TY - JOUR
T1 - Information security policy compliance behavior models, theories, and influencing factors
T2 - A systematic literature review
AU - Kuppusamy, Puspadevi
AU - Samy, Ganthan Narayana
AU - Maarop, Nurazean
AU - Shanmugam, Bharanidharan
AU - Perumal, Sundresan
PY - 2022/3/15
Y1 - 2022/3/15
AB - The paper aims to identify information security policy compliance behavior models, their respective theories, and influencing factors. This is the first and most current comprehensive systematic review of information security policy compliance models, theories, and influencing factors. A systematic review of empirical studies from twelve online databases was conducted. This review resulted in thirty-two (32) information security policy compliance behavior models proposed in different domains comprising various theories, concepts, and influencing factors. The results showed the importance of this issue among researchers, and a major limitation found was generalizability. Twenty (20) primary theories were extracted from the identified studies, and the theory of planned behavior and the protection motivation theory were found to be the most trusted and reliable theories in information security policy compliance behavior models. Further analyses identified sixty (60) influencing factors and their alternative names and definitions. The most promising factors (high usage) of importance, in descending order, are subjective norms, self-efficacy, attitudes, perceived benefits, threat vulnerability, threat severity, response efficacy, response cost, and experience. Besides that, factors such as self-efficacy, attitude, perceived benefit, threat severity, response efficacy, sanction severity, personal norms, experience, and training support were found and proved to be positively associated with the intention of compliance and are considered robust for increasing information security compliance intention behavior. The results of this research can offer valuable information to fellow researchers by listing the models, their limitations, theories that are trustable, and influencing factors that are critical for building a better model in the future.
KW - Information Security Policy, Cybersecurity Policy
KW - Security Behavior
KW - Security Compliance
KW - Systematic Literature Review
UR - http://www.scopus.com/inward/record.url?scp=85127473253&partnerID=8YFLogxK
M3 - Review article
AN - SCOPUS:85127473253
SN - 1992-8645
VL - 100
SP - 1536
EP - 1557
JO - Journal of Theoretical and Applied Information Technology
JF - Journal of Theoretical and Applied Information Technology
IS - 5
ER -