Exploring the Influence of Direct and Indirect Factors on Information Security Policy Compliance: A Systematic Literature Review

Information systems security is considered one of the key issues concerning organizations’ management. Despite the massive investment that organizations make to safeguard their systems, there are still many internal security breaches. The increase in insider threats to information systems can be related to employees’ compliance with information security policy. Several review papers have explored information security policy compliance behavior research. However, the literature lacks insight into the positive and negative (direct or indirect) influence of human and organizational theories and their factors on information security policy compliance behavior. Therefore, this paper provides a systematic literature review synthesizing the psychological theories, organizational theories, and other internal and external factors in information security policy compliance research. The analysis of 87 studies showed that the general deterrence theory, theory of planned behavior, and protection motivation theory are the most frequently used. The influencing factors of the theories are mostly similar in their results. Furthermore, information security education, training and awareness, trust, and leadership, among many other internal and external factors, are highly used. This study is one of the first to explore the relationship types between the influencing factors and information security policy compliance behavior, emphasizing direct and indirect effects. This paper also identifies some gaps in information security policy compliance behavior research and proposes future work. In addition, it provides a theoretical contribution and practical insight in the context of information security policy compliance.


I. INTRODUCTION
Due to globalization and interconnection, organizations rely heavily on information systems (IS) in their business processes [1]. Securing IS from potential threats and controlling the risk related to these systems must be an essential priority for organization management [2,3]. To safeguard IS assets, multi-dimensional solutions can be applied, both technical and non-technical. The technical solutions that can be used to protect IS include installing a firewall, using data backup, downloading an antivirus program, and implementing frequent system checks against threats. Non-technical solutions are behavioral solutions to employee and organization issues [4,5]. Many organizations realize that technology solutions alone are rarely sufficient to minimize the security threat, because all the solutions are employed and managed by individuals [6,7]. Studies confirmed that human behavior should be a focus when considering security solutions alongside technology, since individuals are considered the weakest link in the organization's security [8,9]. An example can be seen in the 2019 IBM X-Force Threat Intelligence Index, which revealed that internal error was accountable for most of the incidents within the organization [10]. A study conducted in Britain found that 58% of attacks in organizations resulted from insider threats, and that 33% of these attacks resulted from noncompliance with information security policies [11].
To reduce organizational security threats, several organizations have applied various security standards and guidelines. Examples of these standards are the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standard ISO/IEC 27001, and Control Objectives for Information and Related Technologies (COBIT). These guidelines and standards provide best practices for IS security [12]. Therefore, to help individuals improve their security activities, organizations should integrate these regulations into a document called the Information Security Policy (ISP); this policy helps shape their employees' behavior towards IS security [3]. ISP is defined as "a set of formalized procedures, guidelines, roles and responsibilities to which employees are required to adhere to safeguard and use properly the information and technology resources of their organizations" [13]. Furthermore, ISP is described as a document that states the employee's roles and duties to function in a manner that safeguards their organization's information and technology assets [14]. Enforcing ISP increases the level of security within the organization [15].
However, developing an ISP is not sufficient to ensure the security of the organization's assets; the employees must comply with their organization's ISP. Studies indicate that employees do not always comply with ISP, and this noncompliance is considered one of the most significant factors affecting security breaches [16,17]. Noncompliance with ISP leads to an interruption of the organization's operations [18]. Information security policy compliance (ISPC) is the degree to which employees safeguard their organization's information and technology assets against security threats by following ISP. Yazdanmehr and Wang [19] argue that the effectiveness of ISP depends on compliance with this policy, and that a comprehensive policy will be insufficient as a countermeasure to security threats without compliance and observance thereof. ISPC is considered an issue of human behavior. Improving compliance behavior among employees will reduce security threats for the organizations and their employees [8].
Several studies have focused on ISPC and explored the psychological and organizational theories that explain compliance behavior [3,20-23]. Numerous articles examine internal and external factors and theoretical constructs that motivate human behavior toward ISP [17,24,25]. While there are extensive studies on ISPC, none of the review studies classify the positive and negative (direct or indirect) influence of the human and organizational theories and their influencing factors on ISPC behavior. This study investigates this issue as a research gap in the literature. We bridge this gap by exploring the literature published from 2012-2020 to shed light on the need for synthesizing the psychological theories, organizational theories, and other factors in ISPC research. In addition, this paper examines the positive and negative (direct or indirect) impact of the human and organizational theories and their influencing factors on ISPC behavior, and investigates the relation between these theories and ISPC. This paper engages in a systematic review of current studies that address the theories and factors that contribute significantly to ISPC for practice and research, as described in section VIII.
The remainder of the paper is organized as follows: a presentation of the related research and motivations for the current study (section II), followed by the research methodology (section III) and the results and discussion of the study (section IV). Next, the moderation and mediation analyses are presented (section VI). The paper concludes with the identified gaps (section VII), implications (section VIII), and conclusion (section IX).

