Cyber–Information Security Compliance and Violation Behaviour in Organisations: A Systematic Review

: Cyber and information security (CIS) is an issue of national and international interest. Despite sophisticated security systems and extensive physical countermeasures to combat cyber-attacks, organisations are vulnerable due to the involvement of the human factor. Humans are regarded as the weakest link in cybersecurity systems as development in digital technology advances. The area of cybersecurity is an extension of the previously studied ﬁelds of information and internet security. The need to understand the underlying human behavioural factors associated with CIS policy warrants further study, mainly from theoretical perspectives. Based on these underlying theoretical perspectives, this study reviews literature focusing on CIS compliance and violations by personnel within organisations. Sixty studies from the years 2008 to 2020 were reviewed. Findings suggest that several prominent theories were used extensively and integrated with another speciﬁc theory. Protection Motivation Theory (PMT), the Theory of Planned Behaviour (TPB), and General Deterrence Theory (GDT) were identiﬁed as among the most referred-to theories in this area. The use of current theories is discussed based on their emerging importance and their suitability in future CIS studies. This review lays the foundation for future researchers by determining gaps and areas within the CIS context and encompassing employee compliance and violations within an organisation.


Introduction
From the beginning of the internet era, issues of cyber and information security (CIS) began to surface rapidly (Chen et al. 2018). CIS is regarded as the current avenue in today's digital world. Organisations are under threat and at risk of cyber-attack due to phishing activities. The cybersecurity issue is dynamic and has not been well-studied, despite its enormous importance (Gillam and Foster 2020). Cybersecurity threats include criminals, spammers, and threats from other assorted attackers. Developing countries are more at risk of cyber threats due to limited resources to acquire and implement the mechanisms of cybersecurity in their organisations (Kabanda et al. 2018). Organisations have introduced various security technologies, i.e., database security protection, networking security protocols, and intrusion detection methods (among others), to protect their cyber and information technology from cyber threats.
Considered as the weakest link, humans are vulnerable to various forms of cyber threats (Gratian et al. 2018). Poor and dangerous security practises among individuals in an organisation should be identified, and mitigation efforts such as continual education and awareness are needed to prevent cyber-crimes such as phishing and malware attacks on security systems resulting from human intervention. End users, either for personal usage or within organisations, pose the greatest threat (Menard et al. 2017). In light of this serious problem within organisations, management and stakeholders have established CIS problems as one of their critical agenda items. In response, organisations have made strict rules and policies to avoid persistent cyber threats such as system and data breaches and malicious software (Cram et al. 2017).
At the personal level, there are various measures available to strengthen one's cybersecurity; these include the adoption of antivirus software, antispyware software, cloud-based backup systems, and identity theft avoidance services (Menard et al. 2017). It is undeniable that external factors pose the biggest threat to CIS in an organisation. However, having the most sophisticated system does not protect the organisation if security surveillance is not imposed at the individual level. Personnel are an insider threat that surfaces as a risk for such a threat to happen (Cram et al. 2017). Hence, studies highlighting compliance and violations of CIS security policies provide the best understanding for practitioners of the antecedents that contribute to the most significant risks to CIS in an organisation.
Compliance and violation are considered two different perspectives in studies of CIS in organisations. The underlying elements of individual compliance and violation of CIS policies combine and are a manifestation of human behaviour. The theories of planned behaviour (TPB) (Ifinedo 2014), protection motivation theory (PMT) (Torten et al. 2018), and general deterrence theory (GDT) ) are among the theories widely used in CIS studies. Apart from these main theories, other relevant theories could provide a significant understanding of individual behaviours that result in compliance or violation of CIS policies. Studies that were reviewed lack in-depth analysis and conceptualisation of the stated theories. There is no integration of theory or production of hybrid models that encapsulate different aspects of CIS behaviour. As a result, this review offers the latest comprehensive critique and recapitulation of how the adaptation of theories in CIS studies has progressed in organisations from the standpoint of CIS compliance and violation caused by human behaviour.

The Terminology of Cybersecurity
Information and cybersecurity actually overlap, as the latter precedes the former in terms of including the human assets factor (Von Solms and Van Niekerk 2013). Information security is confined within the orbit of information-resources protection and the role of humans in the security process, whereas cybersecurity includes humans as potential targets, with them sometimes participating in a cyber-attack without consciously knowing it. The terminology of cybersecurity relates to protecting an individual's or organisation's virtual perimeter or environment (Althonayan and Andronache 2018). Van Schaik et al. (2017) define cybersecurity as cyberspace protection that includes personnel and organisations involved in cyberspace as well as any of their assets.
Many organisations tend to use these two terms interchangeably when relating them to their reputation, image, and compliance obligations (Althonayan and Andronache 2018). Among other terms used are "information assurance", "information technology security", or "electronic security". In another definition, Yoon and Kim (2013) define computer security as the "protection of information and computer assets" from computer attacks, theft, and other threats. General terminology such as "online safety behavior" (Boehmer et al. 2015) and "online security behavior" (Van Bavel et al. 2019) has also been adapted by several authors.
Due to these variations, the underlying crux of the term is based on managing software, hardware, assets, and humans in an organisation. Hence, this study uses cybersecurity and information security (CIS) terminology that reflects a holistic representation of protecting the cyber-physical aspects and the surrounding assets. This term also avoids confusion caused by variations in terminology that run the risk of researchers missing essential aspects of this field. This review is based on two facets of CIS: the cybersecurity measurement of personnel; and secondly, risk behaviour within cybersecurity. The former is usually reserved for, but not limited to, PMT applications, as well as those of TPB. The latter usually adopts Deterrence Theory, which features personnel deterrence to achieve compliance with security measures.

