Systematic Literature Review of Information Security Compliance Behaviour Theories

The paper aims to identify behavioural theories that influence information security policy compliance behaviour. A systematic review of empirical studies from eleven online databases (ACM digital library, Emerald Insight, IEEE Xplore digital library, Springer link, Science direct, Scopus, Web of Science, Oxford academic journals, SAGE journals, Taylor & Francis and Wiley online library) was conducted. This review identified 29 studies that met its criteria for inclusion. The investigated theories were extracted and analysed. A total of 19 theories were identified and studied in relation to security policy compliance behaviour. The results indicate that the most established theories in information security compliance behaviour studies are the Theory of Planned Behavior and Protection Motivation Theory. Meanwhile, General Deterrence Theory, Neutralization Theory and Social Bond Theory / Social Control Theory are used moderately in this research area. Less explored theories are Self Determination Theory, Knowledge, Attitude, and Behavior, Social Cognitive Theory, Involvement Theory, Health Belief Model, Theory of Interpersonal Behavior, Extended Parallel Processing Model, Organisational Control Theory, Psychological Reactance Theory, Norm Activation Theory, Organizational Behaviour Theory, Cognitive Evaluation Theory and Extended Job Demands-Resources. The results of this review may guide the development and evaluation of theories promoting information security compliance behaviours, and further contribute to the development of an integrated theory of information security compliance behaviour.


Introduction
Organisations around the globe today are highly dependent on the digital world, where information systems and information security have become the backbone of their daily operations. Most organisations develop and communicate information security policies aimed at guiding their employees on the do's and don'ts of the digital world. Unfortunately, research shows that employees do not comply with information security policies [1], [2]. Hence employee behaviour plays a crucial role in the information security of all organisations [3], [4].
Understanding what makes employees engage in information security compliance behaviour is important [4]. Several theories have been employed as pillars in security compliance studies. These theories have been used widely in the literature to explain and predict employees' security-related behaviour. There is indeed a need for solid confirmation of existing theories in the context of information security compliance behaviours. Therefore a systematic literature review was performed. The remainder of the article is organised as follows: Section II contains the background on research into information security compliance behaviour theories. Section III defines the research method. Sections IV, V and VI contain the steps of the systematic literature review, namely planning, execution and reporting. The conclusions are highlighted in Section VII and the acknowledgment is in Section VIII.

Background
Information security compliance behaviour has been studied using a range of behavioural theories from the fields of criminology, psychology and management [5], [6]. Even though there is a large number of studies, there is still little research providing a current overview of the theories used in information security compliance studies. Investigating the various theoretical approaches to information security compliance of employees in organisations through empirical research would advance the present knowledge in the field [7], [8].

Research Method
To provide an overview of the theories used in information security compliance behaviour research, we conducted a systematic literature review guided by the process from [9]. The authors followed the steps presented in Figure 1. In the planning phase, the research questions and the review protocol are defined. The review protocol contains the inclusion and exclusion criteria, data sources, search strategy and search string definitions. The execution phase means executing the research based on the review protocol in the

The research questions are as follows:
1. What are the existing information security compliance behaviour theories available?
2. What are the origins and domains of the identified theories?
3. Who has applied the identified theories in their information security compliance research?

B. Define data sources and strategy of the search
We studied all published articles on information security compliance models that are accessible from eleven online databases as data sources, namely ACM digital library, Emerald Insight, IEEE Xplore digital library, Springer link, Science direct, Scopus, Web of Science, Oxford academic journals, SAGE journals, Taylor & Francis and Wiley online library, as subscribed to by Universiti Teknologi Malaysia.

C. Define inclusion and exclusion criteria
In accordance with our research questions, the inclusion criteria are as follows:
- Studies written in English;
- Studies that propose an information security compliance model;
- Studies published in the last 6 years, between January 2014 and June 2019.

On the other hand, the exclusion criteria are as follows:
- Studies that applied a theory but failed to present the model clearly;
- Studies that produce information security compliance models but did not explain the theories used;
- Studies that do not have empirical results.

In the event of duplicate reports from the same research, the latest full report discovered is considered for evaluation.

D. Define quality criteria
We also assessed the general quality of the retrieved studies in relation to our inclusion and exclusion criteria. We only considered papers containing substantial data about compliance with information security and detailing the theories they used.

E. Define search string
The search string included combinations of research-related and synonymous phrases. The initial search string was (information security compliance), (information security behaviour), (model). The search string was calibrated and adjusted in accordance with each data source's particular syntax.

A. Search and selection
The search was carried out by the first author in March 2019 and revised by the other authors. All authors worked on the search string definition together. The first author conducted the original search, resulting in 12,123 articles being selected. In step two of the selection, papers were selected after a discussion regarding their inclusion or exclusion, resulting in 2328 articles. Figure 2 shows the flow diagram of the search strategy and study selection. A total of 519 papers were selected for abstract review. After excluding non-relevant studies, duplicates and studies with inaccessible full texts, 182 articles were selected for full-text review. After applying the exclusion criteria, 29 eligible studies were finally evaluated and included in this systematic review, as shown in Table 1.

