Abstract
A major stream of research within the field of information systems security examines the use of organizational policies that specify how users of information and technology resources should behave in order to prevent, detect, and respond to security incidents. However, this growing (and at times, conflicting) body of research has made it challenging for researchers and practitioners to comprehend the current state of knowledge on the formation, implementation, and effectiveness of security policies in organizations. Accordingly, the purpose of this paper is to synthesize what we know and what remains to be learned about organizational information security policies, with an eye toward a holistic understanding of this research stream and the identification of promising paths for future study. We review 114 influential security policy-related journal articles and identify five core relationships examined in the literature. Based on these relationships, we outline a research framework that synthesizes the construct linkages within the current literature. Building on our analysis of these results, we identify a series of gaps and draw on additional theoretical perspectives to propose a revised framework that can be used as a basis for future research.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Aksulu A and Wade M (2010) A comprehensive review and synthesis of open source research. Journal of the Association for Information Systems 11(11), 576–656.
Al-Mukahal HM and Alshare K (2015) An examination of factors that influence the number of information security policy violations in qatari organizations. Information and Computer Security 23(1), 102–118.
Albrechtsen E (2007) A qualitative study of user’s view on information security. Computers and Security 26(4), 276–289.
Alter S (2008a) Defining information systems as work systems: Implications for the IS field. European Journal of Information Systems 17(5), 448–469.
Alter S (2008b) Service system fundamentals: Work system, value chain, and life cycle. IBM Systems Journal 47(1), 71–85.
Alter S (2013) Work system theory: Overview of core concepts, extensions, and challenges for the future. Journal of the Association for Information Systems 14(2), 72–121.
Anderson CL and Agarwal R (2010) Practicing safe computing: A multimethod empirical examination of home computer user security behavioral intentions. MIS Quarterly 34(3), 613–643.
Angst C, Block E, D’arcy J and Kelley K (2017) When do IT security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches. MIS Quarterly Forthcoming.
Aurigemma S and Leonard L (2015) The influence of employee affective organizational commitment on security policy attitudes and compliance intentions. Journal of Information System Security 11(3), 201–222.
Backhouse J, Hsu CW and Silva L (2006) Circuits of power in creating de jure standards: Shaping an international information systems security standard. MIS Quarterly 30(Special Issue), 413–438.
Bandara W, Furtmueller E, Gorbacheva E, Miskon S and Beekhuyzen J (2015) Achieving rigor in literature reviews: Insights from qualitative data analysis and tool-support. Communications of the Association for Information Systems 34(8), 154–204.
Banerjee D, Cronan TP and Jones TW (1998) Modeling IT ethics: A study in situational ethics. MIS Quarterly 22(1), 31–60.
Barlow JB, Warkentin M, Ormond D and Dennis AR (2013) Don’t make excuses! Discouraging neutralization to reduce IT policy violation. Computers and Security 39(Part B), 145–159.
Basin D, Jugé V, Klaedtke F and Zălinescu E (2013) Enforceable security policies revisited. ACM Transactions on Information and System Security 16(1), 1–26.
Baskerville R, Park EH and Kim J (2014) An emote opportunity model of computer abuse. Information Technology and People 27(2), 155–181.
Baskerville R and Siponen M (2002) An information security meta-policy for emergent organizations. Logistics Information Management 15(5/6), 337–346.
Bauer JM and Van Eeten MJG (2009) Cybersecurity: Stakeholder incentives, externalities, and policy options. Telecommunications Policy 33(10–11), 706–719.
Bauer L, Ligatti J and Walker D (2009) Composing expressive runtime security policies. ACM Transactions on Software Engineering and Methodology 18(3), 1–43.
Bijlsma-Frankema KM and Costa AC (2010) Consequences and antecedents of managerial and employee legitimacy interpretations of control: A natural open system approach. In Organizational Control (SITKIN SB, CARDINAL LB and BIJLSMA-FRANKEMA KM, Eds), pp 396–433, Cambridge University Press, Cambridge.
Boss SR, Galletta D, Moody GD, Lowry PB and Polak P (2015) What do users have to fear? Using fear appeals to engender threats and fear that motivate protective behaviors in users. MIS Quarterly 39(4), 837–864.
Boss SR, Kirsch LJ, Angermeier I, Shingler RA and Boss RW (2009) If someone is watching, I’ll do what I’m asked: Mandatoriness, control, and information security. European Journal of Information Systems 18(2), 151–164.
Bulgurcu B, Cavusoglu H and Benbasat I (2010) Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly 34(3), 523–548.
Burns AJ, Roberts TL, Posey C and Lowry PB (2017) Examining the influence of organisational insiders’ psychological capital on information security threat and coping appraisals. Computers in Human Behavior 68, 190–209.
Burton-Jones A, Mclean ER and Monod E (2015) Theoretical perspectives in IS research: From variance and process to conceptual latitude and conceptual fit. European Journal of Information Systems 24(6), 664–679.
Cairney P (2013) Standing on the shoulders of giants: How do we combine the insights of multiple theories in public policy studies? The Policy Studies Journal 41(1), 1–21.
Chan M, Woon I and Kankanhalli A (2005) Perceptions of information security in the workplace: Linking information security climate to compliant behavior. Journal of Information Privacy and Security 1(3), 18–41.
Chatterjee S, Sarker S and Valacich JS (2015) The behavioral roots of information systems security: Exploring key factors related to unethical IT use. Journal of Management Information Systems 31(4), 49–87.
Chen Y, Ramamurthy K and Wen K-W (2012) Organizations’ information security policy compliance: Stick or carrot approach? Journal of Management Information Systems 29(3), 157–188.
Chen Y, Ramamurthy K and Wen K-W (2015) Impacts of comprehensive information security programs on information security culture. The Journal of Computer Information Systems 55(3), 11–19.
Chen Y and Zahedi FM (2016) Individuals’ internet security perceptions and behaviors: Polycontextual contrasts between the United States and China. MIS Quarterly 40(1), 205–222.
Cheng L, Li Y, Li W, Holm E and Zhai Q (2013) Understanding the violation of IS security policy in organizations: An integrated model based on social control and deterrence theory. Computers and Security 39, 447–459.
Choudhury V and Sabherwal R (2003) Portfolios of control in outsourced software development projects. Information Systems Research 14(3), 291–314.
Chu AMY, Chau PYK and So MKP (2015) Developing a typological theory using a quantitative approach: A case of information security deviant behavior. Communications of the AIS 37(25), 510–535.
Chu MY, So MKP and Chung RSW (2016) Applying the randomized response technique in business ethics research: The misuse of information systems resources in the workplace. Journal of Business Ethics Online Early, 1–18.
Chua CEH, Lim W-K, Soh C and Sia SK (2012) Enacting clan control in complex IT projects: A social capital perspective. MIS Quarterly 36(2), 577–600.
Cram WA, Brohman MK and Gallupe RB (2016a) Hitting a moving target: A process model of information systems control change. Information Systems Journal 26(3), 195–226.
Cram WA, Brohman MK and Gallupe RB (2016b) Information systems control: A review and framework for emerging information systems. Journal of the Association for Information Systems 17(4), 216–266.
Cronan TP and Douglas DE (2006) Toward a comprehensive ethical behavior model for information technology. Journal of Organizational and End User Computing 18(1), 1–11.
Crossler RE and Bélanger F (2009) The effects of security education training and awareness programs and individual characteristics on end user security tool usage. Journal of Information System Security 5(3), 3–22.
Crossler RE, Johnston AC, Lowry PB, Hu Q, Warkentin M and Baskerville R (2013) Future directions for behavioral information security research. Computers and Security 32, 90–101.
Crossler RE, Long JH, Loraas TM and Trinkle BS (2014) Understanding compliance with bring your own device policies utilizing protection motivation theory: Bridging the intention-behavior gap. Journal of Information Systems 28(1), 209–226.
Culnan MJ and Williams CC (2009) How ethics can enhance organizational privacy: Lessons from the Choicepoint and TJX data breaches. MIS Quarterly 33(4), 673–687.
Cuppens F, Cuppens-Boulahia N and Elrakaiby Y (2013) Formal specification and management of security policies with collective group obligations. Journal of Computer Security 21(1), 149–190.
D’arcy J and Devaraj S (2012) Employee misuse of information technology resources: Testing a contemporary deterrence model. Decision Sciences 43(6), 1091–1124.
D’arcy J and Greene G (2014) Security culture and the employment relationship as drivers of employees’ security compliance. Information Management and Computer Security 22(5), 474–489.
D’arcy J and Herath T (2011) A review and analysis of deterrence theory in the IS security literature: Making sense of the disparate findings. European Journal of Information Systems 29(6), 643–658.
D’arcy J, Herath T and Shoss MK (2014) Understanding employee responses to stressful information security requirements: A coping perspective. Journal of Management Information Systems 31(2), 285–318.
D’arcy J and Hovav A (2007) Deterring internal information systems abuse. Communications of the ACM 50(10), 113–117.
D’arcy J, Hovav A and Galletta D (2009) User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research 20(1), 79–98.
David J (2002) Policy enforcement in the workplace. Computers and Security 21(6), 506–513.
Davis RC (1940) Industrial Organization and Management. Harper, New York.
Dhillon G (1997) Managing Information Security. Macmillan, London.
Dhillon G and Backhouse J (2000) Information system security management in the new millennium. Communications of the ACM 43(7), 125–128.
Dhillon G and Backhouse J (2001) Current directions in IS security research: Towards socio-organizational perspectives. Information Systems Journal 11(2), 127–153.
Di Modica G and Tomarchio O (2016) Matchmaking semantic security policies in heterogeneous clouds. Future Generation Computer Systems 55, 176–185.
Dimaggio PJ (1988) Interest and agency in institutional theory. In Institutional patterns and organizations (ZUCKER LG, Ed), pp 3–21, Ballinger, Cambridge.
Dinev T, Goo J, Hu Q and Nam K (2009) User behaviour towards protective information technologies: The role of national cultural differences. Information Systems Journal 19(4), 391–412.
Dinev T and Hu Q (2007) The centrality of awareness in the formation of user behavioral intention toward protective information technologies. Journal of the Association for Information Systems 8(7), 386–408.
Doherty NF, Anastasakis L and Fulford H (2009) The information security policy unpacked: A critical study of the content of university policies. International Journal of Information Management 29(6), 449–457.
Doherty NF and Fulford H (2005) Do information security policies reduce the incidence of security breaches: An exploratory analysis. Information Resources Management Journal 18(4), 21–39.
