{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,26]],"date-time":"2026-02-26T19:34:53Z","timestamp":1772134493998,"version":"3.50.1"},"reference-count":50,"publisher":"Emerald","issue":"4","license":[{"start":{"date-parts":[[2020,3,12]],"date-time":"2020-03-12T00:00:00Z","timestamp":1583971200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2020,3,12]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title><jats:p>The purpose of this paper is to introduce activity theory (AT) as a new theoretical lens to the field of information security non-compliance by explaining how research in that field can benefit from AT and to suggest eight propositions for future research.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title><jats:p>Based on AT, the paper suggests that employees, IT systems, task characteristics, information security policies (ISPs), community and division of labor can be viewed to form an ensemble that is labeled activity. Their characteristics and\/or the relationships that exist between them in organizational contexts are hypothesized to influence non-compliance behaviors.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Findings<\/jats:title><jats:p>The paper suggests that AT provides a broad lens that can be useful for explaining a large variety of non-compliant behaviors related to information security.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Research limitations\/implications<\/jats:title><jats:p>The paper focuses only on non-compliant behaviors that employees undertake with non-malicious intentions and offers avenues for future research based on the propositions that are developed in the paper.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title><jats:p>The paper provides a useful step toward a better understanding of non-compliant ISP behaviors. In addition, it proposes and explains new research areas in the non-compliance field.<\/jats:p><\/jats:sec>","DOI":"10.1108\/ics-11-2018-0128","type":"journal-article","created":{"date-parts":[[2020,3,10]],"date-time":"2020-03-10T08:26:49Z","timestamp":1583828809000},"page":"485-501","source":"Crossref","is-referenced-by-count":12,"title":["An activity theory approach to information security non-compliance"],"prefix":"10.1108","volume":"28","author":[{"given":"Rima","family":"Khatib","sequence":"first","affiliation":[]},{"given":"Henri","family":"Barki","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"issue":"3","key":"key2020100112344917300_ref001","doi-asserted-by":"crossref","first-page":"306","DOI":"10.1108\/ICS-03-2018-0037","article-title":"Identifying and predicting the factors affecting end-users\u2019 risk-taking behavior","volume":"26","year":"2018","journal-title":"Information and Computer Security"},{"issue":"1","key":"key2020100112344917300_ref002","first-page":"1041","article-title":"Theory of workarounds","volume":"34","year":"2014","journal-title":"Communications of the AIS"},{"issue":"2","key":"key2020100112344917300_ref003","first-page":"164","article-title":"Just the boys playing on computers: an activity theory analysis of differences in the cultures of two engineering firms","volume":"15","year":"2010","journal-title":"Journal of Business and Technical Communication"},{"issue":"4","key":"key2020100112344917300_ref004","doi-asserted-by":"crossref","first-page":"421","DOI":"10.1108\/ICS-11-2016-0089","article-title":"Deterrence and punishment experience impacts on ISP compliance attitudes","volume":"25","year":"2017","journal-title":"Information and Computer Security"},{"key":"key2020100112344917300_ref005","volume-title":"Through the Interface: A Human Activity Approach to User Interface Design","year":"1991"},{"issue":"3","key":"key2020100112344917300_ref006","doi-asserted-by":"crossref","first-page":"523","DOI":"10.2307\/25750690","article-title":"Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"issue":"6","key":"key2020100112344917300_ref007","doi-asserted-by":"crossref","first-page":"643","DOI":"10.1057\/ejis.2011.23","article-title":"A review and analysis of deterrence theory in the is security literature: making sense of the disparate findings","volume":"20","year":"2011","journal-title":"European Journal of Information Systems"},{"issue":"1","key":"key2020100112344917300_ref008","doi-asserted-by":"crossref","first-page":"79","DOI":"10.1287\/isre.1070.0160","article-title":"User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach","volume":"20","year":"2009","journal-title":"Information Systems Research"},{"key":"key2020100112344917300_ref009","first-page":"126","article-title":"Development as breaking away and opening up: a challenge to Vygotsky and Piaget","volume":"55","year":"1996","journal-title":"Swiss Journal of Psychology"},{"issue":"1","key":"key2020100112344917300_ref010","doi-asserted-by":"crossref","first-page":"133","DOI":"10.1080\/13639080020028747","article-title":"Expansive learning at work: toward an activity theoretical reconceptualization","volume":"14","year":"2001","journal-title":"Journal of Education and Work"},{"key":"key2020100112344917300_ref011","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.edurev.2009.12.002","article-title":"Studies of expansive learning: foundations, findings and future challenges","volume":"5","year":"2010","journal-title":"Educational Research