{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,28]],"date-time":"2026-04-28T22:36:10Z","timestamp":1777415770485,"version":"3.51.4"},"reference-count":74,"publisher":"Emerald","issue":"4","license":[{"start":{"date-parts":[[2017,10,9]],"date-time":"2017-10-09T00:00:00Z","timestamp":1507507200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2017,10,9]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title><jats:p>The purpose of this paper is to investigate relationships between workarounds (solutions to handling trade-offs between competing or misaligned goals and gaps in policies and procedures), perceived trade-offs, information security (IS) policy compliance, IS expertise\/knowledge and IS demands.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title><jats:p>The research purpose is addressed using survey data from a nationwide sample of Swedish white-collar workers (<jats:italic>N<\/jats:italic>= 156).<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Findings<\/jats:title><jats:p>Responses reinforce the notion that workarounds partly are something different from IS policy compliance and that workarounds-as-improvisations are used more frequently by employees that see more conflicts between IS and other goals (<jats:italic>r<\/jats:italic>= 0.351), and have more IS expertise\/knowledge (<jats:italic>r<\/jats:italic>= 0.257). Workarounds-as-non-compliance are also used more frequently when IS trade-offs are perceived (<jats:italic>r<\/jats:italic>= 0.536). These trade-offs are perceived more by people working in organizations that handle information with high security demands (<jats:italic>r<\/jats:italic>= 0.265) and those who perform tasks with high IS demands (<jats:italic>r<\/jats:italic>= 0.178).<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title><jats:p>IS policies are an important part of IS governance. They describe the procedures that are supposed to provide IS. Researchers have primarily investigated how employees\u2019 compliance with IS policies can be predicted and explained. There has been an increased interest in how tradeoffs and conflicts between following policies and other goals lead employees to make workarounds. Workarounds may leave management unaware of how work actually is done within the organization and may besides getting work done lead to new vulnerabilities. This study furthers the understanding of workarounds and trade-offs, which should be subject to further research.<\/jats:p><\/jats:sec>","DOI":"10.1108\/ics-02-2016-0017","type":"journal-article","created":{"date-parts":[[2017,8,21]],"date-time":"2017-08-21T19:14:54Z","timestamp":1503342894000},"page":"402-420","source":"Crossref","is-referenced-by-count":21,"title":["Workarounds and trade-offs in information security \u2013 an exploratory study"],"prefix":"10.1108","volume":"25","author":[{"given":"Rogier","family":"Woltjer","sequence":"first","affiliation":[]}],"member":"140","reference":[{"issue":"4","key":"key2020120613422781500_ref001","doi-asserted-by":"crossref","first-page":"276","DOI":"10.1016\/j.cose.2006.11.004","article-title":"A qualitative study of users\u2019 view on information security","volume":"26","year":"2007","journal-title":"Computers & Security"},{"issue":"6","key":"key2020120613422781500_ref002","doi-asserted-by":"crossref","first-page":"476","DOI":"10.1016\/j.cose.2009.01.003","article-title":"The information security digital divide between information security managers and users","volume":"28","year":"2009","journal-title":"Computers & Security"},{"issue":"1","key":"key2020120613422781500_ref003","first-page":"1041","article-title":"Theory of workarounds","volume":"34","year":"2014","journal-title":"Communications of the Association for Information Systems"},{"issue":"6","key":"key2020120613422781500_ref004","doi-asserted-by":"crossref","first-page":"745","DOI":"10.1016\/j.ress.2006.03.008","article-title":"A unified framework for risk and vulnerability analysis covering both safety and security","volume":"92","year":"2007","journal-title":"Reliability Engineering & System Safety"},{"issue":"3","key":"key2020120613422781500_ref005","doi-asserted-by":"crossref","first-page":"264","DOI":"10.1057\/ejis.2008.14","article-title":"Enacting computer workaround practices within a medication dispensing system","volume":"17","year":"2008","journal-title":"European Journal of Information Systems"},{"key":"key2020120613422781500_ref006","first-page":"47","article-title":"The compliance budget: managing