You are here: Home Contents V16 N3 V16N3_Marotta.html
Personal tools

Perspectives on the Relationship between Compliance and Cybersecurity



Full text

Journal of Information System Security
Volume 16, Number 3 (2020)
Pages 151177
ISSN 1551-0123
Angelica Marotta — Sloan School of Management, Massachusetts Institute of Technology, USA
Stuart Madnick — Sloan School of Management, Massachusetts Institute of Technology, USA
Information Institute Publishing, Washington DC, USA




Today, cybersecurity is evolving, and so is compliance's critical role in influencing cybersecurity prevention and mitigation approaches. However, while compliance often acts as a lever for maturity growth, using regulatory requirements as a plan for building a cybersecurity program may result in an incomplete approach to achieving a secure organizational environment. Thus, even if an organization is compliant with the most rigorous requirements, it may still have gaps that leave room for vulnerabilities. Compliance is not black and white but rather a matter of a series of components. This paper provides an in-depth literature review of 96 publications and investigates the compliance factors that may have an impact on cybersecurity practices. This research offers three contributions. Firstly, it provides an overview of compliance. Secondly, it provides a comparison between worker safety compliance and cybersecurity compliance. Thirdly, it investigates cybersecurity compliance in different sectors.




Compliance, Cybersecurity, Compliance Management, Regulations, Risk, Safety.




Abdullah, N. S., Sadiq, S., and Indulska, M. (2010, June). Emerging challenges in information systems research for regulatory compliance management. In International Conference on Advanced Information Systems Engineering (pp. 251-265). Springer, Berlin, Heidelberg.

Adams, S. A., Brokx, M., Dalla Corte, L., Galič, M., Kala, K., Koops, B. J., Bert, J., Leenes, R., Schellekens, M., E Silva, K., Skorvánek, I. (2015). The Governance of Cybersecurity: A comparative quick scan of approaches in Canada, Estonia, Germany, the Netherlands, and the UK. Tilburg University.

Angraini, Alias, R., and Okfalisa. (2019). Information Security Policy Compliance: Systematic Literature Review. Procedia Computer Science, 161, 1216-1224. doi: 10.1016/j.procs.2019.11.235

Appari, A., and Johnson, M. E. (2010). Information security and privacy in healthcare: current state of research. International journal of Internet and enterprise management, 6(4), 279-314.

Arner, D. W., Barberis, J. N., and Buckley, R. P. (2016). The Emergence of Regtech 2.0: From Know Your Customer to Know Your Data. Journal of Financial Transformation, 44, 79-86.

Arner, D. W., Barberis, J., and Buckley, R. P. FinTech, RegTech and the Reconceptualization of Financial Regulation' (2017). Northwestern Journal of International Law and Business, 37, 371.

Bailey, P. D., Haq, G., and Gouldson, A. (2002). Mind the gap! Comparing ex ante and ex post assessments of the costs of complying with environmental regulation. European Environment, 12(5), 245-256.

Bauer, J. M., and Latzer, M. (Eds.). (2016). Handbook on the Economics of the Internet. Edward Elgar Publishing.

Blum, D. (2020). Create Your Rational Cybersecurity Success Plan. In Rational Cybersecurity for Business (pp. 297-313). Apress, Berkeley, CA.

Bonakdarpour, B., Deshmukh, J. V., and Pajic, M. (2018, November). Opportunities and challenges in monitoring cyber-physical systems security. In International Symposium on Leveraging Applications of Formal Methods (pp. 9-18). Springer, Cham.

Bradbury, J. C. (2006). Regulatory federalism and workplace safety: evidence from OSHA enforcement, 1981–1995. Journal of Regulatory Economics, 29(2), 211-224.

Breaux, T. D., Antón, A. I., and Spafford, E. H. (2009). A distributed requirements management framework for legal compliance and accountability. Computers and Security, 28(1-2), 8-17.

Byrnes, W. H., and Munro, R. J. (2020). Money Laundering, Asset Forfeiture and Recovery and Compliance--A Global Guide. LexisNexis.

Caldwell, F. and Eid, T. (2007) Magic Quadrant for Finance Governance, Risk and Compliance Management Software, 2007. Gartner Inc.

Cojocaru, I., and Cojocaru, I. (2019). A BIBLIOMETRIC ANALYSIS OF CYBERSECURITY. Paper presented at Programme CEE e|Dem and e|Gov Days 2019, Budapest, Hungary. doi: 10.24989/ocg.v335.12

Coventry, L., Briggs, P., Blythe, J., and Tran, M. (2014). Using behavioural insights to improve the public’s use of cyber security best practices. Gov. UK report.

