Organizational information security policies: a review and research framework

Informa UK Limited - Volume 26 - Pages 605-641 - 2017
W. Alec Cram [1], Jeffrey G. Proudfoot [1], John D’Arcy [2]
[1] Bentley University, Waltham, USA
[2] University of Delaware, Newark, USA

Abstract

A major stream of research within the field of information systems security examines the use of organizational policies that specify how users of information and technology resources should behave in order to prevent, detect, and respond to security incidents. However, this growing (and at times, conflicting) body of research has made it challenging for researchers and practitioners to comprehend the current state of knowledge on the formation, implementation, and effectiveness of security policies in organizations. Accordingly, the purpose of this paper is to synthesize what we know and what remains to be learned about organizational information security policies, with an eye toward a holistic understanding of this research stream and the identification of promising paths for future study. We review 114 influential security policy-related journal articles and identify five core relationships examined in the literature. Based on these relationships, we outline a research framework that synthesizes the construct linkages within the current literature. Building on our analysis of these results, we identify a series of gaps and draw on additional theoretical perspectives to propose a revised framework that can be used as a basis for future research.

Siponen M, Mahmood MA and Pahnila S (2014) Employees’ adherence to information security policies: An exploratory field study. Information and Management 51(2), 217–224. Siponen M and Oinas-Kukkonen H (2007) A review of information security issues and respective research contributions. The DATA BASE for Advances in Information Systems 38(1), 60–80. Siponen M, Pahnila S and Mahmood MA (2010) Compliance with information security policies: An empirical investigation. Computer 43(2), 64–71. Siponen M and Vance A (2010) Neutralization: New insights into the problem of employee information systems security policy violations. MIS Quarterly 34(3), 487–502. Siponen M and Vance A (2014) Guidelines for improving the contextual relevance of field surveys: The case of information security policy violations. European Journal of Information Systems 23(3), 289–305. Siponen M and Willison R (2009) Information security management standards: Problems and solutions. Information and Management 46(5), 267–270. Siponen M, Willison R and Baskerville R (2008) Power and practice in information systems security research. In International Conference on Information Systems pp 1–13, Association for Information Systems, Paris. Smith S, Winchester D, Bunker D and Jamieson R (2010) Circuits of power: A study of mandated compliance to an information systems security “de jure” standard in a government organization. MIS Quarterly 34(3), 463–486. Sommestad T, Hallberg J, Lundholm K and Bengtsson J (2014) Variables influencing information security policy compliance: A systematic review of quantitative studies. Information Management and Computer Security 22(1), 42–75. Sommestad T, Karlzén H and Hallberg J (2015) The sufficiency of the theory of planned behavior for explaining information security policy compliance. Information and Computer Security 23(2), 200–217. Son J-Y (2011) Out of fear or desire? Toward a better understanding of employees’ motivation to follow IS security policies. 
Information and Management 48(7), 296–302. Son J-Y and Park J (2016) Procedural justice to enhance compliance with non-work-related computing (NWRC) rules: Its determinants and interaction with privacy concerns. International Journal of Information Management 36(3), 309–321. Soomro ZA, Shah MH and Ahmed J (2016) Information security management needs more holistic approach: A literature review. International Journal of Information Management 36(2), 215–225. Spears JL and Barki H (2010) User participation in information systems security risk management. MIS Quarterly 34(3), 503–522. Stahl BC, Doherty NF and Shaw M (2012) Information security policies in the uk healthcare sector: A critical evaluation. Information Systems Journal 22(1), 77–94. Stanton J, Stam K, Mastrangelo P and Jolton J (2005) Analysis of end user security behaviors. Computers and Security 24(2), 124–133. Straub DW (1990) Effective IS security: An empirical study. Information Systems Research 1(3), 255–276. Straub DW and Nance WD (1990) Discovering and disciplining computer abuse in organizations: A field study. MIS Quarterly 14(1), 45–62. Straub DW and Welke RJ (1998) Coping with systems risk: Security planning models for management decision making. MIS Quarterly 22(4), 441–469. Susanto H, Almunawar MN and Tuan YC (2011) Information security management system standards: A comparative study of the big five. International Journal of Electrical and Computer Sciences 11(5), 23–29. Tang M, Li M and Zhang T (2016) The impacts of organizational culture on information security culture: A case study. Information Technology and Management 17(2), 179–186. Tannenbaum AS (1962) Control in organizations: Individual adjustment and organizational performance. Administrative Science Quarterly 7(2), 236–257. Teh P-L, Ahmed PK and D’arcy J (2015) What drives information security policy violations among banking employees? Insights from neutralization and social exchange theory. 