Doherty NF and Fulford H (2006) Aligning the information security policy with the strategic information systems plan. Computers and Security 25(1), 55–63.
Eisenhardt KM (1985) Control: Organizational and economic approaches. Management Science 31(2), 134–149.
Eisenhardt KM (1989) Agency theory: An assessment and review. Academy of Management Review 14(1), 57–74.
Evanschitzky H and Armstrong JS (2013) Research with in-built replications: Comment and further suggestions for replication research. Journal of Business Research 66(9), 1406–1408.
Flamholtz EG, Das TK and Tsui AS (1985) Toward and integrative framework of organizational control. Accounting, Organizations and Society 10(1), 35–50.
Flowerday SV and Tuyikeze T (2016) Information security policy development and implementation: The what, how and who. Computers and Security 61, 169–183.
Foley SN and Fitzgerald WM (2011) Management of security policy configuration using a semantic threat graph approach. Journal of Computer Security 19(3), 567–605.
Foth M (2016) Factors influencing the intention to comply with data protection regulations in hospitals: Based on gender differences in behaviour and deterrence. European Journal of Information Systems 25(2), 91–109.
Fulford H and Doherty NF (2003) The application of information security policies in large UK-based organizations: An exploratory investigation. Information Management & Computer Security 11(3), 106–114.
Gaunt N (1998) Installing an appropriate information security policy. International Journal of Medical Informatics 49(1), 131–134.
Goel S and Chengalur-Smith IN (2010) Metrics for characterizing the form of security policies. Journal of Strategic Information Systems 19(4), 281–295.
Goo J, Yim M-S and Kim DJ (2014) A path to successful management of employee security compliance: An empirical study of information security climate. IEEE Transactions on Professional Communication 57(4), 286–308.
Gopal A and Gosain S (2010) The role of organizational controls and boundary spanning in software development outsourcing: Implications for project performance. Information Systems Research 21(4), 1–23.
Grahlmann KR, Helms RW, Hilhorst C, Brinkkemper S and Van Amerongen S (2012) Reviewing enterprise content management: A functional framework. European Journal of Information Systems 21(3), 268–286.
Gregory RW, Beck R and Keil M (2013) Control balancing in information systems development offshoring projects. MIS Quarterly 37(4), 1211–1232.
Gritzalis D (1997) A baseline security policy for distributed healthcare information systems. Computers and Security 16(8), 709–719.
Guo KH (2013) Security-related behavior in using information systems in the workplace: A review and synthesis. Computers and Security 32, 242–251.
Guo KH and Yuan Y (2012) The effects of multilevel sanctions on information security violations: A mediating model. Information and Management 49(6), 320–326.
Guo KH, Yuan Y, Archer NP and Connelly CE (2011) Understanding nonmalicious security violations in the workplace: A composite behavior model. Journal of Management Information Systems 28(2), 203–236.
Han J, Kim YJ and Kim H (2017) An integrative model of information security policy compliance with psychological contract: Examining a bilateral perspective. Computers and Security 66, 52–65.
Harrington SJ (1996) The effect of codes of ethics and personal denial of responsibility on computer abuse judgements and intentions. MIS Quarterly 20(3), 257-278.
Hassan NR (2014) Useful products in theorizing for information systems. In Thirty Fifth International Conference on Information Systems pp 1–21, Auckland.
Hassan NR and Lowry PB (2015) Seeking middle-range theories in information systems research. In Thirty Sixth International Conference on Information Systems pp 1–19, Fort Worth.
Hedström K, Kolkowska E, Karlsson F and Allen J (2011) Value conflicts for information security management. Journal of Strategic Information Systems 20(4), 373–384.
Helson R, Jones C and Kwan VSY (2002) Personality change over 40 years of adulthood: Hierarchical linear modeling analyses of two longitudinal samples. Journal of Personality and Social Psychology 83(3), 752–766.
Herath T, Chen R, Wang J, Banjara K, Wilbur J and Rao HR (2014) Security services as coping mechanisms: An investigation into user intention to adopt an email authentication service. Information Systems Journal 24(1), 61–84.
Herath T and Rao HR (2009a) Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems 47(2), 154–165.
Herath T and Rao HR (2009b) Protection motivation and deterrence: A framework for security policy compliance in organisations. European Journal of Information Systems 18(2), 106–125.
Hicks B, Rueda S, St. Clair L, Jaeger T and Mcdaniel P (2010) A logical specification and analysis for SELinux MLS policy. ACM Transactions on Information and System Security 13(3), 1–31.
Hofstede G (1978) The poverty of management control philosophy. Academy of Management Review 3(3), 450–461.
Höne K and Eloff JHP (2002a) Information security policy—what do international information security standards say? Computers and Security 21(5), 402–409.
Höne K and Eloff JHP (2002b) What makes an effective information security policy? Network Security 20(6), 14–16.
Hong K-S, Chi Y-P, Chao LR and Tang J-H (2006) An empirical study of information security policy on information security elevation in Taiwan. Information Management and Computer Security 14(2), 104–115.
Horcas J-M, Pinto M, Fuentes L, Mallouli W and Montes de Oca E (2016) An approach for deploying and monitoring dynamic security policies. Computers and Security 58, 20–38.
Hovav A and D’arcy J (2012) Applying an extended model of deterrence across cultures: An investigation of information systems misuse in the US and South Korea. Information and Management 49(2), 99–110.
Hsu JS-C, Shih S-P, Hung YW and Lowry PB (2015) The role of extra-role behaviors and social controls in information security policy effectiveness. Information Systems Research 26(2), 282–300.
Hu Q, Dinev T, Hart P and Cooke D (2012) Managing employee compliance with information security policies: The critical role of top management and organizational culture. Decision Sciences 43(4), 615–659.
Hu Q, West R and Smarandescu L (2015) The role of self-control in information security violations: Insights from a cognitive neuroscience perspective. Journal of Management Information Systems 31(4), 6–48.
Hu Q, Xu Z, Dinev T and Ling H (2011) Does deterrence work in reducing information security policy abuse by employees? Communications of the ACM 54(6), 54–60.
Hwang I, Kim D, Kim T and Kim S (2017) Why not comply with information security? An empirical approach for the causes of non-compliance. Online Information Review 41(1), 2–18.
Ifinedo P (2012) Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers and Security 31(1), 83–95.
Ifinedo P (2014) Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Information and Management 51(1), 69–79.
Ifinedo P (2016) Critical times for organizations: What should be done to curb workers’ noncompliance with IS security policy guidelines? Information Systems Management 33(1), 30–41.
International Organization For Standardization (2016) ISO/IEC 27000:2016. https://www.iso.org, accessed 30 January 2016.
Jaffee D (1991) Organization Theory: Tension and Change. McGraw-Hill, New York.
Jajodia S, Samarati P, Sapino ML and Subrahmanian VS (2001) Flexible support for multiple access control policies. ACM Transactions on Database Systems 26(2), 214–260.
Jensen M and Meckling W (1976) Theory of the firm: Managerial behavior, agency costs, and ownership structure. Journal of Financial Economics 3(4), 305–360.
Johnston AC and Warkentin M (2010a) Fear appeals and information security behaviors: An empirical study. MIS Quarterly 34(3), 549–566.
Johnston AC and Warkentin M (2010b) The influence of perceived source credibility on end user attitudes and intentions to comply with recommended IT actions. Journal of Organizational and End User Computing 22(3), 1–21.
Johnston AC, Warkentin M, Mcbride M and Carter L (2016) Dispositional and situational factors: Influences on information security policy violations. European Journal of Information Systems 25(3), 231–251.
Johnston AC, Warkentin M and Siponen M (2015) An enhanced fear appeal rhetorical framework: Leveraging threats to the human asset through sanctioning rhetoric. MIS Quarterly 39(1), 113–134.
Johnston AC, Wech B and Jack E (2013) Engaging remote employees: The moderating role of “remote” status in determining employee information security policy awareness. Journal of Organizational and End User Computing 25(1), 1–23.
Kadam AW (2007) Information security policy development and implementation. Information Systems Security 16(5), 246–256.
Kankanhalli A, Teo H-H, Tan BCY and Wei K-K (2003) An integrative study of information systems security effectiveness. International Journal of Information Management 23(2), 139–154.
Karjalainen M and Siponen M (2011) Toward a new meta-theory for designing information systems (IS) security training approaches. Journal of the Association for Information Systems 12(8), 518–555.
Karlsson F, Åström J and Karlsson M (2015) Information security culture—state-of-the-art review between 2000 and 2013. Information and Computer Security 23(3), 246–285.
Karyda M, Kiountouzis E and Kokolakis S (2005) Information systems security policies: A contextual perspective. Computers and Security 24(3), 246–260.
Khoury R and Tawbi N (2012) Corrective enforcement: A new paradigm of security policy enforcement by monitors. ACM Transactions on Information and System Security 15(2), 1–27.
Kiel JM, Ciamacco FA and Steines BT (2016) Privacy and data security: HIPAA and HITECH. In Healthcare information management systems (WEAVER CA, BALL MJ, KIM GR and KIEL JM, Eds), pp 437–449, Springer, New York.
Kim J, Park EH and Baskerville R (2016) A model of emotion and computer abuse. Information and Management 53(1), 91–108.
King NJ and Raja VT (2012) Protecting the privacy and security of sensitive customer data in the cloud. Computer Law and Security Review 28(3), 308–319.
King WR and He J (2005) Understanding the role and methods of meta-analysis in IS research. Communications of the Association for Information Systems 16(32), 665–696.
Kirsch LJ (1997) Portfolios of control modes and IS project management. Information Systems Research 8(3), 215–239.
Kirsch LJ, Ko D-G and Haney MH (2010) Investigating the antecedents of team-based clan control: Adding social capital as a predictor. Organization Science 21(2), 469–489.
Knapp KJ and Ferrante CJ (2012) Policy awareness, enforcement and maintenance: Critical to information security effectiveness in organizations. Journal of Management Policy and Practice 13(5), 66–80.
Knapp KJ, Marshall TE, Rainer RK and Ford FN (2006) Information security: Management’s effect on culture and policy. Information Management and Computer Security 14(1), 24–36.
Knapp KJ, Morris RFJ, Marshall TE and Byrd TA (2009) Information security policy: An organizational-level process model. Computers and Security 28(7), 493–508.
Koops B-J (2014) The trouble with European data protection law. International Data Privacy Law 4(4), 250–261.
Landoll DJ (2016) Information Security Policies, Procedures, and Standards. CRC Press, Boca Raton.
