Information Security Behavior and Information Security Policy Compliance: A Systematic Literature Review for Identifying the Transformation Process from Noncompliance to Compliance
Abstract
1. Introduction
2. Literature Review
2.1. Information Security Behavior and Compliance towards Information Security Policies
2.2. Information Security Behavior and Noncompliance towards Information Security Policies
2.3. Related Research and Motivations for the Current Review
3. Methodology
- What are the behavioral factors concluded in studies as a significant determinant of information security policy compliance?
- What are the behavioral factors concluded in studies as a significant determinant of information security policy noncompliance?
- What are the best possible transformation steps of behavior as analyzed in studies from noncompliance to compliance?
- English is the language of the article.
- Articles are related to information security behavior and information security policy compliance.
- Article was published in a journal between 2010 and 2020.
- The article is related to information security behavior but not information security policy compliance or vice versa.
- Articles are related to other than organizational security policy compliance. For example, home users.
- Articles with just management/awareness/culture without any behavioral aspect.
- Articles related to cybersecurity not information security.
- Articles without any methodological evidence.
- A book, magazine, thesis, or a report.
4. Results and Analysis
4.1. Analysis of Compliance Behavior
4.1.1. National Culture and Compliance
4.1.2. Intrinsic/Extrinsic Motivations and Compliance
4.1.3. Protection Motivation Behaviors and Compliance
4.1.4. Security Culture, Awareness Behaviors and Compliance
4.1.5. Management Behaviors and Compliance
4.1.6. Social Behaviors and Compliance
4.1.7. Actual Behavior and Compliance
4.2. Analysis of NonCompliance Behaviors
4.2.1. Neutralization, SRS and Noncompliance
4.2.2. Value Conflicts and Noncompliance
4.2.3. Deterrence and Noncompliance
5. Discussion
5.1. Theoretical Implications
5.2. Practical Implications
5.3. Limitations and Future Research
6. Closing Remarks
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Acknowledgments
Conflicts of Interest
Appendix A
Study | Theory Used | Influencing Factors |
---|---|---|
[44] | Grounded Theory | Information security value, formalized controls, and workplace relationships |
[99] | Theory of Neutralization, Deterrence Theory | Power distance, masculinity, individualism, moral beliefs |
[8] | General Deterrence Theory | Perceived legitimacy, perceived value congruences, perceived severity, perceived certainty |
[59] | TPB, Self-Determination and Organismic Integration Theory | General motivations (locus of control) and situational motivations |
[60] | PMT, TPB | Social influence, response efficacy, self-efficacy |
[14] | PMT, TPB | Perceived vulnerability, response efficacy, self-efficacy, attitude, subjective norms |
[61] | PMT | Habit, rewards, vulnerability, perceived severity |
[37] | PMT | Criticality |
[24] | PMT | Fear and protection motivation |
[62] | PMT | Fear and protection motivation |
[54] | PMT | Continuance intention, perceived extraneous circumstances |
[63] | PMT | Hope, optimism, self-efficacy, resilience, fear, and protection motivation |
[64] | PMT | Response efficacy and response cost |
[65] | PMT | Responsibility, OCB, psychological ownership, and protection motivation |
[66] | PMT, Health Belief Model, DT, TRA | Self-efficacy and impact |
[45] | Ethical Decision-Making Model, and Value Congruence Theory | Moral beliefs |
[27] | PMT, TPB, GDT, and OT | Vulnerability, self-efficacy, response efficacy, response-cost |
[16] | TRA, TPB | Knowledge, value, skills, culture |
[49] | TPB | Top management, culture, attitude, perceived compliance control, subjective norms |
[46] | Social Exchange Theory | Job satisfaction, perceived organizational support, and security culture |
[68] | PMT | Knowledge and protection motivation |
[47] | PMT, TPB | Awareness, subjective norms, attitude, perceived behavioral control |
[52] | PMT and Health Belief Model | Security systems, security education, security visibility |
[17] | TPB | Security awareness, intention to confirm early |
[48] | Theory of Organizational Behavior and Strategic Management Theory | Discipline and agility |
[69] | PMT | Moral obligations, attitude |
[70] | TPB and Theory of Acceptance Model | Leadership, training, and perceived usefulness of security |
[71] | TPB and Health Belief Model | Management, awareness, working experience |
[72] | TPB | Status (rank), perceived behavioral control |
[73] | RCT | Psychological contract, perceived cost, perceived benefit |
[74] | RCT | Corporate social responsibility, perceived benefit, perceived benefit |
[75] | Social cognitive learning theory | Security monitoring, outcome expectation, self-efficacy |
[76] | Social Exchange Theory | Organizational commitment, perceived organizational support, response cost |
[77] | Theory of Inertia | Cognitive inertia, IT usage inertia |
[15] | TRA, PMT, GDT, Innovation Diffusion Theory | Deterrence and intention to comply |
[90] | TPB | Intended behavior, perceived behavior control |
[35] | PMT, TPB, GDT | Organizational commitment, subjective norms, perceived behavior control, attitude |
[91] | TPB | Organizational culture, behavior type |
[92] | TPB | Intention to commit, desire to commit |
[93] | GDT, SCPT, TPB | Subjective norms, intention to prevent misbehavior |
[89] | Social Cognitive Theory | Coworker socialization, computer self-efficacy, personal innovations |
[103] | GDT, Social Bond Theory (SBT) | Commitment, involvement, personal norms, social pressure, perceived severity, and certainty |
[82] | TPB, SBT, Social Control Theory (SCT) | Attitude, subjective norms, locus of control, self-efficacy |
[83] | PMT | Social influence, knowledge, self-efficacy |
[41] | SCT | Attachment, commitment, involvement, personal norms, specification, evaluation, reward |
[84] | Norm Active Theory, Theory of Social Norms | Personal norms, awareness, ascription of personal responsibility |
[85] | SBT, Involvement Theory | Attachment, commitment, involvement, personal norms, knowledge sharing, collaboration, intervention, experience and attitude |
[86] | SBT, SCPT | Commitment, involvement, personal norms, misbehavior reduction intention |
