{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,3]],"date-time":"2026-05-03T11:03:09Z","timestamp":1777806189240,"version":"3.51.4"},"reference-count":99,"publisher":"SAGE Publications","issue":"3","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["JCS"],"published-print":{"date-parts":[[2022,7,4]]},"abstract":"<jats:p>Security policy-makers (influencers) in an organization set security policies that embody intended behaviours for employees (as decision-makers) to follow. Decision-makers then face choices, where this is not simply a binary decision of whether to comply or not, but also how to approach compliance and secure working alongside other workplace pressures, and limited resources for identifying optimal security-related choices. Conflict arises because of information asymmetries present in the relationship, where influencers and decision-makers both consider costs, gains, and losses in ways which are not necessarily aligned. With the need to promote \u2018good enough\u2019 decisions about security-related behaviours under such constraints, we hypothesize that actions to resolve this misalignment can benefit from constructs from both traditional economics and behavioural economics. Here we demonstrate how current approaches to security behaviour provisioning in organizations mirror rational-agent economics, even where behavioural economics is embodied in the promotion of individual security behaviours. We develop and present a framework to accommodate bounded security decision-making, within an ongoing programme of behaviours which must be provisioned for and supported. 
Our four stage plan to Capture, Adapt, Realign, and Enable behaviour choices provides guidance for security managers, focusing on a more effective response to the uncertainty associated with security behaviour in organizations.<\/jats:p>","DOI":"10.3233\/jcs-210046","type":"journal-article","created":{"date-parts":[[2022,6,10]],"date-time":"2022-06-10T11:19:23Z","timestamp":1654859963000},"page":"435-464","source":"Crossref","is-referenced-by-count":3,"title":["The boundedly rational employee: Security economics for behaviour intervention support in organizations"],"prefix":"10.1177","volume":"30","author":[{"given":"Albes\u00eb","family":"Demjaha","sequence":"first","affiliation":[{"name":"University College London and The Alan Turing Institute, London, United Kingdom"}]},{"given":"Simon","family":"Parkin","sequence":"additional","affiliation":[{"name":"Delft University of Technology, Delft, The Netherlands"}]},{"given":"David","family":"Pym","sequence":"additional","affiliation":[{"name":"University College London and The Institute of Philosophy, University of London, London, United Kingdom"}]}],"member":"179","reference":[{"key":"10.3233\/JCS-210046_ref1","doi-asserted-by":"crossref","unstructured":"A.\u00a0Acquisti, Nudging privacy: The behavioral economics of personal information, IEEE Security & Privacy 7(6) (2009).","DOI":"10.1109\/MSP.2009.163"},{"key":"10.3233\/JCS-210046_ref2","doi-asserted-by":"publisher","first-page":"363","DOI":"10.1201\/9781420052183.ch18","article-title":"What can behavioral economics teach us about privacy","volume":"18","author":"Acquisti","year":"2007","journal-title":"Digital Privacy: Theory, Technologies and Practices"},{"issue":"3","key":"10.3233\/JCS-210046_ref3","doi-asserted-by":"publisher","first-page":"613","DOI":"10.2307\/25750694","article-title":"Practicing safe computing: A multimedia empirical examination of home computer user security behavioral 