Langley A (1999) Strategies for theorizing from process data. Academy of Management Review 24(4), 691–710.
Lebek B, Uffen J, Breitner MH, Neumann M and Hohler B (2013) Employees’ information security awareness and behavior: A literature review. In 46th Hawaii International Conference on System Sciences pp 2978–2986, Maui, Hawaii.
Lebek B, Uffen J, Neumann M, Hohler B and Breitner MH (2014) Information security awareness and behavior: A theory-based literature review. Management Research Review 37(12), 1049–1092.
Lee C, Lee CC and Kim S (2016) Understanding information security stress: Focusing on the type of information security compliance activity. Computers and Security 59(1), 60–70.
Lee J and Lee Y (2002) A holistic model of computer abuse within organizations. Information Management and Computer Security 10(2), 57–63.
Lee SM, Lee S-G and Yoo S (2004) An integrative model of computer abuse based on social control and general deterrence theories. Information and Management 41(6), 707–718.
Lee Y and Larson KR (2009) Threat or coping appraisal: Determinants of SMB executives’ decision to adopt anti-malware software. European Journal of Information Systems 18(2), 177–187.
Leidner DE and Kayworth T (2006) A review of culture in information systems research: Toward a theory of information technology culture conflict. MIS Quarterly 30(2), 357–399.
Li H, Sarathy R, Zhang J and Luo X (2014) Exploring the effects of organizational justice, personal ethics and sanction on internet use policy compliance. Information Systems Journal 24(6), 479–502.
Li H, Zhang J and Sarathy R (2010) Understanding compliance with internet use policy from the perspective of rational choice theory. Decision Support Systems 48(4), 635–645.
Li N and Wang Q (2008) Beyond separation of duty: An algebra for specifying high-level security policies. Journal of the ACM 55(3), 1–46.
Liang H and Xue Y (2009) Avoidance of information technology threats: A theoretical perspective. MIS Quarterly 33(1), 71–90.
Liang H and Xue Y (2010) Understanding security behaviors in personal computer usage: A threat avoidance perspective. Journal of the Association for Information Systems 11(7), 394–413.
Liang H, Xue Y and Wu L (2013) Ensuring employees’ IT compliance: Carrot or stick? Information Systems Research 24(2), 279–294.
Liao Q, Gurung A, Luo X and Li L (2009) Workplace management and employee misuse: Does punishment matter? Journal of Computer Information Systems 50(2), 49–59.
Lindsay RM and Ehrenberg ASC (1993) The design of replicated studies. The American Statistician 47(3), 217–222.
Liu C-C (2015) Types of employee perceptions of information security using Q methodology: An empirical study. European Journal of Information Systems 10(4), 557–575.
Liu J, Li Y, Wang H, Jin D, Su L, Zeng L and Vasilakos T (2016) Leveraging software-defined networking for security policy enforcement. Information Sciences 327, 288–299.
Lowry PB and Moody GD (2015) Proposing the control-reactance compliance model (CRCM) to explain opposing motivations to comply with organisational information security policies. Information Systems Journal 25(5), 465–488.
Lowry PB, Posey C, Bennett RJ and Roberts TL (2015) Leveraging fairness and reactance theories to deter reactive computer abuse following enhanced organisational information security policies: An empirical study of the influence of counterfactual reasoning and organisational trust. Information Systems Journal 25(3), 193–230.
Lowry PB, Posey C, Roberts TL and Bennett RJ (2014) Is your banker leaking your personal information? The roles of ethics and individual-level cultural characteristics in predicting organizational computer abuse. Journal of Business Ethics 121(3), 385–401.
Macintosh NB (1994) Management Accounting and Control Systems: An Organizational and Behavioral Approach. Wiley, New York.
Maruping LM, Venkatesh V and Agarwal R (2009) A control theory perspective on agile methodology use and changing user requirements. Information Systems Research 20(3), 377–399.
Mcdaniel P and Prakash A (2006) Methods and limitations of security policy reconciliation. ACM Transactions on Information and System Security 9(3), 259–291.
Mehra SK (2010) Law and cybercrime in the United States today. The American Journal of Comparative Law 58, 659–685.
Meyer JW and Rowan B (1977) Institutional organizations: Formal structure as a myth and ceremony. American Journal of Sociology 83(2), 340–363.
Mezias SJ and Regnier MO (2007) Walking the walk as well as talking the talk: Replication and the normal science paradigm in strategic management research. Strategic Organization 5(3), 283–296.
Montanari M, Chan E, Larson K, Yoo W and Campbell RH (2013) Distributed security policy conformance. Computers and Security 33, 28–40.
Moody GD, Kirsch LJ, Slaughter SA, Dunn BK and Weng Q (2016) Facilitating the transformational: An exploration of control in cyberinfrastructure projects and the discovery of field control. Information Systems Research 27(2), 324–346.
Moores TT and Chang JC-J (2006) Ethical decision making in software piracy: Initial development and test of a four-component model. MIS Quarterly 30(1), 167–180.
Moquin R and Wakefield RL (2016) The roles of awareness, sanctions, and ethics in software compliance. The Journal of Computer Information Systems 56(3), 261–270.
Muthaiyah S and Kerschberg L (2007) Virtual organization security policies: An ontology-based integration approach. Information Systems Frontiers 9(5), 505–514.
Myyry L, Siponen M, Pahnila S, Vartiainen T and Vance A (2009) What levels of moral reasoning and values explain adherence to information security rules? An empirical study. European Journal of Information Systems 18(2), 126–139.
Ng B-Y, Kankanhalli A and Xu Y (2009) Studying users’ computer security behavior: A health belief perspective. Decision Support Systems 46(4), 815–825.
Niehoff BP and Moorman RH (1993) Justice as a mediator of the relationship between methods of monitoring and organizational citizenship behavior. Academy of Management Journal 36(3), 527–556.
Osenga K (2013) The internet is not a super highway: Using metaphors to communicate information and communications policy. Journal of Information Policy 3(1), 30–54.
Padayachee K (2012) Taxonomy of compliant information security behavior. Computers and Security 31(5), 673–680.
Paré G, Tate M, Johnstone D and Kitsiou S (2016) Contextualizing the twin concepts of systematicity and transparency in information systems literature reviews. European Journal of Information Systems 25(6), 493–508.
Paré G, Trudel M-C, Jaana M and Kitsiou S (2015) Synthesizing information systems knowledge: A typology of literature reviews. Information and Management 52(2), 183–199.
Pathari V and Sonar R (2012) Identifying linkages between statements in information security policy, procedures and controls. Information Management and Computer Security 20(4), 264–280.
Peace AG, Galletta DF and Thong JYL (2003) Software piracy in the workplace: A model and empirical test. Journal of Management Information Systems 20(1), 153–177.
Perrow C (1986) Complex Organizations. Random House, New York.
Phelps DC, Gathegi JN, Workman M and Heo M (2012) Information system security: Self-efficacy and implementation effectiveness. Journal of Information System Security 8(1), 3–21.
Posey C, Bennett RJ and Roberts TL (2011a) Understanding the mindset of the abusive insider: An examination of insiders’ causal reasoning following internal security changes. Computers and Security 30(6–7), 486–497.
Posey C, Bennett RJ, Roberts TL and Lowry PB (2011b) When computer monitoring back-fires: Privacy invasions and organizational injustice as precursors to computer abuse. Journal of Information System Security 7(1), 24–47.
Posey C, Roberts TL and Lowry PB (2015) The impact of organizational commitment on insiders’ motivation to protect organizational information assets. Journal of Management Information Systems 32(4), 179–214.
Posey C, Roberts TL, Lowry PB, Bennett RJ and Courtney JF (2013) Insiders’ protection of organizational information assets: Development of a systematics-based taxonomy and theory of diversity for protection-motivated behaviors. MIS Quarterly 37(4), 1189–1210.
Puhakainen P and Siponen M (2010) Improving employees’ compliance through information systems security training: An action research study. MIS Quarterly 34(4), 757–778.
Pwc (2016) The global state of information security survey 2016. http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html, accessed 30 January 2017.
Rees J, Bandyopadhyay S and Spafford EH (2003) PFIRES: A policy framework for information security. Communications of the ACM 46(7), 101–106.
Remus U, Wiener M, Mähring M, Saunders C and Cram WA (2015) Why do you control? The concept of control purpose and its implications for IS project control research. In Thirty Sixth International Conference on Information Systems pp 1–19, Fort Worth.
Renaud K and Goucher W (2012) Health service employees and information security policies: An uneasy partnership? Information Management and Computer Security 20(4), 296–311.
Rhee H-S, Kim C and Ryu YU (2009) Self-efficacy in information security: Its influence on end users’ information security practice behavior. Computers and Security 28(8), 816–826.
Roberts BW, Walton KE and Viechtbauer W (2006) Patterns of mean-level change in personality traits across the life course: A meta-analysis of longitudinal studies. Psychological Bulletin 132(1), 1–25.
Ross SJ (2015) Cybersecurity for a “simple” auditor. ISACA Journal 6(6), 1–2.
Rowe F (2014) What literature review is not: Diversity, boundaries and recommendations. European Journal of Information Systems 23(3), 241–255.
Sabherwal R and Robey D (1995) Reconciling variance and process strategies for studying information systems development. Information Systems Research 6(4), 303–327.
Safa NS, Von Solms R and Furnell S (2016) Information security policy compliance model in organizations. Computers and Security 56(1), 70–82.
Salterio SE (2014) We don’t replicate accounting research—or do we? Contemporary Accounting Research 31(4), 1134–1142.
Santana M and Robey D (1995) Perceptions of control during systems development: Effects on job satisfaction of systems professionals. Computer Personnel 16(1), 20–34.
Schmerken I (2015) Morgan Stanley data theft exposes insider threat & need for more restrictions. http://www.wallstreetandtech.com/security/morgan-stanley-data-theft-exposes-insider-threat-and-need-for-more-restrictions, accessed 30 January 2015.
Schnedler W and Vadovic R (2011) Legitimacy of control. Journal of Economics and Management Strategy 20(4), 985–1009.
Schneider FB (2000) Enforceable security policies. ACM Transactions on Information and System Security 3(1), 30–50.
Schryen G (2015) Writing qualitative IS literature reviews—guidelines for synthesis, interpretation, and guidance of research. Communications of the Association for Information Systems 37(12), 286–325.
Scott WR (1987) The adolescence of institutional theory. Administrative Science Quarterly 32(4), 493–511.