security behaviour in organisations","volume-title":"Proceedings New Security Paradigms Workshop","year":"2009"},{"issue":"1","key":"key2020120613422781500_ref007","first-page":"13","article-title":"I want to believe: some myths about the management of industrial safety","volume":"16","year":"2012","journal-title":"Cognition, Technology & Work"},{"issue":"3","key":"key2020120613422781500_ref008","doi-asserted-by":"crossref","first-page":"523","DOI":"10.2307\/25750690","article-title":"Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"issue":"2","key":"key2020120613422781500_ref009","doi-asserted-by":"crossref","first-page":"181","DOI":"10.1145\/146802.146834","article-title":"Getting around the task-artifact cycle: how to make claims and design by scenario","volume":"10","year":"1992","journal-title":"ACM Transactions on Information Systems"},{"issue":"39","key":"key2020120613422781500_ref010","first-page":"447","article-title":"Understanding the violation of IS security policy in organizations: an integrated model based on social control and deterrence theory","volume":"2013","year":"2013","journal-title":"Computers & Security"},{"issue":"2","key":"key2020120613422781500_ref011","doi-asserted-by":"crossref","first-page":"130","DOI":"10.1136\/qshc.2003.009530","article-title":"Going solid\u201d: a model of system dynamics and consequences for patient safety","volume":"14","year":"2005","journal-title":"Quality and Safety in Health Care"},{"issue":"7237","key":"key2020120613422781500_ref012","doi-asserted-by":"crossref","first-page":"791","DOI":"10.1136\/bmj.320.7237.791","article-title":"Gaps in the continuity of care and progress on patient safety","volume":"320","year":"2000","journal-title":"British Medical Journal"},{"issue":"4","key":"key2020120613422781500_ref013","doi-asserted-by":"crossref","first-page":"593","DOI":"10.1518\/001872096778827224","article-title":"Adapting to new technology in the operating room","volume":"38","year":"1996","journal-title":"Human Factors"},{"issue":"3","key":"key2020120613422781500_ref014","doi-asserted-by":"crossref","first-page":"391","DOI":"10.1177\/0013164404266386","article-title":"My current thoughts on coefficient alpha and successor procedures","volume":"64","year":"2004","journal-title":"Educational and Psychological Measurement"},{"key":"key2020120613422781500_ref015","doi-asserted-by":"crossref","first-page":"90","DOI":"10.1016\/j.cose.2012.09.010","article-title":"Future directions for behavioral information security research","volume":"32","year":"2013","journal-title":"Computers & Security"},{"issue":"3","key":"key2020120613422781500_ref016","doi-asserted-by":"crossref","first-page":"233","DOI":"10.1016\/S0003-6870(03)00031-0","article-title":"Failure to adapt or adaptations that fail: contrasting models on procedures and safety","volume":"34","year":"2003","journal-title":"Applied Ergonomics"},{"issue":"4","key":"key2020120613422781500_ref017","first-page":"381","article-title":"Follow the procedure or survive","volume":"1","year":"2001","journal-title":"Human Factors and Aerospace Safety"},{"key":"key2020120613422781500_ref018","volume-title":"Ten Questions about Human Error: A New View of Human Factors and System Safety","year":"2004"},{"issue":"3","key":"key2020120613422781500_ref019","doi-asserted-by":"crossref","first-page":"177","DOI":"10.1007\/s10111-008-0110-7","article-title":"Just culture: who gets to draw the line?","volume":"11","year":"2009","journal-title":"Cognition, Technology & Work"},{"issue":"4","key":"key2020120613422781500_ref020","doi-asserted-by":"crossref","first-page":"345","DOI":"10.1057\/palgrave.ejis.3000629","article-title":"Resist, comply or workaround? an examination of different facets of user engagement with information systems","volume":"15","year":"2006","journal-title":"European Journal of Information Systems"},{"key":"key2020120613422781500_ref021","volume-title":"Predicting and Changing Behavior: The Reasoned Action Approach","year":"2010"},{"issue":"3","key":"key2020120613422781500_ref022","doi-asserted-by":"crossref","first-page":"12","DOI":"10.1016\/S1361-3723(12)70053-2","article-title":"Understanding the influences on information security behaviour","volume":"2012","year":"2012","journal-title":"Computer Fraud and Security"},{"issue":"3","key":"key2020120613422781500_ref023","doi-asserted-by":"crossref","first-page":"205","DOI":"10.1145\/214427.214429","article-title":"The integration of computing and routine