intentions","volume":"34","author":"Anderson","year":"2010","journal-title":"MISQ"},{"key":"10.3233\/JCS-210046_ref4","doi-asserted-by":"crossref","unstructured":"G.\u00a0Anderson, G.\u00a0McCusker and D.\u00a0Pym, A logic for the compliance budget, in: International Conference on Decision and Game Theory for Security, Springer, 2016, pp.\u00a0370\u2013381.","DOI":"10.1007\/978-3-319-47413-7_21"},{"key":"10.3233\/JCS-210046_ref5","doi-asserted-by":"publisher","DOI":"10.1145\/2535813.2535823"},{"issue":"3","key":"10.3233\/JCS-210046_ref6","doi-asserted-by":"publisher","first-page":"82","DOI":"10.1109\/MSP.2016.57","article-title":"Security dialogues: Building better relationships between security and business","volume":"14","author":"Ashenden","year":"2016","journal-title":"IEEE Security & Privacy"},{"issue":"1538","key":"10.3233\/JCS-210046_ref7","doi-asserted-by":"publisher","first-page":"281","DOI":"10.1098\/rstb.2009.0169","article-title":"Herding, social influence and economic decision-making: Socio-psychological and neuroscientific analyses","volume":"365","author":"Baddeley","year":"2010","journal-title":"Philosophical Transactions of the Royal Society B: Biological Sciences"},{"key":"10.3233\/JCS-210046_ref8","unstructured":"M.\u00a0Baddeley, Information security: Lessons from behavioural economics, in: Workshop on the Economics of Information Security, 2011."},{"issue":"1","key":"10.3233\/JCS-210046_ref9","doi-asserted-by":"publisher","first-page":"35","DOI":"10.1080\/1350178X.2013.774845","article-title":"Herding, social influence and expert opinion","volume":"20","author":"Baddeley","year":"2013","journal-title":"Journal of Economic Methodology"},{"key":"10.3233\/JCS-210046_ref10","doi-asserted-by":"crossref","unstructured":"M.\u00a0Baddeley, Behavioural Economics: A Very Short Introduction, Vol.\u00a0505, Oxford University Press, 
2017.","DOI":"10.1093\/actrade\/9780198754992.001.0001"},{"issue":"5","key":"10.3233\/JCS-210046_ref11","doi-asserted-by":"publisher","first-page":"558","DOI":"10.1016\/j.socec.2012.04.023","article-title":"Group decision-making: An economic analysis of social influence and individual difference in experimental juries","volume":"41","author":"Baddeley","year":"2012","journal-title":"The Journal of Socio-Economics"},{"key":"10.3233\/JCS-210046_ref12","unstructured":"H.\u00a0Bateman and K.\u00a0McAdam, Dictionary of Economics, A & C Black Publishers Ltd, 2003."},{"key":"10.3233\/JCS-210046_ref13","unstructured":"A.\u00a0Beautement, I.\u00a0Becker, S.\u00a0Parkin, K.\u00a0Krol and A.\u00a0Sasse, Productive security: A scalable methodology for analysing employee security behaviours, in: Twelfth Symposium on Usable Privacy and Security (SOUPS), 2016, pp.\u00a0253\u2013270."},{"key":"10.3233\/JCS-210046_ref14","doi-asserted-by":"crossref","unstructured":"A.\u00a0Beautement, M.A.\u00a0Sasse and M.\u00a0Wonham, The compliance budget: Managing security behaviour in organisations, in: Proceedings of the 2008 Workshop on New Security Paradigms, ACM, 2009, pp.\u00a047\u201358.","DOI":"10.1145\/1595676.1595684"},{"key":"10.3233\/JCS-210046_ref15","doi-asserted-by":"crossref","unstructured":"I.\u00a0Becker, S.\u00a0Parkin and M.A.\u00a0Sasse, Finding security champions in blends of organisational culture, in: EuroUSEC 2017, 2017.","DOI":"10.14722\/eurousec.2017.23007"},{"issue":"1","key":"10.3233\/JCS-210046_ref16","doi-asserted-by":"publisher","first-page":"46","DOI":"10.1093\/iwc\/iwx017","article-title":"The cognitive costs of upgrades","volume":"30","author":"Bergman","year":"2017","journal-title":"Interacting with 