Previous Review
This study is not the first to review the literature on CIS. Previous reviews of CIS compliance and violations in organisations are available in the work of Lebek et al. (2014), Sommestad et al. (2014), Nasir et al. (2019), Soomro et al. (2016), Bongiovanni (2019), Cram et al. (2017), and Karlsson et al. 2016. These studies have their strength in reviewing CIS-related studies and, in particular, on focusing on CIS studies in specific disciplines. A study by Sommestad et al. (2014) presented a review of the determinants of information security policy compliance. The study discovered that several variables are found to be the most-adapted variables within specific theories such as TPB/TRA and TAM. The limitation in Sommestad's study is that the review included studies from various sources (17 journals, 3 magazines, 4 conference proceedings, and 5 from books or theses). Nasir et al. (2019) presented a study based on the cultural concept of information security. Their study is deficient in the broader sense of CIS in terms of the theoretical foundation, despite presenting the critical dimensions of information security studies. Other reviewed studies are limited to only higher education information security (Bongiovanni 2019) and a management approach (Soomro et al. 2016). All these reviews were fundamentally lacking in an understanding of cybersecurity as the 'umbrella' that covers all disciplines in organisational security practices.
The closest review paper that can be considered as the predecessor to this paper is the review by Lebek et al. (2014). The authors comprehensively reviewed a total of 144 articles on information security behaviour and the underlying theories used to conduct the studies. The relevance of our reviews compared to Lebek's study is due to several factors. Firstly, Lebek's study included a total of 51 conference papers. In light of the importance of conferences providing empirical findings, systematic review papers require a rigorous peer-review process that can only be processed by a reputable journal. Secondly, the study does not include the scope of cybersecurity behavioural studies. Cybersecurity, even though having a fundamentally similar notion as information security, covers an advanced scope that embraces organisational security entirely (Von Solms and Van Niekerk 2013).
From a methodological perspective, Lebek's study included eight different research methodologies (empirical research, modelling, deductive analysis, case study, action research, literature review, and grounded theory). Including all the different methodologies would not provide a sufficient understanding of the theory's application. Even more, the empirical studies in Lebek's study cover both quantitative and qualitative approaches. In this study, however, only quantitative studies that can be related to the theories based on the structural model and framework were used.
Next, Lebek's work only focused on the four theories adapted mainly from the reviews, comprising TAM, TPB/TRA, PMT, and GDT. By including conference-proceedings studies, the adapted theories might not have strong empirical justification based on the fundamental theory application. Leaving aside other validated theories such as Technology Threat Avoidance Theory or Social Capital Theory, further compromising insights into users' CIS security behaviour might lead to major flaws in the researchers' in-depth understanding of this phenomenon.
Finally, Lebek's study ranged from 2000 to 2014 and is now considered to be outdated. This current paper provides broader and revitalised findings from the CIS behaviour perspective from a new perspective. This dynamic field changes rapidly within 2 or 3 years as far as advancements in digital evolvement is concerned. This review notably stands out from other systematic-based reviews as its focus is within the scope of underpinning theories in CIS. As Lebek's is the only other study to discuss this, this study differs significantly by carrying out the theory integration of two and three theories from previous studies. This is in stark contrast to Lebek's study, which only focuses on four theories. Table 1 provides a summary of the previous systematic reviews or literature reviews of CIS in organisations.

Methodology
The methodology involves rigorous steps and procedures that examine the required papers within the scope of CIS behaviour. The articles included are from well-known sources, published in a Scopus-indexed journal, and based on reputable databases. Currently, Scopus and the Web of Science (WoS) are the only two reliable sources for citation data (Mongeon and Paul-Hus 2016); particularly, Scopus, whose coverage is interdisciplinary, represents a significant strength related to comparing different scientific fields. These databases included Sciencedirect, Emerald Insight, Taylor & Francis, Springer Link, Wiley-Blackwell, Inderscience, SAGE, and IEEE Explore. Apart from the 8 central databases, other journals included in the Scopus index are also acceptable. These include journals published by institutional publishers. The procedure for retrieving the articles is based on the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) method by including the exclusion and inclusion criteria for articles relevant to this review (Moher et al. 2015).

