance [27,28]. In other words, from the IS perspective, voice behavior suggests the necessity of proactive action to colleagues to achieve IS-related goals within the organization. Moreover, the concept of voice behavior suggests improvement directions for problems that negatively affect the organization's security goals. This is an important perspective. Therefore, this study proposes implications by presenting the effects of individual motivations affecting IS behavior on voice behavior. This study also presents organizational-level effort factors for improving motivation from the perspective of IS-related organizational justice.

Information Security-Related Work Impediment
When an organization introduces a new policy or applies an information system for various reasons, such as standardization of work, it increases the work efficiency of members based on a clear organizational process and helps the organization's eventual growth. Members who must apply IS to their work have difficulty securing the information on new work standards and becoming knowledgeable through experience [29,30]. If a rapid change is introduced in the procedures and applied technologies to achieve work performance, the parties must discard or change their tacit knowledge. Moreover, obtaining additional related information and applying IS to their work through trial and error can cause stress [31,32].
Work impediment is a level in which a new requirement introduced by the application of a specific policy or technology is deemed an obstacle to one's work [4]. It is a problem that can easily appear in fields that need to be additionally applied [25]. In particular, IS is not the first business goal given to members; it is an additional active goal to manage and protect the information while achieving their performance goals [23]. In other words, IS is not a key indicator of an organization to evaluate its business performance; hence, one can easily deduce that IS activity causes obstacles to work. In addition, IS activities are a concept of control that is contrary to the efficient use of information systems, such as information sharing and knowledge transfer between members, which must be performed to achieve the goals. When perceived as a factor, IS activities tend to be easily avoided [33,34].
When the required activities related to IS are determined to be a hindrance to work, members of the organization can take actions to avoid IS for their natural work efficiency [25]. For example, if the authority to manage documents within the organization is strengthened, members of the organization may restrict information sharing and knowledge transfer activities through SNS, etc., because additional procedures and permission to provide information to others are required. Moreover, additional learning is required because the information system is different than the existing one, making it difficult to proceed with existing tasks. In this case, secretly using other SNS, etc., is possible by avoiding the compliance behavior or using the existing business procedures. Therefore, prior efforts such as providing information to reduce personal work impediment are required because work impediment by IS leads to noncompliance behavior.

Organizational Identification
Organizational identification is part of the organizational commitment process and is a form of psychological attachment in which members themselves define and accept the characteristics of the organization [35]. In other words, organizational identification helps individuals understand the characteristics of the organization and be attached to the organization, thereby helping them gain a sense of belonging and pride as members of the organization [36].
For an individual to have organizational identification, he or she must have a need in terms of self-categorization and self-enhancement [37]. Self-categorization means that an individual recognizes that he/she belongs to an organization and has the need to determine his/her position, and self-enhancement means that he/she has the need to have a sense of pride or recognition by belonging to an organization. In other words, organizational identification is formed when an individual can find a good reason to belong to an organization [38].
The stronger the organizational identification, the more likely members are to match the meaning of their existence in the organization with the organization [35]. When firmly identified with an organization, individuals are judged to act on behalf of the organization to which they belong [39]. In other words, because one's own behavior is the same as that of the organization, an individual should exhibit desirable behavior for the organization's performance and goals; moreover, avoiding factors that could cause problems in the organization is natural. In addition, when a colleague's behavior does not coincide with the direction of the organization, taking an altruistic behavior, such as improving a colleague's behavior by approaching it from an organizational viewpoint rather than from an individual perspective, is deemed natural.
In the field of IS, organizational identification also helps organizations achieve their security goals. An individual who is judged to be consistent with the organization judges that the result of his or her actions is the same as that of the organization. Therefore, the goal of a special organization, that is, the IS goal, is the same as that of his or her own [6]. Therefore, the organization must support members so that they can have a sense of belonging with attachment to the organization to comply with IS.

Information Security-Related Organization Justice
IS-related organizational justice (organization justice) is an awareness of fairness between an organization and individual and behavioral reactions to perception [10]. The basic assumption of IS-related organizational justice is that individuals place a lot of value on fairness in evaluating their course of action and outcome, and that they decide appropriate actions based on justice [40]. Adams [17], who suggested the concept of justice in terms of distribution earlier, suggested that relative deprivation and gratification are important criteria for evaluating justice in mutual exchange relations. In other words, it focused on whether the reward given to an individual fits the principle. Recent studies have suggested that not only is justice related to the distribution of rewards, but also to the importance of procedural processes occurring in the distribution process [41]. In addition, justice in the perspective of additional activities such as organizational information provision and feedback on individual activities is an important viewpoint [21]. In other words, IS-related organizational justice is subdivided into procedural justice and informational justice, as well as distribution justice, and is recognized as IS-related organizational justice at a comprehensive level [13]. This study judges that the provision of clear information related to IS and an understanding of the execution process will have a positive effect on the causes of the behavior of individuals complying with IS and apply the procedural justice and the information justice to the IS field.
Procedural justice is defined as the level of awareness of the fairness in the process by which the presented outcome is determined [42]. Procedural justice refers to the perceived justice of the policies and procedures used to make decisions [43]. Members perceive the process as fair when the decision-making is consistent and accurate, adheres to ethical or moral standards, and suppresses bias [42]. It also recognizes that the process is fairer when individuals influence decision-making or can speak up [44]. Therefore, when individuals understand the process of presenting results, which are rewards for their actions, they are more likely to meet the needs of the organization and are willing to act to achieve their goals [45]. From the perspective of IS, procedural justice is judged to be high when the decision-making process and related activities related to actions such as IS policies and rules are consistent and accurate [21]. In particular, Xue et al. [20] explained procedural justice from the viewpoint of IS punishment: Procedural justice exists when any member of the organization must be punished if he/she does not comply with the standardized IS behavior because the IS punishment process is fair.
Information justice is defined as a perception that provides sufficient information about the people affected by decision-making and the outcomes and procedures [21]. Members judge that information justice is high if sufficient information is shared about the procedure used to determine desirable outcomes, the expected result, and the compensation system, and the information provided is not distorted [43,46]. According to a study by Greenberg [47], when information on the reason for the ban on smoking and the effect of smoking on the members of the organization, as well as a message of interest to the members of the organization, is provided in detail, the members of the organization recognize and accept justice. In other words, if sufficient prior explanation is judged to be fair, it leads to relevant actions. From the perspective of IS, information justice is formed when an organization's IS policy and rules of conduct are accurately transmitted to members of the organization, and the judgment on the appropriateness of IS-related actions and the expected results are grasped in advance [21]. In particular, Xue et al. [20] considered that information on IS for noncompliance with IS is provided fairly to all members, and that when it leads to actual punishment, members of the organization judge that IS-related justice of the organization is high.

Justice Sensitivity
Justice is perceived at different levels even in the same situation according to individual characteristics. In other words, the level of perception of justice differs according to the emotional state or values of the evaluator of justice [48]. In addition, when individual values have a pro-social value orientation, they prefer high compensation at the group level. However, when they have individualistic values, they tend to focus on their own level of compensation [49].
Previous studies have approached the difference in perception of justice according to individual characteristics from the viewpoint of justice sensitivity. In other words, individuals in an organization have different sensitivity to justice, and they perceive justice differently to influence their behavior [50,51]. Representatively, Schmitt et al. [19] unified and reanalyzed prior studies related to individual sensitivity to justice and presented the sensitivity of three perspectives. Victim sensitivity and observer sensitivity were evaluated according to the subject evaluation of justice. Observer sensitivity and perpetrator sensitivity were presented. They defined justice sensitivity as the level of perception of justice of individuals responding to unfair circumstances [19]. Sensitivity is the sensitivity of being intolerant of unfairly benefiting others in the organization, and the perpetrator's sensitivity is the intolerance of unfairly benefitting by oneself. This study confirms the effect of the IS-related organizational justice type on IS compliance by applying observer sensitivity, which is deemed unfair if it causes damage to people around the individual. This is because recognizing that the cause of IS-related damage is the characteristic of the organization's IS behavior is difficult; hence, it is difficult for its security-related behavior to be seen and evaluated by others or organizations [23]. In addition, because IS is approached from the perspective of sanctions, not from the perspective of performance-based incentives [4], employees would react most sensitively to one's own damage caused by injustice.

Research Model
This study presents a negative view (work impediment) and a positive view (organizational identification) of the causes of voice behavior related to IS compliance. Moreover, this study explores the types of IS-related organizational justice (procedural justice and information justice) causing the behavior. Further, we check the effect of the factors and the moderating effect of the sensitivity of individual justice. The study model is shown in Figure 1.

Information Security-Related Organization Justice
IS-related organizational justice is a prerequisite that reduces negative emotions or related behaviors such as stress. Individuals who judge that they are being treated fairly by the organization judge that the organization presents a fair process and results even if the organization presents a somewhat difficult task or goal, which tends to reduce depression or alleviate work stress [52,53]. In addition, justice increases the level of satisfaction by reducing individual conflicts. Judge and Colquitt [12] considered that the conflict between work and family members is a factor that lowers job satisfaction and increases personal stress, whereas IS-related organizational justice is a prerequisite to alleviating the conflict between work and family. Their research results showed that among IS-related organizational justice, justice of procedures and justice of interactions between members alleviate the conflict between work and family. Conversely, when an injustice exists within the organization, the organization members perceived that the organization unfairly assigns many or nonsense business roles to them, thus creating business stress [41].
Regarding IS, IS-related organizational justice has a positive impact on the level of behavior required by the organization by reducing the formation of negative emotions by individuals within the organization. Hwang and Ahn [54] argued that when an organization supports the provision of information, such as the IS code of conduct, to everyone in advance to learn (information justice), and when applying the same process for IS compliance behavior to everyone (procedural justice), IS-related organizational justice is formed and said to relieve individuals' work-related stress. Because work impediment caused by IS is also a cause of stress that negatively affects compliance with IS [25], we judge that IS-related procedural justice and information justice will alleviate work impediment, the stress that occurs when applying IS to work, and present the following research hypotheses.
Hypothesis 1. IS-related procedural justice negatively affects IS-related work impediment.

Hypothesis 2. IS-related information justice negatively affects IS-related work impediment.
IS-related organizational justice posits that the members are fair through relative gratification and positive or negative evaluation of the organization. In this case, individuals are encouraged to think about whether working with the organization is necessary. In other words, the formation of justice or injustice awareness directly affects organizational identification, which is the attachment to the organization and a sense of belonging. If the organization is fair, members have a sense of belonging and pride in the organization, and they judge that the growth of the organization is the same as that of their own. Through this, individuals are more likely to engage in organizational civic behavior, which is an altruistic behavior, beyond the task attainment activity assigned to them in the organization, i.e., in-role behavior [37]. Conversely, if the organization is unfair, it reduces the organizational consistency of the members and leads to negative emotions. In other words, individuals are more likely to judge that their attachment to and belonging to the organization is reduced through the perception that an organization is unfair to them, and they judge the time in the organization to be wasted [39]. Regarding IS, if, compared to colleagues in the organization in a similar situation to themselves, IS decision-making and action procedures are fair, and information such as manuals and promotional materials for IS-related actions is provided fairly and appropriately, members will judge that the organization treats them fairly in relation to IS, and attachment to the organization will arise. Therefore, the following research hypotheses are presented.

Information Security-Related Work Impediment
IS-related work impediment is a factor that negatively affects IS compliance behavior. Bulgurcu et al. [4], who applied the rational selection theory to the field of IS, stated that the additional work process and action demands arising from the introduction of security policies result in individual work impediment. It is a factor that assesses IS in terms of cost; furthermore, it is considered to harm the intention of compliance. Hwang et al. [25] suggested the cause of personal security noncompliance, and it was confirmed that the work impediment of an individual caused by the introduction of IS policy and technology is a condition that reduces the intention to comply with IS. Therefore, IS-related work impediment is judged to harm voice behavior, an action concept that actively presents opinions to achieve organizational goals, as well as individual IS compliance behaviors. We present the following research hypothesis.
Hypothesis 5. IS-related work impediments harm voice behavior.

Organizational Identification
Organizational identification is a situation in which an individual's attachment to an organization is formed, so individuals with organizational identification have high self-esteem and sense of belonging and are more likely to think and act from an organizational viewpoint rather than an individual's viewpoint in a specific situation. In other words, organizational identification affects organizational citizenship behavior, the concept of additional support and altruistic actions to colleagues around the organization to achieve performance and goals in addition to the tasks assigned to members [37]. Organizational identification formed by the authentic leadership of the leader increases occupational coping self-efficacy and reduces the intention for turnover [55]. From an IS viewpoint, organizational identification has a positive effect on the behavior of insiders to comply with IS. In an organization's Internet-use policy, the norms and organizational identification presented by the organization form individual norms and have a positive effect on the intention to comply with the policies required by the organization [36], and if members of the organization match the IS goal with their own goal, the IS violation intention is lowered [6]. Individuals with strong organizational identification are more likely to positively follow the behaviors required by the organization, that is, the behavior of making more active opinions and trying to minimize negative issues to apply IS to work. We believe that this will increase the voice behavior. Therefore, the following research hypothesis is presented.

Hypothesis 6. Organizational identification positively affects voice behavior.

Justice Sensitivity
Individuals faced with the situation of judging IS-related organizational justice have different influences and attitudes towards justice according to their own level of sensitivity. Gollwitzer et al. [50] researched IS-related organizational justice and justice sensitivity that influence the violation of organizational rules and confirmed that damage sensitivity did not increase the violation behavior in the early stage. In other words, because damage sensitivity is the level of sensitivity of individuals who judge that they should be treated appropriately when they perform an action required by the organization, it reduces the violating behavior when the organization judges that the result is fair. In addition, Schmitt et al. [19] confirmed the influence of justice sensitivity and the formation of attitudes toward the organization and society. Victim sensitivity is strongly accepted when the organization performs fair activities, trusting and defining the organization and its members. We have confirmed that it helps us judge that it is good. In other words, justice sensitivity is the sensitivity of an individual's evaluation of an organization's fair activities, and high justice sensitivity is a controlling factor that strengthens the evaluation of the organization's justice to have a positive or negative attitude [51]. In the field of IS as well, the reason for personal IS compliance of information justice, the concept of clearly providing information necessary for IS actions, and procedural justice, which is an evaluator who makes decisions that occur during the IS process and that all people have fair procedures. We judge that justice sensitivity will reinforce its positive or negative influence; thus, the following research hypotheses are proposed.
Hypothesis 7a. Justice sensitivity moderates the relationship between procedural justice and IS-related work impediment.
Hypothesis 7b. Justice sensitivity moderates the relationship between information justice and IS-related work impediment.
Hypothesis 7c. Justice sensitivity moderates the relationship between procedural justice and organizational identification.
Hypothesis 7d. Justice sensitivity moderates the relationship between procedural justice and organizational identification.

Participants and Data Collection
The study suggests negative and positive causes that influence voice behavior from the perspective of members who must comply with the IS policy introduced at the organizational level for information protection. Moreover, a direction to make efforts at the organizational level for voice behavior is proposed. Hypothesis verification was conducted through structural equation modeling after obtaining a sample through a survey.
The subjects of the survey were those who work in organizations that have adopted IS policy and who must conduct IS-related actions in their own work and organizational life. Meanwhile, members of the organization's IS department were excluded. Data on security-related behavior may have some differences because the employees in the information security department know how to bypass the organization's information security system better than the employees from other departments.
The questionnaire was targeted at office workers taking business administration classes in universities, but only those who had an IS policy in the organization and who conducted related activities were asked to respond. For the questionnaire, the researchers visited directly before class, explained the purpose of the study, and clearly explained that the data were used only for statistical purposes, removing concerns about the exposure of personal information of the survey participants, and then conducted a questionnaire. The questionnaire was obtained, except from those who refused the questionnaire or did not know whether the IS policy was introduced into the organization. A total of 500 copies were distributed, and 355 copies were secured from students who responded that they had an IS policy. Excluding 20 copies with poor responses, we analyzed a final sample of 325 copies. The demographic characteristics of the sample are shown in Table 1.

Measurement Development
In the study, the questionnaire measuring each variable was derived in two stages and applied to the questionnaire. First, the questions applied to each variable were drawn from prior research related to IS or organization, but reorganized according to the characteristics related to IS. IS-related procedural justice was adopted from the Colquitt [13] study, and it was defined as the level to which it is judged that the IS process within the organization is consistent and unbiased, and three items were applied. IS-related information justice was adopted from the Colquitt [13] study, and it was defined as the level to which an organization communicates about IS and explains related information such as activities, and three items were applied. Work impediment was adopted from the study of Bulgurcu et al. [4], and it was defined as the level to which it is judged that compliance with the IS requirements would impede work, and three items were applied. Organizational identification was adopted from the study of Li et al. [36], and it was defined as the level of awareness that an individual is proud to be a member of the organization and wants to be together, and three items were applied. The voice behavior was adopted from the study of Svendsen and Joensson [28], and it was defined as the behavior of recommending the organization's activities and information to other members and suggesting improvement opinions, and three items were applied. Justice sensitivity was adopted from the study of Schmitt et al. [19], and it was defined as the level of sensitivity to receiving injustice compared to other people in the organization, and four items were applied.
Second, to increase the content validity of the questionnaire, this study verified the items for the six extracted measurement factors with 10 graduate students attending companies implementing IS policy. The applied questionnaire items are shown in Table 2.

Validity and Reliability
This study verified the hypothesis by applying structural equation modeling and conducting reliability and validity analysis of the six factors composed of multi-items.
First, reliability analysis assesses the consistency of measurement factors across repeated measurements, and reliability is assessed here using internal consistency. Internal consistency secures the consistency of items by using Cronbach's alpha coefficient to exclude items that reduce reliability when a factor is measured by multiple items. Nunnally [56] suggested that Cronbach's alpha should be 0.7 or higher to secure the reliability of each factor. The study model had six factors comprising 19 questionnaire items. Analysis using SPSS 21.0 revealed that 18 items, excluding the justice sensitivity item (JS4), had internal consistency (Table 3).
Second, validity analysis verifies whether the measurement factors are composed of different concepts; convergent validity and discriminant validity are verified by applying confirmatory factor analysis. Confirmatory factor analysis was performed with AMOS 22.0, and the fit of the structural model was χ²/df = 1.651, RMR = 0.059, GFI = 0.929, AGFI = 0.902, CFI = 0.979, TLI = 0.974, and RMSEA = 0.045, which met the fit requirements [57]. Convergent validity is verified through construct reliability and average variance extracted (AVE). Construct reliability should be 0.7 or more and AVE 0.5 or more [58], and the analysis results met these requirements. In addition, discriminant validity measures the level of independent distinction between the factors applied to the study model; it is assessed by comparing AVE values with the correlations between factors. Following Fornell and Larcker [59], the square root of each factor's AVE was compared with the correlation values of the factors, and discriminant validity was found to exist (Table 4). In addition, the study applied multi-item questionnaire items for the factors to verify the research model and hypotheses, and the data were secured from respondents' self-reported thoughts on each factor. Podsakoff et al. [60] considered that common method bias arises from various problems in the research process; thus, appropriate techniques must be applied for each situation because every verification technique has some problems. The study checked for common method bias by applying the commonly used single-common-method-factor technique. This method checks whether a difference exists by examining the amount of change in measurement items between the structural model to which a single factor is additionally applied and the one to which only the study factors are applied. The goodness of fit of the structural model without the single factor (χ²/df = 1.651, RMR = 0.059, GFI = 0.929, AGFI = 0.902, CFI = 0.979, TLI = 0.974, RMSEA = 0.045) and of the structural model with the single factor (χ²/df = 1.089, RMR = 0.034, GFI = 0.964, AGFI = 0.940, CFI = 0.998, TLI = 0.997, RMSEA = 0.017) were determined. Both met the recommended criteria, and the change in the components of the measurement factors was 0.2 or less. The problem of common method bias was therefore found to be low.
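The reliability and validity checks described in this section can be reproduced outside SPSS/AMOS. The following Python sketch is an added example, not the authors' code: it computes Cronbach's alpha with item pruning (the step that removed JS4), construct reliability, AVE, and the Fornell-Larcker comparison. All responses, loadings and correlations in it are constructed, and the function names are hypothetical.

```python
"""Reliability and validity checks for multi-item survey constructs.
All responses, loadings and correlations here are constructed sample data."""
from itertools import combinations
from math import sqrt
from statistics import variance

ALPHA_MIN, CR_MIN, AVE_MIN = 0.7, 0.7, 0.5  # thresholds cited in the text


def cronbach_alpha(items):
    """items: dict of item name -> list of scores, one per respondent."""
    cols = list(items.values())
    k = len(cols)
    if k < 2:
        raise ValueError("Cronbach's alpha needs at least two items")
    total_var = variance([sum(row) for row in zip(*cols)])
    if total_var == 0:
        raise ValueError("total score has zero variance")
    return k / (k - 1) * (1 - sum(variance(c) for c in cols) / total_var)


def alpha_if_deleted(items):
    """Alpha recomputed with each item left out in turn."""
    return {name: cronbach_alpha({n: v for n, v in items.items() if n != name})
            for name in items}


def prune_scale(items, threshold=ALPHA_MIN):
    """While alpha is below the threshold, drop the item whose removal raises
    alpha the most. Returns (kept item names, final alpha)."""
    items = dict(items)
    alpha = cronbach_alpha(items)
    while alpha < threshold and len(items) > 2:
        candidates = alpha_if_deleted(items)
        worst = max(candidates, key=candidates.get)
        if candidates[worst] <= alpha:
            break  # no single deletion helps
        del items[worst]
        alpha = candidates[worst]
    return list(items), alpha


def composite_reliability(loadings):
    """(sum of loadings)^2 / ((sum of loadings)^2 + sum of error variances)."""
    s2 = sum(loadings) ** 2
    return s2 / (s2 + sum(1 - lam * lam for lam in loadings))


def ave(loadings):
    """Average variance extracted: mean squared standardized loading."""
    return sum(lam * lam for lam in loadings) / len(loadings)


def fornell_larcker_violations(loadings, correlations):
    """Pairs whose |correlation| is not below sqrt(AVE) of both constructs."""
    root = {name: sqrt(ave(lams)) for name, lams in loadings.items()}
    bad = []
    for a, b in combinations(loadings, 2):
        r = correlations[(a, b)] if (a, b) in correlations else correlations[(b, a)]
        if abs(r) >= min(root[a], root[b]):
            bad.append((a, b))
    return bad


# Constructed 5-point responses from six respondents; JS4 runs against JS1-JS3.
JS_RESPONSES = {
    "JS1": [4, 5, 3, 2, 4, 1],
    "JS2": [4, 4, 3, 2, 5, 1],
    "JS3": [5, 5, 2, 2, 4, 2],
    "JS4": [2, 4, 5, 3, 1, 4],
}
# Constructed standardized loadings and inter-construct correlations.
LOADINGS = {
    "procedural_justice": [0.8, 0.7, 0.9],
    "work_impediment": [0.85, 0.8, 0.75],
    "voice_behavior": [0.7, 0.75, 0.8],
}
CORRELATIONS = {
    ("procedural_justice", "work_impediment"): -0.45,
    ("procedural_justice", "voice_behavior"): 0.40,
    ("work_impediment", "voice_behavior"): -0.50,
}

if __name__ == "__main__":
    print("alpha, all four items:", round(cronbach_alpha(JS_RESPONSES), 3))
    kept, alpha = prune_scale(JS_RESPONSES)
    print("kept:", kept, "alpha:", round(alpha, 3))
    for name, lams in LOADINGS.items():
        cr, v = composite_reliability(lams), ave(lams)
        print(name, "CR", round(cr, 3), cr >= CR_MIN, "AVE", round(v, 3), v >= AVE_MIN)
    print("Fornell-Larcker violations:",
          fornell_larcker_violations(LOADINGS, CORRELATIONS))
```
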

Structural Model Assessment
The analysis for verifying a research model based on structural equation modeling proceeds in three steps: model fit test, path coefficient (β) analysis, and coefficient of determination (R²) analysis. First, to verify the fit of the main-effect structural model, the same fit criteria used in the confirmatory factor analysis were applied. The analysis confirmed the fit of the study model (χ²/df = 1.360, RMR = 0.078, GFI = 0.942, AGFI = 0.923, CFI = 0.984, TLI = 0.982, RMSEA = 0.033).
Second, the research hypotheses were tested. Hypothesis verification confirmed the influence relationships between measurement factors through path coefficient (β) analysis. The results are shown in Figure 2 and Table 5. H1 stated that IS-related procedural justice reduces IS organizational identification. The results of the hypothesis verification revealed a negative impact relationship between procedural justice and organizational identification (H1: β = −0.391, t-value = −5.542, p < 0.01). The results are similar to the study of Wood et al. [53] in that procedural justice reduced work-related anxiety and depression of individuals in an organization. In other words, when the IS activity process is conducted fairly to everyone, the members judge that all members of the organization, including themselves, put the IS activity into action. Hence, even though additional efforts are required for the IS activity, it is not recognized as an organizational identification. Therefore, organizations should provide awareness to their members that IS compliance behavior is an activity that applies to all. H2 stated that IS-related information justice reduces IS organizational identification. According to the hypothesis verification result, information justice and organizational identification had a negative impact relationship (H2: β = −0.317, t-value = −4.661, p < 0.01). The results are similar to the study of Tziner and Sharoni [52] in that IS-related organizational justice alleviated work-family conflict by reducing individual stress within the organization. In other words, when IS information is provided fairly in advance so that members of the organization can understand the need for IS, how to act, and procedures, the organizational identification is reduced because members recognize that IS can be applied to their work. Therefore, the organization must ensure that members perceive information justice as high by providing IS-related information to them in various ways, such as manuals, regulations, and promotional materials.
H3 stated that IS-related procedural justice increases organizational identification. The hypothesis verification result revealed a positive impact relationship between procedural justice and organizational identification (H3: β = 0.417, t-value = 6.041, p < 0.01). The results are similar to the study of Liu and Berry [39] in that organizational injustice decreased organizational identification and raised awareness of time theft. In other words, if a belief exists that the procedures related to IS are being conducted fairly by all members of the organization, the organization member identifies with the organization and recognizes its pursued activities to be the same as their goals. Therefore, the organization must establish a sense of unity with the organization by showing that the process and method for complying with IS are fair.
Meanwhile, H4 showed that IS-related information justice increases organizational identification. According to the result of hypothesis verification, information justice and organizational identification had a positive impact relationship (H4: β = 0.257, t-value = 3.882, p < 0.01). The results are similar to the study of Zhao et al. [37] in that IS-related organizational justice had a reinforcing effect on the positive effect of compulsory citizenship behavior on organizational identification. In other words, when relevant information such as IS behavior rules, procedures, and expected results are clearly and systematically provided to members, members are aware of information justice and have a sense of unity with the organization. Therefore, the organization must systematically provide information related to IS to form the mind that members want to share with the organization's vision and goals.
H5 states that IS-related work impediment reduces voice behavior. The results of hypothesis verification revealed a negative impact relationship between work impediment and voice behavior (H5: β = −0.431, t-value = −7.102, p < 0.01). The results are similar to the study of Bulgurcu et al. [4] in that the higher the organizational identification, which is a factor in the aspect of IS compliance, the more negatively the attitude was affected and the intention to comply with IS was decreased. In other words, IS-related organizational identification views difficulty in achieving one's work goals by taking the additional effort and time for IS actions; therefore, the higher the organizational identification, the more individuals avoid or suggest IS-related actions. Therefore, organizations must recognize that the introduction of IS policies does not impede the individual's work, and because IS-related procedures and information justice can reduce organizational identification, security activities are carried out fairly for members of the organization. Hence, recognizing losses is essential.
H6 showed that organizational identification enhances voice behavior, and the results of the hypothesis verification revealed a positive impact relationship between organizational identification and voice behavior (H6: β = 0.235, t-value = 4.149, p < 0.01). These results are similar to the study of Li et al. [36] in that organizational norms and organizational identification had a positive effect on the intention to comply with Internet-use policies by raising individual norms. In other words, organizational identification is a perception that a person wants to stay together based on a positive belief in an organization, and members with higher organizational identification tend to want to adhere to the organization's goals. In the field of IS as well, organizational identification affects voice behavior related to IS towards other people or organizations, so organizational efforts to enhance IS-related organizational justice for improvement of organizational identification are required.
Finally, in order to measure the influence of the preceding variables on the outcome variable in the structural model, the coefficient of determination (R²) for each outcome variable was analyzed. Voice behavior was found to have 32.8% explanatory power by work impediment and organizational identification. The work impediment was found to have 39.5% explanatory power by procedural justice and information justice, and organizational identification was found to have 36.2% explanatory power by procedural justice and information justice.

Assessment of Moderation Effects
H7 confirmed the influence of justice sensitivity on the relationship between the four factors, as justice sensitivity controls the relationship between the type of IS-related justice, IS-related work impediment, and organizational identification. When the controlling variable is continuous, the verification of the moderating effect through structural equation modeling is performed through the analysis of the interaction effect of the target factors. Applying the orthogonalizing approach of Lin et al. [61], we performed a moderation effect analysis, and the results are presented in Table 6. H7a showed that justice sensitivity controls the relationship between procedural justice and organizational identification, and hypothesis verification showed a moderating effect of justice sensitivity (H7a: β = 0.263, t-value = 4.791, p < 0.01). Meanwhile, H7b showed that justice sensitivity controls the relationship between information justice and organizational identification, and hypothesis verification revealed a moderating effect of justice sensitivity (H7b: β = 0.204, t-value = 3.908, p < 0.01). H7c showed that justice sensitivity controls the relationship between procedural justice and organizational identification, and hypothesis verification revealed a moderating effect of justice sensitivity (H7c: β = −0.165, t-value = −3.089, p < 0.01). Meanwhile, H7d showed that justice sensitivity controls the relationship between information justice and organizational identification, and hypothesis verification revealed a moderating effect of justice sensitivity (H7d: β = −0.163, t-value = −3.091, p < 0.01).
To illustrate the moderation effects, simple slopes were plotted following the procedure by Dawson [62] (see Figures 3 and 4). Justice sensitivity was found to control the negative relationship between procedural justice and organizational identification (H7a), and the negative relationship between information justice and organizational identification (H7b). In particular, when the procedural justice and information justice were high, the group difference by justice sensitivity was not large, but when the procedural justice and information justice were low, the high justice sensitivity group caused less organizational identification than the low justice group. In other words, the higher the justice sensitivity, the higher the level of organizational identification reduction due to IS-related organizational justice.
In addition, justice sensitivity was found to control the positive relationship between procedural justice and organizational identification (H7c), and between information justice and organizational identification (H7d). In particular, when the procedural justice and information justice were high, the group difference by justice sensitivity was not large, but when the procedural justice and information justice were low, the high justice sensitivity group significantly increased organizational identification compared to the low justice group. In other words, the higher the justice sensitivity, the higher the organizational identification by IS-related organizational justice.
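The orthogonalizing approach named above for the moderation test is generally implemented as residual centering: each product indicator is regressed on all first-order indicators, and the residual is used as the interaction indicator. The Python sketch below is an added example, not the authors' AMOS procedure; the item labels (PJ1, PJ2, JS1, JS2) and all scores are constructed.

```python
"""Orthogonalized (residual-centered) product indicator for a moderation test.
Item labels and scores are constructed sample data."""
from math import sqrt


def _solve(a, b):
    """Solve a x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            raise ValueError("first-order indicators are collinear")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))) / m[i][i]
    return x


def ols_residuals(y, predictors):
    """Residuals of y regressed on an intercept plus the given predictors."""
    rows = [[1.0] + [float(p[i]) for p in predictors] for i in range(len(y))]
    k = len(rows[0])
    if len(rows) <= k:
        raise ValueError("need more respondents than regression parameters")
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(rows, y)) for i in range(k)]
    beta = _solve(xtx, xty)
    return [yi - sum(b * v for b, v in zip(beta, r)) for r, yi in zip(rows, y)]


def orthogonalized_product(x_item, z_item, first_order_items):
    """Product of one predictor item and one moderator item, with everything
    explained by the first-order items removed."""
    product = [xi * zi for xi, zi in zip(x_item, z_item)]
    return ols_residuals(product, first_order_items)


def pearson(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((p - ma) * (q - mb) for p, q in zip(a, b))
    return cov / sqrt(sum((p - ma) ** 2 for p in a) * sum((q - mb) ** 2 for q in b))


# Constructed 5-point scores for eight respondents.
PJ1 = [1, 2, 3, 4, 5, 2, 4, 3]  # procedural justice items
PJ2 = [2, 2, 3, 5, 4, 1, 4, 3]
JS1 = [2, 1, 4, 3, 5, 5, 1, 3]  # justice sensitivity items
JS2 = [1, 2, 4, 3, 5, 4, 2, 4]

if __name__ == "__main__":
    raw = [a * b for a, b in zip(PJ1, JS1)]
    resid = orthogonalized_product(PJ1, JS1, [PJ1, PJ2, JS1, JS2])
    print("corr(raw product, PJ1):", round(pearson(raw, PJ1), 3))
    print("corr(orthogonalized product, PJ1):", round(pearson(resid, PJ1), 6))
```

Because the residual is uncorrelated with every first-order item, the interaction path is estimated without the collinearity that the raw product term carries on a positive-valued Likert scale.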

Summary
Over the past year, COVID-19 has made a huge difference for people around the world. In order to curb the COVID-19 spread, the governments established strategies to minimize human encounters and enforced implementation on all members of society. In particular, movement between countries became difficult, and only minimal contact was allowed among people. Many employees have been required to work from home, resulting in the growing popularity of online meeting systems such as Zoom. The online system has made it possible to view the organization's work through the organization's information-sharing activities. However, it increases the possibility of information exposure, making it more challenging to secure information [63,64]. In particular, in situations outside the scope of the organization's control, such as working from home, the security behavior of the organizational members is bound to depend on the individual's perception and behavior of security. Thus, insiders' information security compliance management becomes more critical [65].
In this situation, this study presented a constructive security opinion beyond the information security compliance behavior of the members themselves. Moreover, it suggested a direction to increase the information security suggestion behavior, a concept that actively demands security actions from neighboring colleagues. In other words, the suggestion behavior is a concept of acting that is helpful to the organization beyond the self. It is a viewpoint that can enhance security awareness that may be caused by the external environment of an organization such as COVID-19. In detail, the study presented factors that positively and negatively influence information security suggestion behavior. The study also confirmed the relationship between the organization's information security-related procedures, information fairness, and process sensitivity. In other words, the study presented a direction for establishing an information security strategy that organizations around the world can commonly consider as a coping method for organizational members that are difficult to control in the security environment, such as online or working from home.

Implications
This study has the following implications from the academic perspective. First, the study applied the concept of voice behavior, not the concept of compliance and noncompliance, to the field of IS, and determined behavior factors or outcome concepts related to IS compliance, which was applied in the existing IS field as an outcome variable. Voice behavior goes beyond compliance behavior, which is the concept of applying the behavior required by the organization to one's own work, actively presenting opinions on the organization's goals, pointing out issues that make it difficult to achieve the goals, and achieving performance for a specific organizational goal. This is an action concept that strives to achieve; therefore, those who apply voice behavior to work show a level of behavior that attempts to respond altruistically to a problem. The study applied voice behavior, which is a behavioral concept from a constructive perspective, to the IS field. In other words, when an organization introduces an IS policy and requests security actions from its members, they are action factors that not only apply IS to its own business but also find additional problems in the security policy, and thus, the level of security from the perspective of the entire organization is increased. Therefore, the research has high academic implications in the aspect of applying voice behavior, a concept that extends IS-related behavior from the perspective of the organization in the security field.
Second, the factors affecting the organization's compliance with IS were presented from the positive and negative aspects, and the effect on voice behavior related to IS was confirmed. In detail, the study determined that the employee's work disorder that may occur due to the introduction of IS will reduce voice behavior. We also determined that organizational identification, a concept that explains the increased sense of belonging and pride due to attachment to the organization, enhances voice behavior. This study confirmed the influence relationship. In particular, organizational identification is a problem with the introduction of a stricter IS policy, and individuals may have difficulty in changing or deleting internal knowledge applied for existing business performance due to IS-related actions. When organizational identification occurs due to the application of IS rules, the voice behavior related to IS inside the organization is avoided by generating stress. In addition, organizational identification helps organizations determine that specific goals are the same among organizations and individuals. Individuals for whom organizational identification is formed show a willingness to make more efforts for the organization, which is confirmed as voice behavior. Therefore, the study has academic implications by presenting the preceding factors of voice behavior as the cause of IS compliance/noncompliance, affecting voice behavior.
Third, the study applied IS-related organizational justice to the IS field but presented procedural and information justice that influence individual's security-related behavior. In detail, IS-related procedural justice is the concept of whether the decision-making and processing procedures related to the IS behavior of the members are fair, whereas IS-related information justice is the expected result of the IS behavior by the members affected by the IS policy and rules. It is the concept of whether you are being provided with accurate information about the process of actions and actions. As IS-related procedural and information justice increase, justice also increases organizational identification and reduces negative emotions such as organizational identification. This is because members of the organization can perform standardized security actions in performing their work in the organization. Therefore, this study has academic implications by confirming that IS-related organizational justice is a factor affecting security behavior of individuals in the context of the IS field.
Finally, the study confirmed that justice sensitivity controls the effect of IS-related organizational justice on IS-related behavioral causes. In particular, the study applied the sensitivity of victims. The organization cannot easily recognize the noncompliance behavior of individuals due to the IS characteristics, and the security policy is operated from the viewpoint of sanctions. Therefore, the sensitivity to self-damage is the most appropriate factor for IS. Moreover, justice sensitivity is a level of sensitivity to the injustice received by individuals in an organization. It helps to avoid the organization's required behavior when judged to be unfair and implement the organization's request when judged to be fair. The study confirmed that this sensitivity to justice reinforces the relationship between IS-related organizational justice and the cause of security behavior in the field of IS. This study has academic implications in that justice sensitivity is suggested to be an important decision-making characteristic of an individual's viewpoint.
This study has the following implications from a practical point of view. First, the study applied voice behavior, a concept that suggests active opinions for achieving the organization's sustainable IS goal beyond the organization's IS compliance behavior. To improve the level of compliance with IS within the organization, both the person who conducts IS-related actions in the work and an altruistic and proactive action can improve policies or regulations according to the characteristics of the organization. The behavior of colleagues must also be changed. In other words, securing and improving various opinions of members to improve the level of sustainable IS within the organization are essential, as well as voice behavior. Therefore, this study has practical implications in that it presents the consequential behavior of members necessary for achieving the IS level within the organization and for continuous improvement. Moreover, when the use of information systems outside of the organization increased due to COVID-19, the concept of trying to achieve the goal with neighboring colleagues beyond the organizational members' voluntary information security actions was applied to information security. This is greatly significant in terms of expanding the purpose of security actions that appear within organizations.
Second, the study presented the leading factors influencing voice behavior toward the sustainability perspective of the IS compliance level within the organization from negative and positive aspects. A typical negative view is organizational identification by IS. Security policies, rules, and technologies introduced for information asset management are inconvenient activities that require additional effort and time for members who need to apply IS to their work. The larger the scale of resources that members put into their work for IS, the more difficult it is to achieve work performance and avoid IS activities. Therefore, when introducing IS, the organization should consider whether the changes in the existing work process of its members can be minimized; the organization should also act on IS. Moreover, a representative positive view is organizational identification, which is an individual's attachment to the organization. People with high consistency have a sense of belonging and self-esteem, so they tend to voluntarily do the activities that the organization pursues. Therefore, the organization must establish and provide a system of vision, goals, and performance that are in line with organization members. Moreover, they should grow together for a sense of unity within the organization. The study confirmed the effects of work impediment and organizational identification affecting IS voice behavior. The results suggest practical implications for organizations to introduce and apply IS policies and technologies from the perspective of members.
Third, the study confirmed that IS-related organizational justice affects individual security behavior in the IS field. In particular, perceptions of the information and procedural justice affecting the security behavior of individuals are prerequisites that significantly affect organizational identification. IS-related information justice is a concept that arises when an individual from an organization provides systematic and clear information for other members to understand and reasonably judge IS-related rules, action procedures, and expected results. Therefore, the organization should distribute manuals and carry out IS-related public relations and campaigns so that members understand the necessity of security activities and action procedures before applying IS activities to work. In addition, IS-related procedural justice is formed when IS rules and policy-related decision-making procedures are judged as fair. To increase procedural justice, the organization should consistently and clearly establish a standardized security policy for everyone's knowledge. In addition, procedural justice is heightened when members have the opportunity to present IS-related opinions; therefore, the organization provides an online and offline opinion route through which members can actively present IS-related opinions. IS policies that are suitable for organizational characteristics must be applied by strongly reflecting them. Therefore, the study has practical implications in presenting the directions for establishing fairness related to information security for the members' positive security behavior, whose external activities are increasing due to physical constraints.
Finally, the study confirmed that the level of justice sensitivity, which varies between individuals, controls the relationship between IS-related organizational justice concerning IS and the factors of IS behavior. Moreover, this study presented practical implications. The justice sensitivity applied in this study was victim sensitivity, which refers to the level of sensitivity to the victims of the unfair behavior of the organization. Most IS policies introduced by organizations are approached from a deterrence point of view, and hence, individuals have a greater sense of loss when faced with an unfair situation. However, if the situation is judged to be fair, one's belief in the organization grows even more. Hence, we confirmed that the higher the justice sensitivity, the stronger the mitigation relationship between IS-related organizational justice and work impediment, and the reinforced relationship between IS-related organizational justice and organizational identification. The organization should further strengthen the method of improving the level of internal IS via justice by grasping the thoughts of the members of the organization in advance. Therefore, the research has practical implications in the aspect of suggesting a difference in the influence of justice due to individual differences. Thus, the organization must present the strategic direction to be established to improve the security behavior of its members.

Limitations and Future Research
The study secured high academic and practical implications by explaining the relationship between information justice related to IS, the cause of security behavior, and voice behavior. However, the research has limitations in the following aspects, which need to be supplemented in future research.
First, the study measured the IS justice established by the organization through the questionnaire technique, and the cause of individual behavior and voice behavior for workers in organizations with IS policies. Put differently, the impact relationship was confirmed by measuring the organizational and personal perspectives on IS by individuals at the time of the response. However, justice, the concept of an organizational unit, must be measured more objectively. For example, if we compare organizations with high and low justice through comparisons between members of similar companies, we believe that more accurate and practical implications for sustainable behavior can be obtained. Moreover, to grasp the level of understanding about the organization's information security policy more accurately, an indicator that can measure the information security policy level must be developed and measured. For example, by using the ISO/IEC 27000 series or the COBIT guidelines [66,67], we may grasp the level of more explicit policy awareness of the organizational members by deriving the indicators from the perspective of the end-users.
Second, the study confirmed the level of personal sensitivity to justice from an exploratory point of view. Schmitt et al. (2005) applied justice sensitivity to the IS field and applied victim sensitivity. However, it can have detailed implications when the differences in the influences among other factors are compared. In addition, each scholar suggests different sensitivity due to differences in perspective. Earlier, Huseman et al. [68] classified justice sensitivity into "benevolent," "equity sensitive," and "entitled." We believe that it can have practical implications.
Finally, this study presented the factors affecting voice behavior in the single collective aspect of an organization with an IS policy. However, we believe that there will be differences in the level of information and the perception of compliance with information security by departments within the organization. For example, the competencies for using information systems differ between the information security/IT department and the sales/production department. Moreover, the need to comply with information security may be judged differently. In fact, organizational theory, sociology, and psychology provide evidence of the difference in the behavior of members, which varies according to organizational characteristics such as individualism-collectivism and organizational culture and atmosphere [69]. In future research, more detailed IS compliance directions for each group must be presented through research based on the group characteristics of these organizations.

Conflicts of Interest:
The authors declare no conflict of interest.