Social Factors in Policy Compliance -- Evidence Found in Literature to Assist the Development of Policies in Information Security Management

Researchers and practitioners of Information Systems Security (ISS) operate semi-disconnected. Standards and frameworks born out of the cumulated best-practice experiences have filled this gap. But without the rigor of the scientific process their validity is in question. To aid in building the required scientific foundation, existing empirical evidence needs to be processed further than the scope of a single research endeavor may allow. Other fields of science, such as medicine, have long recognized the need for higher level analyses of research. In our paper we perform an exhaustive literature research in the realm of empirical ISS research. As one of the research hotspots of recent years, we then perform a systematic review of research results in Information Security Policy (ISP) compliance. We analyze and discuss the heterogeneity of research results and suggest a presentation format that may allow ISS practitioners to base their ISP design decisions on.