Identifying Factors of Non-Compliance, Compliance with Information Security Policy, and Behavior Change to Compliance: Literature Review

Ayman Hasan Asfoor, Hairoladenan Kasim, Aliza Binti Abdul Latif, Rina Azlin Razali, Zul-Azri Ibrahim, Abdelsalam Shanneb

Abstract

This paper aims to build a process model that converts employees' non-compliance with information security policy into compliance. The authors evaluated articles that studied the association between information security behavior and information security policy compliance (ISPC), applying a grounded-theory approach to this comprehensive literature review. The approach lets researchers study issues in both depth and breadth through five main steps: define, search, select, analyze, and display. The ISPC literature places greater emphasis on compliance than on non-compliance. The reviewed studies attribute non-compliance to value conflicts, security-related stress, and neutralization. This review identified 22 studies that met its inclusion criteria. Compliance was found to be driven by internal and external motives as well as by protection-related motives. Employees' social circle, management, and organizational culture motivate them to be security-aware, and deterrence strategies, managerial practices, culture, and information security awareness help staff adhere to the rules. Information security is jeopardized when employees do not value ISPC. ISPC studies usually treat compliance and non-compliance as distinct outcomes, and the literature lacks a complete understanding of the factors that move employees from non-compliance to compliance. We therefore conducted a systematic literature review of research on information security behavior toward ISPC over the last decade, covering the research frameworks, research designs, and research methodologies used. The review has implications for information security behavior research and details a behavior-change technique: understanding how non-compliance converts into compliance helps security professionals comprehend employee non-compliance and support employees in complying. Prior research indicates that most security professionals develop information security policies generically, which leads to non-compliance, and most researchers agree that information security policies should be organization-specific. This study explored significant compliance and non-compliance characteristics to help design such policies.

Keywords: information security policy, information security policy compliance, non-compliance, information security behavior, systematic literature review.

https://doi.org/10.55463/issn.1674-2974.49.12.28

