{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,23]],"date-time":"2025-10-23T11:07:36Z","timestamp":1761217656104,"version":"3.41.2"},"reference-count":51,"publisher":"Emerald","issue":"4","license":[{"start":{"date-parts":[[2013,10,7]],"date-time":"2013-10-07T00:00:00Z","timestamp":1381104000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2013,10,7]]},"abstract":"\n Purpose<\/jats:title>\n \u2013 Employees' compliance with information security policies is considered an essential component of information security management. The research aims to illustrate the usefulness of social action theory (SAT) for management of information security. <\/jats:p>\n <\/jats:sec>\n \n Design\/methodology\/approach<\/jats:title>\n \u2013 This research was carried out as a longitudinal case study at a Swedish hospital. Data were collected using a combination of interviews, information security documents, and observations. Data were analysed using a combination of a value-based compliance model and the taxonomy laid out in SAT to determine user rationality. <\/jats:p>\n <\/jats:sec>\n \n Findings<\/jats:title>\n \u2013 The paper argues that management of information security and design of countermeasures should be based on an understanding of users' rationale covering both intentional and unintentional non-compliance. The findings are presented in propositions with practical and theoretical implications: P1.<\/jats:italic> Employees' non-compliance is predominantly based on means-end calculations and based on a practical rationality, P2.<\/jats:italic> An information security investigation of employees' rationality should not be based on an a priori assumption about user intent, P3.<\/jats:italic> Information security management and choice of countermeasures should be based on an understanding of the use rationale, and P4.<\/jats:italic> Countermeasures should target intentional as well as unintentional non-compliance. <\/jats:p>\n <\/jats:sec>\n \n Originality\/value<\/jats:title>\n \u2013 This work is an extension of Hedstr\u00f6m et al.<\/jats:italic> arguing for the importance of addressing user rationale for successful management of information security. The presented propositions can form a basis for information security management, making the objectives underlying the study presented in Hedstr\u00f6m et al.<\/jats:italic> more clear.<\/jats:p>\n <\/jats:sec>","DOI":"10.1108\/imcs-08-2012-0043","type":"journal-article","created":{"date-parts":[[2013,10,18]],"date-time":"2013-10-18T09:01:42Z","timestamp":1382086902000},"page":"266-287","source":"Crossref","is-referenced-by-count":25,"title":["Social action theory for understanding information security non-compliance in hospitals"],"prefix":"10.1108","volume":"21","author":[{"given":"Karin","family":"Hedstr\u00f6m","sequence":"first","affiliation":[]},{"given":"Fredrik","family":"Karlsson","sequence":"additional","affiliation":[]},{"given":"Ella","family":"Kolkowska","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"key":"key2022032019434234000_b2","doi-asserted-by":"crossref","unstructured":"Albrechtsen, E.\n and \n Hovden, J.\n (2010), \u201cImproving information security awareness and behaviour through dialogue, participation and collective reflection. An intervention study\u201d, Computers & Security, Vol. 29 No. 4, pp. 432-445.","DOI":"10.1016\/j.cose.2009.12.005"},{"key":"key2022032019434234000_b1","doi-asserted-by":"crossref","unstructured":"Al-Muhtadi, J.\n , \n Ranganathan, A.\n , \n Campbell, R.\n and \n Mickunas, M.D.