Inclusion and Exclusion Criteria
The only articles accepted were those using empirical data, excluding review articles. Conference proceedings and book chapters were excluded. Conference proceedings were omitted to ensure only peer-reviewed articles, thus determining the quality of the reviewed publications (Mingers et al. 2012). Similar SLR studies have applied a similar approach by limiting sources to only journal publications (Galvão et al. 2018;Birkel and Müller 2021). Excluding conference proceedings has improved the quality of findings (Baashar et al. 2020). Furthermore, only English-language articles were included to minimise the potentially complicated process of understanding due to the need to translate. As for the duration, since the study of information and cybersecurity is relatively new in the social science context, only articles published between 2008 and 2020 (a thirteen-year time span) were accepted. As a result of the search, a total of 60 studies from reputable publishers were collected. Science Direct has the most extensive range of articles, comprising 35 studies. This is supported by multiple journals concerning information security and computer application journals, such as Computer & Security with 13 articles and Computers in Human Behaviour and Information & Management, which each produced 7 articles. Table 2 sets out the inclusion and exclusion criteria of this systematic review. Table 2. Inclusion and exclusion criteria for the systematic review.

Journal indexed in Scopus Journal not indexed in Scopus Written in English
Conference proceedings, book chapters, and theses Empirical and quantitative study Conceptual study and literature review Published between 2008 and 2020 Written in a language other than English

Search String
As CIS terminology varies in the literature, the authors searched for similar terminologies in dictionaries and thesauruses to ensure that essential terms were not missed. Information and cybersecurity overlap, as the latter precedes the former, including the human assets factor (Von Solms and Van Niekerk 2013). Information security is confined within the orbit of information resource protection and the role of humans in the security process. In contrast, cybersecurity includes humans as potential targets, sometimes participating in a cyber-attack without consciously knowing it. Cybersecurity terminology relates to protecting an individual's or organisation's virtual perimeter or environment (Althonayan and Andronache 2018). Van Schaik et al. (2017) define cybersecurity as cyberspace protection for personnel and organisations involved in cyberspace, as well as any of their assets.
Many organisations use these two terms interchangeably when relating them to their reputation, image, and compliance obligations (Althonayan and Andronache 2018). Among other terms used are "information assurance", "information technology security", or "electronic security". In another definition, Yoon and Kim (2013) define computer security as the "protection of information and computer assets" from computer attacks, theft, and other threats. General terminology such as "online safety behavior" (Boehmer et al. 2015) and "online security behavior" (Van Bavel et al. 2019) has also been adopted by several authors.
Due to these variations, the underlying crux of the term is based on managing software, hardware, assets, and humans in an organisation. Hence, this study uses cybersecurity and information security (CIS) terminology that reflects a holistic representation of protecting the cyber-physical aspects and the surrounding assets. This term also avoids confusion caused by variations in terminology that run the risk of researchers missing essential aspects of this field. The search string for the article search is as follows: "Cyber Security" or "Information Security" or "Computer Security" or "internet security" or "digital security" and "behavior".

Results and Analysis
All the databases were searched one by one based on the specified search string. As a result, 60 studies were finalised. Table 3 presents the list of journals publishing the 60 studies. Computer and Security (Elsevier) produced 13 of the studies. This is followed by Computers in Human Behavior (Elsevier) and Information and Management, with seven studies each. Other journals had four or fewer studies. (All 60 studies were marked with an "*" in the references).  Table 4 shows the list of theories adapted in all the 60 studies. PMT was the most frequently used, with 14 studies, followed by PMT + TPB/TRA and GDT with five studies each. PMT, the Health Belief Model (HBM), and GDT + Neutralisation Theory comprised three studies each. The rest of the theories were applied in at least one or two studies.

Discussion
This systematic review provides an insight into how several theories were adapted in CIS studies. This review is not the first to review theoretical perspectives, as Lebek et al. (2014) have already provided this, but it provides a more in-depth focus on the adapted theories and, especially, theory integration. This review is more converged and exclusive by limiting sources to only journal publications, as compared to Lebek's study, which includes conference proceedings, books, book chapters, and editorials that had not undergone an extensive peer-review process. This review discovered that one of the many theories discussed in their study, the Technology Acceptance Model (TAM), was not applied in any of the 60 studies, except for Dinev et al. (2009), which applied TAM as a supporting and complementary theory in support of PMT. This shows that TAM did not sufficiently explain the user's CIS behaviour, as the constructs did not relate to any cognitive evaluation of security or the psychological domain involving a threat and coping appraisal. The following discussion of this paper is presented in the form of theories adopted/adapted from previous studies.