Sharma A (1997) Professional as agent: Knowledge asymmetry in agency exchange. Academy of Management Review 22(3), 758–798.
Shephard MM and Mejias RJ (2016) Nontechnical deterrence effects of mild and severe internet use policy reminders in reducing employee internet abuse. International Journal of Human-Computer Interaction 32(7), 557–567.
Shirtz D and Elovici Y (2011) Optimizing investment decisions in selecting information security remedies. Information Management and Computer Security 19(2), 95–112.
Shropshire J, Warkentin M and Sharma S (2015) Personality, attitudes, and intentions: Predicting initial adoption of information security behavior. Computers and Security 49, 177–191.
Silva L, Hsu C, Backhouse J and Mcdonnell A (2016) Resistance and power in a security certification scheme: The case of c:Cure. Decision Support Systems 92, 68–78.
Siponen M (2000) A conceptual foundation for organizational information security awareness. Information Management and Computer Security 8(1), 31–41.
Siponen M (2006) Information security standards focus on the existence of process, not its content. Communications of the ACM 49(8), 97–100.
Siponen M and Iivari J (2006) Six design theories for IS security policies and guidelines. Journal of the Association for Information Systems 7(7), 445–472.
Siponen M, Mahmood MA and Pahnila S (2009) Are employees putting your company at risk by not following information security policies? Communications of the ACM 52(12), 145–147.
Siponen M, Mahmood MA and Pahnila S (2014) Employees’ adherence to information security policies: An exploratory field study. Information and Management 51(2), 217–224.
Siponen M and Oinas-Kukkonen H (2007) A review of information security issues and respective research contributions. The DATA BASE for Advances in Information Systems 38(1), 60–80.
Siponen M, Pahnila S and Mahmood MA (2010) Compliance with information security policies: An empirical investigation. Computer 43(2), 64–71.
Siponen M and Vance A (2010) Neutralization: New insights into the problem of employee information systems security policy violations. MIS Quarterly 34(3), 487–502.
Siponen M and Vance A (2014) Guidelines for improving the contextual relevance of field surveys: The case of information security policy violations. European Journal of Information Systems 23(3), 289–305.
Siponen M and Willison R (2009) Information security management standards: Problems and solutions. Information and Management 46(5), 267–270.
Siponen M, Willison R and Baskerville R (2008) Power and practice in information systems security research. In International Conference on Information Systems pp 1–13, Association for Information Systems, Paris.
Smith S, Winchester D, Bunker D and Jamieson R (2010) Circuits of power: A study of mandated compliance to an information systems security “de jure” standard in a government organization. MIS Quarterly 34(3), 463–486.
Sommestad T, Hallberg J, Lundholm K and Bengtsson J (2014) Variables influencing information security policy compliance: A systematic review of quantitative studies. Information Management and Computer Security 22(1), 42–75.
Sommestad T, Karlzén H and Hallberg J (2015) The sufficiency of the theory of planned behavior for explaining information security policy compliance. Information and Computer Security 23(2), 200–217.
Son J-Y (2011) Out of fear or desire? Toward a better understanding of employees’ motivation to follow IS security policies. Information and Management 48(7), 296–302.
Son J-Y and Park J (2016) Procedural justice to enhance compliance with non-work-related computing (NWRC) rules: Its determinants and interaction with privacy concerns. International Journal of Information Management 36(3), 309–321.
Soomro ZA, Shah MH and Ahmed J (2016) Information security management needs more holistic approach: A literature review. International Journal of Information Management 36(2), 215–225.
Spears JL and Barki H (2010) User participation in information systems security risk management. MIS Quarterly 34(3), 503–522.
Stahl BC, Doherty NF and Shaw M (2012) Information security policies in the uk healthcare sector: A critical evaluation. Information Systems Journal 22(1), 77–94.
Stanton J, Stam K, Mastrangelo P and Jolton J (2005) Analysis of end user security behaviors. Computers and Security 24(2), 124–133.
Straub DW (1990) Effective IS security: An empirical study. Information Systems Research 1(3), 255–276.
Straub DW and Nance WD (1990) Discovering and disciplining computer abuse in organizations: A field study. MIS Quarterly 14(1), 45–62.
Straub DW and Welke RJ (1998) Coping with systems risk: Security planning models for management decision making. MIS Quarterly 22(4), 441–469.
Susanto H, Almunawar MN and Tuan YC (2011) Information security management system standards: A comparative study of the big five. International Journal of Electrical and Computer Sciences 11(5), 23–29.
Tang M, Li M and Zhang T (2016) The impacts of organizational culture on information security culture: A case study. Information Technology and Management 17(2), 179–186.
Tannenbaum AS (1962) Control in organizations: Individual adjustment and organizational performance. Administrative Science Quarterly 7(2), 236–257.
Teh P-L, Ahmed PK and D’arcy J (2015) What drives information security policy violations among banking employees? Insights from neutralization and social exchange theory. Journal of Global Information Management 23(1), 44–64.
Thomson K-L (2010) Information security conscience: A precondition to an information security culture? Journal of Information System Security 6(4), 3–19.
Thong JYL and Yap CS (1998) Testing an ethical decision-making theory: The case of softlifting. Journal of Management Information Systems 15(1), 213–237.
Tiwana A and Keil M (2009) Control in internal and outsourced software projects. Journal of Management Information Systems 26(3), 9–44.
Tsang EWK and Kwan K-M (1999) Replication and theory development in organizational science: A critical realist perspective. Academy of Management Review 24(4), 759–780.
Tsohou A, Karyda M and Kokolakis S (2015a) Analyzing the role of cognitive and cultural biases in the internalization of information security policies: Recommendations for information security awareness programs. Computers and Security 52, 128–141.
Tsohou A, Karyda M, Kokolakis S and Kiountouzis E (2010) Aligning security awareness with information system security management. Journal of Information System Security 6(1), 36–54.
Tsohou A, Karyda M, Kokolakis S and Kiountouzis E (2015b) Managing the introduction of information security awareness programmes in organizations. European Journal of Information Systems 24(1), 38–58.
Twenge JM, Konrath S, Foster JD, Campbell WK and Bushman BJ (2008) Egos inflating over time: A cross-temporal meta-analysis of the narcissistic personality inventory. Journal of Personality and Social Psychology 76(4), 875–902.
Unal D and Caglayan MU (2013) A formal role-based access control model for security policies in multi-domain mobile networks. Computer Networks 57(1), 330–350.
Uzunov AV, Fernandez EB and Falkner K (2015) Security solution frames and security patterns for authorization in distributed, collaborative systems. Computers and Security 55(1), 193–234.
Vaast E (2007) Danger is in the eye of the beholders: Social representations of information systems security in healthcare. Journal of Strategic Information Systems 16(2), 130–152.
Van Iddekinge CH, Ferris GR and Heffner TS (2009) Test of a multistage model of distal and proximal antecedents of leader performance. Personnel Psychology 62(3), 463–495.
Vance A, Anderson BB, Kirwan CB and Eargle D (2014) Using measures of risk perception to predict information security behavior: Insights from electroencephalography (EEG). Journal of the Association for Information Systems 15(10), 679–722.
Vance A, Lowry PB and Eggett D (2013) Using accountability to reduce access policy violations in information systems. Journal of Management Information Systems 29(4), 263–289.
Vance A, Lowry PB and Eggett D (2015) Increasing accountability through user-interface design artifacts: A new approach to addressing the problem of access-policy violations. MIS Quarterly 39(2), 345–366.
Vance A and Siponen M (2012) IS security policy violations: A rational choice perspective. Journal of Organizational and End User Computing 24(1), 21–41.
Vance A, Siponen M and Pahnila S (2012) Motivating IS security compliance: Insights from habit and protection motivation theory. Information and Management 49(3–4), 190–198.
Verizon (2016) 2016 data breach investigations report. http://www.verizonenterprise.com/DBIR/2015/, accessed 25 February 2017.
Vom Brocke J, Simons A, Riemer K, Niehaves B and Plattfaut R (2015) Standing on the shoulders of giants: Challenges and recommendations of literature search in information systems research. Communications of the Association for Information Systems 37(9), 205–224.
Von Dran GM, Guynes CS and Prybutok VR (1996) The information infrastructure: Policy and security considerations. Computers and Society 26(1), 13–15.
Von Solms R (1999) Information security management: Why standards are important. Information Management and Computer Security 7(1), 50–57.
Vroom C and Von Solms R (2004) Towards information security behavioural compliance. Computers and Security 23(3), 191–198.
Wall DS (2013) Enemies within: Redefining the insider threat in organizational security policy. Security Journal 26(2), 107–124.
Wall JD, Lowry PB and Barlow JB (2016) Organizational violations of externally governed privacy and security rules: Explaining and predicting selective violations under conditions of strain and excess. Journal of the Association for Information Systems 17(1), 39–76.
Wall JD, Palvia P and Lowry PB (2013) Control-related motivations and information security policy compliance: The role of autonomy and efficacy. Journal of Information Privacy and Security 9(4), 52–79.
Wall JD, Stahl BC and Salam AF (2015) Critical discourse analysis as a review methodology: An empirical example. Communications of the Association for Information Systems 37(1), 257–285.
Warkentin M, Johnston AC and Shropshire J (2011) The influence of the informal social learning environment on information privacy policy compliance efficacy and intention. European Journal of Information Systems 20(3), 267–284.
Warkentin M, Johnston AC, Shropshire J and Barnett WD (2016a) Continuance of protective security behavior: A longitudinal study. Decision Support Systems 92, 25–35.
Warkentin M, Walden E, Johnston AC and Straub DW (2016b) Neural correlates of protection motivation for secure IT behaviors: An fMRI examination. Journal of the Association for Information Systems 17(3), 194–215.
Warman AR (1992) Organizational computer security policy: The reality. European Journal of Information Systems 1(5), 305–310.
Webster J and Watson RT (2002) Analyzing the past to prepare for the future: Writing a literature review. MIS Quarterly 26(2), xiii–xxiii.
Weldon D (2015) Are your biggest security threats on the inside? http://www.cio.com/article/2985790/security/are-your-biggest-security-threats-on-the-inside.html, accessed 1 December 2015.
Whitman ME (2008) Security policy: From design to maintenance. In Information security: Policy, processes, and practices (Straub DW, Goodman SE and Baskerville R, Eds), pp 123–151, M. E. Sharpe, New York.
Whitman ME, Townsend AM and Aalberts RJ (2001) Information systems security and the need for policy. In Information security management: Global challenges in the new millennium (DHILLON G, Ed), pp 10–20, IGI Global, Hershey PA.
