article

Seeing the forest and the trees: a meta-analysis of the antecedents to information security policy compliance

Authors:

Jeffrey G. ProudfootAuthors Info & Claims

MIS Quarterly, Volume 43, Issue 2

Pages 525 - 554

https://doi.org/10.25300/MISQ/2019/15117

Published: 01 June 2019 Publication History

Abstract

A rich stream of research has identified numerous antecedents to employee compliance (and noncompliance) with information security policies. However, the number of competing theoretical perspectives and inconsistencies in the reported findings have hampered efforts to attain a clear understanding of what truly drives this behavior. To address this theoretical stalemate and build toward a consensus on the key antecedents of employees' security policy compliance in different contexts, we conducted a meta-analysis of the relevant literature. Drawing on 95 empirical papers, we classified 401 independent variables into 17 distinct categories and analyzed each category's relationship with security policy compliance, including an analysis for possible domain-specific moderators. A meta-analytic relative weight analysis determined the relative importance of each category in predicting security policy compliance, while adding robustness to our findings. At a broad level, our results suggest that much of the security policy compliance literature is plagued by suboptimal theoretical framing. Our findings can facilitate more refined theory-building efforts in this research domain and serve as a guide for practitioners to manage security policy compliance initiatives.

References

[1]

Ajzen, I. 1991. "The Theory of Planned Behavior," Organizational Behavior and Human Decision Processes (50:2), pp. 179-211.

[2]

Aquino, K., and Reed, A. 2002. "The Self-Importance of Moral Identity," Journal of Personality and Social Psychology (83:6), pp. 1423-1440.

[3]

Association for Information Systems. 2017. "AISWorld List Usage Policy and Conditions" (https://aisnet.org/?ISWorldServPolicies; retrieved January 27, 2018).

[4]

Balozian, P., and Leidner, D. 2017. "Review of IS Security Compliance: Toward the Building Blocks of an IS Security Theory," The DATA BASE for Advances in Information Systems (48:3), pp. 11-43.

Digital Library

[5]

Bandara, W., Furtmueller, E., Gorbacheva, E., Miskon, S., and Beekhuyzen, J. 2015. "Achieving Rigor in Literature Reviews: Insights from Qualitative Data Analysis and Tool-Support," Communications of the AIS (34:8), pp. 154-204.

[6]

Bandura, A. 1977. "Self-Efficacy: Toward a Unified Theory of Behavioral Change," Psychological Review (84:2), pp. 191-215.

[7]

Bauer, S., and Bernroider, E. W. N. 2017. "From Information Security Awareness to Reasoned Compliant Action: Analyzing Information Security Policy Compliance in a Large Banking Organization," The DATA BASE for Advances in Information Systems (48:3), pp. 44-68.

Digital Library

[8]

Bergh, D. D., Aguinis, H., Heavey, C., Ketchen, D. J., Boyd, B. K., Su, P., Lau, C. L. L., and Joo, H. 2016. "Using Metaanalytic Structural Equation Modeling to Advance Strategic Management Research: Guidelines and an Empirical Illustration Via the Strategic Leadership–Performance Relationship," Strategic Management Journal (37:3), pp. 477-497.

[9]

Borenstein, M., Hedges, L. V., Higgins, J. P., and Rothstein, H. R. 2009. Introduction to Meta-Analysis, Chichester, UK: John Wiley & Sons, Ltd.

[10]

Boss, S. R., Galletta, D., Moody, G. D., Lowry, P. B., and Polak, P. 2015. "What Do Users Have to Fear? Using Fear Appeals to Engender Threats and Fear That Motivate Protective Behaviors in Users," MIS Quarterly (39:4), pp. 837-864.

Digital Library

[11]

Bulgurcu, B., Cavusoglu, H., and Benbasat, I. 2010. "Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness," MIS Quarterly (34:3), pp. 523-548.

Digital Library

[12]

Chin, W., Thatcher, J., and Wright, R. 2012. "Assessing Common Method Bias: Problems with the ULMC Technique," MIS Quarterly (36:3), pp. 1003-1019.

Digital Library

[13]

Chu, A. M. Y., Chau, P. Y. K., and So, M. K. P. 2015. "Explaining the Misuse of Information Systems Resources in the Workplace: A Dual-Process Approach," Journal of Business Ethics (131:1), pp. 209-225.

[14]

Cohen, J. 1960. "A Coefficient of Agreement for Nominal Scales," Educational and Psychological Measurement (20:1), pp. 37-46.

[15]

Cohen, J. 1988. Statistical Power Analysis for the Behavioral Sciences (2^nd ed.), Hillsdale, NJ: Lawrence Erlbaum Associates.

