Literature Review

Organizational information security policies: a review and research framework

Pages 605-641 | Received 22 Jan 2016, Accepted 14 Jun 2017, Published online: 15 Feb 2018

  • ShirtzDEloviciYOptimizing investment decisions in selecting information security remediesInformation Management & Computer Security20111929511210.1108/09685221111143042
  • Shropshire J, Warkentin M and Sharma S (2015) Personality, attitudes, and intentions: Predicting initial adoption of information security behavior. Computers and Security 49, 177–191.
  • Silva L, Hsu C, Backhouse J and Mcdonnell A (2016) Resistance and power in a security certification scheme: The case of c:Cure. Decision Support Systems 92, 68–78.
  • SiponenMA conceptual foundation for organizational information security awarenessInformation Management & Computer Security200081314110.1108/09685220010371394
  • SiponenMInformation security standards focus on the existence of process, not its contentCommunications of the ACM20064989710010.1145/1145287.1145316
  • SiponenMIivariJSix design theories for IS security policies and guidelinesJournal of the Association for Information Systems200677445472
  • SiponenMMahmoodMAPahnilaSAre employees putting your company at risk by not following information security policies?Communications of the ACM2009521214514710.1145/1610252.1610289
  • SiponenMMahmoodMAPahnilaSEmployees’ adherence to information security policies: An exploratory field studyInformation & Management201451221722410.1016/j.im.2013.08.006
  • SiponenMOinas-KukkonenHA review of information security issues and respective research contributionsThe DATA BASE for Advances in Information Systems2007381608010.1145/1216218.1216224
  • SiponenMPahnilaSMahmoodMACompliance with information security policies: An empirical investigationComputer2010432647110.1109/MC.2010.35
  • SiponenMVanceANeutralization: New insights into the problem of employee information systems security policy violationsMIS Quarterly201034348750210.2307/25750688
  • SiponenMVanceAGuidelines for improving the contextual relevance of field surveys: The case of information security policy violationsEuropean Journal of Information Systems201423328930510.1057/ejis.2012.59
  • SiponenMWillisonRInformation security management standards: Problems and solutionsInformation & Management200946526727010.1016/j.im.2008.12.007
  • SiponenMWillisonRBaskervilleRPower and practice in information systems security researchInternational Conference on Information Systems2008ParisAssociation for Information Systems113
  • SmithSWinchesterDBunkerDJamiesonRCircuits of power: A study of mandated compliance to an information systems security “de jure” standard in a government organizationMIS Quarterly201034346348610.2307/25750687
  • SommestadTHallbergJLundholmKBengtssonJVariables influencing information security policy compliance: A systematic review of quantitative studiesInformation Management and Computer Security2014221427510.1108/IMCS-08-2012-0045
  • SommestadTKarlzénHHallbergJThe sufficiency of the theory of planned behavior for explaining information security policy complianceInformation and Computer Security201523220021710.1108/ICS-04-2014-0025
  • SONJ-YOut of fear or desire? Toward a better understanding of employees’ motivation to follow IS security policiesInformation & Management201148729630210.1016/j.im.2011.07.002
  • PARKJSONJ-YProcedural justice to enhance compliance with non-work-related computing (NWRC) rules: Its determinants and interaction with privacy concernsInternational Journal of Information Management201636330932110.1016/j.ijinfomgt.2015.12.005
  • SoomroZAShahMHAhmedJInformation security management needs more holistic approach: A literature reviewInternational Journal of Information Management201636221522510.1016/j.ijinfomgt.2015.11.009
  • SpearsJLBarkiHUser participation in information systems security risk managementMIS Quarterly201034350352210.2307/25750689
  • StahlBCDohertyNFShawMInformation security policies in the uk healthcare sector: A critical evaluationInformation Systems Journal2012221779410.1111/j.1365-2575.2011.00378.x
  • StantonJStamKMastrangeloPJoltonJAnalysis of end user security behaviorsComputers and Security200524212413310.1016/j.cose.2004.07.001