Wiant TL (2005) Information security policy’s impact on reporting security incidents. Computers and Security 24(6), 448–459.
Wiener M, Mähring M, Remus U and Saunders C (2016) Control configuration and control enactment in information systems projects: Review and expanded theoretical framework. MIS Quarterly 40(3), 741–774.
Willison R (2006) Understanding the perpetration of employee computer crime in the organisational context. Information and Organization 16(4), 304–324.
Willison R and Backhouse J (2006) Opportunities for computer abuse: Considering systems risk from the offender’s perspective. European Journal of Information Systems 15(4), 403–414.
Willison R and Warkentin M (2013) Beyond deterrence: An expanded view of employee computer abuse. MIS Quarterly 37(1), 1–20.
Wood CC (1982) Policies for deterring computer abuse. Computers and Security 1(2), 139–145.
Workman M (2009) A field study of corporate employee monitoring: Attitudes, absenteeism, and the moderating influences of procedural justice perceptions. Information and Organization 19(4), 218–232.
Workman M, Bommer WH and Straub DW (2008) Security lapses and the omission of information securitymeasures: A threat control model and empirical test. Computers in Human Behavior 24(6), 2799–2816.
Workman M and Gathegi J (2007) Punishment and ethics deterrents: A study of insider security contravention. Journal of the American Society for Information Science and Technology 58(2), 212–222.
Xue Y, Liang H and Wu L (2011) Punishment, justice, and compliance in mandatory IT settings. Information Systems Research 22(2), 400–414.
Yazdanmehr A and Wang J (2016) Employees’ information security policy compliance: A norm activation perspective. Decision Support Systems 92, 36–46.
Zafar H and Clark JG (2009) Current state of information security research in IS. Communications of the AIS 24(34), 557–596.
Zhang J, Reithel BJ and Li H (2009) Impact of perceived technical protection on security behaviors. Information Management and Computer Security 17(4), 330–340.
Zhang X, Parisi-Presicce F, Sandhu R and Park J (2005) Formal model and policy specification of usage control. ACM Transactions on Information and System Security 8(4), 351–387.
Zsidisin GA and Ellram LM (2003) An agency theory investigation of supply risk management. Journal of Supply Chain Management 39(3), 15–27.
Author information
Authors and Affiliations
Corresponding author
Additional information
Special Issue Editors: Paul Benjamin Lowry, Tamara Dinev, Robert Willison
Appendices
Appendix A: Security policy research literature reviews
The following is not an exhaustive list of IS security research literature reviews, as there are additional reviews that are only tangentially related to security policy research and/or appear in lower-tier journals and conference proceedings.
Article | Coverage | Description/key findings | How our review differs in scope* |
|---|---|---|---|
Crossler et al (2013) | Overview of behavioral IS security literature; not a systematic review paper | Using the extant literature as a base, proposed the following topics for future behavioral IS security research: separating insider deviant behavior from insider misbehavior; unmasking the mystery of the hacker world; improving information security compliance; cross-cultural information security research | We review the broader body of security policy literature |
D’Arcy and Herath (2011) | 17 empirical studies in the IS literature that used deterrence (sanction) constructs, published through 2010 (approximately); specific time period not provided | Reviewed empirical studies that used deterrence theory in the IS literature; in an attempt to explain the contradictory findings in this literature, identified contingency variables, and methodological and theoretical issues specific to the application of deterrence theory in the IS context | We review the broader body of security policy literature |
Dhillon and Backhouse (2001) | IS security literature through 2000 (approximately); specific number of articles and time period not provided | Classified IS security literature into Burrell and Morgan’s sociological paradigms (functionalist, interpretive, radical humanist, radical structuralist); one of the earliest papers to identify the preponderance of purely technical IS security research and called for a socioorganizational perspective | We review the more specific body of security policy literature |
Guo (2013) | Not a systematic review paper; literature on employees’ security-related behavior; specific number of articles and time period not provided | Provided a classification/taxonomy of employees’ security-related behavior, based on the extant literature | We review the broader body of security policy literature |
Karlsson et al (2015) | 72 information security culture research articles published between 2000 and 2013 | Classified the papers in terms of theories, research methods, and research topics | We review the security policy literature, which is distinct from security culture research |
113 articles on employees’ information security awareness and behavior published between 2000 and mid 2012 (both the 2013 and 2014 publications cover the same scope) | Classified 54 different theories used in behavioral IS security studies; based on the results, provided a taxonomy of antecedents of information security behavior | We review the broader body of security policy literature | |
Padayachee (2012) | Not a systematic review paper; overview of selected literature on employees’ security policy compliance; specific number of articles and time period not provided | Provided a taxonomy of factors that influence employees’ security policy compliance, which was derived from the literature and grounded in self-determination theory | We review the broader body of security policy literature |
Siponen and Oinas-Kukkonen (2007) | IS security literature through 2000; specific number of articles not provided | Classified the papers based on research approaches, reference disciplines, and security issues (access to information systems, secure communication, security management, secure information systems development) | We review the more specific body of security policy literature |
Siponen & Vance (2014) | 19 empirical, survey studies of employees’ security policy compliance, published between 1990 and 2011 | Provided methodological guidelines for survey studies of security policy compliance behavior in organizations; the guidelines were applied to the reviewed articles, and no study met more than three of the five proposed guidelines. | We review the broader body of security policy literature |
Siponen et al (2008) | 1280 IS security research articles published between 1990 and 2004 | Classified the papers in terms of theories, research methods, and research topics | We review the more specific body of security policy literature |
Sommestad et al (2014) | 29 empirical studies of employees’ security policy compliance published through 2012 (approximately); specific time period not provided | Meta-analyzed the literature on employees’ security policy compliance; showed the relative strength of the various predictor variables used in the literature (60 total predictor variables) | We review the broader body of security policy literature |
Soomro et al (2016) | 67 articles on management role in information security published between 2004 and September 2014 | Classified the papers into the following categories: information security and management; information security policy awareness and training; integration of technical and managerial activities for information security management; human aspects of information security management; information security as a business issue | We review the more specific body of security policy literature |
Wall et al (2015) | 24 empirical studies of employees’ security-related behavior published between 2002 and 2012 | Evaluated the philosophical underpinnings (using critical review methods) of empirical studies of employees’ security-related behavior | We review the broader body of security policy literature |
Willison and Warkentin (2013) | Overview of selected IS and general literature on neutralization, deterrence and expressive motivations, and organizational justice; specific number of articles and time period not provided; not a systematic review paper | Proposed the following topics for future empirical investigations of employee computer abuse: techniques of neutralization (rationalizations), expressive/instrumental criminal motivations, disgruntlement as a result of perceptions of organizational justice | We review the broader body of security policy literature |
Zafar & Clark (2009) | 137 IS security research articles published through 2007; start date not provided | Classified the papers according to themes established by the IBM Information Security Capability Reference Model (e.g., Governance, Identity and Access Management, Personnel Security) | We review the more specific body of security policy literature |
Appendix B: Articles included in review (sorted by author)
The issue of which articles constitute security policy research is not entirely straightforward, particularly when it comes to the vast literature on employees’ security policy compliance. Within this subset of the security policy literature, there exist many different conceptualizations of compliance behavior (Chu et al, 2015; Guo, 2013), and not all behaviors contain an explicit security policy labeling. We follow the criteria of past reviews (Siponen & Vance, 2014; Sommestad et al, 2014) and include policy-related behaviors in organizational contexts, such as computer abuse and IS misuse, within our conceptualization of security policy compliance. Including these behaviors is based on the notion that they mainly involve the unauthorized use of information and technology resources within organizations, and, therefore, constitute security policy violations (Chu et al, 2015).
A similar issue exists with respect to protection motivation theory (PMT)-based studies on how to achieve secure behavior (e.g., Boss et al, 2009, 2015; Johnston & Warkentin, 2010a; Posey et al, 2015). Within this work, some papers explicitly describe secure behaviors in response to security policies (e.g., using anti-spyware, backing up data, changing passwords), whereas others are vague on this issue, or are specific to the personal/home usage context. Again, following past reviews of the security compliance literature (Siponen & Vance, 2014; Sommestad et al, 2014), we include only those PMT-based studies that involve secure behavior in organizational contexts. Adhering to these criteria means that a study meets at least one of the following conditions: (1) a description of secure behavior in which the user is interacting with an organizational information system, (2) a description of the direct relevance of the secure behavior to the organizational context, or (3) the use of organizational respondents. PMT-based studies where the population is personal/home computer users or the context is otherwise not work-related are excluded, because in such cases individuals are not subject to security policies and must acquire information about security threats and tools on their own (Anderson & Agarwal, 2010; Chen and Zahedi, 2016). Appendix D further details our exclusion criteria, as it pertains to a specific list of excluded articles.
In making the preceding points, we emphasize that the PMT-based studies of how to achieve secure behavior often use similar constructs, regardless of whether the context is organizational or personal/home usage. Likewise, studies of employees’ security compliance use many similar theoretical bases and constructs across the variety of behaviors being investigated (e.g., security policy compliance/non-compliance, computer abuse, IS misuse, etc.). Consequently, we have captured the key constructs and themes within these subsets of the security policy literature, even if a particular study may have been excluded based on our criteria.
Regarding the overall security policy literature, we do not claim to have captured every (peer-reviewed) published article for this review, but we do have a relatively complete consensus of the literature, to the point where the constructs and interrelationships in our research framework are supported and no new concepts emerged from the literature. In this manner, we followed Rowe’s (2014) guidance that reviews for understanding should strive for strong coverage of the domain rather than absolute completeness.