II. MOTIVATIONS FOR THE CURRENT STUDY
The systematic literature review (SLR) is based on the information security policy compliance review studies. The available studies focus on determining the behavioral and organizational theories that are used (e.g., theory of planned behavior, deterrence theory, etc.) [3,8]. Moreover, several studies were conducted to discover the influencing factors that affect information security policy compliance behavior (e.g., information security awareness, rewards, etc.) [22,25].
One of the earliest studies performed by Sommestad [26] covered 16 articles related to the theory of planned behavior.
In a later study, Sommestad et al. [27] analyzed more than 60 factors from 29 articles that significantly contribute to information security policy compliance behavior. Similarly, Cram et al. [28] classified the influencing factors into 17 categories by conducting a meta-analysis covering 25 quantitative studies. Furthermore, an SLR based on 51 articles was performed by Hina and Dominic [29] to explain the information security culture, awareness, and management issues within ISPC. A meta-analysis of 35 articles was conducted by Trang and Brendel [30] to explain the effect of deterrence theory on ISPC. Angraini et al. [31] conducted a study covering 59 articles to evaluate the existing theories in ISPC research. Kuppusamy et al. [32] also identified several theories using 29 relevant articles. Recently, an SLR study based on 80 articles was performed by Ali et al. [33] to identify the behavioral transformation process from ISP noncompliance to compliance. The results and limitations obtained from the previous studies of ISPC research are shown in Table I. In examining the literature, it was noted that none of the review studies classify the positive and negative (direct or indirect) influence of the human and organizational theories and their influencing factors on ISPC behavior. Considering the studies mentioned above, a systematic literature review was conducted to analyze the human behavior and organizational theories used in ISPC research. This study explores the factors that are related to these theories and their relation to ISPC behavior. Furthermore, the factors that are used in ISPC research are reviewed. The study contributes to the research stream and will provide insight for other researchers to further investigate ISPC behavior.

III. RESEARCH METHODOLOGY
Based on the Okoli et al. [34] method, a systematic literature review was performed to cover the research topic. The process includes four phases: planning, selection, extraction, and execution. The planning phase includes identifying the research purpose and questions, in addition to the protocol that will be used in the literature. The purpose of the systematic literature review is to identify and classify the current body of research literature that used theories, either quantitatively or qualitatively, in the information security policy compliance context in a given organizational setting. The following questions were formulated to expand the investigation.
RQ1-What are the theories used in the information security policies compliance context?
RQ2-What is the kind of relation of influencing factors and information security policies compliance behavior?
RQ3-What are the factors concluded in studies that influence information security policy compliance?
This process was performed using multiple keywords applied to online databases. The online databases of AIS library, Emerald insight, IEEE Xplore, Google Scholar, ProQuest, and ScienceDirect were used to identify the current research on information security policy compliance. The search strategy was based on the following strings and combinations of keywords: Information security policy/policies, compliance, comply, non-compliance, adherence, and compliance behavior.
The selection phase includes specifying the inclusion and exclusion criteria for the eligibility of the retrieved studies, which are shown in Table II.

