Across the 29 studies, more than 60 variables have been examined in relation to security policy compliance and non-compliance. Unfortunately, no clear winners emerge among the variables or the theories they are drawn from. Each variable explains only a small part of the variation in people's behaviour, and when a variable has been investigated in several studies the findings often vary considerably.
| Construct | Cites | Category | Questions given? | Content validity | Pretests | Response type | Notes |
|---|---|---|---|---|---|---|---|
| Actual misuse | Lee et al., 2004; Workman, 2007 | | example | | | unclear | |
| Actual compliance | Siponen et al., 2010; Pahnila et al., 2007; Son, 2011; Myyry et al., 2009; Bulgurcu et al., 2010; Chan et al., 2005 | | example | | | unclear | |
| Attachment | Lee et al., 2004 | | example | | | unclear | |
| Attitude toward security policy | Guo et al., 2011 | | example | | | unclear | |
| Attitude towards compliance | Li et al., 2010; Pahnila et al., 2007; Ifinedo, 2012; Bulgurcu et al., 2010; Zhang et al., 2009; Herath, 2009; Bulgurcu et al., 2009; Siponen et al., 2010 | | example | | | unclear | |
| Attitude toward misuse | Guo et al., 2011; Dugo, 2007 | | example | | | unclear | |
| Computer monitoring | D'Arcy, 2007 | | example | | | unclear | |
| Conservation | Myyry et al., 2009 | | example | | | unclear | |
| Conventional reasoning | Myyry et al., 2009 | | example | | | unclear | |
| Descriptive norm | Herath, 2009 | | example | | | unclear | |
| Denial of responsibility | Harrington, 1996 | | example | | | unclear | |
| Facilitating conditions | Pahnila et al., 2007 | | example | | | unclear | |
| Habits | Pahnila et al., 2007 | | example | | | unclear | |
| Information security awareness | Bulgurcu et al., 2010 | | example | | | unclear | |
| Information security policy fairness | Bulgurcu et al., 2010 | | example | | | unclear | |
| Information security policy quality | Bulgurcu et al., 2010 | | example | | | unclear | |
| Intention to comply | Siponen et al., 2010; Pahnila et al., 2007; Zhang et al., 2009; Li et al., 2010; Ifinedo, 2012; Bulgurcu et al., 2010; Herath, 2009; Siponen et al., 2010; Herath, 2009; Li et al., 2010; Bulgurcu et al., 2010; Myyry et al., 2009; Ifinedo, 2012; Vance et al., 2012; Siponen et al., 2010 | | example | | | unclear | |
| Intention to misuse | Siponen, 2010; Guo et al., 2011; D'Arcy et al., 2009; D'Arcy, 2007; Hu et al., 2011; Dugo, 2007; Siponen, 2010; Vance, 2012; Lee et al., 2004 | | example | | | unclear | |
| Involvement | Lee et al., 2004 | | example | | | unclear | |
| Moral beliefs | D'Arcy et al., 2009; Vance, 2012; Lee et al., 2004 | | example | | | unclear | |
| Neutralization | Siponen, 2010 | | example | | | unclear | |
| Normative beliefs | Siponen et al., 2010; Herath, 2009; Bulgurcu et al., 2010; Pahnila et al., 2007; Ifinedo, 2012; Herath, 2009; Zhang et al., 2009; Li et al., 2010; Dugo, 2007; Guo et al., 2011; Workman, 2007 | | example | | | unclear | |
| Openness to change | Myyry et al., 2009 | | example | | | unclear | |
| Organizational commitment | Herath, 2009; Dugo, 2007; Lee et al., 2004 | | example | | | unclear | |
| Perceived value congruence | Son, 2011 | | example | | | unclear | |
| Perceived benefit of compliance | Bulgurcu et al., 2010 | | example | | | unclear | |
| Perceived benefits of non-compliance | Li et al., 2010; Vance, 2012 | | example | | | unclear | |
| Perceived extrinsic benefits | Hu et al., 2011 | | example | | | unclear | |
| Perceived identity match | Guo et al., 2011 | | example | | | unclear | |
| Perceived intrinsic benefits | Hu et al., 2011 | | example | | | unclear | |