[87] | Person-Organization fit theory | Security commitment, apathy, and fit elements |
Studies | Theory Used | Influencing Factors |
---|---|---|
[38] | TPB, PMT, GDT | Previous punishment experience |
[40] | PMT | IT vision conflict |
[20] | Coping Theory, Disengagement Theory | SRS, realism, perceived sanctions |
[12] | Theory of Neutralization | SRS fatigue, and frustration |
[11] | TPB, RCT | Negative affect, work impediment, and daily deviance |
[42] | Grounded Theory | Value assignment, perception of information value |
[51] | Theory of Neutralization | Ethical work climate, beliefs |
[105] | PMT and GDT | Human personality traits (stability and plasticity) |
[95] | Theory of Neutralization, PMT, TPB | Normative faith |
[104] | GDT | Satisfaction and safe behavior |
[39] | Prospect Theory, RCT, Self-Justification Theory, Approach Avoidance Theory | Sunk cost, self-justification, and risk perception |
[102] | Stewardship Theory | Value identification, trusted relationship fulfillment, growth need fulfillment, long-term orientation, the intention of CDISV |
[23] | TPB, GDT | Descriptive norms, moral norms |
[15] | Theory of Neutralization | Sanctions (formal, informal), shame |
[40] | Coping Theory | Perceived externality, triage, procrastination, psychological detachment |
[96] | Theory of Neutralization, Deterrence | Organizational injustice (procedural and distributive) |
No | Theory Name |
---|---|
1 | Theory of Planned Behavior |
2 | Protection Motivation Theory |
3 | Social Cognitive Theory |
4 | Social Bond Theory |
5 | Social Control Theory |
6 | Rational Choice Theory |
7 | Health Belief Model |
8 | Social Exchange Theory |
9 | Agency theory |
10 | General Deterrence Theory |
No | Theory Name |
---|---|
1 | Theory of Neutralization |
2 | General Deterrence Theory |
3 | Protection Motivation Theory |
4 | Coping Theory |
5 | Rational Choice Theory |
6 | Self-Justification Theory |
Category | Compliance/Noncompliance | Number of Studies |
---|---|---|
National culture | Compliance | 1 |
Intrinsic/extrinsic motivations | Compliance | 3 |
Protection motivation behaviors | Compliance | 15 |
Culture/aware behaviors | Compliance | 7 |
Management behaviors | Compliance | 12 |
Social behaviors | Compliance | 10 |
Actual compliance behaviors | Compliance | 6 |
SRS/neutralization | Noncompliance | 12 |
Value conflicts | Noncompliance | 5 |
Deterrence | Noncompliance | 9 |
Total | | 80 |
Terminology | Meaning |
---|---|
ISPC | Information security policy compliance |
SLR | Systematic literature review |
ISP | Information security policy |
ISB | Information security behavior |
BPMN | Business process modeling notation |
ICT | Information communication technology |
PMB | Protection motivation behaviors |
PMT | Protection motivation theory |
TPB | Theory of planned behavior |
TRA | Theory of reasoned action |
SBT | Social bond theory |
DT | Deterrence theory |
GDT | General deterrence theory |
OT | Operational theory |
RCT | Rational choice theory |
SCPT | Situational crime prevention theory |
SRS | Security-related stress |
CDISV | Consequence-delayed information security violation |
LTO | Long-term orientation |
References
- Ali, S.E.A.; Lai, F.-W.; Hassan, R.; Shad, M.K. The Long-Run Impact of Information Security Breach Announcements on Investors’ Confidence: The Context of Efficient Market Hypothesis. Sustainability 2021, 13, 1066.
- Ali, S.E.A.; Lai, F.-W.; Hassan, R. Socio-Economic Factors On Sector-Wide Systematic Risk Of Information Security Breaches: Conceptual Framework. In Proceedings of the International Economics and Business Management Conference, Melaka, Malaysia, 2–3 November 2020; pp. 502–512.
- Ali, R.F.; Dominic, P.; Ali, K. Organizational governance, social bonds and information security policy compliance: A perspective towards oil and gas employees. Sustainability 2020, 12, 8576.
- Dong, K.; Ali, R.F.; Dominic, P.; Ali, S.E.A. The Effect of Organizational Information Security Climate on Information Security Policy Compliance: The Mediating Effect of Social Bonding towards Healthcare Nurses. Sustainability 2021, 13, 2800.
- Services, S. IBM Infographic: Cyber Security Intelligence Index; IBM: Armonk, NY, USA, 2014; Available online: http://www-935.ibm.com/services/us/en/it-services/security-services/2014-cyber-security-intelligence-index-infographic (accessed on 7 September 2019).
- PWC. UK Organisations Still Failing to Prepare Effectively for Cyber Attacks; PWC: Cambridge, UK, 2017; Available online: https://www.pwc.co.uk/press-room/press-releases/global-state-information-security-survey-2018-uk.html (accessed on 12 March 2020).
- NIST. NIST Standards and Guidelines; NIST: Gaithersburg, MD, USA, 2019. Available online: https://www.nist.gov/topics/cybersecurity (accessed on 14 April 2020).
- Jai-Yeol, S. Out of fear or desire? Toward a better understanding of employees’ motivation to follow IS security policies. Inf. Manag. 2011, 48, 296–302.
- Siponen, M.; Willison, R. Information security management standards: Problems and solutions. Inf. Manag. 2009, 46, 267–270.
- Yildirim, E.Y.; Akalp, G.; Aytac, S.; Bayram, N. Factors influencing information security management in small-and medium-sized enterprises: A case study from Turkey. Int. J. Inf. Manag. 2011, 31, 360–365.
- D’Arcy, J.; Lowry, P.B. Cognitive-affective drivers of employees’ daily compliance with information security policies: A multilevel, longitudinal study. Inf. Syst. J. 2019, 29, 43–69.
- D’Arcy, J.; Teh, P.-L. Predicting employee information security policy compliance on a daily basis: The interplay of security-related stress, emotions, and neutralization. Inf. Manag. 2019, 56, 103–151.
- D’Arcy, J.; Herath, T. A review and analysis of deterrence theory in the IS security literature: Making sense of the disparate findings. Eur. J. Inf. Syst. 2011, 20, 643–658.
- Ifinedo, P. Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Comput. Secur. 2012, 31, 83–95.
- Siponen, M.; Pahnila, S.; Mahmood, M.A. Compliance with information security policies: An empirical investigation. Computer 2010, 43, 64–71.
- Alfawaz, S.; Nelson, K.; Mohannak, K. Information security culture: A behaviour compliance conceptual framework. In Proceedings of the Eighth Australasian Conference on Information Security-Volume 105, Brisbane, Australia, 10 January 2010; pp. 47–55.
