1. Introduction
Today's organizations are highly dependent on information systems (IS). Consequently, they implement technical measures to mitigate threats to information security (Aurigemma and Panko, 2007). To achieve IS security, the literature proposes information security policies (ISPs) (Bulgurcu et al., 2010; Pahnila, 2007a, 2007b) and Security Education, Training and Awareness (SETA) programs (Abraham, 2011; D'Arcy and Hovav, 2009) as non-technical measures for preventing security breaches by employees. Because the literature refers to employees as the weakest link in IS security (Spears and Barki, 2010; Siponen et al., 2006), employees' information security awareness (ISA) and behavior have garnered increasing academic attention over the past decade. In this interdisciplinary research domain, theories from social psychology and criminology were adopted into the IS literature (Mishra and Dhillon, 2005) to explain and predict employees' security-related behavior and awareness. Despite the large number of studies conducted in this context, there is still no up-to-date overview of the theories used and the main results obtained.
Therefore, in this paper, we present the results of a comprehensive literature review designed to identify the applied theories and to understand the cognitive determinants studied in the research field of employees' ISA and behavior over the past decade. A prior literature analysis was conducted by Siponen (2000a, 2000b). The author analyzed different approaches to minimizing user-related faults in information security. Although the underlying theories were identified, the focus of that study was approach-related. As it was published 12 years ago, an up-to-date overview of applied theories is necessary to guide further research. Another literature analysis, by Abraham (2011), focused on factors that influence security behavior (i.e. policies, communication practices, peer influences, etc.) rather than on theories. In addition, several target-oriented literature reviews have been conducted. "Target-oriented" means that the literature review was conducted to provide the theoretical basis for further research within the same article (e.g. model construction) and is not the essential part of the article. For instance, Mishra and Dhillon (2005) gave a short overview of behavioral theories in the IS security literature in order to introduce the theory of anomie to the research field. Another paper, by Aurigemma and Panko (2007), surveyed behavioral theories to present an ISP behavioral compliance framework.
The aim of this paper is to provide an up-to-date overview of applied theories by discussing...