\n (2002), \u201cA flexible, privacy-preserving authentication framework for ubiquitous computing environments\u201d, 22nd International Conference on Distributed Computing Systems Workshops, 2002, pp. 771-776.","DOI":"10.1109\/ICDCSW.2002.1030861"},{"key":"key2022032019434234000_b3","unstructured":"Argyris, C.\n and \n Sch\u00f6n, D.A.\n (1996), Organizational Learning 2. Theory, Method, and Practice, Addison-Wesley, Reading, MA."},{"key":"key2022032019434234000_b4","doi-asserted-by":"crossref","unstructured":"Baker, W.H.\n and \n Wallace, L.\n (2007), \u201cIs information security under control? Investigating quality in information security management\u201d, IEEE Security & Privacy, January\/February, pp. 36-44.","DOI":"10.1109\/MSP.2007.11"},{"key":"key2022032019434234000_b5","doi-asserted-by":"crossref","unstructured":"Banks, S.\n (1998), \u201cProfessional ethics in social work \u2013 what future?\u201d, British Journal of Social Work, Vol. 28 No. 2, pp. 213-231.","DOI":"10.1093\/oxfordjournals.bjsw.a011324"},{"key":"key2022032019434234000_b6","unstructured":"Berger, P.L.\n and \n Luckmann, T.\n (1967), The Social Construction of Reality. A Treatis in the Sociology of Knowledge, Anchor Books, New York, NY."},{"key":"key2022032019434234000_b7","doi-asserted-by":"crossref","unstructured":"Bulgurcu, B.\n , \n Cavusoglu, H.\n and \n Benbasat, I.\n (2010), \u201cInformation security compliance: an empirical study of rationality-based beliefs and information security awareness\u201d, MIS Quarterly, Vol. 34 No. 3, pp. 523-548.","DOI":"10.2307\/25750690"},{"key":"key2022032019434234000_b8","unstructured":"D'Arcy, J.\n and \n Hovav, A.\n (2007), \u201cTowards a best fit between organizational security countermeasures and information systems misuse behaviors\u201d, Journal of Information System Security, Vol. 3 No. 2."},{"key":"key2022032019434234000_b10","doi-asserted-by":"crossref","unstructured":"D'Arcy, J.\n and \n Hovav, A.\n (2009), \u201cDoes one size fit all? Examining the differential effects of IS security countermeasures\u201d, Journal of Business Ethics, Vol. 89, pp. 59-71.","DOI":"10.1007\/s10551-008-9909-7"},{"key":"key2022032019434234000_b9","doi-asserted-by":"crossref","unstructured":"D'Arcy, J.\n , \n Hovav, A.\n and \n Galletta, D.\n (2009), \u201cUser awareness of security countermeasures and its impact on information security misuse: a deterrence approach\u201d, Information Systems Research, Vol. 20 No. 1, pp. 79-98.","DOI":"10.1287\/isre.1070.0160"},{"key":"key2022032019434234000_b11","doi-asserted-by":"crossref","unstructured":"Da Veiga, A.\n and \n Eloff, J.H.P.\n (2007), \u201cAn information security governance framework\u201d, Information Systems Management, Vol. 24 No. 4, pp. 361-372.","DOI":"10.1080\/10580530701586136"},{"key":"key2022032019434234000_b12","doi-asserted-by":"crossref","unstructured":"Dhillon, G.\n (1999), \u201cManaging and controlling computer misuse\u201d, Information Management & Computer Security, Vol. 7 No. 4, pp. 171-175.","DOI":"10.1108\/09685229910292664"},{"key":"key2022032019434234000_b13","doi-asserted-by":"crossref","unstructured":"Dhillon, G.\n and \n Torkzadeh, G.\n (2006), \u201cValue-focused assessment of information system security in organizations\u201d, Information Systems Journal, Vol. 16 No. 3, pp. 293-314.","DOI":"10.1111\/j.1365-2575.2006.00219.x"},{"key":"key2022032019434234000_b14","doi-asserted-by":"crossref","unstructured":"Guenther, M.\n (2004), \u201cSecurity\/privacy compliance: culture change\u201d, EDPACS: The EDP Audit, Control, and Security Newsletter, Vol. 31 No. 12, pp. 19-24.","DOI":"10.1201\/1079\/44332.31.12.20040601\/81836.3"},{"key":"key2022032019434234000_b15","doi-asserted-by":"crossref","unstructured":"Harnesk, D.\n and \n Lindstr\u00f6m, J.