Variables influencing information security policy compliance: A systematic review of quantitative studies

The purpose of this paper is to identify variables that influence compliance with information security policies of organizations and to identify how important these variables are. A systematic review of empirical studies described in extant literature is performed. The investigated variables in studies and the effect size reported for them were extracted and analysed. In the 29 studies, more than 60 variables have been studied in relation to security policy compliance and incompliance. Unfortunately, no clear winners can be found among the variables or the theories they are drawn from. Each of the variables only explains a small part of the variation in people’s behaviour and when a variable has been investigated in multiple studies the findings often show a considerable variation.