Review"},{"key":"key2020100112344917300_ref012","doi-asserted-by":"crossref","first-page":"336","DOI":"10.1108\/13665620710777084","article-title":"From workplace learning to inter-organizational learning and back: the contribution of activity theory","volume":"19","year":"2007","journal-title":"Journal of Workplace Learning"},{"key":"key2020100112344917300_ref013","volume-title":"Perspectives on Activity Theory","year":"1999"},{"issue":"4","key":"key2020100112344917300_ref014","doi-asserted-by":"crossref","first-page":"345","DOI":"10.1057\/palgrave.ejis.3000629","article-title":"Resist, comply or workaround? An examination of different facets of user engagement with information systems","volume":"15","year":"2006","journal-title":"European Journal of Information Systems"},{"key":"key2020100112344917300_ref015","doi-asserted-by":"crossref","first-page":"305","DOI":"10.1016\/j.socscimed.2011.02.006","article-title":"Addressing complex healthcare problems in diverse settings: insights from activity theory","volume":"74","year":"2012","journal-title":"Social Science and Medicine"},{"issue":"2","key":"key2020100112344917300_ref016","doi-asserted-by":"crossref","first-page":"203","DOI":"10.2753\/MIS0742-1222280208","article-title":"Understanding nonmalicious security violations in the workplace: a composite behavior model","volume":"28","year":"2011","journal-title":"Journal of Management Information Systems"},{"key":"key2020100112344917300_ref017","article-title":"Normalizing the shadows \u2013 the role of symbolic models for individuals\u2019 shadow IT","volume-title":"the Thirty-Fifth International Conference on Information Systems","year":"2014"},{"issue":"2","key":"key2020100112344917300_ref018","doi-asserted-by":"crossref","first-page":"106","DOI":"10.1057\/ejis.2009.6","article-title":"Protection motivation and deterrence: a framework for security policy compliance in organizations","volume":"18","year":"2009","journal-title":"European Journal of Information Systems"},{"issue":"2","key":"key2020100112344917300_ref019","doi-asserted-by":"crossref","first-page":"99","DOI":"10.1016\/j.im.2011.12.005","article-title":"Applying an extended model of deterrence across cultures: an investigation of information systems misuse in the US And South Korea","volume":"49","year":"2012","journal-title":"Information and Management"},{"issue":"1","key":"key2020100112344917300_ref020","doi-asserted-by":"crossref","first-page":"2","DOI":"10.1108\/OIR-11-2015-0358","article-title":"Why not comply with information security? An empirical approach for the causes of non-compliance","volume":"41","year":"2017","journal-title":"Online Information Review"},{"key":"key2020100112344917300_ref021","unstructured":"Identity theft resource center (2018), Data breach reports."},{"issue":"1","key":"key2020100112344917300_ref022","doi-asserted-by":"crossref","first-page":"83","DOI":"10.1016\/j.cose.2011.10.007","article-title":"Understanding information systems security policy compliance: an integration of the theory of planned behavior and the protection motivation theory","volume":"31","year":"2012","journal-title":"Computers and Security"},{"issue":"1","key":"key2020100112344917300_ref023","doi-asserted-by":"crossref","first-page":"61","DOI":"10.1007\/BF02299477","article-title":"Activity theory as a framework for designing constructivist learning environments","volume":"47","year":"1999","journal-title":"Educational Technology Research and Development"},{"key":"key2020100112344917300_ref024","first-page":"1103","article-title":"Activity theory: implications for human-computer interaction","volume-title":"Context and Consciousness: Activity Theory and Human-Computer Interaction","year":"1996"},{"key":"key2020100112344917300_ref025","volume-title":"Activity Theory in HCI: Fundamentals and Reflections","year":"2012"},{"issue":"3","key":"key2020100112344917300_ref026","doi-asserted-by":"crossref","first-page":"279","DOI":"10.1108\/ICS-11-2016-0084","article-title":"Measuring employees\u2019 compliance \u2013 the importance of value pluralism","volume":"25","year":"2017","journal-title":"Information and Computer Security"},{"issue":"6","key":"key2020100112344917300_ref027","doi-asserted-by":"crossref","first-page":"625","DOI":"10.1057\/ejis.2010.39","article-title":"User resistance determinants and the psychological contract in enterprise system implementations","volume":"19","year":"2010","journal-title":"European Journal of Information Systems"},{"key":"key2020100112344917300_ref028","article-title":"Stages of moral development as a basis for moral education","volume-title":"Moral Education","year":"1970"},{"key":"key2020100112344917300_ref029","doi-asserted-by":"crossref","first-page":"17","DOI":"10.7551\/mitpress\/2137.003.0006","article-title":"Activity theory as a potential framework for human-computer interaction research","volume-title":"Context and Consciousness: Activity Theory and Human Computer Interaction","year":"1995"},{"key":"key2020100112344917300_ref030","volume-title":"Activity, Consciousness, and Personality","year":"1978"},{"key":"key2020100112344917300_ref031","volume-title":"Problems of the Development of the Mind","year":"1981"},{"issue":"2","key":"key2020100112344917300_ref032","first-page":"57","article-title":"Implementation of \u201cactivity theory\u201d in the framework of differentiated teaching: a case study","volume":"5","year":"2017","journal-title":"International Journal of Teaching and Education"},{"issue":"2","key":"key2020100112344917300_ref033","doi-asserted-by":"crossref","first-page":"126","DOI":"10.1057\/ejis.2009.10","article-title":"What levels of moral reasoning and values explain adherence to information security rules? An empirical study","volume":"18","year":"2009","journal-title":"European Journal of Information Systems"},{"key":"key2020100112344917300_ref034","volume-title":"Context and Consciousness: Activity Theory and Human-Computer Interaction","year":"1996"},{"key":"key2020100112344917300_ref035","unstructured":"Navigant (2017), Navigant cyber threat intelligence report."