\n (2011), \u201cShaping security behaviour through discipline and agility\u201d, Implications for Information Security Management. Information Management & Computer Security, Vol. 19 No. 4, pp. 262-276.","DOI":"10.1108\/09685221111173076"},{"key":"key2022032019434234000_b16","doi-asserted-by":"crossref","unstructured":"Hedstr\u00f6m, K.\n , \n Dhillon, G.\n and \n Karlsson, F.\n (2010), \u201cUsing actor network theory to understand information security management\u201d, SEC 2010 in Brisbane, Australia, Springer, Berlin, pp. 43-54.","DOI":"10.1007\/978-3-642-15257-3_5"},{"key":"key2022032019434234000_b17","doi-asserted-by":"crossref","unstructured":"Hedstr\u00f6m, K.\n , \n Kolkowska, E.\n , \n Karlsson, F.\n and \n Allen, J.P.\n (2011), \u201cValue conflicts for information security management\u201d, The Journal of Strategic Information Systems, Vol. 20 No. 4, pp. 373-384.","DOI":"10.1016\/j.jsis.2011.06.001"},{"key":"key2022032019434234000_b18","doi-asserted-by":"crossref","unstructured":"Herath, T.\n and \n Rao, H.R.\n (2009a), \u201cEncouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness\u201d, Decision Support Systems, Vol. 47 No. 2, pp. 154-165.","DOI":"10.1016\/j.dss.2009.02.005"},{"key":"key2022032019434234000_b19","doi-asserted-by":"crossref","unstructured":"Herath, T.\n and \n Rao, H.R.\n (2009b), \u201cProtection motivation and deterrence: a framework for security policy compliance in organisations\u201d, European Journal of Information Systems, Vol. 18 No. 2, pp. 106-125.","DOI":"10.1057\/ejis.2009.6"},{"key":"key2022032019434234000_b20","unstructured":"Hoffer, J.\n and \n Straub, D.W.\n (1989), \u201cThe 9 to 5 underground: are you policing computer crimes?\u201d, Sloan Management Review, Vol. 30, pp. 35-43."},{"key":"key2022032019434234000_b21","unstructured":"Information Systems Security Association\n (2003), \u201cGenerally accepted information security principles\u201d, available at: www.issa.org\/."},{"key":"key2022032019434234000_b22","doi-asserted-by":"crossref","unstructured":"Kalberg, S.\n (1980), \u201cMax Weber's types of rationality: cornerstones for the analysis of rationalization processes in history\u201d, American Journal of Sociology, Vol. 85 No. 5, pp. 1145-1179.","DOI":"10.1086\/227128"},{"key":"key2022032019434234000_b23","doi-asserted-by":"crossref","unstructured":"Kankanhalli, A.\n , \n Teo, H.H.\n , \n Tan, B.C.Y.\n and \n Wei, K.K.\n (2003), \u201cAn integrative study of information systems security effectiveness\u201d, International Journal of Information Management, Vol. 23 No. 2, pp. 139-154.","DOI":"10.1016\/S0268-4012(02)00105-6"},{"key":"key2022032019434234000_b24","unstructured":"Kroll Advisory Solutions\n (2012), HIMSS Analytics Report: Security of Patient Data, Kroll Advisory Solutions, New York, NY."},{"key":"key2022032019434234000_b25","doi-asserted-by":"crossref","unstructured":"Lee, S.M.\n , \n Lee, S.-G.\n and \n Yoo, S.\n (2004), \u201cAn integrative model of computer abuse based on social control and deterrence theories\u201d, Information & Management, Vol. 41 No. 6, pp. 707-718.","DOI":"10.1016\/j.im.2003.08.008"},{"key":"key2022032019434234000_b26","doi-asserted-by":"crossref","unstructured":"Liginlal, D.\n , \n Sim, I.\n , \n Khansa, L.\n and \n Fearn, P.\n (2012), \u201cHIPAA privacy rule compliance: an interpretive study using Norman's action theory\u201d, Computers & Security, Vol. 31 No. 2, pp. 206-220.","DOI":"10.1016\/j.cose.2011.12.002"},{"key":"key2022032019434234000_b29","unstructured":"McCarthy, M.P.\n and \n Campbell, S.\n (2001), Security Transformation, McGraw-Hill, New York, NY."},{"key":"key2022032019434234000_b27","doi-asserted-by":"crossref","unstructured":"Magklaras, G.B.