[16]

Cohen, J., Cohen, P., West, S. G., and Aiken, L. S. 2003. Applied Multiple Regression/Correlation Analysis for the Behavioral Sciences, Mahwah, NJ: Lawrence Erlbaum Associates.

[17]

Colquitt, J. A., Conlon, D. E., Wesson, M. J., Porter, C. O. L. H., and Ng, K. Y. 2000. "Justice at the Millennium: A Meta-Analytic Review of 25 Years of Organizational Justice Research," The Journal of Applied Psychology (86:3), pp. 425-445.

[18]

Cooper, H., Hedges, L. V., and Valentine, J. C. (eds.). 2009. The Handbook of Research Synthesis and Meta-Analysis, New York: Russell Sage Foundation.

Digital Library

[19]

Cram, W. A., Proudfoot, J. G., and D'Arcy, J. 2017. "Organizational Information Security Policies: A Review and Research Framework," European Journal of Information Systems (26:6), pp. 605-641.

[20]

Crossler, R. E., Johnston, A. C., Lowry, P. B., Hu, Q., Warkentin, M., and Baskerville, R. 2013. "Future Directions for Behavioral Information Security Research," Computers & Security (32), pp. 90-101.

Digital Library

[21]

D'Arcy, J., and Greene, G. 2014. "Security Culture and the Employment Relationship as Drivers of Employees' Security Compliance," Information Management & Computer Security (22:5), pp. 474-489.

[22]

D'Arcy, J., and Herath, T. 2011. "A Review and Analysis of Deterrence Theory in the IS Security Literature: Making Sense of the Disparate Findings," European Journal of Information Systems (29:6), pp. 643-658.

[23]

D'Arcy, J., Herath, T., and Shoss, M. K. 2014. "Understanding Employee Responses to Stressful Information Security Requirements: A Coping Perspective," Journal of Management Information Systems (31:2), pp. 285-318.

[24]

Dennis, A. R., Wixom, B. H., and Vandenberg, R. J. 2001. "Understanding Fit and Appropriation Effects in Group Support Systems Via Meta-Analysis," MIS Quarterly (25:2), pp. 167-193.

Digital Library

[25]

Dickersin, K. 2005. "Publication Bias: Recognizing the Problem, Understanding Its Origins, and Scope, and Preventing Harm," in Publication Bias in Meta Analysis: Prevention, Assessment, and Adjustments, H. R. Rothstein, A. J. Sutton, and M. Borenstein (eds.), Chichester, UK: John Wiley & Sons, Ltd., pp. 11-33.

[26]

Dimoka, A. 2010. "What Does the Brain Tell Us About Trust and Distrust? Evidence from a Functional Neuroimaging Study," MIS Quarterly (34:2), pp. 373-396.

Digital Library

[27]

Doi, S. A. R., Barendregt, J. J., Khan, S., Thalib, L., and Williams, G. M. 2015. "Advances in the Meta-Analysis of Heterogeneous Clinical Trials I: The Inverse Variance Heterogeneity Model," Contemporary Clinical Trials (45:Part A), pp. 130-138.

[28]

Foth, M. 2016. "Factors Influencing the Intention to Comply with Data Protection Regulations in Hospitals: Based on Gender Differences in Behaviour and Deterrence," European Journal of Information Systems (25:2), pp. 91-109.

[29]

Geganfurtner, A. 2011. "Comparing Two Handbooks of Meta-Analysis: Review of Hunter & Schmidt, Methods of Meta-Analysis: Correcting Error and Bias in Research Findings, and Borenstein, Hedges, Higgins, and Rothstein, Introduction to Meta-Analysis," Vocations and Learning (4:-), pp. 169-174.

[30]

Gerow, J. E., Ayyagari, R., Thatcher, J., and Roth, P. L. 2013. "Can We Have Fun @ Work? The Role of Intrinsic Motivation for Utilitarian Systems," European Journal of Information Systems (22:3), pp. 360-380.

[31]

Gerow, J. E., Grover, V., Thatcher, J., and Roth, P. L. 2014. "Looking Toward the Future of IT-Business Strategic Alignment through the Past: A Meta-Analysis," MIS Quarterly (38:4), pp. 1159-1185.

Digital Library

[32]

Glass, G. V. 1976. "Primary, Secondary, and Meta-Analysis of Research," Review of Research in Education (5:10), pp. 351-379.

[33]

Goo, J., Yim, M.-S., and Kim, D. J. 2014. "A Path to Successful Management of Employee Security Compliance: An Empirical Study of Information Security Climate," IEEE Transactions on Professional Communication (57:4), pp. 286-308.

[34]

Guo, K. H. 2013. "Security-Related Behavior in Using Information Systems in the Workplace: A Review and Sy nthesis," Computers & Security (32:-), pp. 242-251.