},{"key":"key2020100112344917300_ref07a","doi-asserted-by":"crossref","first-page":"131","DOI":"10.1016\/j.chb.2013.07.057","article-title":"Activity theory as a framework for building adaptive e-learning systems: a case to provide empirical evidence","volume":"30","year":"2014","journal-title":"Computers in Human Behavior"},{"issue":"4","key":"key2020100112344917300_ref036","doi-asserted-by":"crossref","first-page":"326","DOI":"10.1108\/ICS-10-2014-0067","article-title":"Stress-based security compliance model \u2013 an exploratory study","volume":"24","year":"2016","journal-title":"Information and Computer Security"},{"issue":"4","key":"key2020100112344917300_ref037","doi-asserted-by":"crossref","first-page":"757","DOI":"10.2307\/25750704","article-title":"Improving employees\u2019 compliance through information systems security training: an action research study","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"issue":"3","key":"key2020100112344917300_ref038","doi-asserted-by":"crossref","first-page":"487","DOI":"10.2307\/25750688","article-title":"Neutralization: new insights into the problem of employee information systems security policy violations","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"issue":"1","key":"key2020100112344917300_ref039","doi-asserted-by":"crossref","first-page":"42","DOI":"10.1108\/IMCS-08-2012-0045","article-title":"Variables influencing information security policy compliance: a systematic review of quantitative studies","volume":"22","year":"2014","journal-title":"Information Management and Computer Security"},{"issue":"5","key":"key2020100112344917300_ref040","doi-asserted-by":"crossref","first-page":"494","DOI":"10.1108\/ICS-07-2016-0054","article-title":"Information security management and the human aspect in organizations","volume":"25","year":"2017","journal-title":"Information and Computer Security"},{"issue":"3","key":"key2020100112344917300_ref041","doi-asserted-by":"crossref","first-page":"40","DOI":"10.1109\/MIC.2017.52","article-title":"Humans are dynamic- our tools should be too","volume":"21","year":"2017","journal-title":"IEEE Internet Computing"},{"issue":"6","key":"key2020100112344917300_ref042","doi-asserted-by":"crossref","first-page":"664","DOI":"10.2307\/2089195","article-title":"Techniques of neutralization: a theory of delinquency","volume":"22","year":"1957","journal-title":"American Sociological Review"},{"issue":"5","key":"key2020100112344917300_ref043","doi-asserted-by":"crossref","first-page":"1047","DOI":"10.1108\/ITP-02-2017-0052","article-title":"Are users competent to comply with information security policies? an analysis of professional competence models","volume":"31","year":"2018","journal-title":"Information Technology and People"},{"issue":"3\/4","key":"key2020100112344917300_ref044","first-page":"190","article-title":"Motivating is security compliance: insights from habit and protection motivation theory","volume":"49","year":"2012","journal-title":"Information and Management"},{"key":"key2020100112344917300_ref045","unstructured":"Verizon (2018), Data breach investigation report, 11th ed."},{"key":"key2020100112344917300_ref046","doi-asserted-by":"crossref","unstructured":"Verizon (2019), Data breach investigation report, 12th ed.","DOI":"10.1016\/S1361-3723(19)30060-0"},{"key":"key2020100112344917300_ref047","article-title":"Thinking and speech","volume-title":"The Collected Works of L.S. Vygotsky. Vol. I: Problems of General Psychology, Including the Volume Thinking and Speech","year":"1987"},{"issue":"4","key":"key2020100112344917300_ref048","doi-asserted-by":"crossref","first-page":"402","DOI":"10.1108\/ICS-02-2016-0017","article-title":"Workarounds and trade-offs in information security \u2013 an exploratory study","volume":"25","year":"2017","journal-title":"Information and Computer Security"},{"issue":"3","key":"key2020100112344917300_ref049","doi-asserted-by":"crossref","first-page":"122","DOI":"10.1023\/A:1011902718709","article-title":"Transforming the \u2018weakest link\u2019 a human\/computer interaction approach to usable and effective security","volume":"19","year":"2001","journal-title":"BT Technology Journal"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-11-2018-0128\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-11-2018-0128\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:19Z","timestamp":1753406599000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/28\/4\/485-501\/112404"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,3,12]]},"references-count":50,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2020,3,12]]}},"alternative-id":["10.1108\/ICS-11-2018-0128"],"URL":"https:\/\/doi.org\/10.1108\/ics-11-2018-0128","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2020,3,12]]}}}