Variables influencing information security policy compliance: A systematic review of quantitative studies

Purpose – The purpose of this paper is to identify the variables that influence compliance with organizations' information security policies and to establish how important these variables are.

Design/methodology/approach – A systematic review of the empirical studies described in the extant literature is performed. The review found 29 studies meeting its inclusion criterion. The variables investigated in these studies and the effect sizes reported for them were extracted and analysed.

Findings – In the 29 studies, more than 60 variables have been studied in relation to security policy compliance and non-compliance. Unfortunately, no clear winners can be found among the variables or the theories they are drawn from. Each variable explains only a small part of the variation in people's behaviour, and when a variable has been investigated in multiple studies the findings often vary considerably.

Research limitations/implications – It is possible that the disparate findings of the reviewed studies can b...
