Information Security Behavior and Information Security Policy Compliance: A Systematic Literature Review for Identifying the Transformation Process from Noncompliance to Compliance

Employees’ behavior when they do not value information security policy compliance (ISPC) is a grave concern for an organization’s information security. Most ISPC studies evaluate compliance and noncompliance behaviors separately; the literature therefore lacks a comprehensive understanding of the factors that transform employees’ behavior from noncompliance to compliance. We conducted a systematic literature review (SLR) of the studies on information security behavior (ISB) towards ISPC published over the last decade, covering their research frameworks, research designs, and research methodologies. We found that ISPC research has focused more on compliance behaviors than on noncompliance behaviors. Value conflicts, security-related stress, and neutralization, among many other factors, provided significant evidence towards noncompliance, while internal/external and protection motivations proved positively significant towards compliance behaviors. Employees derive internal and external motivation from their social circle, management behaviors, and organizational culture to adopt security-aware behaviors. Deterrence techniques, management behaviors, culture, and information security awareness play a vital role in transforming employees’ noncompliance into compliance behaviors. The motivation of this SLR is to synthesize the literature on ISPC and ISB and to identify the behavioral transformation process from noncompliance to compliance. It contributes to the information systems security literature by providing a behavior transformation process model based on the existing ISPC literature.