  • StraubDWEffective IS security: An empirical studyInformation Systems Research19901325527610.1287/isre.1.3.255
  • StraubDWNanceWDDiscovering and disciplining computer abuse in organizations: A field studyMIS Quarterly1990141456210.2307/249307
  • StraubDWWelkeRJCoping with systems risk: Security planning models for management decision makingMIS Quarterly199822444146910.2307/249551
  • SusantoHAlmunawarMNTuanYCInformation security management system standards: A comparative study of the big fiveInternational Journal of Electrical and Computer Sciences20111152329
  • TangMLiMZhangTThe impacts of organizational culture on information security culture: A case studyInformation Technology and Management201617217918610.1007/s10799-015-0252-2
  • TannenbaumASControl in organizations: Individual adjustment and organizational performanceAdministrative Science Quarterly19627223625710.2307/2390857
  • TEHP-LAHMEDPKD’ARCYJWhat drives information security policy violations among banking employees? Insights from neutralization and social exchange theoryJournal of Global Information Management2015231446410.4018/jgim.2015010103
  • THOMSONK-LInformation security conscience: A precondition to an information security culture?Journal of Information System Security201064319
  • ThongJYLYapCSTesting an ethical decision-making theory: The case of softliftingJournal of Management Information Systems199815121323710.1080/07421222.1998.11518203
  • TiwanaAKeilMControl in internal and outsourced software projectsJournal of Management Information Systems200926394410.2753/MIS0742-1222260301
  • TsangEWKKWANK-MReplication and theory development in organizational science: A critical realist perspectiveAcademy of Management Review1999244759780
  • Tsohou A, Karyda M and Kokolakis S (2015a) Analyzing the role of cognitive and cultural biases in the internalization of information security policies: Recommendations for information security awareness programs. Computers and Security 52, 128–141.
  • TsohouAKarydaMKokolakisSKiountouzisEAligning security awareness with information system security managementJournal of Information System Security2010613654
  • TsohouAKarydaMKokolakisSKiountouzisEManaging the introduction of information security awareness programmes in organizationsEuropean Journal of Information Systems2015241385810.1057/ejis.2013.27
  • TwengeJMKonrathSFosterJDCampbellWKBushmanBJEgos inflating over time: A cross-temporal meta-analysis of the narcissistic personality inventoryJournal of Personality and Social Psychology2008764875902
  • UnalDCaglayanMUA formal role-based access control model for security policies in multi-domain mobile networksComputer Networks201357133035010.1016/j.comnet.2012.09.018
  • UzunovAVFernandezEBFalknerKSecurity solution frames and security patterns for authorization in distributed, collaborative systemsComputers and Security201555119323410.1016/j.cose.2015.08.003
  • VaastEDanger is in the eye of the beholders: Social representations of information systems security in healthcareJournal of Strategic Information Systems200716213015210.1016/j.jsis.2007.05.003
  • IddekingeCHFerrisGRHeffnerTSTest of a multistage model of distal and proximal antecedents of leader performancePersonnel Psychology200962346349510.1111/j.1744-6570.2009.01145.x
  • VanceAAndersonBBKirwanCBEargleDUsing measures of risk perception to predict information security behavior: Insights from electroencephalography (EEG)Journal of the Association for Information Systems20141510679722
  • VanceALowryPBEggettDUsing accountability to reduce access policy violations in information systemsJournal of Management Information Systems201329426328910.2753/MIS0742-1222290410
  • VanceALowryPBEggettDIncreasing accountability through user-interface design artifacts: A new approach to addressing the problem of access-policy violationsMIS Quarterly201539234536610.25300/MISQ/2015/39.2.04
  • VanceASiponenMIS security policy violations: A rational choice perspectiveJournal of Organizational and End User Computing2012241214110.4018/joeuc.2012010102
  • VanceASiponenMPahnilaSMotivating IS security compliance: Insights from habit and protection motivation theoryInformation & Management2012493–419019810.1016/j.im.2012.04.002
  • Verizon (2016) 2016 data breach investigations report. http://www.verizonenterprise.com/DBIR/2015/, accessed 25 February 2017.