Article | Journal | Empirical/Conceptual | Methodology |
|---|---|---|---|
Al-Mukahal & Alshare (2015) | Information and Computer Security | Empirical | Survey |
Aurigemma & Leonard (2015) | Journal of Information System Security | Empirical | Survey |
Barlow et al (2013) | Computers and Security | Empirical | Survey |
Baskerville et al (2014) | Information Technology and People | Conceptual | – |
Boss et al (2009) | European Journal of Information Systems | Empirical | Survey |
Bulgurcu et al (2010) | MIS Quarterly | Empirical | Survey |
Chan et al (2005) | Journal of Information Privacy and Security | Empirical | Survey |
Chen et al (2012) | Journal of Management Information Systems | Empirical | Experiment |
Chen et al (2015) | The Journal of Computer Information Systems | Empirical | Survey |
Cheng et al (2013) | Computers and Security | Empirical | Survey |
Chu et al (2016) | Journal of Business Ethics | Empirical | Survey |
Crossler et al (2014) | Journal of Information Systems | Empirical | Survey |
D’Arcy and Hovav (2007) | Communications of the ACM | Empirical | Survey |
D’Arcy & Devaraj (2012) | Decision Sciences | Empirical | Survey |
D’Arcy and Greene (2014) | Information Management and Computer Security | Empirical | Survey |
D’Arcy et al (2009) | Information Systems Research | Empirical | Survey |
D’Arcy et al (2014) | Journal of Management Information Systems | Empirical | Survey |
Dinev & Hu (2007) | Journal of the Association for Information Systems | Empirical | Survey |
Dinev et al (2009) | Information Systems Journal | Empirical | Survey |
Doherty & Fulford (2005) | Information Resources Management Journal | Empirical | Survey |
Doherty & Fulford (2006) | Computers & Security | Conceptual | – |
Doherty et al (2009) | International Journal of Information Management | Empirical | Archival |
Flowerday & Tuyikeze (2016) | Computers and Security | Empirical | Survey |
Foth (2016) | European Journal of Information Systems | Empirical | Survey |
Fulford & Doherty (2003) | Information Management and Computer Security | Empirical | Survey |
Gaunt (1998) | International Journal of Medical Informatics | Empirical | Observation, Survey |
Goel and Chengalur-Smith (2010) | Journal of Strategic Information Systems | Empirical | Survey |
Goo et al (2014) | IEEE Transactions on Professional Communication | Empirical | Survey |
Gritzalis (1997) | Computers and Security | Conceptual | – |
Guo & Yuan (2012) | Information and Management | Empirical | Survey |
Guo et al (2011) | Journal of Management Information Systems | Empirical | Survey |
Han et al (2017) | Computers and Security | Empirical | Survey |
Harrington (1996) | MIS Quarterly | Empirical | Survey |
Hedström et al (2011) | Journal of Strategic Information Systems | Empirical | Case studies |
Herath & Rao (2009a) | Decision Support Systems | Empirical | Survey |
Herath & Rao (2009b) | European Journal of Information Systems | Empirical | Survey |
Höne and Eloff (2002a) | Computers and Security | Conceptual | – |
Höne and Eloff (2002b) | Network Security | Conceptual | – |
Hong et al (2006) | Information Management and Computer Security | Empirical | Survey |
Hovav & D’Arcy (2012) | Information and Management | Empirical | Survey |
Hsu et al (2015) | Information Systems Research | Empirical | Survey |
Hu et al (2011) | Communications of the ACM | Empirical | Scenario, Survey |
Hu et al (2012) | Decision Sciences | Empirical | Survey |
Hu et al (2015) | Journal of Management Information Systems | Empirical | Experiment |
Hwang et al (2017) | Online Information Review | Empirical | Survey |
Ifinedo (2012) | Computers and Security | Empirical | Survey |
Ifinedo (2014) | Information and Management | Empirical | Survey |
Ifinedo (2016) | Information Systems Management | Empirical | Survey |
Johnston & Warkentin (2010a) | MIS Quarterly | Empirical | Experiment |
Johnston & Warkentin (2010b) | Journal of Organizational and End User Computing | Empirical | Experiment |
Johnston et al (2013) | Journal of Organizational and End User Computing | Empirical | Survey |
Johnston et al (2015) | MIS Quarterly | Empirical | Experiment, Interviews |
Johnston et al (2016) | European Journal of Information Systems | Empirical | Survey |
Kadam (2007) | Information Systems Security | Conceptual | – |
Karyda et al (2005) | Computers & Security | Empirical | Case studies |
Kim et al (2016) | Information & Management | Empirical | Survey |
Knapp et al (2006) | Information Management and Computer Security | Empirical | Interviews, Survey |
Knapp et al (2009) | Computers & Security | Empirical | Survey, Content Analysis |
Knapp & Ferrante (2012) | Journal of Management Policy and Practice | Empirical | Survey |
Lee and Larson (2009) | European Journal of Information Systems | Empirical | Survey |
Lee and Lee (2002) | Information Management and Computer Security | Conceptual | – |
Lee et al (2004) | Information and Management | Empirical | Survey |
Lee et al (2016) | Computers and Security | Empirical | Survey |
Li et al (2010) | Decision Support Systems | Empirical | Survey |
Li et al (2014) | Information Systems Journal | Empirical | Survey |
Liao et al (2009) | Journal of Computer Information Systems | Empirical | Survey |
Liang et al (2013) | Information Systems Research | Empirical | Survey |
Lowry & Moody (2015) | Information Systems Journal | Empirical | Scenario, Survey |
Lowry et al (2015) | Information Systems Journal | Empirical | Survey |
Moquin & Wakefield (2016) | Journal of Computer Information Systems | Empirical | Survey |
Myyry et al (2009) | European Journal of Information Systems | Empirical | Survey |
Ng et al (2009) | Decision Support Systems | Empirical | Survey |
Padayachee (2012) | Computers & Security | Conceptual | – |
Pathari & Sonar (2012) | Information Management and Computer Security | Conceptual | Modeling |
Posey et al (2011a) | Computers and Security | Empirical | Survey |
Posey et al (2015) | Journal of Management Information Systems | Empirical | Survey |
Puhakainen & Siponen (2010) | MIS Quarterly | Empirical | Survey, Interviews |
Rees et al (2003) | Communications of the ACM | Conceptual | – |
Renaud & Goucher (2012) | Information Management and Computer Security | Empirical | Interviews |
Safa et al (2016) | Computers & Security | Empirical | Survey |
Shephard & Mejias (2016) | International Journal of Human–Computer Interaction | Empirical | Experiment |
Shropshire et al (2015) | Computers and Security | Empirical | Survey |
Siponen (2000) | Information Management and Computer Security | Conceptual | – |
Siponen (2006) | Communications of the ACM | Conceptual | – |
Siponen & Iivari (2006) | Journal of the Association for Information Systems | Conceptual | – |
Siponen & Vance (2010) | MIS Quarterly | Empirical | Scenario, Survey |
Siponen & Willison (2009) | Information and Management | Empirical | Archival |
Siponen et al (2009) | Communications of the ACM | Empirical | Survey |
Siponen et al (2010) | Computer | Empirical | Survey |
Siponen et al (2014) | Information and Management | Empirical | Survey |
Sommestad et al (2015) | Information and Computer Security | Empirical | Survey |
Son (2011) | Information and Management | Empirical | Survey |
Park & Son (2016) | International Journal of Information Management | Empirical | Survey |
Spears & Barki (2010) | MIS Quarterly | Empirical | Interviews, Survey |
Stahl et al (2012) | Information Systems Journal | Empirical | Archival |
Straub (1990) | Information Systems Research | Empirical | Survey |
Teh et al (2015) | Journal of Global Information Management | Empirical | Survey |
Tsohou et al (2015b) | European Journal of Information Systems | Empirical | Action, Case Study |
Vaast (2007) | Journal of Strategic Information Systems | Empirical | Interviews |
Vance & Siponen (2012) | Journal of Organizational and End User Computing | Empirical | Scenario, Survey |
Vance et al (2012) | Information and Management | Empirical | Survey |
Vance et al (2013) | Journal of Management Information Systems | Empirical | Scenario, Survey |
Vance et al (2015) | MIS Quarterly | Empirical | Scenario, Survey |
von Solms (1999) | Information Management and Computer Security | Conceptual | – |
Wall (2013) | Security Journal | Empirical | Archival |
Wall et al (2013) | Journal of Information Privacy and Security | Empirical | Survey |
Warkentin et al (2011) | European Journal of Information Systems | Empirical | Survey |
Warman (1992) | European Journal of Information Systems | Empirical | Survey, Interview |
Wiant (2005) | Computers and Security | Empirical | Survey |
Wood (1982) | Computers and Security | Conceptual | – |
Workman et al (2008) | Computers in Human Behavior | Empirical | Archival, Survey |
Xue et al (2011) | Information Systems Research | Empirical | Survey |
Yazdanmehr & Wang (2016) | Decision Support Systems | Empirical | Survey |
Zhang et al (2009) | Information Management and Computer Security | Empirical | Survey |
Appendix C: Articles included in review (sorted by article frequency)
Journal | Number of articles included in review |
|---|---|
Computers and Security | 17 |
Information Management and Computer Security | 10 |
European Journal of Information Systems | 9 |
Information and Management | 9 |
MIS Quarterly | 8 |
Journal of Management Information Systems | 6 |
Communications of the ACM | 5 |
Information Systems Journal | 5 |
Information Systems Research | 5 |
Decision Support Systems | 4 |
Journal of Computer Information Systems | 3 |
Journal of Organizational and End User Computing | 3 |
Journal of Strategic Information Systems | 3 |
Decision Sciences | 2 |
Information and Computer Security | 2 |
International Journal of Information Management | 2 |
Journal of Information Privacy and Security | 2 |
Journal of the Association for Information Systems | 2 |
Computer | 1 |
Computers in Human Behavior | 1 |
IEEE Transactions on Professional Communication | 1 |
International Journal of Human–Computer Interaction | 1 |
International Journal of Medical Informatics | 1 |
Information Resources Management Journal | 1 |
Information Systems Management | 1 |
Information Systems Security | 1 |
Information Technology and People | 1 |
Journal of Business Ethics | 1 |
Journal of Global Information Management | 1 |
Journal of Information Systems | 1 |
Journal of Information System Security | 1 |
Journal of Management Policy and Practice | 1 |
Network Security | 1 |
Online Information Review | 1 |
Security Journal | 1 |
Appendix D: Articles excluded from the review
The following table lists articles that were excluded from our review, including details of our rationale. Obviously, this list is not exhaustive, but our aim is to provide transparency into our exclusion process, particularly with respect to the exclusion of certain well-known articles that appear in top-tier IS journals. We refer the reader back to the Methodology section, as well as Appendix B, for additional details on our inclusion/exclusion criteria.
Notes: the term “not security policy centric” is used to describe an article that we deemed as not directly addressing the design, implementation, compliance/non-compliance, or monitoring of security policies in organizations. Many such articles address information security issues or information security management in a general sense. The remaining descriptions of our rationale for exclusion are self-explanatory.
