research-article

Review of IS Security Policy Compliance: Toward the Building Blocks of an IS Security Theory

Published: 02 August 2017

Abstract

An understanding of insider threats in information systems (IS) is important for addressing one of the dangers lurking within organizations. This article reviews the literature on insider compliance (and failure to comply) with information systems policies in order to assess the status of IS research on negligent and malicious insiders. We begin by defining the terms and developing a new taxonomy of insiders, and then provide a comprehensive review of articles on IS policy compliance from the past 26 years. Grounding the analysis in that literature, we inductively identify four themes for fostering information security policy compliance among employees: 1) IS management philosophy, 2) procedural countermeasures, 3) technical countermeasures, and 4) environmental countermeasures. We propose that future research can draw upon these themes and use them as the building blocks of an indigenous IS security theory.

    • Published in

      ACM SIGMIS Database: the DATABASE for Advances in Information Systems, Volume 48, Issue 3
      August 2017
      130 pages
      ISSN: 0095-0033
      EISSN: 1532-0936
      DOI: 10.1145/3130515

      Copyright © 2017 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Qualifiers

      • research-article