Computers"},{"key":"10.3233\/JCS-210046_ref17","doi-asserted-by":"publisher","DOI":"10.1145\/2841113.2841119"},{"issue":"5","key":"10.3233\/JCS-210046_ref18","doi-asserted-by":"publisher","first-page":"80","DOI":"10.1109\/MSP.2013.110","article-title":"Circumvention of security: Good users do bad things","volume":"11","author":"Blythe","year":"2013","journal-title":"IEEE Security & Privacy"},{"key":"10.3233\/JCS-210046_ref19","unstructured":"J.M.\u00a0Blythe, L.\u00a0Coventry and L.\u00a0Little, Unpacking security policy compliance: The motivators and barriers of employees\u2019 security behaviors, in: Eleventh Symposium on Usable Privacy and Security (SOUPS 2015), 2015, pp.\u00a0103\u2013122."},{"key":"10.3233\/JCS-210046_ref20","doi-asserted-by":"crossref","unstructured":"P.\u00a0Briggs, D.\u00a0Jeske and L.\u00a0Coventry, Behavior change interventions for cybersecurity, in: Behavior Change Interventions for Cybersecurity, 2017, pp.\u00a0115\u2013136.","DOI":"10.1016\/B978-0-12-802690-8.00004-9"},{"key":"10.3233\/JCS-210046_ref21","unstructured":"L.J.\u00a0Camp and S.\u00a0Lewis, Economics of Information Security, Vol.\u00a012, Springer Science & Business Media, 2006."},{"key":"10.3233\/JCS-210046_ref22","doi-asserted-by":"crossref","unstructured":"A.\u00a0Caraban, E.\u00a0Karapanos, D.\u00a0Gon\u00e7alves and P.\u00a0Campos, 23 ways to nudge: A review of technology-mediated nudging in human\u2013computer interaction, in: Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, 2019, pp.\u00a01\u201315.","DOI":"10.1145\/3290605.3300733"},{"key":"10.3233\/JCS-210046_ref23","unstructured":"T.\u00a0Caulfield, M.\u00a0Baddeley and D.\u00a0Pym, Social learning in systems security modelling, Constructions 14(15) (2016), 3."},{"issue":"5","key":"10.3233\/JCS-210046_ref24","doi-asserted-by":"publisher","first-page":"34","DOI":"10.1109\/MSP.2015.97","article-title":"Improving security policy decisions with 
models","volume":"13","author":"Caulfield","year":"2015","journal-title":"IEEE Security & Privacy"},{"key":"10.3233\/JCS-210046_ref25","doi-asserted-by":"crossref","unstructured":"T.\u00a0Caulfield, D.\u00a0Pym and J.\u00a0Williams, Compositional security modelling, in: International Conference on Human Aspects of Information Security, Privacy, and Trust, Springer, 2014, pp.\u00a0233\u2013245.","DOI":"10.1007\/978-3-319-07620-1_21"},{"issue":"3","key":"10.3233\/JCS-210046_ref26","doi-asserted-by":"publisher","first-page":"484","DOI":"10.1257\/0002828041464461","article-title":"Distinguishing informational cascades from herd behavior in the laboratory","volume":"94","author":"\u00c7elen","year":"2004","journal-title":"American Economic Review"},{"key":"10.3233\/JCS-210046_ref27","doi-asserted-by":"crossref","unstructured":"C.P.\u00a0Chamley, Rational Herds: Economic Models of Social Learning, Cambridge University Press, 2004.","DOI":"10.1017\/CBO9780511616372"},{"key":"10.3233\/JCS-210046_ref28","unstructured":"J.\u00a0Clear, Atomic Habits: An Easy & Proven Way to Build Good Habits & Break Bad Ones, Penguin, 2018."},{"key":"10.3233\/JCS-210046_ref29","unstructured":"M.\u00a0Collinson, B.\u00a0Monahan and D.\u00a0Pym, A Discipline of Mathematical Systems Modelling, College Publications, 2012."},{"issue":"2","key":"10.3233\/JCS-210046_ref30","doi-asserted-by":"publisher","first-page":"171","DOI":"10.1016\/j.apergo.2013.02.009","article-title":"Advancing socio-technical systems thinking: A call for bravery","volume":"45","author":"Davis","year":"2014","journal-title":"Applied ergonomics"},{"issue":"2","key":"10.3233\/JCS-210046_ref31","doi-asserted-by":"publisher","first-page":"82","DOI":"10.1016\/0007-6813(83)90092-7","article-title":"Corporate cultures: The rites and rituals of corporate life","volume":"26","author":"Deal","year":"1983","journal-title":"Business Horizons"},{"key":"10.3233\/JCS-210046_ref32","doi-asserted-by":"crossref","unstructured":"S.\u00a0Dekker, 