\n and \n Furnell, S.M.\n (2002), \u201cInsider threat prediction tool: evaluating the probability of IT misuse\u201d, Computers & Security, Vol. 21 No. 1, pp. 62-73.","DOI":"10.1016\/S0167-4048(02)00109-8"},{"key":"key2022032019434234000_b28","unstructured":"Magklaras, G.B.\n and \n Furnell, S.M.\n (2004), \u201cThe insider misuse threat survey: investigating IT misuse from legitimate users\u201d, Proceedings of the 5th Australian Information Warfare & Security Conference, Perth, Western Australia."},{"key":"key2022032019434234000_b30","unstructured":"Ministry of Justice\n (2008), Personal Data Act (SFS 1998:204), Ministry of Justice, Stockholm."},{"key":"key2022032019434234000_b31","doi-asserted-by":"crossref","unstructured":"Myles, G.\n , \n Friday, A.\n and \n Davies, N.\n (2003), \u201cPreserving privacy in environments with location-based applications\u201d, IEEE Pervasive Computing, Vol. 2 No. 1, pp. 56-64.","DOI":"10.1109\/MPRV.2003.1186726"},{"key":"key2022032019434234000_b32","doi-asserted-by":"crossref","unstructured":"Myyry, L.\n , \n Siponen, M.\n , \n Pahnila, S.\n , \n Vartiainen, T.\n and \n Vance, A.\n (2009), \u201cWhat levels of moral reasoning and values explain adherence to information security rules? An empirical study\u201d, European Journal of Information Systems, Vol. 18 No. 2, pp. 126-139.","DOI":"10.1057\/ejis.2009.10"},{"key":"key2022032019434234000_b33","doi-asserted-by":"crossref","unstructured":"Pahnila, S.\n , \n Siponen, M.\n and \n Mahmood, A.\n (2007), \u201cEmployees' behavior towards IS security policy compliance\u201d, paper presented at 40th Hawaii International Conference on System Sciences (HICSS'07), Hawaii, USA.","DOI":"10.1109\/HICSS.2007.206"},{"key":"key2022032019434234000_b34","unstructured":"Patton, M.Q.\n (1990), Qualitative Evaluation and Research Methods, Sage, Newbury Park, CA."},{"key":"key2022032019434234000_b35","doi-asserted-by":"crossref","unstructured":"Pieters, W.\n and \n Coles-Kemp, L.\n (2011), \u201cReducing normative conflicts in information security\u201d, paper presented at NSPW'11, Marin County, CA, USA.","DOI":"10.1145\/2073276.2073279"},{"key":"key2022032019434234000_b36","unstructured":"PwC\n (2010), Respected \u2013 but Still Restrained. Findings from the 2011 Global State of Information Security Survey, PricewaterhouseCoopers, London, CIO Magazine and CSO Magazine."},{"key":"key2022032019434234000_b37","unstructured":"PwC\n (2011), Eye of the Storm. Key Findings from the 2012 Global State of Information Security Survey, PricewaterhouseCoopers (PwC), London, CIO Magazine and CSO Magazine."},{"key":"key2022032019434234000_b38","doi-asserted-by":"crossref","unstructured":"Salomon, R.M.\n , \n Blackford Urbano, J.\n , \n Rosenbloom, T.\n , \n Seidel, S.\n , \n Wright Clayton, E.\n , \n Dilts, D.M.\n and \n Finder, S.G.\n (2010), \u201cOpenness of patients' reporting with use of electronic records: psychiatric clinicians' views\u201d, Journal of American Medical Information Association, Vol. 17 No. 1, pp. 54-60.","DOI":"10.1197\/jamia.M3341"},{"key":"key2022032019434234000_b39","unstructured":"Sch\u00f6n, D.A.\n (1991), The Reflective Practitioners. How Professionals Think in Action, Basic Books, Aldershot."},{"key":"key2022032019434234000_b40","doi-asserted-by":"crossref","unstructured":"Siponen, M.\n and \n Vance, A.\n (2010), \u201cNeutralization: new insights into the problem of employee information systems security policy violations\u201d, MIS Quarterly, Vol. 34 No. 3, pp. 487-502.","DOI":"10.2307\/25750688"},{"key":"key2022032019434234000_b41","doi-asserted-by":"crossref","unstructured":"Stanton, J.M.