Protection Motivation Theory (PMT)
PMT first evolved in the 1980s from the Theory of Fear Appeal (Maddux and Rogers 1983). It has been proposed in the health and medical fields to predict individual engagement in disease prevention (Torten et al. 2018). Within the preventive medicine field, PMT was formulated to predict protective responses among individuals through the health threat of fear appeals (Posey et al. 2015). The theory has developed as a general motivation theory that explains human behaviour based on threats to their actions. Subjectively, the primary purpose of fear appeals is not to frighten people, but to inspire protective behaviours (Herath and Rao 2009;Meso et al. 2013;Boss et al. 2015). Fear is induced when an individual values the cost-benefit analysis in a state of perceived danger or when facing a threat (Workman et al. 2008). It is negatively associated with one affective state that represents a response that arises from a perceived threat, such as worry, negative arousal, discomfort, concern, or a particularly negative mood (Boehmer et al. 2015). Safa et al. (2015) explain why PMT is one of the best theories to explain individual protective actions. It is central to information technology for users to comply with and perform actions related to cyber protection (Torten et al. 2018). On the other hand, security awareness as a critical role in PMT can also be designed from PMT developed through cognitive responses to security in the form of perceived severity, perceived vulnerability, response cost, response efficacy, and self-efficacy (Hanus and Wu 2016). The danger process controls the primary cognitive function by inducing stress and coping appraisals (Workman et al. 2008). This cognitive coping appraisal is engaged when an individual confronts a situation under pressure, which then leads to appraising the threat vulnerability. This could entail motivational consideration in facing such a threat based on the perception of vulnerability's existence (Herath and Rao 2009). PMT has been adapted in various studies, including in complying with the policy on security, data backup, protection of home and network computers, employing antivirus and antimalware software (Menard et al. 2017), desktop security behaviour (Hanus and Wu 2016), the omission of information security measures (Workman et al. 2008), and general security compliance behaviour (Herath and Rao 2009;Meso et al. 2013;Yoon and Kim 2013;Siponen et al. 2014).

Extension of PMT
PMT has been used as the most fundamental theory in the field of CIS in the past decade. As organisations seek to protect their assets and valuable intangible property, understanding employees' "protection" actions and reactions to threats is the most practical insight for organisations. Given that the majority of the studies adapt PMT, notable studies have adapted and integrated PMT well with other theories and variables. TPB, within the scope of cybersecurity, has been seen to be compatible with PMT (Safa et al. 2015). Five of the studies integrated PMT and TPB/TRA. Four studies integrated PMT and TPB (Ifinedo 2012;Cox 2012;Safa et al. 2015;Hina et al. 2019) and one study integrated PMT and TRA (Yoon and Kim 2013). Ifinedo (2012) suggest that PMT and TPB, when combined, provide a better understanding of the factors that affect an employee's cybersecurity compliance. As organisations comprise various psychological aspects, a combination of different domains within two or more theories will deepen the fundamental knowledge of employee compliance and violation in CIS.
Dang-Pham and Pittayachawan (2015) proposed an extended PMT model. This model is deemed to be viable in the context of a personal mobile device or the "bring your own device" (BYOD) context that involves corporate and public places. One of the variables included in the extended PMT is the reward. Reward was found to be affected by response efficacy based on the user's intention. The suggested link is different from other studies, as the relationship was proposed as an endogenous relationship, rather than both serving as an exogenous variable to compliance intention. Findings emphasised that the extent of the cyber-threat critically influences the user's intention to perform malware avoidance. Users are not prepared to avoid malware even though they are not working while online. This extended PMT utilises the user's cognitive factors to provoke a considerable change in their intention to avoid threat. Burns et al. (2017) proposed a relationship between psychological capacities (hope, optimism, self-efficacy, and resilience) and PMT variables. Psychological capacities encompass critical resources for work-related motivation. This integration provides a broad understanding of an employee's compliance with cybersecurity policies through motivational determinants that complement PMT. Furthermore, the model includes maladaptive rewards and fear; these two extra variables within the model help to explain employee-protective security actions.
Another construct integrated with PMT is perceived extraneous circumstances, defined as the user's inability to take control due to unforeseen circumstances that prevent one from engaging in intended actions . Similar to facilitating conditions as a factor that makes an action easier, the perceived extraneous circumstance is a hindrance factor based on events beyond one's control. It may be in the form of family emergencies, work duties, or travel restrictions. Within the scope of cybersecurity, this variable can be viewed as employees failing to comply with cybersecurity policies, perceiving that their workload is high, being busy with assignments, and/or focusing on other necessary job scopes (Siponen et al. 2014). Safa et al. (2015) linked PMT with the TPB variable with a precedent-dependable construct. This includes information security awareness of attitude and organisation policy on the subjective norm and experience and involvement in perceived behavioural control.
The Health Belief Model (HBM) is considered the predecessor of PMT. PMT and HBM have been integrated in two studies (Anwar et al. 2017;Hwang et al. 2017). As an extension of HBM, PMT has been able to predict individual cybersecurity behaviour. One particular focus of the integration of PMT and HBM is the way these two theories are integrated. While many of the PMT and HBM studies acted as two underlying precedent theories to predict cybersecurity behaviour, Li et al. (2019) presented HBM variables as the exogenous variables to PMT. The model refers to peer behaviour that influences cues to action and, subsequently, to prior experience with security practice. It was constructed in such a way that a link was established between the employees' experience of having security breaches and how they would make them less vulnerable to future cyber-attacks. Tsai et al. (2016) tested the prior experience of safety hazards on the user's online behaviour. The study included perceived security support, personal responsibility, and safety habits. The new coping appraisal examines cognitive capability in connection to taking protective security actions. This coping variable is opted for more frequently than the threat appraisal due to its desirability in identifying user education interventions that can develop the motivation to acquire cybersecurity habits that can fend off online threats.