Just Culture: Balancing Safety and Accountability, CRC Press, 2016.","DOI":"10.4324\/9781315251271"},{"key":"10.3233\/JCS-210046_ref33","doi-asserted-by":"crossref","unstructured":"A.\u00a0Demjaha, T.\u00a0Caulfield, M.A.\u00a0Sasse and D.\u00a0Pym, 2 fast 2 secure: A case study of post-breach security changes, in: 4th European Workshop on Usable Security (EuroUSEC), 2019.","DOI":"10.1109\/EuroSPW.2019.00028"},{"issue":"1","key":"10.3233\/JCS-210046_ref34","doi-asserted-by":"publisher","first-page":"23","DOI":"10.1207\/s15324834basp0101_3","article-title":"The costs of asking for help","volume":"1","author":"DePaulo","year":"1980","journal-title":"Basic and Applied Social Psychology"},{"issue":"6","key":"10.3233\/JCS-210046_ref35","doi-asserted-by":"publisher","first-page":"391","DOI":"10.1007\/s00779-004-0308-5","article-title":"Security in the wild: User strategies for managing security as an everyday, practical problem","volume":"8","author":"Dourish","year":"2004","journal-title":"Personal and Ubiquitous Computing"},{"key":"10.3233\/JCS-210046_ref36","doi-asserted-by":"crossref","unstructured":"J.\u00a0Dutson, D.\u00a0Allen, D.\u00a0Eggett and K.\u00a0Seamons, \u201cDon\u2019t punish all of us\u201d: Measuring user attitudes about two-factor authentication, in: EuroUSEC 2019, 2019.","DOI":"10.1109\/EuroSPW.2019.00020"},{"key":"10.3233\/JCS-210046_ref37","unstructured":"J.P.\u00a0Friedman, Dictionary of Business and Economic Terms, Simon and Schuster, 2012."},{"key":"10.3233\/JCS-210046_ref38","doi-asserted-by":"crossref","unstructured":"A.\u00a0Frik, N.\u00a0Malkin, M.\u00a0Harbach, E.\u00a0Peer and S.\u00a0Egelman, A promise is a promise: The effect of commitment devices on computer security intentions, in: Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, ACM, 2019, 
p.\u00a0604.","DOI":"10.1145\/3290605.3300834"},{"issue":"2","key":"10.3233\/JCS-210046_ref39","doi-asserted-by":"publisher","first-page":"5","DOI":"10.1016\/S1361-3723(09)70019-3","article-title":"From culture to disobedience: Recognising the varying user acceptance of it security","volume":"2009","author":"Furnell","year":"2009","journal-title":"Computer Fraud & Security"},{"issue":"4","key":"10.3233\/JCS-210046_ref40","doi-asserted-by":"publisher","first-page":"438","DOI":"10.1145\/581271.581274","article-title":"The economics of information security investment","volume":"5","author":"Gordon","year":"2002","journal-title":"ACM Transactions on Information and System Security (TISSEC)"},{"key":"10.3233\/JCS-210046_ref41","unstructured":"J.\u00a0Grossklags and A.\u00a0Acquisti, When 25 cents is too much: An experiment on willingness-to-sell and willingness-to-protect personal information, in: WEIS, 2007."},{"issue":"1","key":"10.3233\/JCS-210046_ref42","doi-asserted-by":"publisher","first-page":"14","DOI":"10.1109\/MSP.2013.134","article-title":"More is not the answer","volume":"12","author":"Herley","year":"2013","journal-title":"IEEE Security & Privacy"},{"key":"10.3233\/JCS-210046_ref43","doi-asserted-by":"publisher","DOI":"10.1145\/3498891.3498902"},{"key":"10.3233\/JCS-210046_ref44","unstructured":"R.\u00a0Horne, J.\u00a0Weinman, N.\u00a0Barber, R.\u00a0Elliott, M.\u00a0Morgan, A.\u00a0Cribb and I.\u00a0Kellar, Concordance, Adherence and Compliance in Medicine Taking. 
