{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,16]],"date-time":"2026-04-16T10:18:52Z","timestamp":1776334732968,"version":"3.51.2"},"reference-count":109,"publisher":"Elsevier BV","issue":"1","license":[{"start":{"date-parts":[[2017,3,1]],"date-time":"2017-03-01T00:00:00Z","timestamp":1488326400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2016,9,13]],"date-time":"2016-09-13T00:00:00Z","timestamp":1473724800000},"content-version":"vor","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"funder":[{"name":"Swedish Civil Contingency Agency"}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["The Journal of Strategic Information Systems"],"published-print":{"date-parts":[[2017,3]]},"DOI":"10.1016\/j.jsis.2016.08.005","type":"journal-article","created":{"date-parts":[[2016,9,9]],"date-time":"2016-09-09T01:10:45Z","timestamp":1473383445000},"page":"39-57","update-policy":"https:\/\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":67,"title":["Towards analysing the rationale of information security non-compliance: Devising a Value-Based Compliance analysis method"],"prefix":"10.1016","volume":"26","author":[{"given":"Ella","family":"Kolkowska","sequence":"first","affiliation":[]},{"given":"Fredrik","family":"Karlsson","sequence":"additional","affiliation":[]},{"given":"Karin","family":"Hedstr\u00f6m","sequence":"additional","affiliation":[]}],"member":"78","reference":[{"key":"10.1016\/j.jsis.2016.08.005_b0005","doi-asserted-by":"crossref","first-page":"41","DOI":"10.1145\/322796.322806","article-title":"Users are not the enemy","volume":"42","author":"Adams","year":"1999","journal-title":"Commun. ACM"},{"key":"10.1016\/j.jsis.2016.08.005_b0010","doi-asserted-by":"crossref","first-page":"276","DOI":"10.1016\/j.cose.2006.11.004","article-title":"A qualitative study of user\u2019s view on information security","volume":"26","author":"Albrechtsen","year":"2007","journal-title":"Comput. Secur."},{"key":"10.1016\/j.jsis.2016.08.005_b0015","doi-asserted-by":"crossref","first-page":"476","DOI":"10.1016\/j.cose.2009.01.003","article-title":"The information security digital divide between information security managers and users","volume":"28","author":"Albrechtsen","year":"2009","journal-title":"Comput. Secur."},{"key":"10.1016\/j.jsis.2016.08.005_b0020","series-title":"Organizational Learning II. Theory, Method, and Practice","author":"Argyris","year":"1996"},{"key":"10.1016\/j.jsis.2016.08.005_b0025","doi-asserted-by":"crossref","first-page":"36","DOI":"10.1109\/MSP.2007.11","article-title":"Is information security under control? Investigating quality in information security management","volume":"5","author":"Baker","year":"2007","journal-title":"IEEE Secur. Priv."},{"key":"10.1016\/j.jsis.2016.08.005_b0030","doi-asserted-by":"crossref","first-page":"369","DOI":"10.2307\/248684","article-title":"The case research strategy in studies of information systems","volume":"11","author":"Benbasat","year":"1987","journal-title":"MIS Q."},{"key":"10.1016\/j.jsis.2016.08.005_b0035","doi-asserted-by":"crossref","first-page":"253","DOI":"10.1016\/j.cose.2003.09.002","article-title":"Computer security impaired by legitimate users","volume":"23","author":"Besnard","year":"2004","journal-title":"Comput. Secur."},{"key":"10.1016\/j.jsis.2016.08.005_b0040","doi-asserted-by":"crossref","first-page":"151","DOI":"10.1057\/ejis.2009.8","article-title":"If someone is watching, I\u2019ll do what I\u2019m asked: mandatoriness, control and information security","volume":"18","author":"Boss","year":"2009","journal-title":"Eur. J. f Inf. Syst."},{"key":"10.1016\/j.jsis.2016.08.005_b0045","doi-asserted-by":"crossref","first-page":"275","DOI":"10.1016\/0950-5849(95)01059-9","article-title":"Method engineering: engineering of information systems development methods and tools","volume":"38","author":"Brinkkemper","year":"1996","journal-title":"Inf. Softw. Technol."},{"key":"10.1016\/j.jsis.2016.08.005_b0050","doi-asserted-by":"crossref","first-page":"523","DOI":"10.2307\/25750690","article-title":"Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness","volume":"34","author":"Bulgurcu","year":"2010","journal-title":"MIS Q."},{"key":"10.1016\/j.jsis.2016.08.005_b0055","doi-asserted-by":"crossref","first-page":"18","DOI":"10.1080\/15536548.2005.10855772","article-title":"Perceptions of information security in the workplace: linking information security climate to compliant behavior","volume":"1","author":"Chan","year":"2005","journal-title":"J. Inf. Privacy Secur."