work","volume":"4","year":"1986","journal-title":"ACM Transactions on Information Systems"},{"issue":"1","key":"key2020120613422781500_ref024","doi-asserted-by":"crossref","first-page":"50","DOI":"10.1097\/NNA.0b013e31827860ff","article-title":"Measuring nursing workarounds: tests of the reliability and validity of a tool","volume":"43","year":"2013","journal-title":"Journal of Nursing Administration"},{"issue":"1","key":"key2020120613422781500_ref025","doi-asserted-by":"crossref","first-page":"2","DOI":"10.1097\/01.HMR.0000304495.95522.ca","article-title":"Work-arounds in health care settings: literature review and research agenda","volume":"33","year":"2008","journal-title":"Health Care Management Review"},{"issue":"6","key":"key2020120613422781500_ref026","first-page":"207","article-title":"Working to rule, or working safely? Part 1: a state of the art review","volume":"55","year":"2013","journal-title":"Safety Science"},{"issue":"4","key":"key2020120613422781500_ref027","doi-asserted-by":"crossref","first-page":"373","DOI":"10.1016\/j.jsis.2011.06.001","article-title":"Value conflicts for information security management","volume":"20","year":"2011","journal-title":"The Journal of Strategic Information Systems"},{"issue":"2","key":"key2020120613422781500_ref028","doi-asserted-by":"crossref","first-page":"154","DOI":"10.1016\/j.dss.2009.02.005","article-title":"Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness","volume":"47","year":"2009","journal-title":"Decision Support Systems"},{"issue":"6","key":"key2020120613422781500_ref029","doi-asserted-by":"crossref","first-page":"67","DOI":"10.1109\/MIS.2011.97","article-title":"Beyond Simon\u2019s slice: five fundamental trade-offs that bound the performance of macrocognitive work systems","volume":"26","year":"2011","journal-title":"IEEE Intelligent Systems"},{"key":"key2020120613422781500_ref030","volume-title":"Human Error (Position Paper for NATO Conference on Human Error, August 1983, Bellagio)","year":"1983"},{"key":"key2020120613422781500_ref031","volume-title":"Barriers and Accident Prevention","year":"2004"},{"key":"key2020120613422781500_ref032","volume-title":"The ETTO Principle: Efficiency-Thoroughness Trade-off: Why Things That Go Right Sometimes Go Wrong","year":"2009"},{"key":"key2020120613422781500_ref033","volume-title":"FRAM: The Functional Resonance Analysis Method - Modelling Complex Socio-Technical Systems","year":"2012"},{"issue":"1","key":"key2020120613422781500_ref034","first-page":"21","article-title":"Is safety a subject for science?","volume":"67","year":"2014","journal-title":"Safety Science"},{"key":"key2020120613422781500_ref035","article-title":"The emperor\u2019s new clothes - or - whatever happened to \u2018human error\u2019?","volume-title":"Proceedings of the 4th International Workshop on Human Error, Safety and Systems Development (HESSD)","year":"2001"},{"key":"key2020120613422781500_ref036","volume-title":"Resilience Engineering in Practice: A Guidebook","year":"2011"},{"key":"key2020120613422781500_ref037","volume-title":"Resilience Engineering: Concepts and Precepts","year":"2006"},{"issue":"1","key":"key2020120613422781500_ref038","doi-asserted-by":"crossref","first-page":"83","DOI":"10.1016\/j.cose.2011.10.007","article-title":"Understanding information systems security policy compliance: an integration of the theory of planned behavior and the protection motivation theory","volume":"31","year":"2012","journal-title":"Computers & Security"},{"key":"key2020120613422781500_ref039","first-page":"1","article-title":"Tools for local critical infrastructure protection: computational support for identifying safety and security interdependencies between local critical infrastructures","volume-title":"Proceedings of the 3rd IET International Conference on System Safety","year":"2008"},{"issue":"3","key":"key2020120613422781500_ref040","doi-asserted-by":"crossref","first-page":"245","DOI":"10.1016\/j.jsr.2004.03.013","article-title":"Adversarial safety analysis: borrowing the methods of security vulnerability assessments","volume":"35","year":"2004","journal-title":"Journal of Safety Research"},{"issue":"6","key":"key2020120613422781500_ref041","doi-asserted-by":"crossref","first-page":"e135","DOI":"10.1016\/j.ijmedinf.2008.07.008","article-title":"A longitudinal study of usability in health care: does time heal?","volume":"79","year":"2010","journal-title":"International Journal of Medical Informatics"},{"key":"key2020120613422781500_ref042","article-title":"Cognitive