NCCSDO, London, 2005, 40\u20136."},{"issue":"1","key":"10.3233\/JCS-210046_ref45","doi-asserted-by":"publisher","first-page":"69","DOI":"10.1016\/j.im.2013.10.001","article-title":"Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition","volume":"51","author":"Ifinedo","year":"2014","journal-title":"Information & Management"},{"key":"10.3233\/JCS-210046_ref46","unstructured":"Information Security Forum: From promoting awareness to embedding behaviours: Secure by choice, not by chance, 2014."},{"issue":"2","key":"10.3233\/JCS-210046_ref47","doi-asserted-by":"publisher","first-page":"434","DOI":"10.1016\/j.ejor.2011.05.050","article-title":"Information security trade-offs and optimal patching policies","volume":"216","author":"Ioannidis","year":"2012","journal-title":"European Journal of Operational Research"},{"issue":"2","key":"10.3233\/JCS-210046_ref48","doi-asserted-by":"publisher","first-page":"487","DOI":"10.1007\/s11002-012-9186-1","article-title":"Beyond nudges: Tools of a choice architecture","volume":"23","author":"Johnson","year":"2012","journal-title":"Marketing Letters"},{"key":"10.3233\/JCS-210046_ref49","doi-asserted-by":"publisher","DOI":"10.1142\/9789814417358_0006"},{"issue":"3","key":"10.3233\/JCS-210046_ref50","doi-asserted-by":"publisher","first-page":"279","DOI":"10.1108\/ICS-11-2016-0084","article-title":"Measuring employees\u2019 compliance \u2013 the importance of value pluralism","volume":"25","author":"Karlsson","year":"2017","journal-title":"Information & Computer Security"},{"key":"10.3233\/JCS-210046_ref52","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-41320-9_5"},{"key":"10.3233\/JCS-210046_ref53","doi-asserted-by":"crossref","unstructured":"I.\u00a0Kirlappos, S.\u00a0Parkin and M.A.\u00a0Sasse, Learning from \u201cshadow security\u201d: Why understanding non-compliance provides the basis for effective security, in: Workshop on Usable Security (USEC) 2014, 
2014.","DOI":"10.14722\/usec.2014.23007"},{"issue":"1","key":"10.3233\/JCS-210046_ref54","doi-asserted-by":"publisher","first-page":"29","DOI":"10.1145\/2738210.2738216","article-title":"Shadow security as a tool for the learning organization","volume":"45","author":"Kirlappos","year":"2015","journal-title":"ACM SIGCAS Computers and Society"},{"key":"10.3233\/JCS-210046_ref55","doi-asserted-by":"crossref","unstructured":"I.\u00a0Kirlappos and M.A.\u00a0Sasse, What usable security really means: Trusting and engaging users, in: International Conference on Human Aspects of Information Security, Privacy, and Trust, Springer, 2014, pp.\u00a069\u201378.","DOI":"10.1007\/978-3-319-07620-1_7"},{"key":"10.3233\/JCS-210046_ref56","doi-asserted-by":"crossref","unstructured":"I.\u00a0Kirlappos and M.A.\u00a0Sasse, Fixing security together: Leveraging trust relationships to improve security in organizations, in: Proceedings of the Workshop on Usable Security and Privacy (USEC\u201915), Internet Society, 2015.","DOI":"10.14722\/usec.2015.23013"},{"issue":"500","key":"10.3233\/JCS-210046_ref57","doi-asserted-by":"publisher","first-page":"200","DOI":"10.1111\/j.1468-0297.2004.00966.x","article-title":"The decision maker matters: Individual versus group behaviour in experimental beauty-contest games","volume":"115","author":"Kocher","year":"2005","journal-title":"The Economic Journal"},{"key":"10.3233\/JCS-210046_ref58","unstructured":"R.\u00a0Koppel, S.W.\u00a0Smith, J.\u00a0Blythe and V.H.\u00a0Kothari, Workarounds to computer access in healthcare organizations: You want my password or a dead patient? 