  • VOM BrockeJSimonsARiemerKNiehavesBPLATTFAUTRStanding on the shoulders of giants: Challenges and recommendations of literature search in information systems researchCommunications of the Association for Information Systems2015379205224
  • DranGMGuynesCSPrybutokVRThe information infrastructure: Policy and security considerationsComputers and Society1996261131510.1145/229403.229410
  • SolmsRInformation security management: Why standards are importantInformation Management and Computer Security199971505710.1108/09685229910255223
  • VroomCSolmsRTowards information security behavioural complianceComputers & Security200423319119810.1016/j.cose.2004.01.012
  • WallDSEnemies within: Redefining the insider threat in organizational security policySecurity Journal201326210712410.1057/sj.2012.1
  • WallJDLowryPBBarlowJBOrganizational violations of externally governed privacy and security rules: Explaining and predicting selective violations under conditions of strain and excessJournal of the Association for Information Systems20161713976
  • WallJDPalviaPLowryPBControl-related motivations and information security policy compliance: The role of autonomy and efficacyJournal of Information Privacy and Security201394527910.1080/15536548.2013.10845690
  • WallJDStahlBCSalamAFCritical discourse analysis as a review methodology: An empirical exampleCommunications of the Association for Information Systems2015371257285
  • WarkentinMJohnstonACShropshireJThe influence of the informal social learning environment on information privacy policy compliance efficacy and intentionEuropean Journal of Information Systems201120326728410.1057/ejis.2010.72
  • Warkentin M, Johnston AC, Shropshire J and Barnett WD (2016a) Continuance of protective security behavior: A longitudinal study. Decision Support Systems 92, 25–35.
  • WarkentinMWaldenEJohnstonACStraubDWNeural correlates of protection motivation for secure IT behaviors: An fMRI examinationJournal of the Association for Information Systems2016173194215
  • WarmanAROrganizational computer security policy: The realityEuropean Journal of Information Systems19921530531010.1057/ejis.1992.2
  • Webster J and Watson RT (2002) Analyzing the past to prepare for the future: Writing a literature review. MIS Quarterly 26(2), xiii–xxiii.
  • Weldon D (2015) Are your biggest security threats on the inside? http://www.cio.com/article/2985790/security/are-your-biggest-security-threats-on-the-inside.html, accessed 1 December 2015.
  • WhitmanMESTRAUBDWGOODMANSEBASKERVILLERSecurity policy: From design to maintenanceInformation security: Policy, processes, and practices2008New YorkM. E. Sharpe123151
  • WhitmanMETownsendAMAalbertsRJDHILLONGInformation systems security and the need for policyInformation security management: Global challenges in the new millennium2001IGI GlobalHershey PA1020
  • WiantTLInformation security policy’s impact on reporting security incidentsComputers & Security200524644845910.1016/j.cose.2005.03.008
  • WienerMMähringMRemusUSaundersCControl configuration and control enactment in information systems projects: Review and expanded theoretical frameworkMIS Quarterly201640374177410.25300/MISQ/2016/40.3.11
  • WillisonRUnderstanding the perpetration of employee computer crime in the organisational contextInformation and Organization200616430432410.1016/j.infoandorg.2006.08.001
  • WillisonRBackhouseJOpportunities for computer abuse: Considering systems risk from the offender’s perspectiveEuropean Journal of Information Systems200615440341410.1057/palgrave.ejis.3000592
  • WillisonRWarkentinMBeyond deterrence: An expanded view of employee computer abuseMIS Quarterly201337112010.25300/MISQ/2013/37.1.01
  • WoodCCPolicies for deterring computer abuseComputers & Security19821213914510.1016/0167-4048(82)90006-2
  • WorkmanMA field study of corporate employee monitoring: Attitudes, absenteeism, and the moderating influences of procedural justice perceptionsInformation and Organization200919421823210.1016/j.infoandorg.2009.06.001
  • WorkmanMBommerWHStraubDWSecurity lapses and the omission of information securitymeasures: A threat control model and empirical testComputers in Human Behavior20082462799281610.1016/j.chb.2008.04.005
  • WorkmanMGathegiJPunishment and ethics deterrents: A study of insider security contraventionJournal of the American Society for Information Science and Technology200758221222210.1002/asi.20474
  • XueYLiangHWuLPunishment, justice, and compliance in mandatory IT settingsInformation Systems Research201122240041410.1287/isre.1090.0266
  • Yazdanmehr A and Wang J (2016) Employees’ information security policy compliance: A norm activation perspective. Decision Support Systems 92, 36–46.
  • ZafarHClarkJGCurrent state of information security research in ISCommunications of the AIS20092434557596
  • ZhangJReithelBJLiHImpact of perceived technical protection on security behaviorsInformation Management & Computer Security200917433034010.1108/09685220910993980
  • ZhangXParisi-PresicceFSandhuRParkJFormal model and policy specification of usage controlACM Transactions on Information and System Security20058435138710.1145/1108906.1108908
  • ZsidisinGAEllramLMAn agency theory investigation of supply risk managementJournal of Supply Chain Management2003393152710.1111/j.1745-493X.2003.tb00156.x