- Bélanger, F.; Collignon, S.; Enget, K.; Negangard, E. Determinants of early conformance with information security policies. Inf. Manag. 2017, 54, 887–901.
- Herath, T.; Rao, H.R. Protection motivation and deterrence: A framework for security policy compliance in organisations. Eur. J. Inf. Syst. 2009, 18, 106–125.
- Herath, T.; Rao, H.R. Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decis. Support Syst. 2009, 47, 154–165.
- D’Arcy, J.; Herath, T.; Shoss, M.K. Understanding employee responses to stressful information security requirements: A coping perspective. J. Manag. Inf. Syst. 2014, 31, 285–318.
- Corradini, I. Security: Human Nature and Behaviour. In Building a Cybersecurity Culture in Organizations; Springer: Cham, Switzerland, 2020; Volume 1, pp. 23–47.
- Liu, C.; Wang, N.; Liang, H. Motivating information security policy compliance: The critical role of supervisor-subordinate guanxi and organizational commitment. Int. J. Inf. Manag. 2020, 54, 102152.
- Merhi, M.I.; Ahluwalia, P. Examining the impact of deterrence factors and norms on resistance to information systems security. Comput. Hum. Behav. 2019, 92, 37–46.
- Boss, S.; Galletta, D.; Lowry, P.B.; Moody, G.D.; Polak, P. What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors. MIS Q. 2015, 39, 837–864. Available online: https://www.jstor.org/stable/26628654 (accessed on 15 March 2020).
- Bongiovanni, I. The least secure places in the universe? A systematic literature review on information security management in higher education. Comput. Secur. 2019, 86, 350–357.
- Hina, S.; Dominic, P.D.D. Information security policies’ compliance: A perspective for higher education institutions. J. Comput. Inf. Syst. 2018, 60, 201–211.
- Rajab, M.; Eydgahi, A. Evaluating the explanatory power of theoretical frameworks on intention to comply with information security policies in higher education. Comput. Secur. 2019, 80, 211–223.
- Sommestad, T.; Karlzén, H.; Hallberg, J. A meta-analysis of studies on protection motivation theory and information security behaviour. Int. J. Inf. Secur. Priv. 2015, 9, 26–46.
- Shahzad, K.; Nawab, R.M.A.; Abid, A.; Sharif, K.; Ali, F.; Aslam, F.; Mazhar, A. A process model collection and gold standard correspondences for process model matching. IEEE Access 2019, 7, 30708–30723.
- Shankararaman, V. Business Enterprise, Process, and Technology Management: Models and Applications; IGI Global: Hershey, PA, USA, 2012.
- Shahzad, K.; Shareef, K.; Ali, R.F.; Nawab, R.M.A.; Abid, A. Generating process model collection with diverse label and structural features. In Proceedings of the 2016 Sixth International Conference on Innovative Computing Technology (INTECH), Dublin, Ireland, 24–26 August 2016; pp. 644–649.
- Sommestad, T.; Hallberg, J.; Lundholm, K.; Bengtsson, J. Variables influencing information security policy compliance. Inf. Manag. Comput. Secur. 2014, 22, 42–75.
- Tsohou, A.; Holtkamp, P. Are users competent to comply with information security policies? An analysis of professional competence models. Inf. Technol. People 2018, 31, 1047–1068.
- Trang, S.; Brendel, B. A meta-analysis of deterrence theory in information security policy compliance research. Inf. Syst. Front. 2019, 21, 1–20.
- Salvatore, A. A Composite Framework for Behavioral Compliance with Information Security Policies. J. Organ. End User Comput. 2013, 25, 32–51.
- Padayachee, K. Taxonomy of compliant information security behavior. Comput. Secur. 2012, 31, 673–680.
- Posey, C.; Roberts, T.L.; Lowry, P.B.; Bennett, R.J. Insiders’ protection of organizational information assets: Development of a systematics-based taxonomy and theory of diversity for protection-motivated behaviors. MIS Q. 2013, 37, 1189–1210. Available online: http://www.jstor.org/stable/43825787 (accessed on 28 April 2020).
- Aurigemma, S.; Mattson, T. Deterrence and punishment experience impacts on ISP compliance attitudes. Inf. Comput. Secur. 2017, 25, 421–436.
- Kajtazi, M.; Cavusoglu, H.; Benbasat, I.; Haftor, D. Escalation of commitment as an antecedent to noncompliance with information security policy. Inf. Comput. Secur. 2018, 26, 171–193.
- Chang, K.-C.; Seow, Y.M. Protective measures and security policy non-compliance intention: It vision conflict as a moderator. J. Organ. End User Comput. 2019, 31, 1–21.
- Hsu, J.S.-C.; Shih, S.-P.; Hung, Y.W.; Lowry, P.B. The role of extra-role behaviors and social controls in information security policy effectiveness. Inf. Syst. Res. 2015, 26, 282–300.
- Doherty, N.F.; Tajuddin, S.T. Towards a user-centric theory of value-driven information security compliance. Inf. Technol. People 2018, 31, 348–367.
- Dinev, T.; Goo, J.; Hu, Q.; Nam, K. User behaviour towards protective information technologies: The role of national cultural differences. Inf. Syst. J. 2009, 19, 391–412.
- Connolly, L.Y.; Lang, M.; Wall, D.S. Information Security Behavior: A Cross-Cultural Comparison of Irish and US Employees. Inf. Syst. Manag. 2019, 36, 306–322.
- Lankton, N.K.; Stivason, C.; Gurung, A. Information protection behaviors: Morality and organizational criticality. Inf. Comput. Secur. 2019, 27, 468–488.
- D’Arcy, J.; Greene, G. Security culture and the employment relationship as drivers of employees’ security compliance. Inf. Manag. Comput. Secur. 2014, 22, 474–489.
- Safa, N.S.; Sookhak, M.; Von Solms, R.; Furnell, S.; Ghani, N.A.; Herawan, T. Information security conscious care behaviour formation in organizations. Comput. Secur. 2015, 53, 65–78.
- Harnesk, D.; Lindström, J. Shaping security behaviour through discipline and agility: Implications for information security management. Inf. Manag. Comput. Secur. 2011, 19, 262–276.
- Hu, Q.; Dinev, T.; Hart, P.; Cooke, D. Managing employee compliance with information security policies: The critical role of top management and organizational culture. Decis. Sci. 2012, 43, 615–660.