Journal of Global Information Management 23(1), 44–64. Thomson K-L (2010) Information security conscience: A precondition to an information security culture? Journal of Information System Security 6(4), 3–19. Thong JYL and Yap CS (1998) Testing an ethical decision-making theory: The case of softlifting. Journal of Management Information Systems 15(1), 213–237. Tiwana A and Keil M (2009) Control in internal and outsourced software projects. Journal of Management Information Systems 26(3), 9–44. Tsang EWK and Kwan K-M (1999) Replication and theory development in organizational science: A critical realist perspective. Academy of Management Review 24(4), 759–780. Tsohou A, Karyda M and Kokolakis S (2015a) Analyzing the role of cognitive and cultural biases in the internalization of information security policies: Recommendations for information security awareness programs. Computers and Security 52, 128–141. Tsohou A, Karyda M, Kokolakis S and Kiountouzis E (2010) Aligning security awareness with information system security management. Journal of Information System Security 6(1), 36–54. Tsohou A, Karyda M, Kokolakis S and Kiountouzis E (2015b) Managing the introduction of information security awareness programmes in organizations. European Journal of Information Systems 24(1), 38–58. Twenge JM, Konrath S, Foster JD, Campbell WK and Bushman BJ (2008) Egos inflating over time: A cross-temporal meta-analysis of the narcissistic personality inventory. Journal of Personality and Social Psychology 76(4), 875–902. Unal D and Caglayan MU (2013) A formal role-based access control model for security policies in multi-domain mobile networks. Computer Networks 57(1), 330–350. Uzunov AV, Fernandez EB and Falkner K (2015) Security solution frames and security patterns for authorization in distributed, collaborative systems. Computers and Security 55(1), 193–234. Vaast E (2007) Danger is in the eye of the beholders: Social representations of information systems security in healthcare. 
Journal of Strategic Information Systems 16(2), 130–152. Van Iddekinge CH, Ferris GR and Heffner TS (2009) Test of a multistage model of distal and proximal antecedents of leader performance. Personnel Psychology 62(3), 463–495. Vance A, Anderson BB, Kirwan CB and Eargle D (2014) Using measures of risk perception to predict information security behavior: Insights from electroencephalography (EEG). Journal of the Association for Information Systems 15(10), 679–722. Vance A, Lowry PB and Eggett D (2013) Using accountability to reduce access policy violations in information systems. Journal of Management Information Systems 29(4), 263–289. Vance A, Lowry PB and Eggett D (2015) Increasing accountability through user-interface design artifacts: A new approach to addressing the problem of access-policy violations. MIS Quarterly 39(2), 345–366. Vance A and Siponen M (2012) IS security policy violations: A rational choice perspective. Journal of Organizational and End User Computing 24(1), 21–41. Vance A, Siponen M and Pahnila S (2012) Motivating IS security compliance: Insights from habit and protection motivation theory. Information and Management 49(3–4), 190–198. Verizon (2016) 2016 data breach investigations report. http://www.verizonenterprise.com/DBIR/2015/, accessed 25 February 2017. Vom Brocke J, Simons A, Riemer K, Niehaves B and Plattfaut R (2015) Standing on the shoulders of giants: Challenges and recommendations of literature search in information systems research. Communications of the Association for Information Systems 37(9), 205–224. Von Dran GM, Guynes CS and Prybutok VR (1996) The information infrastructure: Policy and security considerations. Computers and Society 26(1), 13–15. Von Solms R (1999) Information security management: Why standards are important. Information Management and Computer Security 7(1), 50–57. Vroom C and Von Solms R (2004) Towards information security behavioural compliance. Computers and Security 23(3), 191–198. 