\n , \n Stam, K.R.\n , \n Mastrangelo, P.\n and \n Jolton, J.\n (2005), \u201cAnalysis of end user security behaviors\u201d, Computers & Security, Vol. 24 No. 2, pp. 124-133.","DOI":"10.1016\/j.cose.2004.07.001"},{"key":"key2022032019434234000_b42","doi-asserted-by":"crossref","unstructured":"Stoneburner, G.\n , \n Goguen, A.\n and \n Feringa, A.\n (2002), Risk Management Guide for Information Technology Systems, National Institute for Standards and Technology, Department of Commerce, Gaithersburg, MD.","DOI":"10.6028\/NIST.SP.800-30"},{"key":"key2022032019434234000_b43","doi-asserted-by":"crossref","unstructured":"Straub, D.W.\n (1990), \u201cEffective IS security: an empirical study\u201d, Information System Research, Vol. 1 No. 3, pp. 255-276.","DOI":"10.1287\/isre.1.3.255"},{"key":"key2022032019434234000_b44","doi-asserted-by":"crossref","unstructured":"Straub, D.W.\n and \n Welke, R.J.\n (1998), \u201cCoping with systems risk: security planning models for management decision making\u201d, MIS Quarterly, Vol. 22 No. 4, pp. 441-469.","DOI":"10.2307\/249551"},{"key":"key2022032019434234000_b45","doi-asserted-by":"crossref","unstructured":"Thomson, K.-L.\n and \n Nierkerk, V.J.\n (2012), \u201cCombating information security apathy by encouraging prosocial organisational behaviour\u201d, Information Management & Computer Security, Vol. 20 No. 1, pp. 39-46.","DOI":"10.1108\/09685221211219191"},{"key":"key2022032019434234000_b46","doi-asserted-by":"crossref","unstructured":"Von Solms, B.\n (2006), \u201cInformation security \u2013 the fourth wave\u201d, Computers & Security, Vol. 25 No. 3, pp. 165-168.","DOI":"10.1016\/j.cose.2006.03.004"},{"key":"key2022032019434234000_b47","doi-asserted-by":"crossref","unstructured":"Von Solms, R.\n and \n Von Solms, B.\n (2004), \u201cFrom policies to culture\u201d, Computers & Security, Vol. 23 No. 4, pp. 275-279.","DOI":"10.1016\/j.cose.2004.01.013"},{"key":"key2022032019434234000_b48","doi-asserted-by":"crossref","unstructured":"Von Solms, R.\n and \n Von Solms, S.H.\n (2006), \u201cInformation security governance: a model based on the direct-control cycle\u201d, Computer & Security, Vol. 25 No. 6, pp. 408-412.","DOI":"10.1016\/j.cose.2006.07.005"},{"key":"key2022032019434234000_b49","doi-asserted-by":"crossref","unstructured":"Vroom, C.\n and \n Von Solms, R.\n (2004), \u201cTowards information security behavioural compliance\u201d, Computers & Security, Vol. 23 No. 3, pp. 191-198.","DOI":"10.1016\/j.cose.2004.01.012"},{"key":"key2022032019434234000_b50","unstructured":"Weber, M.\n (1978), Economy and Society, University of California Press, Berkeley, CA."},{"key":"key2022032019434234000_b51","unstructured":"Yin, R.K.\n (1994), Case Study Research. Design and Methods, Sage, Thousand Oaks, CA."}],"container-title":["Information Management & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/IMCS-08-2012-0043","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/IMCS-08-2012-0043\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/IMCS-08-2012-0043\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,24]],"date-time":"2025-07-24T21:50:47Z","timestamp":1753393847000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/21\/4\/266-287\/185532"}},"subtitle":["The importance of user rationale"],"short-title":[],"issued":{"date-parts":[[2013,10,7]]},"references-count":51,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2013,10,7]]}},"alternative-id":["10.1108\/IMCS-08-2012-0043"],"URL":"https:\/\/doi.org\/10.1108\/imcs-08-2012-0043","relation":{},"ISSN":["0968-5227"],"issn-type":[{"type":"print","value":"0968-5227"}],"subject":[],"published":{"date-parts":[[2013,10,7]]}}}