General Deterrence Theory (GDT)
GDT is the second most adapted theory in CIS studies (Alshare et al. 2018;Johnston et al. 2016;Cheng et al. 2013;Guo and Yuan 2012;Hovav and D'Arcy 2012;Son 2011;and Herath and Rao 2009). Studies applying Single Deterrence Theory include Son (2011), Hovav andD'Arcy (2012), and Guo and Yuan (2012). Studies that apply a single GDT to CIS typically investigate the aspect of negative encouragement in engaging in cybercrime. As studies of CIS are categorised in terms of compliance and violation, all the studies that apply GDT have both compliance (five studies) and violation (seven studies). This shows that GDT is the most suitable theory to be applied to understand employees' violations of behaviour as compared to compliance.
Deterrence Theory suggests that humans will refrain from engaging in undesirable behaviours (violation, crime, and abusive behaviour) if they believe that adverse consequences such as punishment and sanctions might occur ). Consequently, GDT was found to establish a relationship with humans engaging in deviant behaviours (Cheng et al. 2013). Human behaviour is based on an individual level of rationality that can be influenced by incentives in a particular negative way. Two main domains are laid out in this theory: sanction severity and sanction certainty. Certainty is defined as a belief that their criminal behaviour will be detected. Severity, on the other hand, refers to the degree of punishment once they are caught. It is posited that the higher the degree of certainty and severity of sanctions for a particular act, the more the individual will be deterred from acting in a negative way (Wenzel 2004). Another critical aspect of GDT is the celerity of sanctions, or the swiftness of sanction implementation. People will avoid criminal behaviour if the punishment for such behaviour is carried out with severity, swiftness, and a degree conviction (Alshare et al. 2018). People who are rational in terms of their actions are unlikely to commit a criminal act if their perception of the certainty, celerity, and severity of the sanctions resulting from their actions are more significant than the benefits of the crime (Dinev et al. 2009).
GDT has the highest instances of theory integration. A review shows that it is integrated with PMT + TPB (Herath and Rao 2009) (Alshare et al. 2018). GDT is effective and efficient due to its deterrence in relation to abiding by security policies. Deviant human behaviour can be explained in terms of punishment and sanctions to obtain compliance, as most people weigh up benefits and risks before engaging in any action. Future studies should always include factors within GDT in order to understand the implicit actions related to compliance with CIS.