| Study | Sample Size | Results | Limitations |
| --- | --- | --- | --- |
| [29] | 51 articles | An association between information security awareness, culture, and management with information security policy compliance behavior was found. | Performed in the education field only. Three concepts were studied. |
| | 16 articles | Theory of planned behavior can explain the ISPC behavior as other behaviors. | The study only targets the theory of planned behavior and its influencing factors. |
| [33] | 80 articles | Value conflicts, security-related stress, and neutralization significantly influence ISP noncompliance. Internal/external and protection motivations positively affect the ISPC. The transformation process from noncompliance into compliance may be controlled by deterrence techniques, management behaviors, culture, and information security awareness. | The classification of compliance and noncompliance factors was ambiguous. |

Kitchenham and Charters [35] claim that quality assessment of the selected review paper determines the significance of the individual publication when the results are being synthesized. Quality assessment was applied to assure the reliability of the selected publications [36]. Several guidelines and metrics were suggested in multiple studies to make such assessments effective [37]. Therefore, in addition to the inclusion and exclusion criteria determined previously, this study assessed the quality of individual publications through other criteria. Articles from indexed impact factor journals were included. For conference papers, three quality assessment criteria were used. First, papers published in highly reputable IS and Computer Science conference proceedings that are indexed in Google Scholar Metrics, by "h-index" in the latest five-year window [37]. Second, conference papers that are cited in articles published in leading journals [38]. Third, papers published in conferences that have a high-ranking Scopus CiteScore [39].
In the extraction phase, the studies that met one of the exclusion criteria were eliminated and classified by the reason for elimination. The search strategy produced 127 studies from different databases, in addition to 24 studies through forward and backward searches. Two studies were excluded for being in a non-English language. After records screening, nine studies were found to be duplicates and were eliminated from the process. Also, five additional studies were excluded for the following reasons: one study could not be accessed, and four studies were guideline reports. Afterward, a title and abstract screening was performed, and an additional 25 studies did not meet the criteria. Then, a full-text screening of the remaining studies was conducted, and 23 studies were outside the research scope, that is, employees' compliance behavior towards information security policy in organizations. Finally, a total of 87 published studies were included for detailed analysis. The result of the literature search strategy and evaluation for inclusion is shown in Fig 1. Finally, the execution phase includes analyzing the findings, which are discussed in further detail in sections IV and V.

IV. RESULTS AND DISCUSSION RELATED TO THE MAJOR CLASSIFICATION
In this section, the findings and state-of-the-art analysis of the systematic literature review are reported based on the process described above. The search strategy produced a total of 87 studies used for detailed analysis, which are shown in Appendix Table 1. The research was analyzed based on patterns in the nature of the research, empirical methods used, the classification of the applied theories, and research target sectors, in relation to the information security policy compliance context.

A. THE NATURE OF RESEARCH
To determine the research nature, Kothari's [40] classification was used for the selected studies. The categorization is based on whether the study is conceptual or empirical research. Conceptual research relates to an abstract idea or theory, and is also used to develop new concepts or reinterpret present concepts. Empirical research depends on experience or observation, and is based on primary or secondary data. Empirical research concludes with results that can be proved by observation or experiments. In our study, a literature review paper that concluded with a new result was classified as empirical research, while a study with unclear results was categorized as conceptual research. Empirical research was used in most of the publications, 73 studies (84%), as shown in Fig 3. More than half of the empirical publications were quantitative, 67 studies (77%), and the rest were qualitative (7%). Only 14 studies (16%) were classified as conceptual research. As earlier noted, 84% of studies were empirical research. Most (78%) of the studies used a survey method [17,41,42], and 6% used a mixed method approach [8,20,23]. In addition, 9 studies (12%) used interviews, meta-analysis, and systematic literature review [43-45], while 3% of studies applied experiments [46,47], and one study (1%) used a case study method [48] as illustrated in

C. TARGET SECTORS
The sector-specific distribution of the studies is shown in Fig 6. Eight sectors were identified from the analysis of the studies. The highest percentage of the studies (35%) were applied to various fields, e.g., banking, insurance, manufacturing, retail, and government organizations [1,21], followed by the education field with 21% [25,49]. The financial sector followed with 10% of studies [43,51], while 6% of the studies targeted the health and energy sectors [52,53]. Cybersecurity and engineering, as target sectors, accounted for 4% of all studies [54]. Only 1% of studies targeted the social services field [55]. However, 22% of studies do not identify the sectors related to the research [22,42]. Notably, the reviewed studies were unbalanced in terms of target sectors.