task analysis of teams","volume-title":"Cognitive Task Analysis","year":"2000"},{"key":"key2020120613422781500_ref043","first-page":"1561","article-title":"Work coordination, workflow, and workarounds in a medical context","year":"2005"},{"key":"key2020120613422781500_ref044","article-title":"Security subcultures in an organization - exploring value conflicts","year":"2011"},{"issue":"6","key":"key2020120613422781500_ref045","doi-asserted-by":"crossref","first-page":"565","DOI":"10.1080\/1463922X.2012.672597","article-title":"Remaining safe by working at the edge of compliance and adaptation: reflective practices in aviation and air traffic control","volume":"14","year":"2013","journal-title":"Theoretical Issues in Ergonomics Science"},{"issue":"6","key":"key2020120613422781500_ref046","doi-asserted-by":"crossref","first-page":"70","DOI":"10.1109\/MIS.2003.1249172","article-title":"Work-arounds, make-work, and kludges","volume":"18","year":"2003","journal-title":"IEEE Intelligent Systems"},{"issue":"7","key":"key2020120613422781500_ref047","doi-asserted-by":"crossref","first-page":"509","DOI":"10.1016\/j.cose.2009.04.006","article-title":"Human and organizational factors in computer and information security: pathways to vulnerabilities","volume":"28","year":"2009","journal-title":"Computers & Security"},{"key":"key2020120613422781500_ref048","volume-title":"Safeware: System Safety and Computers","year":"1995"},{"key":"key2020120613422781500_ref049","volume-title":"To Do No Harm: Ensuring Patient Safety in Health Care Organizations","year":"2005"},{"key":"key2020120613422781500_ref050","first-page":"11","article-title":"Preface: seeking resilience","volume-title":"Resilience Engineering in Practice: Volume 2 - Becoming Resilient","year":"2014"},{"key":"key2020120613422781500_ref051","volume-title":"Resilience Engineering Perspectives Vol 2: Preparation and Restoration","year":"2009"},{"issue":"5","key":"key2020120613422781500_ref052","doi-asserted-by":"crossref","first-page":"673","DOI":"10.1016\/j.cose.2012.04.004","article-title":"Taxonomy of compliant information security behavior","volume":"31","year":"2012","journal-title":"Computers & Security"},{"issue":"2","key":"key2020120613422781500_ref053","doi-asserted-by":"crossref","first-page":"381","DOI":"10.1086\/209405","article-title":"Meta-analysis of Cronbach\u2019s coefficient alpha","volume":"21","year":"1994","journal-title":"Journal of Consumer Research"},{"key":"key2020120613422781500_ref054","doi-asserted-by":"crossref","first-page":"110","DOI":"10.1016\/j.ress.2012.09.011","article-title":"Cross-fertilization between safety and security engineering","volume":"110","year":"2013","journal-title":"Reliability Engineering & System Safety"},{"issue":"2","key":"key2020120613422781500_ref055","doi-asserted-by":"crossref","first-page":"55","DOI":"10.1016\/j.ijcip.2010.06.003","article-title":"The SEMA referential framework: avoiding ambiguities in the terms \u201csecurity\u201d and \u201csafety","volume":"3","year":"2010","journal-title":"International Journal of Critical Infrastructure Protection"},{"issue":"4","key":"key2020120613422781500_ref056","doi-asserted-by":"crossref","first-page":"757","DOI":"10.2307\/25750704","article-title":"Improving employees\u2019 compliance through information systems security training: an action research study","volume":"34","year":"2010","journal-title":"MIS Quarterly: Management Information Systems"},{"issue":"1","key":"key2020120613422781500_ref057","doi-asserted-by":"crossref","first-page":"78","DOI":"10.1177\/1555343413498753","article-title":"Resilience in everyday operations: a framework for analyzing adaptations in high-risk work","volume":"8","year":"2014","journal-title":"Journal of Cognitive Engineering and Decision Making"},{"issue":"2\/3","key":"key2020120613422781500_ref058","first-page":"183","article-title":"Risk management in a dynamic society: a modelling problem","volume":"27","year":"1997","journal-title":"Safety Science"},{"issue":"4","key":"key2020120613422781500_ref059","doi-asserted-by":"crossref","first-page":"1124","DOI":"10.1016\/j.jss.2012.12.002","article-title":"Comparing risk identification techniques for safety and security requirements","volume":"86","year":"2013","journal-title":"Journal of Systems and Software"},{"issue":"11","key":"key2020120613422781500_ref060","doi-asserted-by":"crossref","first-page":"1549","DOI":"10.1080\/001401399184884","article-title":"Safe operation as a social