Article | Journal | Rationale for Exclusion |
|---|---|---|
Albrechtsen (2007) | Computers and Security | Not security policy centric |
Anderson & Agarwal (2010) | MIS Quarterly | Not security policy centric; personal/home usage context |
Backhouse et al (2006) | MIS Quarterly | Oriented toward industry policy |
Basin et al (2013) | ACM Transactions on Information and System Security | Oriented toward technical policy |
Bauer and van Eeten (2009) | Telecommunications Policy | Not security policy centric |
Bauer et al (2009) | ACM Transactions on Software Engineering and Methodology | Oriented toward technical policy |
Boss et al (2015) | MIS Quarterly | Not security policy centric; personal/home usage context |
Burns et al (2017) | Computers in Human Behavior | Not security policy centric |
Chen and Zahedi (2016) | MIS Quarterly | Not security policy centric; personal/home usage context |
Crossler and Bélanger (2009) | Journal of Information System Security | Not security policy centric |
Culnan and Williams (2009) | MIS Quarterly | Not security policy centric; issues and opinion paper |
Cuppens et al (2013) | Journal of Computer Security | Oriented toward technical policy |
David (2002) | Computers and Security | Issues and opinion paper |
Dhillon and Backhouse (2000) | Communications of the ACM | Not security policy centric |
Di Modica and Tomarchio (2016) | ||
Foley and Fitzgerald (2011) | Journal of Computer Security | Oriented toward technical policy |
Herath et al (2014) | Information Systems Journal | Not security policy centric; personal/home usage context |
Hicks et al (2010) | ACM Transactions on Information and System Security | Oriented toward technical policy |
Horcas et al (2016) | Computers and Security | Oriented toward technical policy |
Jajodia et al (2001) | ACM Transactions on Database Systems | Oriented toward technical policy |
Kankanhalli et al (2003) | International Journal of Information Management | Not security policy centric |
Karjalainen and Siponen (2011) | Journal of the Association for Information Systems | Not security policy centric |
Khoury and Tawbi (2012) | ACM Transactions on Information and System Security | Oriented toward technical policy |
Li & Wang (2008) | Journal of the ACM | Not security policy centric |
Liang & Xue (2009) | MIS Quarterly | Not security policy centric; personal/home usage context |
Liang & Xue (2010) | Journal of the Association for Information Systems | Not security policy centric; personal/home usage context |
Liu (2015) | European Journal of Information Systems | Not security policy centric |
Liu et al (2016) | Information Sciences | Oriented toward technical policy |
Lowry et al (2014) | Journal of Business Ethics | Not security policy centric |
McDaniel and Prakash (2006) | ACM Transactions on Information and System Security | Oriented toward technical policy |
Mehra (2010) | The American Journal of Comparative Law | Oriented toward public policy |
Montanari et al (2013) | Computers & Security | Oriented toward technical policy |
Muthaiyah and Kerschberg (2007) | Information Systems Frontiers | Oriented toward technical policy |
Osenga (2013) | Journal of Information Policy | Oriented toward public policy |
Phelps et al (2012) | Journal of Information System Security | Not security policy centric |
Posey et al (2011b) | Journal of Information System Security | Not security policy centric |
Posey et al (2013) | MIS Quarterly | Not security policy centric; primarily a methodological article; taxonomy of security-related behaviors |
Rhee et al (2009) | Computers & Security | Not security policy centric; personal/home usage context |
Schneider (2000) | ACM Transactions on Information and System Security | Oriented toward technical policy |
Shirtz and Elovici (2011) | Information Management and Computer Security | Not security policy centric |
Silva et al (2016) | Decision Support Systems | Oriented toward industry policy |
Smith et al (2010) | MIS Quarterly | Oriented toward industry policy |
Stanton et al (2005) | Computers and Security | Not security policy centric; taxonomy of security-related behaviors |
Straub and Nance (1990) | MIS Quarterly | Not security policy centric |
Straub & Welke (1998) | MIS Quarterly | Not security policy centric |
Tang et al (2016) | Information Technology and Management | Not security policy centric |
Thomson (2010) | Journal of Information System Security | Not security policy centric |
Tsohou et al (2010) | Journal of Information System Security | Not security policy centric |
Tsohou et al (2015a) | Computers & Security | Not security policy centric |
Unal & Caglayan (2013) | Computer Networks | Oriented toward technical policy |
Uzunov et al (2015) | Computers and Security | Oriented toward technical policy |
Vance et al (2014) | Journal of the Association for Information Systems | Not security policy centric; personal/home usage context |
Von Dran et al (1996) | Computers and Security | Issues and opinion paper |
Vroom and von Solms (2004) | Computers and Security | Not security policy centric |
Wall et al (2016) | Journal of the Association for Information Systems | Oriented toward public policy |
Warkentin et al (2016b) | Journal of the Association for Information Systems | Not security policy centric; personal/home usage context |
Warkentin et al (2016a) | Decision Support Systems | Not security policy centric; personal/home usage context. |
Willison (2006) | Information and Organization | Not security policy centric |
Willison and Backhouse (2006) | European Journal of Information Systems | Not security policy centric |
Workman and Gathegi (2007) | Journal of the American Society for Information Science and Technology | Not security policy centric; personal/home usage context |
Zhang et al (2005) | ACM Transactions on Information and System Security | Oriented toward technical policy |
Appendix E: Research framework constructs, definitions, and supporting publications
Construct | Definition | Examples | Sample Publications |
|---|---|---|---|
Security standards, guidelines and regulations | The formal documents and opinions on security policy recommendations that are published by external bodies, groups, or associations | ISO 27001/02, COBIT, Health Insurance Portability and Accountability Act (HIPPA), Information Technology Infrastructure Library (ITIL), and the Payment Card Industry Data Security Standard (PCI DSS) | |
Desired policy format and structure | The aims and objectives of an organization’s security policies, in terms of length, clarity, and level of detail | Management endeavors to design security policies that are concise and easy to understand | |
Internal and external risk management considerations | The internal and external factors that pose information security risks to an organization | Organization type, size, IT infrastructure, business objectives, economic environment, and internal/external threats | Hong et al (2006), Karyda et al (2005), Knapp et al (2009), Warman (1992), Wall (2013) |
Security policy design and implementation | The actual design characteristics of the completed security policy and the manner in which the policy is implemented at the organization | Creating an internet use policy by defining the purpose, scope, roles/responsibilities, and expected/prohibited employee behaviors | |
Information security culture, awareness, and support | Security culture consists of the shared assumptions, values, and beliefs help by a group of employees (Karlsson et al, 2015; Knapp et al, 2006). Security awareness refers to the values and attitudes that individual employees hold in regard to secure information practices (Tsohou et al, 2015). Managerial support for information security initiatives represents the financial backing, sponsorship, encouragement, and leadership that management put forth for security initiatives | Management is strongly committed to delivering the funds necessary to enhance employee awareness of security policies | Chen et al (2015), Johnston et al (2013), Karyda et al (2005) |
Socioemotional consequences for employees | The interaction between the existence of a security policy and an employee’s social and emotional well-being | An employee feels an increased sense of stress in needing to comply with a new anti-malware policy at their organization | |
Personality and dispositional traits | The inherent, individual characteristics of employees, including behavioral, cognitive, and ethical norms | An employee believes that it is their moral responsibility to comply with security policies laid out by the organization | |
Security policy legitimacy, fairness and justice | The perception of an individual that a security policy is desirable, appropriate, and reasonable | An employee considers a new password policy at their organization as an unfair burden on them | |
Compliance with security policy | The extent to which employees intend to comply or actually comply with a security policy | Despite a policy stating that data backups should be completed every night, an employee ignores the guideline and only backs up their data on a weekly basis. | |
Organizational security objectives | The benefits that the implementation of security policies intend to achieve | By implementing a data protection policy, an organization hopes to reduce the number of incidents of personal information being accidentally released. | Hsu et al 2015; Knapp & Ferrante (2012), Spears & Barki (2010), Wiant (2005) |
Appendix F: Article coding results by relationship
The papers highlighted in the R1–R5 columns below correspond to the findings presented in the Results section. The items listed in the “Main Theoretical/Conceptual Linkages” column represent theories and conceptual models that were referenced in each of the listed papers. The data presented here varies in magnitude and scope, depending on the theoretical orientation of each paper. In some cases, a theory or model was used to construct or extend a research model; in other cases, a broader theory or concept simply informed the direction of the research.