RQ1-What are the theories used in the information security policies compliance context?
RQ2-What is the kind of relation of influencing factors and information security policies compliance behavior?
This section outlines the theories and factors that are consistently used within the reviewed ISPC research. Across 85 publications, 35 human behavior and organizational theories were analyzed. Studies may have used constructs from theories or the whole theory to demonstrate as much result variance as possible. All the constructs were studied against the dependent variables (DVs), which are intent to comply and actual compliance behavior. In this research, the relation to ISPC is classified as direct, indirect, partial, or no effect. The constructs that affect the DV directly, positively or negatively, are classified as a direct effect (D+, D-). An indirect effect (InD+, InD-) is noted when there is a moderator or mediator to indicate the relation, or when the construct's effect on a variable in turn affects the DV. When multiple aspects of a construct are measured and the result supports only some of them, they are classified as a partial effect (P+, P-). Finally, no or weak effect (N) denotes the lack of effect on the DV. Fig 7 and 8 show the most common theories and their influencing factors related to information security policy compliance, which are listed in Appendix Table 2 in detail. Less explored theories, which were used in one or two studies, are listed in Appendix Table 3. The studies draw on diverse theories, including human behavior theories and organizational theories. Examples of these theories are the theory of planned behavior, the theory of protection motivation, general deterrence theory, social bond theory, neo-institutional theory, and organizational control theory, which include variables that impact ISP compliance. The results showed that the general deterrence theory, theory of planned behavior (TPB), and protection motivation theory are the most frequently used in the field, which concurs with [31,32]. The following paragraphs discuss the five most common theories in the studies; other theories are listed in Appendix Table 2 in detail.
As presented in Fig 7 and 8, drawing from the TPB, attitude (ATT), normative belief (NB), self-efficacy (SE), descriptive norms (DN), subjective norms (SN), and perceived behavioral control (PBC) were examined in 23 articles to find out about employees' ISPC. As compliance is a human behavior, the TPB was commonly explored. The studies were similar in results, as shown in the figures. ATT and SE are positively significant to ISPC, while NB and SN have weak strength in predicting ISPC. However, DN and PBC have not been given extensive attention in the studies. The protection motivation theory constructs, which are response efficacy (RE), self-efficacy (SE), response cost (RC), perceived vulnerability (PV), and perceived severity (PSEV), were analyzed through 16 articles. Most of the studies showed a positive effect on ISPC. RE, PV, and PSEV are considered strong positive predictors of ISPC. In addition, SE has a positive direct influence on ISPC. Ryutov et al. [56] proved a negative indirect association between RC and ISPC, while Rajab et al. [57] found a positive relation. Ifinedo [4] and Nasir et al. [58] also found that RC is not a significant predictor of ISPC. Furthermore, the general deterrence theory explained the punishment severity, punishment celerity, punishment certainty, sanctions, certainty of detection, and shame in 16 [63], D'Arcy and Lowry [41], Kim et al. [7] found a positive direct and indirect influence of BCOM and CNCOM on ISPC. The exception was found in the studies of D'Arcy and Lowry [41], Kim et al. [7], and Ifinedo [64], which found a negative relation between CCOM and ISPC behavior.

RQ3-What are the factors concluded in studies that influence information security policy compliance?
Among 85 studies, 38 factors from different concepts were analyzed. All the factors were studied against the dependent variables used in the studies, which are intention to comply and actual compliance behavior. These factors can be categorized as internal or external to the individuals. Examples of internal factors are trust, information security awareness, organizational citizenship behaviors, and demographics. Examples of external factors are a SETA program, corporate social responsibility, supportive organizational culture, and compliance audit. The results indicate that internal factors play more of a role in motivating ISPC behavior than external factors. The most commonly noted factors, discussed in the next sections, are information security education, training and awareness, trust, and leadership. Table III lists the factors that influence ISPC.

