Identifying Factors of Non-Compliance, Compliance with Information Security Policy, and Behavior Change to Compliance: Literature Review

Abstract

This paper aims to build a process model that converts employees' non-compliance into compliance. The authors evaluated articles that studied the association between information security behavior and information security policy compliance (ISPC). The authors used grounded theory in this comprehensive literature review. The idea helps researchers study issues in depth and breadth, using the five main approach steps (to define, search, select, analyze, and display). The ISPC analysis placed a greater emphasis on compliance than on non-compliance. Value conflicts, stress due to security issues, and neutralization cause the lack of compliance. This review identified 22 studies that met its criterion for inclusion. Compliance increased for both internal and external causes, as well as for protection. Social circle, management, and company culture motivate employees to be security-aware. Deterrence strategies, managerial practices, culture, and awareness of information security help staff adhere to the rules. Information security is jeopardized when employees do not value ISPC. ISPC studies usually distinguish compliance and non-compliance. The literature lacks a complete grasp of the elements that change employees' Non-compliance to compliance. We conducted a systematic literature review on information security behavior toward ISPC in various settings: research frameworks, research designs, and research methodologies throughout the last decade. This systematic review has implications for information security behavior. This research details a behavior-change technique. The conversion helps security professionals comprehend employee non-compliance and helps them comply. According to research, most security professionals develop information security policies generically, which leads to non-compliance. Most researchers agree that information security policies should be organization-specific. This study explored significant compliance/non-compliance characteristics to help design information security policies.