Digital Library

[35]

Harrington, S. J. 1996. "The Effect of Codes of Ethics and Personal Denial of Responsibility on Computer Abuse Judgements and Intentions," MIS Quarterly (20:3), pp. 257-278.

Digital Library

[36]

He, J., and King, W. R. 2008. "The Role of User Participation in Information Systems Development: Implications from a Meta-Analysis," Journal of Management Information Systems (25:1), pp. 301-331.

Digital Library

[37]

Hedges, L. V., and Pigott, T. D. 2001. "The Power of Statistical Tests in Meta-Analysis," Psychological Methods (6:3), pp. 203-217.

[38]

Herath, T., and Rao, H. R. 2009a. "Encouraging Information Security Behaviors in Organizations: Role of Penalties, Pressures and Perceived Effectiveness," Decision Support Systems (47:2), pp. 154-165.

Digital Library

[39]

Herath, T., and Rao, H. R. 2009b. "Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organisations," European Journal of Information Systems (18:2), pp. 106-125.

[40]

Hopewell, S., Clarke, M., and Mallett, S. 2005. "Grey Literature and Systematic Reviews," in Publication Bias in Meta Analysis: Prevention, Assessment, and Adjustments, H. R. Rothstein, A. J. Sutton, and M. Borenstein (eds.), Chichester, UK: John Wiley & Sons, Ltd., pp. 49-72.

[41]

Hovav, A., and D'Arcy, J. 2012. "Applying an Extended Model of Deterrence Across Cultures: An Investigation of Information Systems Misuse in the U.S. and South Korea," Information & Management (49:2), pp. 99-110.

Digital Library

[42]

Hui, K. L., Vance, A., and Zhdanov, D. 2016. "Securing Digital Assets," in MIS Quarterly Research Curations (https://misq.org/research-curations/).

[43]

Hunt, M. 1997. How Science Takes Stock: The Story of Meta-Analysis, New York: Russell Sage Foundation.

[44]

Hwang, M. I. 2014. "Disentangling the Effect of Top Management Support and Training on Systems Implementation Success: A Meta-Analysis," Communications of the AIS (35:2), pp. 19-37.

[45]

Ifinedo, P. 2012. "Understanding Information Systems Security Policy Compliance: An Integration of the Theory of Planned Behavior and the Protection Motivation Theory," Computers & Security (31:1), pp. 83-95.

Digital Library

[46]

Jenkins, J. L., and Durcikova, A. 2013. "What, I Shouldn't Have Done That? The Influence of Training and Just-in-Time Reminders on Secure Behavior," in Proceedings of the 34^th International Conference on Information Systems, Milan, Italy.

[47]

Jenkins, J. L., Durcikova, A., Ross, G., and Nunamaker Jr., J. F. 2010. "Encouraging Users to Behave Securely: Examining the Influence of Technical, Managerial, and Educational Controls on Users' Secure Behavior," in Proceedings of the 31^st International Conference on Information Systems, St. Louis, MO.

[48]

Jiang, K., Lepak, D. P., Hu, J., and Baer, J. 2012. "How Does Human Resource Management Influence Organizational Outcomes? A Meta-Analytic Investigation of Mediating Mechanisms," Academy of Management Journal (55:6), pp. 1264-1294.

[49]

Johnson, J. W. 2000. "A Heuristic Method for Estimating the Relative Weight of Predictor Variables in Multiple Regression," Multivariate Behavioral Research (35:1), pp. 1-19.

[50]

Johnson, J. W., and LeBreton, J. M. 2004. "History and Use of Relative Importance Indices in Organizational Research," Organizational Research Methods (7:3), pp. 238-257.

[51]

Johnston, A. C., Warkentin, M., and Siponen, M. 2015. "An Enhanced Fear Appeal Rhetorical Framework: Leveraging Threats to the Human Asset through Sanctioning Rhetoric," MIS Quarterly (39:1), pp. 113-134.

Digital Library

[52]

Joseph, D., Ng, K.-Y., Koh, C., and Ang, S. 2007. "Turnover of Information Technology Professionals: A Narrative Review, Meta-Analytic Structural Equation Modeling, and Model Development," MIS Quarterly (31:3), pp. 547-577.

Digital Library

[53]

Kam, H.-J., Katerattanakul, P., and Hong, S.-G. 2015. "A Tale of Two Cities: Policy Compliance of the Banks in the United States and South Korea," European Conference on Information Systems, Münster, Germany.

[54]

Kaspersky Lab. 2017. "Human Factor in IT Security: How Employees Are Making Businesses Vulnerable from Within" (https://usa.kaspersky.com/about/press-releases/2017_kaseprsky-lab-survey-one-in-four-hide-cybersecurity-incidents-from-their-employers; retrieved October 4, 2017).