in: ITCH, 2015, pp.\u00a0215\u2013220."},{"key":"10.3233\/JCS-210046_ref59","doi-asserted-by":"crossref","unstructured":"S.\u00a0Kraemer and P.\u00a0Carayon, Computer and information security culture: Findings from two studies, in: Proceedings of the Human Factors and Ergonomics Society Annual Meeting, Vol.\u00a049, 2005, pp.\u00a01483\u20131488.","DOI":"10.1177\/154193120504901605"},{"issue":"4","key":"10.3233\/JCS-210046_ref60","first-page":"471","article-title":"Are groups more rational than individuals? A review of interactive decision making in groups","volume":"3","author":"Kugler","year":"2012","journal-title":"Wiley Interdisciplinary Reviews: Cognitive Science"},{"issue":"3","key":"10.3233\/JCS-210046_ref61","doi-asserted-by":"publisher","first-page":"336","DOI":"10.1006\/obhd.1997.2746","article-title":"When the going gets tough, do the tough ask for help? Help seeking and power motivation in organizations","volume":"72","author":"Lee","year":"1997","journal-title":"Organizational Behavior and Human Decision Processes"},{"key":"10.3233\/JCS-210046_ref63","unstructured":"A.\u00a0Mathur, J.\u00a0Engel, S.\u00a0Sobti, V.\u00a0Chang and M.\u00a0Chetty, \u201cThey keep coming back like zombies\u201d: Improving software updating interfaces, in: Twelfth Symposium on Usable Privacy and Security (SOUPS 2016), 2016, pp.\u00a043\u201358."},{"key":"10.3233\/JCS-210046_ref64","doi-asserted-by":"publisher","DOI":"10.1186\/1748-5908-6-42"},{"key":"10.3233\/JCS-210046_ref65","doi-asserted-by":"crossref","unstructured":"C.\u00a0Morisset, I.\u00a0Yevseyeva, T.\u00a0Gro\u00df and A.\u00a0van Moorsel, A formal model for soft enforcement: Influencing the decision-maker, in: International Workshop on Security and Trust Management, Springer, 2014, pp.\u00a0113\u2013128.","DOI":"10.1007\/978-3-319-11851-2_8"},{"key":"10.3233\/JCS-210046_ref66","doi-asserted-by":"crossref","unstructured":"J.\u00a0Morris, I.\u00a0Becker and S.\u00a0Parkin, In control with no control: Perceptions 
and reality of Windows 10 home edition update features, in: Workshop on Usable Security and Privacy (USEC), 2019.","DOI":"10.14722\/usec.2019.23008"},{"key":"10.3233\/JCS-210046_ref67","doi-asserted-by":"publisher","DOI":"10.1093\/cybsec\/tyaa017"},{"key":"10.3233\/JCS-210046_ref68","doi-asserted-by":"publisher","DOI":"10.1109\/HICSS.2007.206"},{"key":"10.3233\/JCS-210046_ref70","doi-asserted-by":"crossref","unstructured":"S.\u00a0Parkin, S.\u00a0Driss, K.\u00a0Krol and M.A.\u00a0Sasse, Assessing the user experience of password reset policies in a university, in: International Conference on Passwords, Springer, 2015, pp.\u00a021\u201338.","DOI":"10.1007\/978-3-319-29938-9_2"},{"key":"10.3233\/JCS-210046_ref71","doi-asserted-by":"publisher","DOI":"10.1145\/2995959.2995967"},{"key":"10.3233\/JCS-210046_ref72","doi-asserted-by":"publisher","DOI":"10.1145\/1900546.1900553"},{"issue":"2","key":"10.3233\/JCS-210046_ref73","doi-asserted-by":"publisher","first-page":"117","DOI":"10.1177\/1555343415575152","article-title":"The influence of organizational information security culture on information security decision making","volume":"9","author":"Parsons","year":"2015","journal-title":"Journal of Cognitive Engineering and Decision Making"},{"key":"10.3233\/JCS-210046_ref74","doi-asserted-by":"publisher","DOI":"10.1145\/1866898.1866907"},{"key":"10.3233\/JCS-210046_ref75","doi-asserted-by":"crossref","unstructured":"J.\u00a0Reason, Human Error, Cambridge University Press, 1990.","DOI":"10.1017\/CBO9781139062367"},{"key":"10.3233\/JCS-210046_ref76","doi-asserted-by":"publisher","DOI":"10.1145\/3219166.3219185"},{"issue":"5","key":"10.3233\/JCS-210046_ref77","doi-asserted-by":"publisher","first-page":"55","DOI":"10.1109\/MSP.2017.3681050","article-title":"152 simple steps to stay safe online: Security advice for non-tech-savvy users","volume":"15","author":"Reeder","year":"2017","journal-title":"IEEE Security & 