- Sykes, G.M.; Matza, D. Techniques of neutralization: A theory of delinquency. Am. Sociol. Rev. 1957, 22, 664–670.
- Gwebu, K.L.; Wang, J.; Hu, M.Y. Information security policy noncompliance: An integrative social influence model. Inf. Syst. J. 2020, 30, 1350–1917.
- Hwang, I.; Kim, D.; Kim, T.; Kim, S. Why not comply with information security? An empirical approach for the causes of non-compliance. Online Inf. Rev. 2017, 41, 2–18.
- Anderson, C.L.; Agarwal, R. Practicing safe computing: A multimedia empirical examination of home computer user security behavioral intentions. MIS Q. 2010, 34, 613–643.
- Merrill, W.; Allen, C. Continuance of protective security behavior: A longitudinal study. Decis. Support Syst. 2016, 92, 25–35.
- Nasir, A.; Arshah, R.A.; Ab Hamid, M.R. Information Security Policy Compliance Behavior Based on Comprehensive Dimensions of Information Security Culture: A Conceptual Framework. In Proceedings of the 2017 International Conference on Information System and Data Mining, South Carolina, SC, USA, 1–3 April 2017; pp. 56–60.
- Soomro, Z.A.; Shah, M.H.; Ahmed, J. Information security management needs more holistic approach: A literature review. Int. J. Inf. Manag. 2016, 36, 215–225.
- Wolfswinkel, J.F.; Furtmueller, E.; Wilderom, C.P. Using grounded theory as a method for rigorously reviewing literature. Eur. J. Inf. Syst. 2013, 22, 45–55.
- Booth, A.; Sutton, A.; Papaioannou, D. Systematic Approaches to a Successful Literature Review; Sage: London, UK, 2016.
- Kranz, J.; Haeussinger, F. Why deterrence is not enough: The role of endogenous motivations on employees’ information security behavior. In Proceedings of the International conference on information systems, Auckland, New Zealand, 14–17 December 2014; pp. 23–44.
- Warkentin, M.; Johnston, A.C. Fear appeals and information security behaviors: An empirical study. MIS Q. 2010, 34, 549–566.
- Vance, A.; Siponen, M.; Pahnila, S. Motivating IS security compliance: Insights from habit and protection motivation theory. Inf. Manag. 2012, 49, 190–198.
- Warkentin, M.; Siponen, M. An enhanced fear appeal rhetorical framework: Leveraging threats to the human asset through sanctioning rhetoric. MIS Q. 2015, 39, 113–134. Available online: https://www.jstor.org/stable/26628343 (accessed on 30 April 2020).
- Burns, A.; Posey, C.; Roberts, T.L.; Lowry, P.B. Examining the relationship of organizational insiders’ psychological capital with information security threat and coping appraisals. Comput. Hum. Behav. 2017, 68, 190–209.
- Crossler, R.E.; Bélanger, F.; Ormond, D. The quest for complete security: An empirical analysis of users’ multi-layered protection from security threats. Inf. Syst. Front. 2017, 21, 343–357.
- Blythe, J.M.; Coventry, L. Costly but effective: Comparing the factors that influence employee anti-malware behaviours. Comput. Hum. Behav. 2018, 87, 87–97.
- Hooper, V.; Blunt, C. Factors influencing the information security behaviour of IT employees. Behav. Inf. Technol. 2019, 39, 1–13.
- Alanazi, S.T.; Anbar, M.; Ebad, S.A.; Karuppayah, S.; Al-Ani, H.A. Theory-Based Model and Prediction Analysis of Information Security Compliance Behavior in the Saudi Healthcare Sector. Symmetry 2020, 12, 1544.
- Pahnila, S.; Karjalainen, M.; Siponen, M.T. Information Security Behavior: Towards Multi-Stage Models. In Proceedings of the Pacific Asia Conference on Information Systems, Jeju Island, Korea, 18–22 June 2013; pp. 102–122.
- Yoon, C.; Kim, H. Understanding computer security behavioral intention in the workplace: An empirical study of Korean firms. Inf. Technol. People 2013, 26, 401–419.
- Humaidi, N.; Balakrishnan, V. Exploratory factor analysis of user’s compliance behaviour towards health information system’s security. J. Health Med. Inform. 2013, 4, 2–9.
- Humaidi, N.; Balakrishnan, V. The Moderating effect of working experience on health information system security policies compliance behaviour. Malays. J. Comput. Sci. 2015, 28, 70–92. Available online: https://ejournal.um.edu.my/index.php/MJCS/article/view/6856 (accessed on 15 May 2020).
- Aurigemma, S.; Mattson, T. Privilege or procedure: Evaluating the effect of employee status on intent to comply with socially interactive information security threats and controls. Comput. Secur. 2017, 66, 218–234.
- Han, J.; Kim, Y.J.; Kim, H. An integrative model of information security policy compliance with psychological contract: Examining a bilateral perspective. Comput. Secur. 2017, 66, 52–65.
- Kim, H.L.; Han, J. Do employees in a “good” company comply better with information security policy? A corporate social responsibility perspective. Inf. Technol. People 2018, 32, 858–875.
- Ahmad, Z.; Ong, T.S.; Liew, T.H.; Norhashim, M. Security monitoring and information security assurance behaviour among employees: An empirical analysis. Inf. Comput. Secur. 2019, 27, 165–188.
- Sharma, S.; Warkentin, M. Do I really belong? Impact of employment status on information security policy compliance. Comput. Secur. 2019, 87, 101397.
- Sillic, M. Critical impact of organizational and individual inertia in explaining non-compliant security behavior in the Shadow IT context. Comput. Secur. 2019, 80, 108–119.
- Koohang, A.; Nowak, A.; Paliszkiewicz, J.; Nord, J.H. Information Security Policy Compliance: Leadership, Trust, Role Values, and Awareness. J. Comput. Inf. Syst. 2020, 60, 1–8.
- Chakraborty, T.; Jajodia, S.; Katz, J.; Picariello, A.; Sperli, G.; Subrahmanian, V. FORGE: A fake online repository generation engine for cyber deception. IEEE Trans. Dependable Secur. Comput. 2019, 18, 518–533.
- Han, Q.; Molinaro, C.; Picariello, A.; Sperli, G.; Subrahmanian, V.S.; Xiong, Y. Generating Fake Documents using Probabilistic Logic Graphs. IEEE Trans. Dependable Secur. Comput. 2021, 1–15.
