Information security policy compliance behavior models, theories, and influencing factors: a systematic literature review

Abstract

The paper aims to identify information security policy compliance behavior models, their respected theories, and influencing factors. This is the first and most current comprehensive systematic review of information security policy compliance models, theories, and influencing factors. A systematic review of empirical studies from twelve online databases was conducted. This review resulted in thirty-two (32) information security policy compliance behavior models proposed in different domains comprising various theories, concepts, and influencing factors. The results showed the importance of this issue among the researchers and a major limitation found was generalizability. Twenty (20) primary theories were extracted from the identified studies and found the theory of planned behavior and the protection motivation theory are the most trusted and reliable theories in information security policy compliance behavior models. Further analyses identified sixty (60) influencing factors and their alternative names and definitions. The most promising factors (high usage) of importance in descending orders are subjective norms, self-efficacy, attitudes, perceived benefits, threat vulnerability, threat severity, response efficacy, response cost, and experience. Besides that, factors such as self-efficacy, attitude, perceived benefit, threat severity, response efficacy, sanction severity, personal norms, experience, and training support were found and proved to be positively associated with the intention of compliance and considered robust for increasing information security compliance intention behavior. The results of this research can offer valuable information to fellow researchers in listing the models, their limitations, theories that are trustable, and influence factors that are critical for building a better model in the future.