A. INFORMATION SECURITY EDUCATION, TRAINING, AWARENESS
Studies confirm that information security awareness education and training is a powerful predictor of ISP compliance. Researchers argue that ISP awareness is associated with positive attitudes among organizations' employees [18,25]. Hina et al. [65] argue that security education, training, and awareness (SETA) programs improve the information security culture in organizations. Similarly, the information security education, training, and awareness factor was commonly analyzed in current research. Koohang et al. [25] analyzed four predictors of ISPC among 237 university employees; their results confirmed that information security awareness is essential for ISPC. Abed et al. [66] proposed an ISP continuous model, and found that security awareness directly influences continuous ISPC behavior among 270 banking employees. Chongrui et al. [67] examined the role of security climate and training in employees' ISPC. Their study was conducted on 525 civil servants in China, and the results show a significant direct effect of security training on ISPC. Dhillon et al. [17] studied the mediating role of psychological empowerment in ISPC intention. They found that SETA, participation in information security decision-making, and access to ISP influence the ISPC intention.
The above-mentioned studies explain the direct effect of SETA on ISPC behavior. However, Koohang et al. [18] built an awareness-centered ISPC model; their study was applied among 285 non-management employees, and the results show the indirect impact of ISP awareness through the understanding of resource vulnerability and self-efficacy, which lead employees to comply with ISP requirements. Alomari et al. [68] proved that information security and technologies awareness shape employees' attitude toward ISPC among 878 financial organization employees. Arage et al. [63] explored the role of norms in compliance with ISP among 201 employees from different organizations. Their findings show that ISP-related awareness of consequences shapes personal norms, which in turn guide ISPC behavior. Furthermore, Stafford et al. [46] confirmed that an effective training program for users is more crucial than other prevention protocols in ISPC behavior. Among 301 employees working in higher education institutions in Malaysia, Hina et al. [65] considered the SETA program to play a vital role in motivating employees to embrace protective behavior for compliance with ISP. The study of Burns et al. [69] explores the role of employee awareness of the SETA program toward two different intentions among 411 participants. The result shows that the SETA program indirectly affects ISPC intention and protection of organization information assets. Likewise, Ali et al. [23] studied three organizational factors to explore the social bond theory constructs with a survey of 254 managers in oil and gas organizations. They found that a SETA program was one of the factors that play an essential role in developing ISPC behavior among employees. However, the studies of Kretzer et al. [70] and Abdul Kadir et al. [54] concluded that information security training has a weak positive association with ISP compliance behavior.

B. TRUST
Studies found that users' perception of the security characteristics of their information systems leads to trust in the system. A high level of IS trust leads to improved security decisions by employees [25]. This is also supported by Bahtiyar et al. [71], who confirm that individuals' high level of trust in the security system leads them to use this system consistently, which might decrease the security threat in the organization. Therefore, the organization should build trust in its security systems, as trust-based information security has a positive effect in safeguarding organizations from security incidents [25].
Several empirical studies confirmed that trust is a powerful predictor of an employee's intention to comply with the ISP requirements. Koohang et al. [25] studied the impact of trust beliefs among 237 university employees and found a predictive association between trust and employees' ISP compliance. Humaidi et al. [72] implemented multidisciplinary theories to evaluate the correlation between compliance behavior and integrated social-technical values towards ISP among 454 health professionals. Their study was performed on two sub-groups, a high-experience and a low-experience group. They revealed that perceived trust is the most important predictor of ISPC in both sub-groups. The study of Humaidi et al. [52] explored the indirect effect of management support on users' ISPC among 454 healthcare professionals. Their finding supports the effect of management support through both self-efficacy and the trust factor. In addition, a direct influence was found between trust and ISPC behavior. Meanwhile, Paliszkiewicz [42] and Koohang et al. [18] confirmed the indirect impact of trust on the organization's ISP compliance through the leadership factor.

