Seeing the Forest and the Trees: A Meta-Analysis of the Antecedents to Information Security Policy Compliance
by
John D’Arcy
Associate Professor of MIS
Lerner College of Business and Economics, University of Delaware
Friday, April 6, 2018
10:30 AM – noon
Speakman Hall Suite 200
Abstract
A rich stream of research has identified numerous antecedents to employee compliance (and non-compliance) with information security policies. However, the number of competing theoretical perspectives and inconsistencies in the reported findings have hampered efforts to attain a clear understanding of what truly drives this behavior. To address this theoretical stalemate and build toward a consensus on the key antecedents of employees’ security policy compliance in different contexts, we conducted a meta-analysis of the relevant literature. Drawing on 84 quantitative studies focusing on security policy compliance, we classified 299 independent variables into 17 distinct categories and analyzed each category’s relationship with security policy compliance, including an analysis for possible domain-specific moderators. We augmented our meta-analytic assessment of the bivariate relationships between the independent variables and security policy compliance with a relative weight analysis that accounted for several construct intercorrelations. Collectively, our results suggest that much of the security policy compliance literature is plagued by suboptimal theoretical framing. Our findings can facilitate more refined theory-building efforts in this research domain and serve as a guide for practitioners to manage policy compliance initiatives.