Theory of Planned Behaviour (TPB)
TPB is a theory that explains how three predictors (attitude, subjective norm, and perceived behavioural control) influence an intention. The intention, in turn, affects individual behaviour. TPB is an extension of the Theory of Reasoned Action (TRA). Both theories are regarded as having the same theoretical underpinning in this review. The former has the added variable of perceived behavioural control. These two theories explain that attitude refers to positive personal feelings toward a behaviour either positively or negatively. The subjective norm is other people's perceptions and views of individuals engaging in a particular behaviour, while perceived behavioural control is one's perception that one can influence such behaviour ).
Ten studies applied TPB/TRA (eight of the studies applied TPB) (Dinev et al. 2009;Bulgurcu et al. 2010;Hu et al. 2012;Ifinedo 2012;Cox 2012;Ifinedo 2014;Safa et al. 2015;Humaidi and Balakrishnan 2015), while two studies applied TRA (Yoon and Kim 2013;Siponen et al. 2014). Studies that applied TPB with other theories included PMT (Ifinedo 2014;Cox 2012;Safa et al. 2015) and HBM (Humaidi and Balakrishnan 2015). Humaidi and Balakrishnan (2015) adopted TPB and HBM when assessing employees' security policies and compliance behaviour. This behaviour was linked with the HBM factors inherent in information security awareness (perceived severity, perceived susceptibility, and perceived benefits). Within the model, management support plays a vital role in information security when managing, for example, a public hospital. The study shows that hospital management is directly connected to decision making by dint of having the authority to solve problems related to human errors before proceeding to develop any information security policies. Another variable perceived to be important is trust. Trust is embedded in the TPB and HBM models. Trust is a critical factor for employees to believe in top management. Instilling confidence in employees to take on board security policy practises and implementation is highly dependent on the role of top management. Dinev et al. (2009) proposed a model comprising TPB and elements of the Technology Acceptance Model (TAM). The two domains of TAM, i.e., perceived ease of use and perceived usefulness, were posited as the antecedents of attitude, subjective norm, and perceived behavioural control. The model was further complemented by Hofstede's (1980) cultural domain of uncertainty avoidance, power distance, masculinity, individualism, and long-term orientation. The study assesses an organisation's employees' antispyware technology adoption to protect information technology in two different cultures, the U.S. and South Korea. Hofstede believes that cultural differences have a considerable impact on an employee's intentions and behaviour. The practical implication of Hofstede's cultural contention provides an in-depth understanding of different cultural practises and compliance to cybersecurity protocols in the organisation. As this study was conducted in 2009, an early stage in digital technology, it is probably one of the few studies that adapted TAM in its study. Interestingly, TAM was not found in any of the recent studies other than in that of Dinev et al. (2009).
Top management has a strong influence on employees' norms, values, and beliefs concerning security policies. Subordinates would be more willing to participate in cybersecurity practises if they believed that top management participated in related initiatives and programs. Top management is the party responsible for establishing and enforcing such policies. Perceived management participation was studied by Hu et al. (2012), based on the TPB model. Apart from that, perceived goal orientation and perceived rule-oriented findings show that top management in the study impacted subjective norms and perceived behavioural control, but not attitude. This is because attitude is derived from an individual's cognitive evaluation of compliance within their inner self-belief. Top management provides the extrinsic motivation or pressure on employees' compliance intentions, which encourages employees to conform to CIS security policies.

Integration of Three Theories
Considering the depth and critical impact of CIS on organisational safety and livelihoods, it is acceptable that a combination of more than two theories is sufficient to answer the fundamental issue in today's organisational context. Very few studies combine more than two theories due to considerable difficulty in explaining the reason for these theories concerning CIS studies. This review discovered that six studies integrated three theories to explain the CIS phenomenon.

PMT + TPB + GDT
PMT and TPB are the two most adapted theories in CIS studies, with five studies. Herath and Rao (2009) extended the model by incorporating it with GDT. The model is viewed as an Integrated Protection Motivation and Deterrence Model of Security Policy Compliance under Taylor-Todd's Decomposed TRA. Even though the study is considered to pass the current perspective in CIS, it could provide valuable insights for future researchers reviewing the possibility of drawing together the theoretical perspectives of threat and coping appraisal that can determine the attitude of security policies among employees. The model is claimed to be holistic, as it comprises the organisational commitment of employees and the intention to comply, as well as environmental factors in the deterrence of facilitating conditions and social influence. Social influence is measured in the context of subjective and descriptive norms. This was one of the earliest studies to provide a theoretical focus on employees' policy compliance intentions. The findings provide a foundation for other scholars studying employee compliance behaviour. The study found that an employee's certainty around security breaches has little impact on security concerns. Employees were found to have low security-breach perceptions. When this study was conducted in the late 2000s, CIS breaches and threats were not as prevalent as they are now. Employees complied with security policies because they perceived that it was not a hindrance to their daily lives. Furthermore, organisations were not as conscious of, and had very little idea of, the severity of CIS threats and their implications for their systems and organisations as a whole.

PMT, TRA, and CET
PMT, the Theory of Reasoned Action, and Cognitive Evaluation Theory, were studied by Siponen et al. (2014). The model consists of several components of the theories, including attitude (TRA), threat and coping appraisal (PMT), and rewards (CET). CET is a theory that estimates the negative outcome of rewards on intrinsic motivation, particularly for tangible rewards such as prizes or awards (Siponen et al. 2014). CET posits that rewards are a negative element in the context of their acting as a tool for behavioural control. This is due to recipients feeling controlled, resulting in decreased feelings of self-determination and autonomy. It was believed that CET rewards would be directly linked to positive behaviour such as security compliance, but attitudes toward compliance with security policies are needed, as employees' affection toward the policy as well as regulated rules is highly associated with their attitude. Rewards, on the other hand, predict the detrimental effect of intrinsic motivation on individuals based on actual remuneration.

GDT + Neutralisation Theory + TPB
GDT successfully explains an employee's compliance, integrated with Neutralisation and TPB. A study of three theories (GDT, Neutralisation, and TPB), with the added inclusion of Hofstede's cultural value, was studied by Al-Mukahal and Alshare (2015) in relation to employees in Qatar. The integration of the cultural factors of Hofstede's uncertainty avoidance and collectivism delineated the CIS behaviour in a developing country. Uncertainty avoidance moderates the scope of policy and the violation of information security in the case of a country having high uncertainty avoidance. On the other hand, collectivism shows that in a society where trust influences the violation of information security, it correlates negatively with a society with high collectivism. The clarity of the CIS policy predicts employees' violations. An individual who does not understand or who has a different understanding of the management's views does not comprehend the need to comply with security policies. Policy violations, work environments, and policy scope are all moderated by the cultural dimensions of uncertainty avoidance and collectivism.