[55]

Kepes, S., Banks, G. C., McDaniel, M., and Whetzel, D. L. 2012. "Publication Bias in the Organizational Sciences," Organizational Research Methods (15:4), pp. 624-662.

[56]

Kinnunen, S. 2016. "Exploring Determinants of Different Information Security Behaviors," Master's Thesis, University of Jyväskylä.

[57]

Kohlberg, L. 1969. "Stage and Sequence: The Cognitive Developmental Approach to Socialization," in Handbook of Socialization Theory, D. A. Goslin (ed.),Chicago: Rand McNally, pp. 347-380.

[58]

Kohli, R., and Devaraj, S. 2003. "Measuring Information Technology Payoff: A Meta-Analysis of Structural Variables in Firm-Level Empirical Research," Information Systems Research (14:2), pp. 127-145.

Digital Library

[59]

Kotulic, A. G., and Clark, J. G. 2004. "Why There Aren't More Information Security Research Studies," Information & Management (41:5), pp. 597-607.

Digital Library

[60]

Landis, J. R., and Koch, G. G. 1977. "The Measurement of Observer Agreement for Categorical Data," Biometrics (33:1), pp. 159-174.

[61]

Lee, G., and Xia, W. 2006. "Organizational Size and IT Innovation Adoption: A Meta-Analysis," Information & Management (43:8), pp. 975-985.

Digital Library

[62]

Li, H., and Luo, X. 2017. "The Role of Situational Moral Judgment and Deterrence on Information Security Policy Violation," in Proceedings of 1^st International Conference on Internet Plus, Big Data & Business Innovation, Beijing, China.

[63]

Li, H., Sarathy, R., Zhang, J., and Luo, X. 2014. "Exploring the Effects of Organizational Justice, Personal Ethics and Sanction on Internet Use Policy Compliance," Information Systems Journal (24:6), pp. 479-502.

Digital Library

[64]

Li, H., Zhang, J., and Sarathy, R. 2010. "Understanding Compliance with Internet Use Policy from the Perspective of Rational Choice Theory," Decision Support Systems (48:4), pp. 635-645.

Digital Library

[65]

Liang, H., and Xue, Y. 2010. "Understanding Security Behaviors in Personal Computer Usage: A Threat Avoidance Perspective," Journal of the Association for Information Systems (11:7), pp. 394-413.

[66]

Liberati, A., Altman, D. G., Tetzlaff, J., Mulrow, C., Gøtzsche, P. C., Ioannidis, J. P. A., Clarke, M., Devereaux, P. J., Kleijnen, J., and Moher, D. 2009. "The Prisma Statement for Reporting Systematic Reviews and Meta-Analyses of Studies That Evaluate Health Care Interventions: Explanation and Elaboration," PLoS Medicine (6:7), pp. 1-28.

[67]

Lipsey, M. W., and Wilson, D. B. 2001. Practical Meta-Analysis, Thousand Oaks, CA: SAGE Publications.

[68]

Long, J. 2001. "An Introduction to and Generalization of the "FailSafe N"," paper presented at the annual meeting of the Southwest Educational Research Association, New Orleans, LA.

[69]

Lowry, P. B., Dinev, T., and Willison, R. 2017. "Why Security and Privacy Research Lies at the Centre of the Information Systems (IS) Artefact: Proposing a Bold Research Agenda," European Journal of Information Systems (26:6), pp. 546-563.

[70]

Lowry, P. B., and Moody, G. D. 2015. "Proposing the Control-Reactance Compliance Model (CRCM) to Explain Opposing Motivations to Comply with Organisational Information Security Policies," Information Systems Journal (25:5), pp. 465-488.

Digital Library

[71]

Malhotra, N. K., Kim, S. S., and Patil, A. 2006. "Common Method Variance in IS Research: A Comparison of Alternative Approaches and a Reanalysis of Past Research," Management Science (52:12), pp. 1865-1883.

Digital Library

[72]

McDaniel, M., Rothstein, H. R., and Whetzel, D. L. 2006. "Publication Bias: A Case Study of Four Test Vendors," Personnel Psychology (59:4), pp. 927-953.

[73]

McFerran, B., Aquino, K., and Duffy, M. 2010. "How Personality and Moral Identity Relate to Individuals' Ethical Ideology," Business Ethics Quarterly (20:1), pp. 35-56.

[74]

Moody, G. D., Siponen, M., and Pahnila, S. 2018. "Toward a Unified Model of Information Security Policy Compliance," MIS Quarterly (42:1), pp. 285-331.