Croce, T. (2017). From Bitcoin to the Internet of Things: the role of the Blockchain. Annali della Facoltà Giuridica dell’Università di Camerino, 6, 17.

Cuaresma, J. C. (2002). The gramm-leach-bliley act. Berkeley Tech. LJ, 17, 497.

Daud, M., Rasiah, R., George, M., Asirvatham, D., and Thangiah, G. (2018). Bridging the gap between organisational practices and cyber security compliance: Can cooperation promote compliance in organisations?. International Journal of Business and Society, 19(1).

Dayabhai, S. (2017). Application vs Security: The cyber-security requirements in a modern substation automation system. Proceedings of the Southern African Power System Protection and Automation Conference, Johannesburg, South Africa.

De Guzman, M. L. (2007). Compliance looms over IT security. Network World Canada, 23(5), N_A.

Deelman, E., Stodden, V., Taufer, M., and Welch, V. (2019, June). Initial Thoughts on Cybersecurity and Reproducibility. In Proceedings of the 2nd International Workshop on Practical Reproducible Evaluation of Computer Systems (pp. 13-15). ACM.

Doganata, Y., and Curbera, F. (2009, September). Effect of using automated auditing tools on detecting compliance failures in unmanaged processes. In International Conference on Business Process Management (pp. 310-326). Springer, Berlin, Heidelberg.

Donalds, C., and Osei-Bryson, K. M. (2020). Cybersecurity compliance behavior: Exploring the influences of individual decision style and other antecedents. International Journal of Information Management, 51, 102056.

Donaldson, S. E., Siegel, S. G., Williams, C. K., and Aslam, A. (2015). Meeting the cybersecurity challenge. In Enterprise Cybersecurity (pp. 27-44). Apress, Berkeley, CA.

Douglas, J. L. (2016). New wine into old bottles: Fintech meets the bank regulatory world. NC Banking Inst., 20,17.

El Kharbili, M. (2012, January). Business process regulatory compliance management solution frameworks: A comparative evaluation. In Proceedings of the Eighth Asia-Pacific Conference on Conceptual Modelling, 130 (pp. 23-32). Australian Computer Society, Inc.

Foorthuis, R. M. (2012). Tactics for Internal Compliance: A Literature Review. Project Compliance with Enterprise Architecture, 153-198.

Foorthuis, R., and Bos, R. (2011, June). A framework for organizational compliance management tactics. In International Conference on Advanced Information Systems Engineering (pp. 259-268). Springer, Berlin, Heidelberg.

Grandison, T., and Bhatti, R. (2012). Regulatory compliance and the correlation to privacy protection in healthcare. In Innovations in Data Methodologies and Computational Algorithms for Medical Applications (pp. 108-124). IGI Global.

Grossman, W. M. (2008). Complying to a false sense of security. Infosecurity, 5(7), 24-27.

Han, J., Kim, Y. J., and Kim, H. (2017). An integrative model of information security policy compliance with psychological contract: Examining a bilateral perspective. Computers and Security, 66, 52-65.

Herath, T., and Rao, H. R. (2009). Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems, 47(2), 154-165.

Hildenbrandt, K., and van Beurden, I. (2019). Integration of Automation Lifecycles: Leveraging Functional Safety, Cybersecurity, and Alarm Management Work Processes. Chemical Engineering Transactions, 77, 625-630.

Hornbuckle, R. (n.d.) Security vs. Compliance. Retrieved from

Jenik, I., and Lauer, K. (2017). Regulatory sandboxes and financial inclusion. Washington, DC: CGAP.

Joshi V., Patel, R., Adhikari, M., Singh, R., Gehlot, A. (2019). Industrial Automation. Delhi, India: BPB Publications.

Kharbili, M. E., Medeiros, A. K. A. D., Stein, S., and van der Aalst, W. M. (2008). Business process compliance checking: Current state and future challenges. In: Proc MobIS'08, 107–113

Kingsbury, B. (1997). The concept of compliance as a function of competing conceptions of international law. Mich. J. Int'l L., 19, 345.

Kirtley, J. E., and Memmel, S. (2018). Rewriting the Book of the Machine: Regulatory and Liability Issues for the Internet of Things. Minn. JL Sci. and Tech., 19, 455.

Kosseff, J. (2016). Positive Cybersecurity Law: Creating a Consistent and Incentive-Based System. Chap. L. Rev., 19, 401.