TPB + SCT + SBT
Ifinedo (2014) proposed a recomposed TPB model. It was integrated with Social Capital Theory and Social Bond Theory (SBT). The SCT consists of locus of control and self-efficacy, which are based on perceived behavioural control. The study tends to link socialisation and group influence through SBT, personal beliefs, and self-efficacy through TPB and SCT, and cognition through TPB. SBT describes the bonding of the social aspect within a group. Bonding involves commitment, attachment, personal norms, and involvement (Hirschi 2002). The theory explains that individuals who have built their relationships upon such bonding could reduce their antisocial behaviour. Ifinedo (2014) believes that attachment is inherent in SBT and reflects individual identification with organisational values. Commitment refers to the effort and energy to uphold organisational CIS policy, while involvement reflects the employee's relationship with subordinates. Personal norms are the views and values of employees in relation to CIS policy. It was found that the socio-organisational element was critical in explaining an individual's security compliance behaviour. Socio-organisational factors predict individual intention positively through the attitude and subjective norms of CIS compliance. On the other hand, social influence and the perception of individuals of their competence and control in conforming to such compliance have a dominant impact on their compliance behaviour.

GDT, TPB, and Situational Crime Prevention Theory (SCPT)
One study combined GDT, TPB, and situational crime prevention factors. Situational crime prevention encourages employees to prevent misconduct within information security (Safa et al. 2019). Both theories have a positive impact on individual attitudes, albeit an outcome proven slightly different in its role. GDT focuses on perception and attitude, while Situational Crime Prevention Theory emphasises environmental restrictions that allow the organisation to mitigate the insider threat. The integration has tended to decrease insider threats to the organisation. SCPT is believed to have the same effect on individuals' attitudes. Altogether, the three theories are claimed to complete a "chain of behaviour change" in relation to violating the CIS. The study by Safa et al. (2019) conceptualised the scope of deterrence and prevention based on insider threats. The deterrence factors of employees can be examined through the lens of managerial aspects. The security breaches and violations within organisations can be managed by technology. More importantly, psychological factors should be subjected to substantial managerial action. The role of values and culture also has a considerable influence on employees' violations in CIS (Wiley et al. 2020).

GDT, Neutralisation, and Justice Theory
A comprehensive study by Alshare et al. (2018) integrated three theories (GDT, Neutralisation, and Justice Theory). Within Justice Theory, procedural and distributive justice were significant factors in employee violations of CIS in higher education in the United States. On the other hand, interactional justice was not significant. While the importance of sanction severity and certainty is undeniable, sanctions' celerity has not been seen as influential. This is crucial in managing CIS in organisations, as threats and risks can happen very quickly. As violations or compliance in an organisation are implemented, the issue of justice arises. An employee might be compliant and rewarded for their loyalty, while other employees who violate the protocols might not be sufficiently punished for their actions. This form of justice involves various dimensions and magnitudes that warrant further empirical investigation within the organisation. This could provide interesting findings in relation to whether justice prevails among employees through the implementation of cybersecurity practises in an organisation.

Other Theories
Other relevant theories adapted in these studies include the Health Belief Model (HBM) (Bonar and Rosenberg 2011;Dodel and Mesch 2019), Rational Choice Theory (Li et al. 2010;Vance and Siponen 2012), Social Bond Theory (Choi and Song 2018), Social Exchange Theory (D'Arcy and Greene 2014), Control Theory and Reactance Theory , Compensation Theory (Zhang et al. 2009), Personality (Shropshire et al. 2015;McCormac et al. 2017), and Norm Activation Theory (Yazdanmehr and Wang 2016). All these theories are relevant based on their contextual studies. The findings could provide considerable insights for practitioners based on the findings and the inferred justifications provided. The use of any of these theories has a justification for employing them. For example, in the case of using HBM, the context of the study should be to answer the organisation's perceived "health" on the verge of the CIS attack. As for the use of personality, it could be used to determine the relationship between personality and the individual traits that organisations perceive would be a risk to CIS.