[75]

Myyry, L., Siponen, M., Pahnila, S., Vartiainen, T., and Vance, A. 2009. "What Levels of Moral Reasoning and Values Explain Adherence to Information Security Rules? An Empirical Study," European Journal of Information Systems (18:2), pp. 126-139.

[76]

O'Boyle Jr., E. H., Humphrey, R. H., Pollack, J. M., Hawver, T. H., and Story, P. A. 2011. "The Relation between Emotional Intelligence and Job Performance: A Meta-Analysis," Journal of Organizational Behavior and Human Decision Processes (32:5), pp. 788-818.

[77]

Ormond, D., Warkentin, M., and Crossler, R. E. 2019. "Integrating Cognition with an Affective Lens to Better Understand Information Security Policy Compliance," Journal of the Association for Information Systems (forthcoming).

[78]

Pahnila, S., Karjalainen, M., and Siponen, M. 2013. "Information Security Behavior: Towards Multi-Stage Models," in Proceedings of the Pacific Asia Conference on Information Systems, Jeju Island, South Korea.

[79]

Parker, D. B. 1998. Fighting Computer Crime: A New Framework for Protecting Information, New York: Wiley.

Digital Library

[80]

Podsakoff, P. M., MacKenzie, S. B., Lee, J.-Y., and Podsakoff, N. P. 2003. "Common Method Bias in Behavioral Research: A Critical Review of the Literature and Recommended Remedies," Journal of Applied Psychology (88:5), pp. 879-903.

[81]

Ponemon Institute. 2016. "Managing Insider Risk through Training & Culture," Ponemon Institute© Research Report, Traverse City, MI.

[82]

Posey, C., Roberts, T. L., Lowry, P. B., and Hightower, R. T. 2014. "Bridging the Divide: A Qualitative Comparison of Information Security Thought Patterns between Information Security Professionals and Ordinary Organizational Insiders," Information & Management (51), pp. 551-567.

[83]

Pratt, T. C., Cullen, F. T., Blevins, K. R., Daigle, L. E., and Madensen, T. D. 2006. "The Empirical Status of Deterrence Theory: A Meta-Analysis," in Taking Stock: The Status of Criminological Theory, F. T. Cullen, J. P. Wright, and K. R. Blevins (eds.), New Brunswick, NJ: Transaction Publishers, pp. 37-76.

[84]

Puhakainen, P., and Siponen, M. 2010. "Improving Employees' Compliance through Information Systems Security Training: An Action Research Study," MIS Quarterly (34:4), pp. 757-778.

Digital Library

[85]

PwC. 2016. "The Global State of Information Security Survey 2016" (http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html; retrieved January 30, 2017).

[86]

Richardson, H. A., Simmering, M. J., and Sturman, M. C. 2009. "A Tale of Three Perspectives: Examining Post Hoc Statistical Techniques for Detection and Correction of Common Method Variance," Organizational Research Methods (12:4), pp. 762-800.

[87]

Rosenberg, M. S. 2005. "The File-Drawer Problem Revisited: A General Weighted Method for Calculating Fail-Safe Numbers in Meta-Analysis," Evolution (59:2), pp. 464-468.

[88]

Rosenthal, R. 1979. "The "File Drawer Problem" and Tolerance for Null Results," Psychological Bulletin (86:3), pp. 638-641.

[89]

Rothstein, H. R., Sutton, A. J., and Borenstein, M. 2005. "Publication Bias in Meta-Analysis," in Publication Bias in Meta Analysis: Prevention, Assessment, and Adjustments, H. R. Rothstein, A. J. Sutton, and M. Borenstein (eds.), Chichester, UK: John Wiley & Sons, Ltd., pp. 1-7.

[90]

Sabherwal, R., Jeyaraj, A., and Chowa, C. 2006. "Information System Success: Individual and Organizational Determinants," Management Science (52:12), pp. 1849-1864.

Digital Library

[91]

Schmidt, F. L. 1996. "Statistical Significance Testing and Cumulative Knowledge in Psychology: Implications for Training of Researchers," Psychological Methods (1:2), pp. 115-129.

[92]

Schmidt, F. L., and Hunter, J. E. 2015. Methods of Meta-Analysis: Correcting Error and Bias in Research Findings (3^rd ed.), Thousand Oaks, CA: SAGE Publications.

[93]

Schmidt, F. L., and Le, H. 2014. "Software for the Hunter-Schmidt Meta-Analysis Methods, Version 2.0," unpublished paper, Department of Management & Organizations, University of Iowa,

[94]

Schryen, G. 2015. "Writing Qualitative IS Literature Reviews— Guidelines for Synthesis, Interpretation, and Guidance of Research," Communications of the Association for Information Systems (37:12), pp. 286-325.

