Software Compliance Requirements, Factors, and Policies: A Systematic Literature Review

Background: Recent statistics reveal that 56% of software attacks are caused by insider negligence and 26% are caused by malicious insiders. They also show that 67% of organizations experience at least 21 incidents per year. Most of these incidents require significant time and effort to contain them. In this re-gard, ensuring compliance with corporate policies, regulations, and industry best practices is paramount.Purpose: This study investigates software compliance requirements, factors, and policies together with the challenges they address. By taking a wider perspective, this study aims at bringing an understanding of existing research foci, evolving issues, and research directions.Method: The study uses a systematic literature review and keyword analysis, to identify relevant studies that address the derived research questions. Considering scholarly articles published in the last decade, 4,772 results were retrieved and checked through an initial screening. A thorough screening is then con-ducted to further reduce the results to 77 primary articles.Findings: The requirement on security of end users is gaining more attention. There is an emphasis on the gap between domain and compliance experts on the one side and software engineers on the other side. The review also identified 55 factors (and their underlying theories) that impact behavioral com-pliance with a majority of them focusing on individuals. Our results also list nineteen policies and com-pliance challenges they address. No distinction is found between open-source and proprietary software among the reviewed studies. The most mentioned policies are security education, training, and awareness (SETA), compliance automation, and organizational climate. The evolving topics in the field are: theory of workarounds, compliance and privacy by design, policy as code, security stress, and home-office users.Implications: The review provides 9 recommendations, comprising practical implications for decision makers, theoretical implications for future research, and potential enhancement of the underlying the-ories.(c) 2022 The Author(s). Published by Elsevier Ltd. This is an open access article under the CC BY license ( http://creativecommons.org/licenses/by/4.0/ )