INFORMATION SECURITY POLICY COMPLIANCE BEHAVIOR MODELS, THEORIES, AND INFLUENCING FACTORS: A SYSTEMATIC LITERATURE REVIEW

This paper aims to identify information security policy compliance behavior models, their respective theories, and influencing factors. This is the first and most current comprehensive systematic review of information security policy compliance models, theories, and influencing factors. A systematic review of empirical studies from twelve online databases was conducted. The review yielded thirty-two (32) information security policy compliance behavior models proposed in different domains, comprising various theories, concepts, and influencing factors. The results showed the importance of this issue among researchers, and a major limitation found was generalizability. Twenty (20) primary theories were extracted from the identified studies, and the theory of planned behavior and the protection motivation theory were found to be the most trusted and reliable theories in information security policy compliance behavior models. Further analyses identified sixty (60) influencing factors and their alternative names and definitions. The most promising factors of importance (high usage), in descending order, are subjective norms, self-efficacy, attitudes, perceived benefits, threat vulnerability, threat severity, response efficacy, response cost, and experience. In addition, factors such as self-efficacy, attitude, perceived benefit, threat severity, response efficacy, sanction severity, personal norms, experience, and training support were found and proved to be positively associated with the intention to comply and are considered robust for increasing information security compliance intention behavior. The results of this research offer valuable information to fellow researchers by listing the models, their limitations, the theories that are trustworthy, and the influencing factors that are critical for building a better model in the future.