[95]

Schultze, R. 2007. "Current Methods for Meta-Analysis: Approaches, Issues, and Developments," Zeitschrift für Psychologie (Journal of Psychology) (215:2), pp. 90-103.

[96]

Sharma, R., and Yetton, P. 2003. "The Contingent Effects of Management Support and Task Interdependence on Successful Information Systems Implementation," MIS Quarterly (27:4), pp. 533-555.

Digital Library

[97]

Sharma, R., Yetton, P., and Crawford, J. 2009. "Estimating the Effect of Common Method Variance: The Method-Method Pair Technique with an Illustration from TAM Research," MIS Quarterly (33:3), pp. 473-490.

Digital Library

[98]

Shropshire, J., Warkentin, M., and Sharma, S. 2015. "Personality, Attitudes, and Intentions: Predicting Initial Adoption of Information Security Behavior," Computers & Security (49), pp. 177-191.

Digital Library

[99]

Silberman, M. 1976. "Toward a Theory of Criminal Deterrence," American Sociological Review (41:3), pp. 442-461.

[100]

Siponen, M. 2000. "A Conceptual Foundation for Organizational Information Security Awareness," Information Management & Computer Security (8:1), pp. 31-41.

[101]

Siponen, M., Mahmood, M. A., and Pahnila, S. 2014. "Employees' Adherence to Information Security Policies: An Exploratory Field Study," Information & Management (51:2), pp. 217-224.

Digital Library

[102]

Siponen, M., and Vance, A. 2014. "Guidelines for Improving the Contextual Relevance of Field Surveys: the Case of Information Security Policy Violations," European Journal of Information Systems (23:3), pp. 289-305.

[103]

Sommestad, T., and Hallberg, J. 2013. "A Review of the Theory of Planned Behaviour in the Context of Information Security Policy Compliance," in Proceedings of the IFIP International Information Security Conference: Security and Privacy Protection in Information Systems Processing, E. Janczewski, H. Wolf, and S. Shenoi (eds.), Berlin: Springer, pp. 257-271.

[104]

Sommestad, T., Hallberg, J., Lundholm, K., and Bengtsson, J. 2014. "Variables Influencing Information Security Policy Compliance: A Systematic Review of Quantitative Studies," Information Management & Computer Security (22:1), pp. 42-75.

[105]

Sommestad, T., Karlzén, H., and Hallberg, J. 2015. "A Meta-Analysis of Studies on Protection Motivation Theory and Information Security Behaviour," International Journal of Information Security and Privacy (9:1), pp. 26-46.

Digital Library

[106]

Spears, J. L., and Barki, H. 2010. "User Participation in Information Systems Security Risk Management," MIS Quarterly (34:3), pp. 503-522.

Digital Library

[107]

Sterne, J. A. C., Gavaghan, D., and Egger, M. 2000. "Publication and Related Bias in Meta-Analysis: Power of Statistical Tests and Prevalence in the Literature," Journal of Clinical Epidemiology (53:11), pp. 1119-1129.

[108]

Straub, D. 1986. "Deterring Compute Abuse: The Effectiveness of Deterrent Countermeasures in the Computer Security Environment," unpublished D.B.A. Thesis, Indiana University.

[109]

Straub, D. 1990. "Effective IS Security: An Empirical Study," Information Systems Research, (1:3), pp. 255-276.

Digital Library

[110]

Straub, D., and Burton-Jones, A. 2007. "Veni, Vidi, Vici: Breaking the TAM Logjam," Journal of the AIS (8:4), pp. 223-229.

[111]

Sutton, A. J. 2006. "Evidence Concerning the Consequences of Publication and Related Biases," in Publication Bias in Meta-Analysis: Prevention, Assessment and Adjustments, H. R. Roth-stein, A. J., Sutton and M. Borenstein (eds.), Chichester, UK: John Wiley & Sons, Ltd., pp. 175-192.

[112]

Sutton, S. G., Song, F., Gilbody, S. M., and Abrams, K. R. 2000. "Modelling Publication Bias in Meta-Analysis: A Review," Statistical Methods in Medical Research (9:5), pp. 421-445.

[113]

Templier, M., and Paré, G. 2015. "A Framework for Guiding and Evaluating Literature Reviews," Communications of the AIS (37:6), pp. 112-137.

[114]

Thatcher, J., Wright, R., Sun, H., Zagenczyk, T. J., and Klein, R. 2018. "Mindfulness in Information Technology Use: Definitions, Distinctions, and a New Measure," MIS Quarterly (42:3), pp. 831-847.

[115]

Theoharidou, M., Kokolakis, S., Karyda, M., and Kiountouzis, E. 2005. "The Insider Threat to Information Systems and the Effectiveness of ISO17799," Computers & Security (24:6), pp. 472-484.