Paper | R1 | R2 | R3 | R4 | R5 | Main Theoretical/Conceptual Linkages |
|---|---|---|---|---|---|---|
Al-Mukahal & Alshare (2015) | x | Deterrence theory, neutralization theory, theory of planned behavior | ||||
Aurigemma & Leonard (2015) | x | Affective organizational commitment, theory of planned behavior, rational choice theory | ||||
Barlow et al (2013) | x | Theory of neutralization techniques | ||||
Baskerville et al (2014) | x | Emote opportunity model of computer abuse | ||||
Boss et al (2009) | x | x | Social influence theory, organismic integration theory, agency theory, control theory | |||
Bulgurcu et al (2010) | x | Theory of planned behavior, rational choice theory, deterrence theory | ||||
Chan et al (2005) | x | Not applicable or none noted | ||||
Chen et al (2012) | x | Compliance theory, general deterrence theory | ||||
Chen et al (2015) | x | Organizational culture theory, security culture framework | ||||
Cheng et al (2013) | x | General deterrence theory, social bond theory, social control mechanisms | ||||
Chu et al (2016) | x | General deterrence theory | ||||
Crossler et al (2014) | x | Protection motivation theory | ||||
D’Arcy and Hovav (2007) | x | General deterrence theory | ||||
D’Arcy & Devaraj (2012) | x | Deterrence theory | ||||
D’Arcy and Greene (2014) | x | Social exchange theory | ||||
D’Arcy et al (2009) | x | General deterrence theory | ||||
D’Arcy et al (2014) | x | Coping theory, moral disengagement theory, social cognitive theory | ||||
Dinev & Hu (2007) | x | Theory of planned behavior | ||||
Dinev et al (2009) | x | Theory of planned behavior | ||||
Doherty & Fulford (2005) | x | Not applicable or none noted | ||||
Doherty & Fulford (2006) | x | Not applicable or none noted | ||||
Doherty et al (2009) | x | Not applicable or none noted | ||||
Flowerday & Tuyikeze (2016) | x | x | Not applicable or none noted | |||
Foth (2016) | x | Theory of planned behavior, general deterrence theory | ||||
Fulford & Doherty (2003) | x | Not applicable or none noted | ||||
Gaunt (1998) | x | Not applicable or none noted | ||||
Goel & Chengalur-Smith (2010) | x | Not applicable or none noted | ||||
Goo et al (2014) | x | Safety climate and performance model | ||||
Gritzalis (1997) | x | Not applicable or none noted | ||||
Guo & Yuan (2012) | x | Deterrence theory, social cognitive theory | ||||
Guo et al (2011) | x | Composite behavior model | ||||
Han et al (2017) | x | Rational choice theory | ||||
Harrington (1996) | x | Deterrence theory | ||||
Hedström et al (2011) | x | Value-based compliance model | ||||
Herath & Rao (2009a) | x | General deterrence theory, protection motivation theory | ||||
Herath & Rao (2009b) | x | General deterrence theory, agency theory | ||||
Höne and Eloff (2002a) | x | Not applicable or none noted | ||||
Höne and Eloff (2002b) | x | Not applicable or none noted | ||||
Hong et al (2006) | x | Integrated system theory of information security management | ||||
Hovav & D’Arcy (2012) | x | Deterrence theory | ||||
Hsu et al (2015) | x | x | Social control theory | |||
Hu et al (2011) | x | Deterrence theory, rational choice theory, self-control theory | ||||
Hu et al (2012) | x | Theory of planned behavior | ||||
Hu et al (2015) | x | Self-control theory | ||||
Hwang et al (2017) | x | Protection motivation theory | ||||
Ifinedo (2012) | x | Theory of planned behavior, protection motivation theory | ||||
Ifinedo (2014) | x | Theory of planned behavior, social cognitive theory, social bond theory | ||||
Ifinedo (2016) | x | General deterrence theory, rational choice theory, organizational climate perspective | ||||
Johnston & Warkentin (2010a) | x | Protection motivation theory, fear appeals model | ||||
Johnston & Warkentin (2010b) | x | Not applicable or none noted | ||||
Johnston et al (2013) | x | Social cognitive theory | ||||
Johnston et al (2015) | x | Protection motivation theory, deterrence theory | ||||
Johnston et al (2016) | x | Protection motivation theory, general deterrence theory | ||||
Kadam (2007) | x | Not applicable or none noted | ||||
Karyda et al (2005) | x | x | x | Not applicable or none noted | ||
Kim et al (2016) | x | Abuse opportunity structure, emotion process model | ||||
Knapp et al (2006) | x | Grounded theory | ||||
Knapp et al (2009) | x | x | x | Grounded theory | ||
Knapp & Ferrante (2012) | x | x | General deterrence theory, theory of organizational learning | |||
Lee and Larson (2009) | x | Protection motivation theory | ||||
Lee and Lee (2002) | x | General deterrence theory, social bond theory, social learning theory | ||||
Lee et al (2004) | x | General deterrence theory, social control theory, theory of planned behavior | ||||
Lee et al (2016) | x | Person-environment fit theory | ||||
Li et al (2010) | x | Rational choice theory | ||||
Li et al (2014) | x | Organizational justice | ||||
Liao et al (2009) | x | Theory of planned behavior, deterrence theory, theory of ethics | ||||
Liang et al (2013) | x | Control theory, regulatory focus theory | ||||
Lowry & Moody (2015) | x | x | Organizational control theory, reactance theory | |||
Lowry et al (2015) | x | Fairness theory, reactance theory | ||||
Moquin & Wakefield (2016) | x | Protection motivation theory, theory of planned behavior | ||||
Myyry et al (2009) | x | Theory of cognitive moral development, theory of motivational types of values | ||||
Ng et al (2009) | x | Health belief model | ||||
Padayachee (2012) | x | Self-determination theory | ||||
Pathari & Sonar (2012) | x | Not applicable or none noted | ||||
Posey et al (2011a) | x | Causal reasoning theory, attribution theory | ||||
Posey et al (2015) | x | Protection motivation theory, organizational commitment | ||||
Puhakainen & Siponen (2010) | x | Universal constructive instructional theory, elaboration likelihood model | ||||
Rees et al (2003) | x | x | Not applicable or none noted | |||
Renaud & Goucher (2012) | x | Not applicable or none noted | ||||
Safa et al (2016) | x | Social bond theory, involvement theory | ||||
Shephard & Mejias (2016) | x | General deterrence theory, rational choice theory, agency theory | ||||
Shropshire et al (2015) | x | Theory of reasoned action, technology acceptance model | ||||
Siponen (2000) | x | Theory of reasoned action, theory of planned behavior, intrinsic motivation, technology acceptance model | ||||
Siponen (2006) | x | Not applicable or none noted | ||||
Siponen & Iivari (2006) | x | Conservative-deontological theory, liberal-intuitive theory, prima-facie theory, virtue theory, utilitarian theory, universalizability theory | ||||
Siponen & Vance (2010) | x | Neutralization theory, general deterrence theory | ||||
Siponen & Willison (2009) | x | Not applicable or none noted | ||||
Siponen et al (2009) | x | Theory of reasoned action, protection motivation theory | ||||
Siponen et al (2010) | x | Protection motivation theory, deterrence theory, theory of reasoned action, innovation diffusion theory | ||||
Siponen et al (2014) | x | Protection motivation theory, theory of reasoned action, cognitive evaluation theory | ||||
Sommestad et al (2015) | x | Theory of planned behavior, protection motivation theory | ||||
Son (2011) | x | General deterrence theory, intrinsic and extrinsic motivation models | ||||
Park & Son (2016) | x | Procedural justice | ||||
Spears & Barki (2010) | x | x | Buy-in theory of participation, system quality theory, emergent interactions theory | |||
Stahl et al (2012) | x | Critical social theory | ||||
Straub (1990) | x | General deterrence theory | ||||
Teh et al (2015) | x | Social exchange theory | ||||
Tsohou et al (2015b) | x | Actor-network theory, structuration theory, contextualism | ||||
Vaast (2007) | x | Not applicable or none noted | ||||
Vance & Siponen (2012) | x | Rational choice theory | ||||
Vance et al (2012) | x | Protection motivation theory, habit theory | ||||
Vance et al (2013) | x | Theory of accountability | ||||
Vance et al (2015) | x | Accountability theory | ||||
von Solms (1999) | x | Not applicable or none noted | ||||
Wall (2013) | x | x | Not applicable or none noted | |||
Wall et al (2013) | Self-determination theory, psychological reactance theory | |||||
Warkentin et al (2011) | x | Social learning theory | ||||
Warman (1992) | x | Not applicable or none noted | ||||
Wiant (2005) | x | Deterrence theory | ||||
Wood (1982) | x | x | Not applicable or none noted | |||
Workman et al (2008) | x | Threat control model, social cognitive theory, protection motivation theory | ||||
Xue et al (2011) | x | Technology acceptance model | ||||
Yazdanmehr & Wang (2016) | x | Norm activation theory, social norms theory | ||||
Zhang et al (2009) | x | Risk compensation theory, theory of planned behavior | ||||
Total articles | 20 | 15 | 81 | 4 | 6 |
Appendix G: Overview of Supplementary Theories and Approaches
Informing theory or approach | Summary | Boundary conditions and assumptions | Limitations | References |
|---|---|---|---|---|
Control theory | Control theory examines the managerial design and implementation of mechanisms that attempt to affect the behavior of another person or group as a means to achieve organizational goals. Key areas of focus include the antecedents to control choice (e.g., behavior observability) and the characteristics of control (e.g., control mode, degree, style) | Control theory assumes a clear division of roles between controllers (e.g., managers) and controllees (e.g., staff) Control theory focuses primarily around the controller’s concern for the organization’s ability to capture value | Where organizational structure and job roles are ambiguous, control theory is less helpful in clarifying controller–controlee interactions Control research within IS has been largely focused on systems development processes | Cram et al (2016b), Davis (1940), Flamholtz et al (1985), Remus et al (2015), Tannenbaum (1962), Wiener et al (2016) |
Institutional theory | Institutional theory considers the norms, processes, and routines within organizations associated with social behavior | Where organizational structures are viewed as being legitimate, fair, and just, employees are more likely to perform their responsibilities more effectively, including complying with rules and regulations | Institutional theory deemphasizes the individual interests of actors, in favor of institutional influences | DiMaggio (1988), Jaffee (1991), Meyer and Rowan (1977), Niehoff and Moorman (1993), Schnedler and Vadovic (2011), Scott (1987), Workman (2009) |
Replication and longitudinal research | Replication research seeks to obtain the same results as previous studies by either reproducing similar conditions or deliberately introducing variations to the conditions (e.g., data set, population) of the original study Longitudinal research draws on data from multiple points in time | Replication research relies on the prior publication of work that allows for a reproduction of similar study conditions or a deliberate variation of particular study conditions Longitudinal research aims to identify causal factors by uncovering changes that occur over time | Replication research is not always identified as such and comprises only a small proportion of published research Longitudinal research introduces challenges in terms of data collection difficulties (e.g., finding organizations or individuals willing to participate on multiple occasions) | Lindsay and Ehrenberg (1993), Salterio (2014), Tsang and Kwan (1999) |
Agency theory | Agency theory examines the relationship between two parties, the principal and agent, and the challenges that arise from their conflicting goals and the limited ability of the principal to oversee the agent’s work | Applications of agency theory commonly assume that (1) agents act primarily out of self-interest; (2) the goals of principals and agents conflict; and (3) information asymmetry exists between principals and agents Agency relationships can apply in a variety of settings, including owner-manager and manager-subordinate | Agency theory is most useful in situations where principal–agent goal conflict and/or information asymmetry is high Agency theory has been criticized for being narrow in scope and difficult to test | Eisenhardt (1989), Jensen and Meckling (1976), Perrow (1986), Sharma (1997), Zsidisin and Ellram (2003) |
Work systems theory, cybernetics | Work systems theory considers the circumstances where humans and machines perform work using information and technology, while accounting for the planned and unplanned changes that occur within such systems. A cybernetic process is one that uses a feedback loop to set goals, determine achievement against those goals, and make ongoing corrections | Systems and processes are standardized and measurable. Where performance variances are identified within the systems, the related information can be used to resolve the problems that exist. Work systems theory and cybernetics can apply to both technical processes, as well as sociotechnical systems | In processes that are unstandardized, difficult to measure, or information isn’t available to make corrections, feedback loops may be less helpful |
Rights and permissions
About this article
Cite this article
Cram, W.A., Proudfoot, J.G. & D’Arcy, J. Organizational information security policies: a review and research framework. Eur J Inf Syst 26, 605–641 (2017). https://doi.org/10.1057/s41303-017-0059-9
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1057/s41303-017-0059-9