Kosseff, J. (2017). Defining cybersecurity law. Iowa L. Rev., 103, 985.

Kosseff, J. (2019). Cybersecurity law. John Wiley and Sons.

Kwon, J., and Johnson, M. E. (2011). The impact of security practices on regulatory compliance and security performance. In Proceedings of the 32nd International Conference on Information Systems, AIS.

Kwon, J., and Johnson, M. E. (2012). Security practices and regulatory compliance in the healthcare industry. Journal of the American Medical Informatics Association, 20(1), 44-51.

Kwon, J., and Johnson, M. E. (2013, January). Healthcare security strategies for regulatory compliance and data security. In 2013 46th Hawaii International Conference on System Sciences (pp. 3972-3981). IEEE.

Laprie, J. (2005, July). Resilience for the scalability of dependability. In Fourth IEEE International Symposium on Network Computing and Applications (pp. 5-6). IEEE.

Leander, B., Čaušević, A., and Hansson, H. (2019, August). Applicability of the IEC 62443 standard in Industry 4.0/IIoT. In Proceedings of the 14th International Conference on Availability, Reliability and Security (p. 101). ACM.

Li, L., He, W., Xu, L., Ash, I., Anwar, M., and Yuan, X. (2019). Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior. International Journal of Information Management, 45, 13-24.

Lodge M (2004) Accountability and Transparency in Regulation: Critiques, Doctrines, and Instruments. In: Jordana J, Levi‐Faur D (eds) The Politics of Regulation: Institutions and Regulatory Reforms for the Age of Governance, pp. 124–144. Edward Elger, Cheltenham, UK.

Loshin, D. (2010). The practitioner's guide to data quality improvement. Elsevier.

Lyons S (2016). Corporate Defense and the Value Preservation Imperative: Bulletproof Your Corporate Defense Program. Auerbach Publications.

MacLean, T. L., and Behnam, M. (2010). The dangers of decoupling: The relationship between compliance programs, legitimacy perceptions, and institutionalized misconduct. Academy of Management Journal, 53(6), 1499-1520.

Mashaw, J. L. (2006). Accountability and institutional design: Some thoughts on the grammar of governance. Public Law Working Paper, (116), 115-156.

Mathavi, M. S., Vanitha, D., Jeyanthi, S., and Senthil, P. (2012). The smart home: renewable energy management system for smart grid based on ISM band communications. International Journal of Scientificand Engineering Research, 3(3), 1-8.

May, P. J. (2007). Regulatory regimes and accountability. Regulation and Governance, 1(1), 8-26.

McBride, M., Carter, L., and Warkentin, M. (2012). Exploring the role of individual employee characteristics and personality on employee compliance with cybersecurity policies. RTI International-Institute for Homeland Security Solutions, 5(1), 1.

Millán Anglés, S., Ganah, A., García Santos, A., Jiménez Leube, F. J., and Higuera Rincón, Ó. (2014). Determination of the influence of specific building regulations in smart buildings. Intelligent Buildings International, 6(4), 239-254.

Miller, A. R., and Tucker, C. (2009). Privacy protection and technology diffusion: The case of electronic medical records. Management Science, 55(7), 1077-1093.

Moeller, R. R. (2011). COSO enterprise risk management: establishing effective governance, risk, and compliance processes (Vol. 560). John Wiley and Sons.

Mohammed, D. (1970). Cybersecurity Compliance in The Financial Sector. The Journal of Internet Banking and Commerce, 20(1), 1-11.

Mohammed, D. (2017). US Healthcare Industry: Cybersecurity Regulatory and Compliance Issues. Journal of Research in Business, Economics and Management, 9(5), 1771-1776.

Muckin, M., and Fitch, S. C. (2014). A Threat-Driven Approach to Cyber Security. Lockheed Martin Corporation.

Mushkat, R. (2009). Dissecting International Legal Compliance: An Unfinished Odyssey. Denv. J. Int'l L. and Pol'y, 38, 161.

Nawar, Y. S., and Dagam, O. V. (2015). Organisational Culture Perspective. Practice, 2(4).

Novaes, N., Madnick, S. E., Moraes G. de Paula, A. and Malara Borges, N., (2020). A Case Study of the Capital One Data Breach. Available at SSRN: or

Oltsik, J. (2011). The ESG Information Security Management Maturity Model. Enterprise Strategy Group, Milford, Massachusetts.

Packin, N. G. (2018). RegTech, compliance and technology judgment rule. Chi.-Kent L. Rev., 93, 193.