C. LEADERSHIP
Studies argue that information security should be considered a top management priority and that effective leadership from top management encourages ISP enforcement [18]. Leaders should develop a strong information security culture to enhance compliance with ISP requirements in their organizations, and preserve the organization's assets from security incidents. Leaders should motivate their employees to follow the ISP procedures [25]. Researchers propose that employees might comply with ISP because of reliance on their leader, or out of regard for their leader's morals. Employees' beliefs, attitudes, and intention toward ISP compliance can heavily depend on their leader's opinions [21,73].
Koohang et al. [25] studied the influence of leadership among 237 university employees, and found a direct positive association between leadership and employees' ISP compliance. Feng et al. [73] examined the relationship between paternalistic leadership and employees' ISPC. Their study was conducted among 314 employees and their supervisors in organizations. The findings supported that all three dimensions of paternalistic leadership, which are benevolence, morality, and authoritarianism, directly affect employees' ISPC. Koohang et al. [18] found an indirect positive impact of effective leadership, which guides employees to comply with ISP requirements, among 285 non-management staff. However, the study of Amankwa et al. [21], which was performed on 424 employees in different organizations, argues that leaders have a weak impact on employees' compliance with ISP.

VI. MODERATION AND MEDIATION ANALYSIS
Among existing studies, ten articles used moderation and mediation analysis to enhance the result. Humaidi et al. [72] studied employees' work experience as a moderator of the relationship between (management support, information security awareness, perceived barrier, self-efficacy, perceived trust) and ISPC behavior. Their results confirmed the effect of work experience on management support and information security awareness, while they did not support the other constructs. Yazdanmehr et al. [82] argue that the rule-oriented ethical climate and susceptibility to interpersonal influence negatively moderated both the effect of the command-and-control approach and the effect of the self-regulatory approach on ISPC. Liu et al. [84] suggest that organizational commitment could be a significant moderator in threat avoidance behavior. They proved that organizational commitment weakens the negative effect of perceived costs and the positive effect of self-efficacy on ISPC behavior. They also found a weak effect of organizational commitment on the perceived threat, perceived effectiveness, and ISPC behavior. Yazdanmehr and Wang [19] propose that the ISP awareness of consequence and ISP ascription of personal responsibility positively moderate the impact of ISP-related personal norms on ISPC. Their results confirmed the effect of ISP ascription of personal responsibility, while they did not confirm the ISP awareness of consequence.
For the mediation analysis, Feng et al. [73] proved that the social bond mediates the effect of moral leadership and benevolent leadership on ISPC intentions; however, social bond did not mediate the effect of authoritarian leadership on ISPC. Moreover, Dhillon et al. [17] confirm the argument that psychological empowerment mediates the association between (SETA, access to information, participation in decision-making) and ISPC intention. Kim [85] found that compliance knowledge mediates the correlations between (social pressure and compliance behavioral belief) and compliance intention. Overall, this kind of analysis is helpful because it explains the relationships and the variables' impact on these relationships. There was variety in the moderators and mediators, covering individual factors (such as psychological empowerment and employees' experience) and environmental factors (such as ethical climate). Also, several factors were studied frequently (such as leadership, rewards, SETA, response cost), which may produce a valuable result when they are utilized as moderators and mediators.

Security-Related Stress
A stress resulted from the internal and external security requirements, which are beyond the employee's energy and capabilities. [22]

Understanding Resource Vulnerability
Understanding the weakness in the organization's resources and assets, which may utilize through a threat source. [18]

Information Security Training
The organization programs to communicate with their employees about the organization's information security issues.

Organizational Deviance
A behavior breach of the essential organization rules, which can influence the organization's reputation and well-being. [41]

Perceived Organizational Formalization
Formalize the organization's rules, instructions, and communications to manage the employees' behaviors. [8]

Work-Related Groups
The individuals associated with others under the same circumstances. [77]

Ethical Climate
Describing the moral atmosphere of the organization and its members. [19]

Organization's Information Security Strategy Access
Employee opportunities given by the management, to reach and understand their organization's information security strategic objectives. [17]

Position Level
An employee position within the organization, that addresses the individual's required liabilities and job expectations. [78]

Information Security Climate
The policies, practices, and procedures that enhance the employees' perception about the information security value in their organizations. [67,79]

Satisfaction
The positive feeling about the information security policy that motivates compliance. [66]

Confirmation
An individual's confirmation of expectations about the ISPC. [66]

Security Avoidance
Deliberately avoiding the information security policy, despite employee knowledge of its need and importance. [79]