Digital Library

[116]

Thomson, M. E., and von Solms, R. 1998. "Information Security Awareness: Educating Your Users Effectively," Information Management & Computer Security (6:4), pp. 167-173.

[117]

Tonidandel, S., and LeBreton, J. M. 2011. "Relative Importance Analyses: A Useful Supplement to Multiple Regression Analyses," Journal of Business and Psychology (26:1), pp. 1-9.

[118]

Tonidandel, S., and LeBreton, J. M. 2015. "RWA Web: A Free, Comprehensive, Web-Based, and User-Friendly Tool for Relative Weight Analyses," Journal of Business and Psychology (30:2), pp. 207-216.

[119]

Triandis, H. C. 1977. Interpersonal Behavior. Monterey, CA: Brooks/Cole Publishing Company.

[120]

Valentine, J. C., Piggott, T. D., and Rothstein, H. R. 2010. "How Many Studies Do You Need? A Primer on Statistical Power for Meta-Analysis," Journal of Educational and Behavioral Statistics (35:2), pp. 215-247.

[121]

Vance, A., Anderson, B. B., Kirwan, C. B., and Eargle, D. 2014. "Using Measures of Risk Perception to Predict Information Security Behavior: Insights from Electroencephalography (EEG)," Journal of the AIS (15:10), pp. 679-722.

[122]

Venkatesh, V., Morris, M. G., Davis, G. B., and Davis, F. D. 2003. "User Acceptance of Information Technology: Toward a Unified View," MIS Quarterly (27:3), pp. 425-478.

Digital Library

[123]

Viswesvaran, C., and Ones, D. S. 1995. "Theory Testing: Combining Psychometric Meta-Analysis and Structural Equations Modeling," Personnel Psychology (48:4), pp. 865-885.

[124]

vom Brocke, J., Simons, A., Riemer, K., Niehaves, B., and Plattfaut, R. 2015. "Standing on the Shoulders of Giants: Challenges and Recommendations of Literature Search in Information Systems Research," Communications of the AIS (37:9), pp. 205-224.

[125]

Warkentin, M., Johnston, A. C., and Shropshire, J. 2011. "The Influence of the Informal Social Learning Environment on Information Privacy Policy Compliance Efficacy and Intention," European Journal of Information Systems (20:3), pp. 267-284.

[126]

Webster, J., and Watson, R. T. 2002. "Analyzing the Past to Prepare for the Future: Writing a Literature Review," MIS Quarterly (26:2), pp. xiii-xxiii.

Digital Library

[127]

Whitener, E. M. 1990. "Confusion of Confidence Intervals and Credibility Intervals in Meta-Analysis," Journal of Applied Psychology (75:3), pp. 315-321.

[128]

Willison, R., and Warkentin, M. 2013. "Beyond Deterrence: An Expanded View of Employee Computer Abuse," MIS Quarterly (37:1), pp. 1-20.

Digital Library

[129]

Wood, J. A. 2008. "Methodology for Dealing with Duplicate Study Effects in a Meta-Analysis," Organizational Research Methods (11:1), pp. 79-95.

[130]

Workman, M., Bommer, W. H., and Straub, D. W. 2008. "Security Lapses and the Omission of Information Security Measures: A Threat Control Model and Empirical Test," Computers in Human Behavior (24:6), pp. 2799-2816.

Digital Library

[131]

Wu, J., and Du, H. 2012. "Toward a Better Understanding of Behavioral Intention and System Usage Constructs," European Journal of Information Systems (21:6), pp. 680-698.

[132]

Wu, J., and Lederer, A. 2009. "A Meta-Analysis of the Role of Environment-Based Voluntariness of Information Technology Acceptance," MIS Quarterly (33:2), pp. 419-432.

Digital Library

[133]

Wu, J., and Lu, X. 2013. "Effects of Extrinsic and Intrinsic Motivators on Using Utalitarian, Hedonic, and Dual-Purposed Information Systems: A Meta-Analysis," Journal of the AIS (14:3), pp. 153-191.

[134]

Yazdanmehr, A., and Wang, J. 2016. "Employees' Information Security Policy Compliance: A Norm Activation Perspective," Decision Support Systems (92), pp. 36-46.