- Naseer, S.; Faizan Ali, R.; Dominic, P.; Saleem, Y. Learning Representations of Network Traffic Using Deep Neural Networks for Network Anomaly Detection: A Perspective towards Oil and Gas IT Infrastructures. Symmetry 2020, 12, 1882.
- Ifinedo, P. Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Inf. Manag. 2014, 51, 69–79.
- Posey, C.; Roberts, T.L.; Lowry, P.B.; Hightower, R.T. Bridging the divide: A qualitative comparison of information security thought patterns between information security professionals and ordinary organizational insiders. Inf. Manag. 2014, 51, 551–567.
- Yazdanmehr, A.; Wang, J. Employees’ information security policy compliance: A norm activation perspective. Decis. Support Syst. 2016, 92, 36–46.
- Safa, N.S.; Von Solms, R.; Furnell, S. Information security policy compliance model in organizations. Comput. Secur. 2016, 56, 70–82.
- Safa, N.S.; Maple, C.; Watson, T.; Von Solms, R. Motivation and opportunity based model to reduce information security insider threats in organisations. J. Inf. Secur. Appl. 2018, 40, 247–257.
- Chen, H.; Li, W. Understanding commitment and apathy in is security extra-role behavior from a person-organization fit perspective. Behav. Inf. Technol. 2019, 38, 454–468.
- Yazdanmehr, A.; Wang, J.; Yang, Z. Peers matter: The moderating role of social influence on information security policy compliance. Inf. Syst. J. 2020, 30, 787–790.
- Jaafar, N.I.; Ajis, A. Organizational climate and individual factors effects on information security compliance behaviour. Int. J. Bus. Soc. Sci. 2013, 4, 1–13.
- Cox, J. Information systems user security: A structured model of the knowing—Doing gap. Comput. Hum. Behav. 2012, 28, 1849–1858.
- Djajadikerta, H.G.; Roni, S.M.; Trireksani, T. Dysfunctional information system behaviors are not all created the same: Challenges to the generalizability of security-based research. Inf. Manag. 2015, 52, 1012–1024.
- Chu, A.M.; Chau, P.Y.; So, M.K. Explaining the misuse of information systems resources in the workplace: A dual-process approach. J. Bus. Ethics 2015, 131, 209–225.
- Safa, N.S.; Maple, C.; Furnell, S.; Azad, M.A.; Perera, C.; Dabbagh, M.; Sookhak, M. Deterrence and prevention-based model to mitigate information security insider threats in organisations. Future Gener. Comput. Syst. 2019, 97, 587–597.
- Mikko, S.; Vance, A. Neutralization: New insights into the problem of employee information systems security policy violations. MIS Q. 2010, 34, 487–502.
- Kim, S.H.; Yang, K.H.; Park, S. An integrative behavioral model of information security policy compliance. Sci. World J. 2014, 2014, 463870.
- Willison, R.; Warkentin, M.; Johnston, A.C. Examining employee computer abuse intentions: Insights from justice, deterrence and neutralization perspectives. Inf. Syst. J. 2018, 28, 266–293.
- Moody, G.D.; Siponen, M.; Pahnila, S. Toward a unified model of information security policy compliance. MIS Q. 2018, 42, 285–302.
- Shadbad, F.N.; Biros, D. Technostress and its influence on employee information security policy compliance. Inf. Technol. People 2020, 2, 1–23.
- Vance, A.; Siponen, M.T.; Straub, D.W. Effects of sanctions, moral beliefs, and neutralization on information security policy violations across cultures. Inf. Manag. 2020, 57, 103212.
- Xu, Z.; Guo, K. It ain’t my business: A coping perspective on employee effortful security behavior. J. Enterp. Inf. Manag. 2019, 32, 824–842.
- Bansal, G.; Muzatko, S.; Shin, S.I. Information system security policy noncompliance: The role of situation-specific ethical orientation. Inf. Technol. People 2020, 34, 250–296.
- Li, Y.; Zhang, N.; Siponen, M. Keeping secure to the end: A long-term perspective to understand employees’ consequence-delayed information security violation. Behav. Inf. Technol. 2019, 38, 435–453.
- Cheng, L.; Li, Y.; Li, W.; Holm, E.; Zhai, Q. Understanding the violation of IS security policy in organizations: An integrated model based on social control and deterrence theory. Comput. Secur. 2013, 39, 447–459.
- Klein, R.H.; Luciano, E.M. What influences information security behavior? A study with Brazilian users. J. Inf. Syst. Technol. Manag. 2016, 13, 479–496.
- Johnston, A.C.; Warkentin, M.; McBride, M.; Carter, L. Dispositional and situational factors: Influences on information security policy violations. Eur. J. Inf. Syst. 2016, 25, 231–251.
- Jaeger, L.; Eckhardt, A.; Kroenung, J. The role of deterrability for the effect of multi-level sanctions on information security policy compliance: Results of a multigroup analysis. Inf. Manag. 2020, 1, 103318.
- Chen, L.; Zhen, J.; Dong, K.; Xie, Z. Effects of sanction on the mentality of information security policy compliance. Rev. Argent. Clínica Psicológica 2020, 29, 39–49.
- Da Veiga, A.; Astakhova, L.V.; Botha, A.; Herselman, M. Defining organisational information security culture—Perspectives from academia and industry. Comput. Secur. 2020, 92, 101713.
- Boss, S.R.; Kirsch, L.J.; Angermeier, I.; Shingler, R.A.; Boss, R.W. If someone is watching, I’ll do what I’m asked: Mandatoriness, control, and information security. Eur. J. Inf. Syst. 2009, 18, 151–164.
- Rogers, J.W.; Buffalo, M. Neutralization techniques: Toward a simplified measurement scale. Pac. Sociol. Rev. 1974, 17, 313–331.
- Lee, S.; Lee, M. An exploratory study on the information security culture indicator. Informatiz. Policy 2008, 15, 100–119.
- Myyry, L.; Siponen, M.; Pahnila, S.; Vartiainen, T.; Vance, A. What levels of moral reasoning and values explain adherence to information security rules? An empirical study. Eur. J. Inf. Syst. 2009, 18, 126–139.
- Robinson, S.L.; O’Leary-Kelly, A.M. Monkey see, monkey do: The influence of work groups on the antisocial behavior of employees. Acad. Manag. J. 1998, 41, 658–672.
- Thomas, J.G.; Griffin, R.W. The power of social information in the workplace. Organ. Dyn. 1989, 18, 63–75.