Participation in Decision-Making
Grant the employee the right to participate in their organization's information security goals, by requesting input. [17]

Demographic
A population statistical study, which can include multiple criteria like age, ethnicity, education level, and work experience. [24]

Corporate Social Responsibility
Engaging in social goals and practices to provide a high financial return to shareholders. [62]

SETA programs
Sharing knowledge about information security issues with the employees, in addition to the required security practices to do their job. [17] [23,53,65,69,75]

Psychological Empowerment
Intrinsic motivation factors which derive from the task, that reflect on the individual's work and involvement. [78] [17]

Religiosity
Religiosity level in a social context impact the compliance and deviance behavior. [80]

Supportive Organizational Culture
A set of common suppositions and conceptions relating to the organization's work environment. [76] [21]

Internal Audit
Examining the preventive system quality, and figuring the vulnerabilities of security solutions against security policy violations. [46]

Behavioral Monitoring
The employees' behavior observation at work to identify how they deal with technologies, systems, and assets. [45]

Provision of Policy
The existence of ISP and its role in improving the security behavior within the organization employees. [65]

Negative Experience
The negative incident related to information system security that remains in the employee experience when dealing with future issues. [65]

Security Agents
The consultant and trainer responsible to perform security-related tasks whether a full or part time security agent. [70]

Informational Materials
Tangible and non-tangible resources that explain the employees' compliance behavior, and common mistakes within the organization. [70]

Compliance Audit
Checking the information security policy compliance through an internal and external auditor. [70]

National Culture
The impact of the society's culture on the individual's values, and the relationship between these values and their behavior. [63]

Worries about Cybercrime
The fear that may have functional and dysfunctional effects, and the individuals are different in nature; so, their level of worry varies. [81]

Working Experience
Abilities, knowledge, and skills can be gained through education or participation in specific events. [72]

Self-Regulatory Approach
The approach that considers the major drivers of behavior are intrinsic desires. [82]

Psychological Ownership
The sense of possession of the information related to their work. [83]

Organizational Injustice
The organization's actions that impact the employee conception of justice and injustice, which are divided into distributive, procedural and interactional justice. [47]

VII. IDENTIFIED GAPS
The analysis of the current studies reveals some research gaps that could be investigated. First, the role of organizational theories needs deeper investigation. Second, there is a noted paucity of studies implementing technology-related behavior theories, such as the technology acceptance model, technology threat avoidance theory, and task technology fit model. The technology-related behavior theories should be a priority in future ISPC research because the understanding of these theories will reflect on the security countermeasures that are used in organizations [86]. Third, moderation and mediation analysis has received less attention within the current studies. The potential mediation and moderation effects could help gain a better understanding of the underlying factors and theories. Future research could be carried out on empirical work and a meta-analysis considering the effect of mediator and moderator variables. Fourth, the studies were unbalanced in relation to the target sectors. For example, there is a general lack of research targeting the health sector, where, according to a report by Bitglass [87], the average cost of security breaches is still higher than that of every other industry in 2020. There were approximately 600 healthcare data breaches in 2020, increasing 55% from 2019. Therefore, more attention should be paid to the health sector. Fifth, very few studies have applied diverse research methods such as lab experiments and interviews, and using such methods may obtain new results in the field. Finally, the data analysis techniques were mostly similar, using structural equation modeling (see Appendix Table 1); therefore, there was an absence of other techniques such as artificial intelligence techniques. Liébana-Cabanillas et al. [88] and Alwabel and Zeng [89] confirm that using artificial neural networks, which is an important artificial intelligence technique, can provide greater prediction accuracy than linear models, and it is better than the traditional statistical techniques in predicting technology adoption. Therefore, it would be interesting to focus more intensely on these gaps to investigate ISPC behavior.

