Litcius/Paper detail

Exploring the Influence of Direct and Indirect Factors on Information Security Policy Compliance: A Systematic Literature Review

Mada Alassaf, Ali Alkhalifah

2021IEEE Access41 citationsDOIOpen Access PDF

Abstract

Information systems security is considered one of the key issues concerning organizations’ management. Despite the massive investment that organizations make to safeguard their systems, there are still many internal security breaches. The increase in insider threats to information systems can be related to the employees’ compliance toward information security policy. Several review papers were conducted to explore information security policy compliance behavior research. However, the literature lacks insight into the positive and negative (direct or indirect) influence of human and organizational theories and their factors influencing information security policy compliance behavior. Therefore, this paper provides a systematic literature review synthesizing the psychological theories, organizational theories, and other internal and external factors on information security policy compliance researches. The results analysis of 87 studies showed that the general deterrence theory, theory of planned behavior, and protection motivation theory are the most frequently used. The influencing factors of theories are mostly similar in the results. Furthermore, information security education, training and awareness, trust, and leadership, among many other internal and external factors, are highly used. This study is one of the first researches that explores the relationship types among the influencing factors; emphasizing the direct and indirect effect, and information security policy compliance behavior. This paper also identifies some gaps in information security policy compliance behavior research and proposes future works. In addition, it provides a theoretical contribution and practical insight in the context of information security policy compliance.

Topics & Concepts

Information securityInformation security managementInformation security standardsSecurity policyInsider threatDeterrence theoryKnowledge managementContext (archaeology)BusinessCritical security studiesStandard of Good PracticeSecurity information and event managementSystematic reviewInsiderSecurity convergenceCompliance (psychology)ThreatInformation systemComputer securitySecurity managementInformation security auditSecurity engineeringCertified Information Security ManagerPublic relationsRisk analysis (engineering)Information systems securityComputer scienceInformation technologyNetwork security policyCorporate securityAsset (computer security)Theory of planned behaviorCloud computing securitySecurity studiesInformation protection policyComputer security modelInternal securityInformation and Cyber SecurityAccess Control and TrustNetwork Packet Processing and Optimization
Exploring the Influence of Direct and Indirect Factors on Information Security Policy Compliance: A Systematic Literature Review | Litcius