construct","volume":"42","year":"1999","journal-title":"Ergonomics"},{"key":"key2020120613422781500_ref061","doi-asserted-by":"crossref","unstructured":"Sarma, S.E., Weis, S.A. and Engels, D.W. (2002), White Paper: RFID Systems, Security & Privacy Implications Sanjay (Report No. MIT-AUTOID-WH-014), Cambridge, MA.","DOI":"10.1007\/3-540-36400-5_33"},{"issue":"2","key":"key2020120613422781500_ref062","doi-asserted-by":"crossref","first-page":"64","DOI":"10.1109\/MC.2010.35","article-title":"Compliance with information security policies: an empirical investigation","volume":"43","year":"2010","journal-title":"IEEE Computer"},{"issue":"7","key":"key2020120613422781500_ref063","doi-asserted-by":"crossref","first-page":"445","DOI":"10.17705\/1jais.00095","article-title":"Six design theories for IS security","volume":"7","year":"2006","journal-title":"Journal of the Association for Information Systems"},{"issue":"3","key":"key2020120613422781500_ref064","first-page":"289","article-title":"Guidelines for improving the contextual relevance of field surveys: the case of information security policy violations","volume":"23","year":"2013","journal-title":"European Journal of Information Systems"},{"issue":"1","key":"key2020120613422781500_ref065","doi-asserted-by":"crossref","first-page":"42","DOI":"10.1108\/IMCS-08-2012-0045","article-title":"Variables influencing information security policy compliance: a systematic review of quantitative studies","volume":"22","year":"2014","journal-title":"Information Management and Computer Security"},{"issue":"1","key":"key2020120613422781500_ref066","doi-asserted-by":"crossref","first-page":"69","DOI":"10.1016\/j.cose.2004.10.005","article-title":"Information security obedience: a definition","volume":"24","year":"2005","journal-title":"Computers & Security"},{"issue":"5","key":"key2020120613422781500_ref067","doi-asserted-by":"crossref","first-page":"475","DOI":"10.1080\/1463922X.2012.656153","article-title":"Improvisation: theory, measures and known influencing factors","volume":"14","year":"2013","journal-title":"Theoretical Issues in Ergonomics Science"},{"issue":"1","key":"key2020120613422781500_ref068","doi-asserted-by":"crossref","first-page":"21","DOI":"10.4018\/joeuc.2012010102","article-title":"IS security policy violations","volume":"24","year":"2012","journal-title":"Journal of Organizational and End User Computing"},{"issue":"7","key":"key2020120613422781500_ref069","doi-asserted-by":"crossref","first-page":"680","DOI":"10.1111\/j.1365-2923.2009.03395.x","article-title":"Routine and adaptive expert strategies for resolving ICT mediated communication problems in the team setting","volume":"43","year":"2009","journal-title":"Medical Education"},{"issue":"1","key":"key2020120613422781500_ref070","doi-asserted-by":"crossref","first-page":"1","DOI":"10.25300\/MISQ\/2013\/37.1.01","article-title":"Beyond deterrence: an expanded view of employee computer abuse","volume":"37","year":"2013","journal-title":"MIS Quarterly: Management Information Systems"},{"key":"key2020120613422781500_ref071","unstructured":"Woltjer, R. (2009), \u201cFunctional modeling of constraint management in aviation safety and command and control\u201d, PhD Thesis, Link\u00f6ping Studies in Science and Technology Dissertation No. 1249, Link\u00f6ping."},{"issue":"2","key":"key2020120613422781500_ref072","doi-asserted-by":"crossref","first-page":"95","DOI":"10.1007\/s10111-010-0144-5","article-title":"Hollnagel\u2019 s test: being \u201cin control\u201d of highly interdependent multi-layered networked systems","volume":"12","year":"2010","journal-title":"Cognition, Technology & Work"},{"key":"key2020120613422781500_ref073","volume-title":"Behind Human Error","year":"2010","edition":"2nd edn"},{"key":"key2020120613422781500_ref074","volume-title":"Behind Human Error: Cognitive Systems, Computers and Hindsight","year":"1994"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-02-2016-0017\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-02-2016-0017\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:40Z","timestamp":1753406560000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/25\/4\/402-420\/201102"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,10,9]]},"references-count":74,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2017,10,9]]}},"alternative-id":["10.1108\/ICS-02-2016-0017"],"URL":"https:\/\/doi.org\/10.1108\/ics-02-2016-0017","relation":{},"ISSN":["2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2017,10,9]]}}}