| Perceived justice of punishment | Xue et al., 2011 | | example | | | unclear | |
| Perceived legitimacy | Son, 2011 | | example | | | unclear | |
| Perceived organizational benefit of compliance | Bulgurcu et al., 2009 | | example | | | unclear | |
| Perceived organizational cost of compliance | Bulgurcu et al., 2009 | | example | | | unclear | |
| Perceived organizational cost of non-compliance | Bulgurcu et al., 2009 | | example | | | unclear | |
| Perceived risk of shame | Hu et al., 2011; Siponen, 2010 | | example | | | unclear | |
| Perceived severity of incident | Vance et al., 2012; Ifinedo, 2012 | | example | | | unclear | |
| Perceived severity of sanctions | D'Arcy et al., 2009; Hu et al., 2011; Guo et al., 2011; Son, 2011; Herath, 2009; Li et al., 2010; Dugo, 2007 | | example | | | unclear | |
| Perceived behavioral control | Zhang et al., 2009; Dugo, 2007; Workman, 2007 | | example | | | unclear | |
| Perceived certainty of sanctions | Herath, 2009; Li et al., 2010; Son, 2011; Dugo, 2007 | | example | | | unclear | |
| Perceived cost of non-compliance | Siponen et al., 2010; Bulgurcu et al., 2010; Xue et al., 2011 | | example | | | unclear | |
| Perceived vulnerability | Ifinedo, 2012; Li et al., 2010; Vance et al., 2012 | | example | | | unclear | |
| Perceived usefulness | Xue et al., 2011 | | example | | | unclear | |
| Perceived informal risk | Hu et al., 2011; Siponen, 2010; Siponen, 2010; Vance, 2012 | | example | | | unclear | |
| Perceived celerity of sanctions | Hu et al., 2011 | | example | | | unclear | |
| Perceived formal risk | Hu et al., 2011; Siponen, 2010; Siponen, 2010; Vance, 2012 | | example | | | unclear | |
| Perceived information security climate | Chan et al., 2005 | | example | | | unclear | |
| Perceived security risk | Guo et al., 2011 | | example | | | unclear | |
| Postconventional reasoning | Myyry et al., 2009 | | example | | | unclear | |
| Preconventional reasoning | Myyry et al., 2009 | | example | | | unclear | |
| Preventive security software | D'Arcy, 2007 | | example | | | unclear | |
| Response cost | Ifinedo, 2012; Herath, 2009; Guo et al., 2011; Bulgurcu et al., 2010; Vance et al., 2012 | | example | | | unclear | |
| Response efficacy | Herath, 2009; Siponen et al., 2010; Ifinedo, 2012; Zhang et al., 2009; Vance et al., 2012 | | example | | | unclear | |
| Rewards | Siponen et al., 2010; Vance et al., 2012 | | example | | | unclear | |
| Satisfaction | Xue et al., 2011 | | example | | | unclear | |
| Security awareness program | D'Arcy, 2007 | | example | | | unclear | |
| Security culture | Dugo, 2007 | | example | | | unclear | |
| Security policies | D'Arcy, 2007 | | example | | | unclear | |
| Self defense | Lee et al., 2004 | | example | | | unclear | |
| Self-efficacy | Herath, 2009; Bulgurcu et al., 2010; Siponen et al., 2010; Herath, 2009; Ifinedo, 2012; Son, 2011; Chan et al., 2005 | | example | | | unclear | |
| Source competency | Siponen et al., 2010 | | example | | | unclear | |
| Source trustworthiness | Siponen et al., 2010 | | example | | | unclear | |
| Source dynamism | Siponen et al., 2010 | | example | | | unclear | |
| Threat appraisal | Herath, 2009; Pahnila et al., 2007; Siponen et al., 2010 | | example | | | unclear | |
| Visibility | Siponen et al., 2010 | | example | | | unclear | |
Teodor Sommestad, Jonas Hallberg, Kristoffer Lundholm, and Johan Bengtsson. Variables influencing information security policy compliance: a systematic review of quantitative studies. Information Management & Computer Security, 22(1):42–75, 2014. doi:10.1108/IMCS-08-2012-0045.