Authors | Sample Size | Category | Findings | Limitations |
---|---|---|---|---|
[26] | 51 articles | Component-based SLR | Information security awareness, culture, and management are critical factors for the assessment of information security policy compliance | |
[55] | 79 articles | Component-based SLR | Information security culture is a multidimensional component and essential for incorporating information security policy compliance (ISPC) behaviors in organizations | |
[25] | 43 articles | Component-based SLR | Information security management can enhance ISPC in higher education institutions | |
[56] | 39 articles | Component-based SLR | Management role should be considered to cultivate good ISPC in organizations | |
[13] | 60 articles | Theory-based SLR | Methodological and additional substantive issues are the reason for the inconsistent results of deterrence theory | |
[34] | 35 articles | Theory-based SLR | Deterrence theory (except sanction celerity) affects ISP compliance behavior, and deterrence effects vary with different cultures | |
[32] | 30 articles | Theory-based SLR | Protection motivation behaviors are critical for enhancing ISPC | |
[28] | 29 articles | Variable-based SLR | There were no clear winners of the most influencing variable or the theory for compliance or noncompliance | |
Keywords | Queries |
---|---|
Information security behavior | “Information security policy” OR “security policies” OR “policy compliance” AND “information security behavior” |
Information security policy compliance | “Information security behavioral compliance” AND “organizational ICT” OR “IT” |
ICT | “ICT policies OR security policy” AND “information security behavioral compliance” |
Organizational information security policy | “Organizational security policy” OR “regulations” OR “guidelines” OR “policies compliance” AND “information security behaviors” |
Information security policy | Employee OR user OR “staff information security policy compliance” AND “violations” OR “non-compliance behaviors” |
Information security policy behavioral compliance | “Information security policy compliance” OR “behavioral policy compliance” AND “information security behaviors” |
Information security policy noncompliance | “Information security policy non-compliance” OR “violations” AND “information security behaviors” |
Information security policy violations | “Information security policy violation” OR “deviance” OR “volitional security behavior” |
Data Bases | Search Engines |
---|---|
Scopus® by Elsevier B.V. | Google Scholar® by Google |
IEEE Xplore® Digital Library by IEEE | Yahoo!™ |
ScienceDirect® by Elsevier B.V. | RefSeek™ (privately held) |
Web of Science™ by Clarivate | |
AIS Electronic Library | |
ACM Digital Library | |
Authors | Research Method | Sample Size | Findings |
---|---|---|---|
[44] | Qualitative study; analytical grounded theory approach adopted | 19 semi-structured interviews from the US and Ireland | US employees have more adaptive behavior toward security policies and procedures than Irish employees. |
Authors | Research Method | Sample Size | Findings |
---|---|---|---|
[8] | A quantitative method for framework validation, SEM used for hypotheses testing | A total of 602 employees from different organizations participated | Intrinsic motivation model factors have better results than extrinsic motivation model factors on employees’ behavior towards ISP compliance |
[36] | Overview of behavior articles to develop a taxonomy of compliant information security behavior | Almost 35 studies on information security behavior reviewed | Intrinsic and extrinsic factors reviewed; extrinsic factors reviewed in detail. Extrinsic factors have a significant effect on ISB, but intrinsic factors need more exploration |
[59] | Quantitative research methodology adopted and PLS used for hypothesis testing | 444 respondents participated | Effects of external PLOC (perceived locus of causality) and internal PLOC examined; internal PLOC found to be more significant than external |
Authors | Research Method | Sample Size | Findings |
---|---|---|---|
[60] | Mixed-method research design; structural equation modeling used for framework testing | 275 usable responses collected from a university | Fear appeal, response efficacy, self-efficacy, and social influence have significant effects on information security behavior |
[14] | The quantitative research methodology adopted and SEM used for research model testing | 124 business managers and professionals participated | Self-efficacy, attitude toward compliance, subjective norms, response efficacy, and perceived vulnerability positively influence ISP behavioral compliance intentions of employees |
[61] | The hypothetical research design adopted (pre- and post-test), and SEM used for research model testing | 210 participants responded correctly from a Finnish organization | Past behavior (habit) has a significant effect on protection motivation and employees’ intentions to comply with ISP |
[37] | A six steps Mixed (Qualitative and Quantitative) Methodology adopted to develop a taxonomy for protection motivation behaviors (PMB) | 67 classes identified for the protection motivation behaviors of insiders | PMBs taxonomy will provide a nomenclature that will increase practitioners and academicians’ understanding of IS security behaviors |
[24] | The mixed research methodology adopted, and STATA software was used for model fitness and hypotheses testing | A total of 452 business and psychology students participated | For measuring protection motivation behaviors, researchers must use core and full constructs of protection motivation theory (PMT) |
[32] | Literature Review (Meta-Analysis) | A total of 30 research articles reviewed | PMT explains voluntary security behavior better than mandatory. PMT predicts better ISB if the threat and the coping process are specific, and PMT is a good predictor of ISB for individuals’ threats, not the organizational threats |
[62] | Mixed method approach used and PLS used for research model testing | 559 insiders participated from the city government of Finland | Enhanced fear appeal with PMT has better results on ISPC |
[54] | The longitudinal research design was adopted. PLS is used for data and model testing | 253 valid responses were collected | Self-efficacy, perceived threat severity, and perceived threat susceptibility significantly affect employees’ continued protective behaviors |
[63] | The quantitative research design adopted; SEM used for model and hypothesis testing | 377 usable responses from the public and private organizations | Psychological capital has positive effects on employees’ protective motivated behaviors |
[64] | Mixed method research with multidimensional scaling analysis | Seven expert interviews and 279 computer users participated | Users perform multiple security behaviors to deal with security threats. Response efficacy and response cost help users to choose security protection behaviors |
[65] | The quantitative research methodology adopted; regression is used for data and model testing | 526 employees participated | Along with additional parameters, PMT’s threat appraisal was less predictive than coping appraisal to detect employees’ intent to engage in antimalware behaviors |
[66] | Quantitative study design and SEM used for results analysis | 70 responses collected from IT personnel in New Zealand | Perceived impact and self-efficacy have positive effects on intention to practice information security |
[45] | Scenario-based quantitative study design. PLS used for model testing | 261 participants from a university | Dimensions of moral intensity and organization criticality have significant effects on insiders’ protection behaviors |
[27] | Quantitative study. SEM used for model and hypothesis testing | 206 correct responses were collected from the higher education sector | PMT is the best predictor of employees’ behavior towards ISPC in the higher education sector |