Pham, H., Brennan, L., and Richardson, J. (2017, June). Review of behavioural theories in security compliance and research challenge. In InSITE 2017: Informing Science + IT Education Conferences: Vietnam (pp. 065-076).

Panitz, J. C., Wiener, M., and Amberg, M. (2011, October). Factors facilitating compliance implementation case study results from multinational enterprises. In ECIS (p. 3).

Paul, S., and Rioux, L. (2015). Over 20 Years Of Research Into Cybersecurity And Safety Engineering: A Short Bibliography. In Safety and Security Engineering (Vol. 5, pp. 335-349). WIT Press.

Pererva, P. G., Kosenko, O., and Tkachov, M. (2017). Compliance Program of An Industrial Enterprise: The Essence and Content. In Mérleg és Kihívások” X. Nemzetközi Tudományos Konferencia, 87-93

Pupke, D. (2008). Compliance and corporate performance: the impact of compliance coordination on corporate performance. BoD–Books on Demand.

Regens, J. L., Dietz, T. M., and Rycroft, R. W. (1983). Risk assessment in the policy-making process: environmental health and safety protection. Public Administration Review, 137-145.

Romzek, B. S., and Dubnick, M. J. (1987). Accountability in the public sector: Lessons from the challenger tragedy. Public Administration Review, 47(3), 227–238

Romzek, B.S., Ingraham, P.W. (2000) Cross Pressures of Accountability: Initiative, Command, and Failure in the Ron Brown Plane Crash. Public Administration Review, 60, 240–253.

Scott, C. (2000) Accountability in the Regulatory State. Journal of Law and Society 27, 38–60.

Scully, T. (2011). The cyber threat, trophy information and the fortress mentality. Journal of business continuity and emergency planning, 5(3), 195-207.

Shen, J.J., Samson, L.F., Washington, E.L., Johnson, P., Edwards, C. and Malone, A. (2006) 'Barriers of HIPAA regulation to implementation of health services research', Journal of Medical Systems, 30,(1), 65.

Silvius, A. G., and Dols, T. (2012). Factors influencing Non-Compliance behavior towards Information Security Policies. In CONF-IRM (p. 39).

Smith, K. (1992). Environmental Hazards: Assessing Risk and Reducing Disaster. Routledge, London

Smith, R. (2013). Compilation of state and federal privacy laws. Providence, RI: Privacy Journal.

Tattam, D. (2017). Short Guide to Operational Risk. Milton: Taylor and Francis.

Thaw, D. (2013). The efficacy of cybersecurity regulation. Ga. St. UL Rev., 30, 287.

Thomas, M., and Dhillon, G. (2012). Interpreting deep structures of information systems security. The Computer Journal, 55(10), 1148-1156.

Trivedi, K. S., Kim, D. S., Roy, A., and Medhi, D. (2009, October). Dependability and security models. In 2009 7th International Workshop on Design of Reliable Communication Networks (pp. 11-20). IEEE.

Tuptuk, N., and Hailes, S. (2018). Security of smart manufacturing systems. Journal of manufacturing systems, 47, 93-106.

Usnick, L. E. E., and Usnick, R. (2013). Compliance program auditing: The growing need to insure that compliance programs themselves comply. Southern Law Journal, 23, 311.

Warkentin, M., Johnston, A., and Adams, A. (2006). User interaction with healthcare information systems: Do healthcare professionals want to comply with HIPAA?. AMCIS 2006 Proceedings, 326.

VanLengen, C. A. (2008). What should IS majors know about regulatory compliance? Working paper series--08-12.

Vroom, C., and Von Solms, R. (2004). Towards information security behavioural compliance. Computers and security, 23(3), 191-198.

Weber, R. H., and Studer, E. (2016). Cybersecurity in the Internet of Things: Legal aspects. Computer Law and Security Review, 32(5), 715-728.

Wells Jr, J. W. (2013). Commitment, Ethics and Compliance: A Look at Perceptions in the SHandE Profession. Professional Safety, 58(09), 62-68.

Wright, C. (2014). The IT Regulatory and Standards Compliance Handbook. Burlington: Elsevier Science.

Yimam, D., and Fernandez, E. B. (2016). A survey of compliance issues in cloud computing. Journal of Internet Services and Applications, 7(1), 5.

Zimmermann, V., and Renaud, K. (2019). Moving from a 'human-as-problem" to a 'human-as-solution" cybersecurity mindset. International Journal of Human-Computer Studies, 131, 169-187.