Wall DS (2013) Enemies within: Redefining the insider threat in organizational security policy. Security Journal 26(2), 107–124. Wall JD, Lowry PB and Barlow JB (2016) Organizational violations of externally governed privacy and security rules: Explaining and predicting selective violations under conditions of strain and excess. Journal of the Association for Information Systems 17(1), 39–76. Wall JD, Palvia P and Lowry PB (2013) Control-related motivations and information security policy compliance: The role of autonomy and efficacy. Journal of Information Privacy and Security 9(4), 52–79. Wall JD, Stahl BC and Salam AF (2015) Critical discourse analysis as a review methodology: An empirical example. Communications of the Association for Information Systems 37(1), 257–285. Warkentin M, Johnston AC and Shropshire J (2011) The influence of the informal social learning environment on information privacy policy compliance efficacy and intention. European Journal of Information Systems 20(3), 267–284. Warkentin M, Johnston AC, Shropshire J and Barnett WD (2016a) Continuance of protective security behavior: A longitudinal study. Decision Support Systems 92, 25–35. Warkentin M, Walden E, Johnston AC and Straub DW (2016b) Neural correlates of protection motivation for secure IT behaviors: An fMRI examination. Journal of the Association for Information Systems 17(3), 194–215. Warman AR (1992) Organizational computer security policy: The reality. European Journal of Information Systems 1(5), 305–310. Webster J and Watson RT (2002) Analyzing the past to prepare for the future: Writing a literature review. MIS Quarterly 26(2), xiii–xxiii. Weldon D (2015) Are your biggest security threats on the inside? http://www.cio.com/article/2985790/security/are-your-biggest-security-threats-on-the-inside.html, accessed 1 December 2015. Whitman ME (2008) Security policy: From design to maintenance. 
In Information security: Policy, processes, and practices (Straub DW, Goodman SE and Baskerville R, Eds), pp 123–151, M. E. Sharpe, New York. Whitman ME, Townsend AM and Aalberts RJ (2001) Information systems security and the need for policy. In Information security management: Global challenges in the new millennium (DHILLON G, Ed), pp 10–20, IGI Global, Hershey PA. Wiant TL (2005) Information security policy’s impact on reporting security incidents. Computers and Security 24(6), 448–459. Wiener M, Mähring M, Remus U and Saunders C (2016) Control configuration and control enactment in information systems projects: Review and expanded theoretical framework. MIS Quarterly 40(3), 741–774. Willison R (2006) Understanding the perpetration of employee computer crime in the organisational context. Information and Organization 16(4), 304–324. Willison R and Backhouse J (2006) Opportunities for computer abuse: Considering systems risk from the offender’s perspective. European Journal of Information Systems 15(4), 403–414. Willison R and Warkentin M (2013) Beyond deterrence: An expanded view of employee computer abuse. MIS Quarterly 37(1), 1–20. Wood CC (1982) Policies for deterring computer abuse. Computers and Security 1(2), 139–145. Workman M (2009) A field study of corporate employee monitoring: Attitudes, absenteeism, and the moderating influences of procedural justice perceptions. Information and Organization 19(4), 218–232. Workman M, Bommer WH and Straub DW (2008) Security lapses and the omission of information securitymeasures: A threat control model and empirical test. Computers in Human Behavior 24(6), 2799–2816. Workman M and Gathegi J (2007) Punishment and ethics deterrents: A study of insider security contravention. Journal of the American Society for Information Science and Technology 58(2), 212–222. Xue Y, Liang H and Wu L (2011) Punishment, justice, and compliance in mandatory IT settings. Information Systems Research 22(2), 400–414. 
Yazdanmehr A and Wang J (2016) Employees’ information security policy compliance: A norm activation perspective. Decision Support Systems 92, 36–46. Zafar H and Clark JG (2009) Current state of information security research in IS. Communications of the AIS 24(34), 557–596. Zhang J, Reithel BJ and Li H (2009) Impact of perceived technical protection on security behaviors. Information Management and Computer Security 17(4), 330–340. Zhang X, Parisi-Presicce F, Sandhu R and Park J (2005) Formal model and policy specification of usage control. ACM Transactions on Information and System Security 8(4), 351–387. Zsidisin GA and Ellram LM (2003) An agency theory investigation of supply risk management. Journal of Supply Chain Management 39(3), 15–27.