Suggestions for Future Research
Based on this review, the directions for future studies are many. The frequency of cybersecurity and information breaches has become a norm; compliance with policies should be the number one policy goal in an organisation. Therefore, the organisation should make sure employees understand policy implementation and the reason it is being regulated. PMT predicted that employees who felt that security policies were inconvenient and believed that the cost of compliance was too high would be more likely to not comply (Vance and Siponen 2012). Gaps are discussed and provide possibilities for relevant future studies in the scope of CIS.
When deciphering the geographical context of CIS studies conducted, one of the main gaps is the locality of studies. Based on a geographical context, the majority of the studies (31) were conducted in the United States, representing more than half of all the studies reviewed. Within the magnitude of studies in the United States, it is well-accepted that organisations in the United States are aware of the need to study the role of cybersecurity issues in the country's organisations. They are acutely aware of safeguarding their assets and information and their vulnerability to cyber-attacks. Other countries have a high concentration of studies, including Canada (four studies), South Korea (four studies), Finland (three studies), and Malaysia (three studies). Of these four countries, Malaysia is considered the only developing country among the top four countries undertaking CIS-behaviour studies; this indicates that the CIS issue is a serious issue for the country's cybersecurity. European countries, on the other hand, have not displayed as much interest in the CIS field, with only a handful of studies. Except for Finland with three studies, other countries have only one study (the UK and Israel) and only two studies have been conducted across multiple European countries ( Van Bavel et al. 2019;Silic et al. 2017). European countries do not focus as much on CIS studies, possibly for two main reasons. Firstly, security systems are well-coordinated in Europe; or secondly, the people in Europe are law-abiding citizens who do not see the need to conduct an in-depth CIS study.
Security policies should include the domain of reward and penalty, as suggested by Safa et al. (2015). Abiding by policies is not easy for some individuals due to their personalities. Hence, customising reward and penalty schemes would enhance the regulatory aspect of cybersecurity. Apart from that, intervention by the management in terms of knowledge sharing by experts and industrial partners conducting technical training on how to avoid and identify threats could serve as a new research avenue (Fauzi et al. 2018). Knowledge sharing by experts skilled in the area of cybersecurity coming from industry or academia would be able to develop individual susceptibility and resistance towards cyber threats and reduce the risk of cyber-attacks.
To date, the role of responsibility in relation to cybersecurity is still understudied; this includes personal responsibility and group responsibility. Personal responsibility is a normative belief of personal action that is required for an individual to achieve a desirable outcome (Boehmer et al. 2015). As studies employing personal responsibility are still scarce, future studies should employ this variable on personal grounds. One should take responsibility for taking care of one's cyber welfare, similar to health (Gaston and Prapavessis 2014). In a cybersecurity context, users should believe that they have the responsibility to fend off possible malicious threats via the internet and become more vigilant. Employees should also update their spyware protection and make sure that their security software is a programme that is reliable in preventing malware and spam.
Another critical issue of interest is the effect of gender on cybersecurity in the organisation. Due to biological and physiological differences, each gender perceives risk and threat differently; hence, there would be different dependent variables for cybersecurity practices. In a significant study by Anwar et al. (2017), it was revealed that men have more self-reported cybersecurity behaviour compared to women. Men tend to take risks, while women have a higher level of risk concern. Women are significantly impacted by perceived control and risk of privacy when using social networking sites when sharing information (Hajli and Lin 2016). The impact of gender on CIS should be further investigated to mitigate the CIS issue in an organisation.
The underlying concern of this study is that the integration of theories serves to explain employee compliance and violations in CIS. Well-established and -adopted theories should be tested thoroughly before being extended or integrated, as suggested by Sommestad et al. (2014). The main issue of integrating different theories in studying the user's CIS is the effect size. Combining effect sizes from different adapted models may lead to a distortion of variables and an overlap of each other, as they can measure similar aspects from different theories. This causes one variable to have the effect size of other variables in the same model . This issue is also apparent when researchers remove certain variables, as it will cause an increase in effect size. Hence, from a statistical point of view, each theory's adaptation should be carefully taken from well-proven theories, having been empirically tested individually in relation to information and cybersecurity practises such as PMT, TPB, and GDT. Other nonextensive theories should be adapted individually or as complementary theories.

Conclusions
The escalation of cyber and information usage in today's world warrants the need for a systematic implementation of security policies in an organisation. Despite having sophisticated security systems in organisations, humans will always be the most vulnerable point of attack and threat to an organisation's CIS system. In light of cybersecurity studies, this paper reviewed 60 recent adoptions of CIS in the last 13 years. Three theories have been extensively used to study employee compliance and violation behaviour in the organisational context. Empirical justifications are crucial in explaining the CIS phenomenon. PMT, TPB, and GDT were found to be of the most relevance and served as the basis of future underpinning theories. A review of these theories, together with other relevant theories in CIS studies, provides compelling insight for practitioners, particularly to mitigating the severity of security compliance as well as violation. Several gaps and mis-steps were identified in CIS studies, including the geographical context of studies conducted, the role of gender in complying with CIS, the role of responsibility, and the issue of theory integration. Related studies to understand the user's adoption of cyber-related regulations are reviewed in this paper. This review has proven that CIS is imperative for an organisation to stay relevant in this challenging digital age. Threat and risk are ever present when the human factor is included in the equation.

Conflicts of Interest:
The authors declare no conflict of interest.