[67] | Quantitative research design | 433 employees participated in this study | Self-efficacy and morality are the most influential factors of ISB. |
Authors | Research Method | Sample Size | Findings |
---|---|---|---|
[16] | Qualitative study | 47 semi-structured interviews conducted | Different modes of behavior affect information security culture differently in organizations |
[49] | Quantitative study. SEM used for model testing | 148 responses collected from a public university | Top management can cultivate good security culture, and a security culture helps shape employees’ behavior towards ISPC |
[68] | Mixed-method research methodology adopted. SPSS is used for descriptive analysis, and PLS is used for data analysis. | 513 responses were collected from 4 Finnish firms | Different levels of ISP knowledge influence information security behavioral compliance |
[46] | A quantitative study, PLS used for hypothesis testing | 127 correct responses were collected from various organizations | Security culture and organizational behavior are the vital drivers of ISPC |
[47] | Mixed methodology adopted. Data and model tested with SEM | 212 IS experts and professionals participated from different Malaysian firms | Security awareness, organizational security policy, threat appraisal, and self-efficacy positively affect employees’ information security-conscious care behaviors |
[17] | The quantitative research methodology was adopted, and the model was tested with PLS. | 535 usable responses collected from a university | Attitude and intention are significant predictors of actual early compliance behavior towards ISP |
[33] | Systematic literature review | A total of 32 articles and eight professional frameworks were analyzed regarding users’ competencies associated with ISP compliance | Professional frameworks fail to recommend competencies associated with ISP compliance |
Authors | Research Method | Sample Size | Findings |
---|---|---|---|
[48] | The mixed research methodology adopted, case study, and qualitative analysis | Seven semi-structured interviews conducted with crucial personnel (managers and operational staff) | An organization’s existing culture and management discipline and agility shape different types of information security behaviors |
[69] | Quantitative research methodology and structural equation modeling used | 162 employees participated in multiple Korean organizations. | Organizational norms, moral obligations, and attitude toward the computer and security behavior have significant effects on employees’ behavioral intentions |
[70] | The quantitative research methodology was adopted. SPSS used for data analysis | 42 employees participated from the health sector | Leadership, management, user’s awareness, and training significantly affect information security compliant behavior |
[71] | The quantitative research methodology was used. SEM used for hypotheses testing. | 454 health personnel participated | Management and security awareness have significant effects on ISB. Furthermore, employee experience is a crucial factor and has much significance towards ISB of health employees |
[72] | Pre- and post-tested quantitative research design. Covariant-based SEM used for research model testing | 317 correct responses from the department of defense USA | Employees’ status (hierarchical rank) significantly affects the perceived behavioral control over tailgating behaviors. |
[73] | Pre and post-test quantitative methodology used. PLS is used for data and research model analysis | 213 total responses were collected from two groups (supervisors and supervisee) | The psychological contract is an essential factor, and it affects ISP compliance intention significantly |
[74] | The quantitative research approach adopted and PLS used for data and hypothesis analysis | 162 employees participated from South Korea | Moral corporate social responsibility and RCT factors have significant effects on ISP compliance behavior |
[75] | The quantitative research methodology was adopted. SEM used for model testing | 525 employees from the telecommunication sector | Information security monitoring and social learning factors significantly affect employees’ security assurance behavior |
[76] | Quantitative study; PLS used for results analysis | 619 usable responses collected | Employment status affects ISP compliance behavior of employees |
[77] | Quantitative research methodology. PLS used for hypothesis and model testing | A final sample of 404 respondents | Organizational inertia and individual inertia have significant effects on shadow IT security behavior |
[78] | Quantitative study | 237 employees from a university participated | Leadership, belief, values, and ISP awareness are positively associated with ISPC |
[22] | Empirical quantitative study | 235 government employees from China participated | Supervisors’ support enhances organizational commitment, which has positive effects on employees’ compliance behaviors |
Authors | Research Method | Sample Size | Findings |
---|---|---|---|
[89] | Quantitative research methodology adopted, and SPSS used for instrument validation and regression analysis | 400 participants from the Malaysian army | Social and individual factors have positive effects on information security compliant behavior |
[82] | The quantitative research methodology used, SEM used for hypotheses testing and data analysis. | 68 employees of different firms responded | Social, cognitive, and psychological factors influence information security behavior towards ISP |
[83] | The qualitative research methodology adopted | A total of 33 semi-structured interviews (22 from insiders and 11 from security professionals) conducted from different sectors of the US | Insiders adopt behaviors from social influence; they depend on knowledge from one another |
[41] | Quantitative research methodology with SEM testing. | 217 employees and 78 IS managers participated from 78 different organizations in Taiwan | Extrarole behaviors and in-role behaviors have significant effects on ISP effectiveness |
[84] | The quantitative research methodology adopted, and PLS is used for data testing | 201 employees participated | ISP-related personal norms have positive effects on information security compliance behavior |
[85] | Quantitative method used for research. SEM used for data and hypothesis testing | 462 correct responses were collected from four different firms in Malaysia | Social bonding with an extending view of involvement has positive effects on ISPC behavior |
[86] | The mixed-method research methodology was adopted. SEM used for model and data testing | 518 correct responses were collected | Situational Crime Prevention Theory (SCPT) and Social Bond Theory (SBT) components significantly affect insiders’ (employee) attitude towards misbehavior except for attachment and reducing provocations |
[87] | Quantitative research methodology adopted. PLS used for result analysis | 253 responses collected from organizations in China | PO fit has positive effects on employees’ extrarole security behavior and adverse effects on apathy |
[88] | Quantitative study design | 122 females and 124 males participated | Rules-oriented ethical climate and susceptibility weaken the effect of regulatory factors towards ISPC |
[3] | Mixed method research design | 254 Malaysian employees participated | Good organizational governance can enhance employees’ social bonding, which later improves ISPC |
Authors | Research Method | Sample Size | Findings |
---|---|---|---|
[15] | Quantitative study. SPSS and Amos were used for model and data testing. | 917 usable responses collected | Deterrence and intention are the best predictors of actual compliance behavior towards ISP |
[90] | The quantitative methodology used and research model tested with partial least squares | Randomly selected persons from different firms having more than 500 employees—exact number of participants not mentioned | The difference between intended information security behavior and actual security behavior is addressed in this study. Intended behavior does have a significant effect on actual behavior |