VIII. IMPLICATIONS FOR PRACTICE AND RESEARCH
This paper has several contributions and implications for information security research. The paper seeks to offer an overview of current research on information security policy compliance. From the research perspective, one of the most important contributions is the synthesis of the human behavior theories, organizational theories, and other factors that motivate compliance behavior. Another significant contribution to the academic field is that it is one of the first studies to determine the relationship types among the influencing factors, emphasizing the direct and indirect effect, and information security policy compliance behavior as reported in current research. Furthermore, the paper also adds to the growing body of research that studies the current theories in information security behavior, highlighting the need for organizational theories that specify compliance behavior. It also emphasizes the importance of implementing more technology-related behavior theories such as the technology acceptance model. Moreover, the study draws attention to the need to revisit neglected theories and models in this field; for instance, the task technology fit model, which may provide new insight into the field. It also identified some research gaps that should be addressed in future research.
The study findings will provide guidelines for future studies that concentrate on ISPC behavior in organizations. This systematic literature review has provided several practical contributions for information security behavioral research. In light of the huge impact that attitude and self-efficacy were found to have on ISPC behavior, managers could implement several strategies to shape their employees' behavior, such as frequent awareness and training programs, and facilitation of information security procedures and practices, so that employees can take responsibility for basic issues of information security. Given that punishment severity could engender compliance, the management should foster suitable sanctions within the organization. The studies confirmed the effect of perceived severity and perceived vulnerability on ISPC behavior; therefore, management should constantly remind employees of information security threats and the extent of the damage caused by these threats [90]. Several studies indicate that better social bonding among the employees positively impacts ISPC behavior [45,73]; therefore, information security policymakers should take this information into account to improve compliance behavior [33]. Furthermore, the study proved that compliance behavior may be circumscribed by the employees' rational choices. Ifinedo [64] urges managers to clarify the advantages and benefits for the employees associated with compliance.
This study's findings show the important impact of SETA, leadership, and trust as compliance factors. Thus, the organization should provide an education and training program, and make it consistently available and easy to reach until the employees ultimately adopt security behavior. Leadership should guarantee employee knowledge about the ISP requirements, and leaders should adjust their behavior to impact the employees' behavior. Moreover, trust among the employees and their management must be enhanced, as this could effectively leverage the compliance behavior. This study also provides the main compliance factors that can assist security managers and IT professionals in designing their information security policies.

IX. CONCLUSION
This systematic literature review aimed to investigate existing studies that explore information security policy compliance.
The main objective of this study was to examine the positive and negative (direct or indirect) impact of the human and organizational theories and their influencing factors on ISPC behavior. The study attempted to answer three research questions by reviewing a total of 87 articles that examine the ISPC context. Comprehensively, this paper answered the following questions: What are the theories used in the information security policies compliance context? What is the kind of relation of influencing factors and information security policies compliance behavior? What are the factors concluded in studies that influence information security policy compliance? This paper highlights the human behavior theories and organizational theories that are applied in existing articles. Moreover, it provides an investigation into the relation between these theories and ISPC, and reviews several internal and external factors in relation to the ISPC. The results determine 35 applied human behavior theories and organizational theories, and 38 factors that could affect the ISPC. The results also showed that the theory of planned behavior, the general deterrence theory, and the protection motivation theory are the most frequently used. The most noteworthy finding revealed through this study is that most of the theories shape ISPC behavior positively (directly or indirectly), while the cost of compliance and naturalization are found in four studies to have a negative influence on ISPC behavior. Furthermore, a large number of internal and external factors have been observed to affect the ISPC. The findings indicate that internal factors play more of a role in motivating the ISPC behavior than external factors. Information security education, training and awareness, trust, and leadership, among many other internal and external factors, are highly used.
This study presents some limitations and provides recommendations for future research. First, although a comprehensive manual online search process was performed to select the studies, any literature that remains missing is considered a study limitation. This literature could improve the study results; therefore, future research should implement an automated search process to capture as many of the targeted studies as possible. Second, the selected inclusion and exclusion criteria could be a limitation (e.g., including only theoretical and empirical articles, excluding technical reports and guidelines); therefore, considering these issues in future research could be significant. Third, this study was conducted with a range of nine years until the end of 2020 (the close of the research project); therefore, similar SLRs on ISP compliance behavior covering shorter periods would produce more accurate results and focus on the recent interest of research. Finally, the identified gaps previously described in section VII are considered a valuable direction for future research. This paper contributes to information security research, and can assist other researchers in future investigation.