Privacy"},{"key":"10.3233\/JCS-210046_ref78","doi-asserted-by":"crossref","unstructured":"L.\u00a0Reinfelder, R.\u00a0Landwirth and Z.\u00a0Benenson, Security managers are not the enemy either, in: Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, ACM, 2019, p.\u00a0433.","DOI":"10.1145\/3290605.3300663"},{"key":"10.3233\/JCS-210046_ref79","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-07620-1_32"},{"key":"10.3233\/JCS-210046_ref80","doi-asserted-by":"publisher","first-page":"22","DOI":"10.1016\/j.ijhcs.2018.05.011","article-title":"Ethical guidelines for nudging in information security & privacy","volume":"120","author":"Renaud","year":"2018","journal-title":"International Journal of Human\u2013Computer Studies"},{"issue":"6","key":"10.3233\/JCS-210046_ref81","doi-asserted-by":"crossref","first-page":"658","DOI":"10.2307\/256963","article-title":"Monkey see, monkey do: The influence of work groups on the antisocial behavior of employees","volume":"41","author":"Robinson","year":"1998","journal-title":"Academy of Management Journal"},{"issue":"2","key":"10.3233\/JCS-210046_ref82","first-page":"12","article-title":"The board\u2019s role in managing cybersecurity risks","volume":"59","author":"Rothrock","year":"2018","journal-title":"MIT Sloan Management Review"},{"key":"10.3233\/JCS-210046_ref83","unstructured":"E.H.\u00a0Schein, Organizational Culture and Leadership, Vol.\u00a02, John Wiley & Sons, 2010."},{"key":"10.3233\/JCS-210046_ref84","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-35586-3_15"},{"key":"10.3233\/JCS-210046_ref85","doi-asserted-by":"crossref","unstructured":"E.\u00a0Shafir, The Behavioral Foundations of Public Policy, Princeton University Press, 2013.","DOI":"10.1515\/9781400845347"},{"key":"10.3233\/JCS-210046_ref86","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2020.101961"},{"issue":"2","key":"10.3233\/JCS-210046_ref87","first-page":"181","article-title":"Conversation, information, and herd 
behavior","volume":"85","author":"Shiller","year":"1995","journal-title":"The American Economic Review"},{"issue":"1","key":"10.3233\/JCS-210046_ref88","doi-asserted-by":"publisher","first-page":"99","DOI":"10.2307\/1884852","article-title":"A behavioral model of rational choice","volume":"69","author":"Simon","year":"1955","journal-title":"The Quarterly Journal of Economics"},{"issue":"2","key":"10.3233\/JCS-210046_ref89","doi-asserted-by":"publisher","first-page":"129","DOI":"10.1037\/h0042769","article-title":"Rational choice and the structure of the environment","volume":"63","author":"Simon","year":"1956","journal-title":"Psychological Review"},{"key":"10.3233\/JCS-210046_ref90","doi-asserted-by":"crossref","unstructured":"H.A.\u00a0Simon, Models of Bounded Rationality: Empirically Grounded Economic Reason, Vol.\u00a03, MIT Press, 1997.","DOI":"10.7551\/mitpress\/4711.001.0001"},{"key":"10.3233\/JCS-210046_ref91","doi-asserted-by":"crossref","unstructured":"M.P.\u00a0Steves, K.K.\u00a0Greene and M.F.\u00a0Theofanos, A phish scale: Rating human phishing message detection difficulty, in: Workshop on Usable Security (USEC), 2019.","DOI":"10.14722\/usec.2019.23028"},{"issue":"3","key":"10.3233\/JCS-210046_ref92","doi-asserted-by":"publisher","first-page":"226","DOI":"10.1007\/s10602-008-9043-7","article-title":"Why incoherent preferences do not justify paternalism","volume":"19","author":"Sugden","year":"2008","journal-title":"Constitutional Political Economy"},{"issue":"1","key":"10.3233\/JCS-210046_ref93","doi-asserted-by":"publisher","first-page":"39","DOI":"10.1016\/0167-2681(80)90051-7","article-title":"Toward a positive theory of consumer choice","volume":"1","author":"Thaler","year":"1980","journal-title":"Journal of Economic Behavior & 
