Variables influencing information security policy compliance: A systematic review of quantitative studies

Teodor Sommestad (Swedish Defence Research Agency (FOI), Linköping, Sweden)
Jonas Hallberg (Swedish Defence Research Agency (FOI), Linköping, Sweden)
Kristoffer Lundholm (Swedish Defence Research Agency (FOI), Linköping, Sweden)
Johan Bengtsson (Swedish Defence Research Agency (FOI), Linköping, Sweden)

Information Management & Computer Security

ISSN: 0968-5227

Article publication date: 4 March 2014

Abstract

Purpose

The purpose of this paper is to identify variables that influence compliance with information security policies of organizations and to identify how important these variables are.

Design/methodology/approach

A systematic review of empirical studies described in extant literature is performed. This review found 29 studies meeting its inclusion criterion. The investigated variables in these studies and the effect size reported for them were extracted and analysed.

Findings

In the 29 studies, more than 60 variables have been studied in relation to security policy compliance and incompliance. Unfortunately, no clear winners can be found among the variables or the theories they are drawn from. Each of the variables only explains a small part of the variation in people's behaviour and when a variable has been investigated in multiple studies the findings often show a considerable variation.

Research limitations/implications

It is possible that the disparate findings of the reviewed studies can be explained by the sampling methods used in the studies, the treatment/control of extraneous variables and interplay between variables. These aspects ought to be addressed in future research efforts.

Practical implications

Decision makers who seek guidance on how to best achieve compliance with their information security policies should recognize that a large number of variables probably influence employees' compliance. In addition, both their influence strength and interplay are uncertain and largely unknown.

Originality/value

This is the first systematic review of research on variables that influence compliance with information security policies of organizations.

Citation

Sommestad, T., Hallberg, J., Lundholm, K. and Bengtsson, J. (2014), "Variables influencing information security policy compliance: A systematic review of quantitative studies", Information Management & Computer Security, Vol. 22 No. 1, pp. 42-75. https://doi.org/10.1108/IMCS-08-2012-0045

Publisher

Emerald Group Publishing Limited

Copyright © 2014, Emerald Group Publishing Limited