B. Data extraction
We collected information from the 29 relevant research articles systematically, as shown in Table 1, to respond to the research questions. The extracted data are shown in the data analysis segment.

Surviving rows of Table 1 (reference, authors, year, study ID):
[20] Abed and Weistroffer, 2016, A16
[21] Yazdanmehr and Wang, 2016, A17
[22] Bauer and Bernroider, 2017, A18
[23] D'Arcy and Lowry, 2017, A19
[24] Hina and Dominic, 2017, A20
[25] Hofeditz

A. Data analysis
This segment presents an analysis of the data extracted from the studies according to the research questions that have been defined. Table 2 depicts the existing theories in information security compliance research.

Protection Motivation Theory
Describes that when a person faces a threat, he cognitively evaluates it and a likely solution, and then chooses to act in an adaptive or maladaptive manner [26].

General Deterrence Theory
Describes that serious, rapid and certain penalties dissuade people from specific behaviours [8].

Neutralization Theory
Describes that the real reason people break the rules is that they somehow justify themselves, even though they respect the rules and values of society [12].

Social Bond Theory / Social Control Theory
Defines the social bonds between an individual and his group: the individual is naturally inclined towards offending, but persons with stronger social ties are less attracted to indulging in any antisocial or deviant behaviour [4].

Rational Choice Theory
Describes how people first identify options when choosing and then consider the possible results of each option [28], [36].

Self Determination Theory
Describes intrinsic and some types of extrinsic motivation and explains how these motivations impact situational reactions in diverse fields [37].

Knowledge, Attitude, And Behavior
Describes that a person's understanding produces an attitude as a direct consequence, which in turn results in behavioural modifications [38].

Social Cognitive Theory
Describes the concurrent and dynamic interplay between social and personal variables, in which people are actively involved and achieve required outcomes when they think their activities are under their control [10].

Involvement Theory
Discusses the amount of energy, time and participation in a specific task, which impacts attitude and tends to manifest in different ways [4].
This theory is found in multiple fields such as customer involvement, product involvement and student involvement.

Health Belief Model
Explains health behaviour where risk was measured through its

Theory of Interpersonal Behavior
Explains that behaviours are more complicated and consist of facilitating circumstances, added social components, attitude predictors and conditions such as habits, as well as intentions, which together can foresee behaviours better [32].

Extended Parallel Processing Model
Explains why fear appeals fail by centralising fear and specifying the relationship between threat and efficacy [40].

Organisational Control Theory
Describes the social conditions in which diverse forms of control are used [2].

Psychological Reactance Theory
Describes that when people feel that any of their activities are stopped, or threatened to be stopped, this stimulates a motivating state of psychological reactance [41].

Norm Activation Theory
Indicates that personal norms are the direct predecessor of one's conduct and represent one's commitment to one's internalised values [42].

Organizational Behaviour Theory
Explains what individuals in and around organisations think, feel and do [43].

Cognitive Evaluation Theory
Describes how both internal and external events affect people's intrinsic motivation [37].

Extended Job Demands-Resources
Explains the work-stress model in which job demands and resources influence the organisational commitment and performance of staff through work burnout and engagement [18].

Table 3 shows the summarised details of the identified theories, such as the authors, the year each theory was first published and the initial subject area domain of the theory. One notable theory, the Theory of Reasoned Action, was first proposed by Fishbein and Ajzen, but later became the Theory of Planned Behaviour with an added construct by Ajzen. It should also be noted that Social Bond Theory is sometimes referred to as Social Control Theory. Table 4 shows the list of literature which has applied the identified theories in information security compliance behaviour studies. In addition, Figure 3 shows the usage of theories in information security compliance models as percentages.

Conclusions
Our results contribute by presenting an overview of the theories that influence information security compliance behaviour. From the final 29 papers selected for this systematic literature review, we captured 19 theories that are used in information security compliance model research. The most dominant theories in information security compliance studies are the Theory of Reasoned Action or Theory of Planned Behavior and Protection Motivation Theory. Around 19 percent of information security compliance studies use the Theory of Planned Behavior and Protection Motivation Theory. These established theories have proven their capability to predict compliance with information security policies [3]. Our findings from the most dominant theories show that if an employee perceives adequate capacity to complete a security task, has a positive attitude towards carrying it out, and sees others doing the same task, the employee will most likely comply. Nevertheless, when facing a security threat, an employee performs threat and coping appraisals to decide whether or not to comply.
The theories reviewed in this paper have contributed to a better understanding of information security compliance behaviour and therefore help define effective security measures that encourage information security compliance. Future studies can focus on the significance of these theories in predicting information security compliance behaviour more accurately.