[35] | Literature review | A composite theoretical information security behavioral compliance model developed with the help of previous studies | Attitude, perceived behavioral control, organizational commitment, and subjective norms have significant effects on behavioral intent |
[91] | Quantitative research methodology used. SEM used for model and hypotheses testing | 387 usable responses collected from SMEs in Malaysia | Intentions of employees depend upon theory of planned behavior (TPB) predictors and dysfunctional IS behaviors |
[92] | The quantitative research methodology adopted, and PLS is used for hypothesis testing | 208 computer users participated via a web-based survey | The intention is not the only predictor of actual behavior |
[93] | Quantitative study design SEM used for results analysis | 444 correct responses considered | SCPT and GDT have significant effects on the insider’s negative attitude towards misbehavior |
Authors | Research Method | Sample Size | Findings |
---|---|---|---|
[94] | The quantitative research methodology was adopted. SEM is used for model testing. | 1449 employees participated | Neutralization is a significant predictor of employees’ intention to violate ISP. |
[95] | The quantitative methodology was adopted. SPSS used for data analysis; PLS used for hypothesis testing | 179 employees from 10 different industries participated | Neutralization techniques should be considered when designing an ISPC model. Attitude and response efficacy are also helpful. Self-efficacy was not found to be effective. |
[20] | Quantitative method used. SEM is used for results and analysis | 539 usable responses collected from computer-using professionals in different organizations | The stress of security requirements leads to moral disengagement, which increases violating ISB. |
[52] | The quantitative research methodology was adopted. SEM is used for hypothesis and model testing | 415 usable responses were collected from manufacturing and services firms | Noncompliance behaviors of peers, work impediments, and security system anxiety are the causes of noncompliance with ISP. |
[96] | A scenario-based quantitative study. SPSS and PROC MIXED used for hypothesis and data testing | 968 complete responses collected | Procedural, organizational injustice causes computer abuse behavior; sanction certainty reduces injustice effect and intention to abuse ISP. |
[97] | Mixed method research design | 924 Finnish employees participated. | Neutralization was found to be a significant predictor of reactance towards ISPC. |
[12] | Experience sampling method adopted. Hierarchical linear modeling used for results analysis | 138 accurate responses collected | Stress-related security requirements cause fatigue and frustration, which later on relate to neutralization. Moreover, neutralization has a negative behavioral effect on ISP compliance. |
[11] | ESM research design adopted. HLM is used for results and analysis. | 77 recruited participants filled surveys correctly | Work impediment, positive affect, negative affect, and computer monitoring influence compliance behavior’s daily compliance attitude. |
[98] | Quantitative study design | 356 employees from the IT industry participated | Technostress is positively associated (direct and indirect) with perceived strain and intention to violate ISP |
[51] | Quantitative research. PLS used for Hypothesis testing | 393 employees from different organizations | Neutralization and beliefs have significant effects on employees’ noncompliance. |
[99] | Scenario-based quantitative study design. PLS used for result analysis. | 615 employees from 48 countries. | National culture does not affect deterrence. Shame, neutralization, and moral beliefs have significant effects on ISP noncompliance intention of employees from all cultures. |
[101] | Quantitative study design | 120 females and 101 males participated in this study | Gender has no effects on ISP noncompliance; however, rewards and punishments are dependent upon the situation-specific ethical orientation |
Authors | Research Method | Sample Size | Findings |
---|---|---|---|
[39] | Pre and post-test quantitative research methodology. SEM used for results and analysis | 500 employees participated from different organizations | Task completion impediments significantly influence employees’ noncompliance behavior towards ISP. |
[42] | Qualitative study design and results analysis conducted with NVivo 11. | A total of 55 semi-structured interviews conducted | The value of information is a determinant of users’ compliant behavior. |
[40] | The quantitative research methodology used and PLS used for results and analysis | 275 correct responses considered | IT vision conflict influences perceived severity and attitude towards ISP noncompliance behavior. |
[101] | Quantitative research methodology. PLS used for hypothesis testing | 223 usable responses collected | Perceived externalities and triage are the leading causes for less effortful behavior of employees towards information security. |
[102] | Pre and post-test quantitative methodology adopted. PLS used for hypothesis testing. | 170 usable responses from a global firm | Long-term orientation ISB discourages consequence-delayed information security violation intention. |
Authors | Research Method | Sample Size | Findings |
---|---|---|---|
[13] | Literature review | 60 articles reviewed on deterrence theory | Methodological and additional substantive issues are the reason for the inconsistent results of deterrence theory |
[104] | Pre and post-test quantitative research methodology used for instrument validation, while PLS used for hypotheses and data analysis | Data from a total of 185 employees tested | Deterrence, social bonds, and social pressures play a vital role in preventing ISSP violation behaviors |
[105] | The quantitative research methodology adopted | 112 correct responses collected | Susceptibility of the threat, the severity of the threat, certainty of detection, punishment severity and satisfaction have positive effects on secure ISB |
[106] | The mixed-method research methodology used, and PLS is used for data and hypothesis testing | 317 correct responses were collected | Different personality traits have significant effects on ISP violating behavior |
[38] | The quantitative research methodology was adopted. Covariant-based SEM used for research model testing. | 239 employees participated from the US department of defense | Rational use of sanctions creates attitude-dependent ISB. Attitude developed by sanction threats is biased by previous punishment experience |
[23] | Quantitative research design. PLS used for model testing | 139 employees from 10 different organizations | Deterrence factors shape employees’ norms, which influence behavioral resistance towards ISP compliance |
[34] | A meta-analysis (literature review) | A total of 35 studies analyzed | (1) Deterrence theory (except sanction celerity) affects ISP compliance behavior (2) deterrence effects vary with different cultures |
[107] | Quantitative research method | 311 public sector employees participated | Information security awareness positively influences inclined employees personally and declined employees’ formal and social sanctions |
[108] | Scenario-based quantitative study | 320 Chinese employees participated | Sanction severity, celerity, and certainty can reduce ISP violations |
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Ali, R.F.; Dominic, P.D.D.; Ali, S.E.A.; Rehman, M.; Sohail, A. Information Security Behavior and Information Security Policy Compliance: A Systematic Literature Review for Identifying the Transformation Process from Noncompliance to Compliance. Appl. Sci. 2021, 11, 3383. https://doi.org/10.3390/app11083383