Digital Library

Cited By

N BMathew S(2025)Exploring the factors influencing information security policy compliance and violationsComputers and Security10.1016/j.cose.2024.104062147:COnline publication date: 7-Jan-2025
https://dl.acm.org/doi/10.1016/j.cose.2024.104062
Jiang HSiponen MJiang ZTsohou A(2024)The Impacts of Internet Monitoring on Employees’ Cyberloafing and Organizational Citizenship BehaviorInformation Systems Research10.1287/isre.2020.021635:3(1175-1194)Online publication date: 1-Sep-2024
https://dl.acm.org/doi/10.1287/isre.2020.0216
Van Slyke CKamis A(2024)The Limits of Empiricism: A Critique of Data-Driven Theory DevelopmentACM SIGMIS Database: the DATABASE for Advances in Information Systems10.1145/3663682.366368955:2(120-146)Online publication date: 3-May-2024
https://dl.acm.org/doi/10.1145/3663682.3663689
Show More Cited By

Recommendations

A Composite Framework for Behavioral Compliance with Information Security Policies

To combat potential security threats, organizations rely upon information security policies to guide employee actions. Unfortunately, employee violations of such policies are common and costly enough that users are often considered the weakest link in ...
Achieving Interoperability in a Multiple-Security- Policies Environment

The interoperability problems that emerge when information systems cooperate, are often attributed to incompatible security policies. In this paper, we introduce a systemic framework for achieving interoperability when multiple security policies are ...
Explaining Opposing Compliance Motivations towards Organizational Information Security Policies
HICSS '13: Proceedings of the 2013 46th Hawaii International Conference on System Sciences

Lack of compliance with organizational information security policies (ISPOs) is a widespread organizational issue that increasingly bears very large direct and qualitative costs. The purpose of our study was to explain the causes of tensions within ...

Comments

Information & Contributors

Information

Published In

cover image MIS Quarterly

MIS Quarterly Volume 43, Issue 2

June 2019

544 pages

ISSN:0276-7783

Editor:
Arun Rai
Robinson College of Business, Georgia State University

Issue’s Table of Contents

Publisher

Society for Information Management and The Management Information Systems Research Center

United States

Publication History

Published: 01 June 2019

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

48
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 26 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

N BMathew S(2025)Exploring the factors influencing information security policy compliance and violationsComputers and Security10.1016/j.cose.2024.104062147:COnline publication date: 7-Jan-2025
https://dl.acm.org/doi/10.1016/j.cose.2024.104062
Jiang HSiponen MJiang ZTsohou A(2024)The Impacts of Internet Monitoring on Employees’ Cyberloafing and Organizational Citizenship BehaviorInformation Systems Research10.1287/isre.2020.021635:3(1175-1194)Online publication date: 1-Sep-2024
https://dl.acm.org/doi/10.1287/isre.2020.0216
Van Slyke CKamis A(2024)The Limits of Empiricism: A Critique of Data-Driven Theory DevelopmentACM SIGMIS Database: the DATABASE for Advances in Information Systems10.1145/3663682.366368955:2(120-146)Online publication date: 3-May-2024
https://dl.acm.org/doi/10.1145/3663682.3663689
Li YPosey CStafford T(2024)Bureaucracies in information securingInformation and Organization10.1016/j.infoandorg.2024.10052634:3Online publication date: 1-Sep-2024
https://dl.acm.org/doi/10.1016/j.infoandorg.2024.100526
Vedadi AWarkentin MStraub DShropshire J(2024)Fostering information security compliance as organizational citizenship behaviorInformation and Management10.1016/j.im.2024.10396861:5Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1016/j.im.2024.103968
Renaud KWarkentin MPogrebna Gvan der Schyff K(2024)VISTAInformation and Management10.1016/j.im.2023.10387761:1Online publication date: 14-Mar-2024
https://dl.acm.org/doi/10.1016/j.im.2023.103877
Lu ZMin QJiang LChen Q(2024)The effect of the anthropomorphic design of chatbots on customer switching intention when the chatbot service failsInternational Journal of Information Management: The Journal for Information Professionals10.1016/j.ijinfomgt.2024.10276776:COnline publication date: 17-Jul-2024
https://dl.acm.org/doi/10.1016/j.ijinfomgt.2024.102767
Yazdanmehr AJawad MBenbunan-Fich RWang J(2024)The role of ethical climates in employee information security policy violationsDecision Support Systems10.1016/j.dss.2023.114086177:COnline publication date: 1-Feb-2024
https://dl.acm.org/doi/10.1016/j.dss.2023.114086
Niemimaa M(2024)Incorrect compliance and correct noncompliance with information security policiesComputers and Security10.1016/j.cose.2024.103986145:COnline publication date: 1-Oct-2024
https://dl.acm.org/doi/10.1016/j.cose.2024.103986
Baltuttis DTeubner TAdam M(2024)A typology of cybersecurity behavior among knowledge workersComputers and Security10.1016/j.cose.2024.103741140:COnline publication date: 1-May-2024
https://dl.acm.org/doi/10.1016/j.cose.2024.103741
Show More Cited By

View Options

View options

Figures

Tables

Media

View Issue’s Table of Contents