Title: Exploring the factors influencing information security policy compliance and violations: A systematic literature review
Authors: Balagopal N, Saji K Mathew
DOI: 10.1016/j.cose.2024.104062
Journal: Computers & Security (JCR Q1, Computer Science, Information Systems; impact factor 4.8)
Publication type: Journal Article
Publication date: 2024-08-24
Open access: no
URL: https://www.sciencedirect.com/science/article/pii/S0167404824003675
Citations: 0
Abstract
Despite advancements in security technology, the prevalence of insider threats has been on the rise in recent years. Organizations implement Information Security Policies (ISPs) that outline the expected security-related behavior and compliance standards for employees. Ensuring and enhancing ISP compliance and reducing violations is crucial for organizations to maintain their security posture. This Systematic Literature Review (SLR) aims to synthesize the existing research on ISP compliance and violations to identify the underlying factors behind employee policy violations and delve into the factors that promote compliance with ISPs. In order to provide a theoretical foundation for understanding these behaviors, this SLR identifies the prominent theories used to explain ISP compliance and violation. A comprehensive search is conducted across different academic databases, applying defined inclusion and exclusion criteria to select the relevant studies between 2012 and 2023. To understand intentional violations, we categorize and analyze studies on ISP violations based on Moral Disengagement, Neutralization and Deterrence, Stress, and Monitoring mechanisms. For ISP compliance, we categorize and analyze studies based on individual-level decision-making and organizational-level factors. We identified forty-seven factors that influence compliance behavior and forty-one factors that determine non-compliance behavior. Fourteen common factors were identified from prior literature, which were determinants of both compliance and violation behaviors, with opposite directions of influence. By considering both compliance and noncompliance simultaneously, organizations can develop more effective strategies for enhancing compliance and mitigating noncompliance.
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at professionals involved with computer security, audit, control and data integrity in all sectors: industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.