Organization"},{"key":"10.3233\/JCS-210046_ref95","doi-asserted-by":"publisher","DOI":"10.1145\/2783446.2783588"},{"key":"10.3233\/JCS-210046_ref96","doi-asserted-by":"publisher","DOI":"10.1145\/2556288.2557275"},{"key":"10.3233\/JCS-210046_ref97","unstructured":"M.L.\u00a0Vasu, D.W.\u00a0Stewart and G.D.\u00a0Garson, Organizational Behavior and Public Management, Revised and Expanded. Routledge, 2017."},{"key":"10.3233\/JCS-210046_ref99","doi-asserted-by":"crossref","unstructured":"K.D.\u00a0Vohs, R.F.\u00a0Baumeister, B.J.\u00a0Schmeichel, J.M.\u00a0Twenge, N.M.\u00a0Nelson and D.M.\u00a0Tice, Making choices impairs subsequent self-control: A limited-resource account of decision making, self-regulation, and active initiative, Journal of Personality and Social Psychology (2014).","DOI":"10.1037\/2333-8113.1.S.19"},{"issue":"3","key":"10.3233\/JCS-210046_ref100","doi-asserted-by":"publisher","first-page":"191","DOI":"10.1016\/j.cose.2004.01.012","article-title":"Towards information security behavioural compliance","volume":"23","author":"Vroom","year":"2004","journal-title":"Computers & Security"},{"issue":"3","key":"10.3233\/JCS-210046_ref101","doi-asserted-by":"publisher","first-page":"267","DOI":"10.1057\/ejis.2010.72","article-title":"The influence of the informal social learning environment on information privacy policy compliance efficacy and intention","volume":"20","author":"Warkentin","year":"2011","journal-title":"European Journal of Information Systems"},{"key":"10.3233\/JCS-210046_ref102","unstructured":"R.\u00a0Wash, E.\u00a0Rader, K.\u00a0Vaniea and M.\u00a0Rizor, Out of the loop: How automated software updates cause unintended security consequences, in: 10th Symposium on Usable Privacy and Security (SOUPS 2014), 2014, pp.\u00a089\u2013104."},{"issue":"5","key":"10.3233\/JCS-210046_ref103","doi-asserted-by":"publisher","first-page":"791","DOI":"10.1111\/isj.12271","article-title":"Peers matter: The moderating role of social influence on information 
security policy compliance","volume":"30","author":"Yazdanmehr","year":"2020","journal-title":"Information Systems Journal"},{"key":"10.3233\/JCS-210046_ref104","doi-asserted-by":"publisher","first-page":"169","DOI":"10.1016\/j.ijhcs.2019.05.005","article-title":"Moving from a \u2018human-as-problem\u2019 to a \u2018human-as-solution\u2019 cybersecurity mindset","volume":"131","author":"Zimmermann","year":"2019","journal-title":"International Journal of Human\u2013Computer Studies"}],"container-title":["Journal of Computer Security"],"original-title":[],"link":[{"URL":"https:\/\/content.iospress.com\/download?id=10.3233\/JCS-210046","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T20:45:37Z","timestamp":1777495537000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/full\/10.3233\/JCS-210046"}},"subtitle":[],"editor":[{"given":"Thomas","family":"Gro\u00df","sequence":"additional","affiliation":[]},{"given":"Luca","family":"Vigan\u00f2","sequence":"additional","affiliation":[]}],"short-title":[],"issued":{"date-parts":[[2022,7,4]]},"references-count":99,"journal-issue":{"issue":"3"},"URL":"https:\/\/doi.org\/10.3233\/jcs-210046","relation":{},"ISSN":["1875-8924","0926-227X"],"issn-type":[{"value":"1875-8924","type":"electronic"},{"value":"0926-227X","type":"print"}],"subject":[],"published":{"date-parts":[[2022,7,4]]}}}