},{"key":"10.1016\/j.jsis.2016.08.005_b0060","unstructured":"Cisco, 2014. Cisco 2014 Annual Security Report."},{"key":"10.1016\/j.jsis.2016.08.005_b0065","series-title":"Federal Security Breaches Traced to User Noncompliance","author":"Corbin","year":"2013"},{"key":"10.1016\/j.jsis.2016.08.005_b0070","doi-asserted-by":"crossref","first-page":"90","DOI":"10.1016\/j.cose.2012.09.010","article-title":"Future directions for behavioral information security research","volume":"32","author":"Crossler","year":"2013","journal-title":"Comput. Secur."},{"key":"10.1016\/j.jsis.2016.08.005_b0075","doi-asserted-by":"crossref","first-page":"113","DOI":"10.1145\/1290958.1290971","article-title":"Deterring internal information systems misuse","volume":"50","author":"D\u2019Arcy","year":"2007","journal-title":"Commun. ACM"},{"key":"10.1016\/j.jsis.2016.08.005_b0080","first-page":"3","article-title":"Towards a best fit between organizational security countermeasures and information systems misuse behaviors","volume":"3","author":"D\u2019Arcy","year":"2007","journal-title":"J. Inf. Syst. Secur."},{"key":"10.1016\/j.jsis.2016.08.005_b0085","doi-asserted-by":"crossref","first-page":"79","DOI":"10.1287\/isre.1070.0160","article-title":"User awareness of security countermeasures and its impact on information security misuse: a deterrence approach","volume":"20","author":"D\u2019Arcy","year":"2009","journal-title":"Inf. Syst. Res."},{"key":"10.1016\/j.jsis.2016.08.005_b0090","doi-asserted-by":"crossref","first-page":"196","DOI":"10.1016\/j.cose.2009.09.002","article-title":"A framework and assessment instrument for information security culture","volume":"29","author":"Da Veiga","year":"2010","journal-title":"Comput. Secur."},{"key":"10.1016\/j.jsis.2016.08.005_b0095","series-title":"Principles of Information Systems Security: Text and Cases","author":"Dhillon","year":"2007"},{"key":"10.1016\/j.jsis.2016.08.005_b0100","first-page":"11","article-title":"Current directions in IS security research: towards socio-organisational perspectives","author":"Dhillon","year":"2001","journal-title":"Inf. Syst. J."},{"key":"10.1016\/j.jsis.2016.08.005_b0105","doi-asserted-by":"crossref","first-page":"293","DOI":"10.1111\/j.1365-2575.2006.00219.x","article-title":"Value-focused assessment of information security in organizations","volume":"16","author":"Dhillon","year":"2006","journal-title":"Inf. Syst. J."},{"key":"10.1016\/j.jsis.2016.08.005_b0110","unstructured":"Enisa, 2014. ENISA Threat Landscape 2014. Overview of Current and Emerging Cyber-Threats. European Union Agency for Network and Information Security."},{"key":"10.1016\/j.jsis.2016.08.005_b0115","unstructured":"European Commission, 2013. Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace."},{"key":"10.1016\/j.jsis.2016.08.005_b0120","doi-asserted-by":"crossref","first-page":"507","DOI":"10.1016\/S0142-694X(03)00039-5","article-title":"Theory construction in design research: criteria, approaches, and methods","volume":"24","author":"Friedman","year":"2003","journal-title":"Des. Stud."},{"key":"10.1016\/j.jsis.2016.08.005_b0125","doi-asserted-by":"crossref","first-page":"8","DOI":"10.1016\/S1361-3723(06)70419-5","article-title":"Malicious or misinformed? Exploring a contributor to the insider threat","volume":"9","author":"Furnell","year":"2006","journal-title":"Comput. Fraud Secur."},{"key":"10.1016\/j.jsis.2016.08.005_b0130","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1016\/S1361-3723(09)70019-3","article-title":"From culture to disobedience: recognising the varying user acceptance of IT security","author":"Furnell","year":"2009","journal-title":"Comput. Fraud Secur."},{"key":"10.1016\/j.jsis.2016.08.005_b0135","unstructured":"Gassp, 1999. Generally Accepted System Security Principles (GASSP) Version 2.0. Information Systems Security, 8."},{"key":"10.1016\/j.jsis.2016.08.005_b0140","series-title":"Comput. Secur.","author":"Gollmann","year":"1999"},{"key":"10.1016\/j.jsis.2016.08.005_b0145","series-title":"WSEAS International Conference on Information Security","article-title":"A framework for human factors in information security","author":"Gonzalez","year":"2002"},{"key":"10.1016\/j.jsis.2016.08.005_b0150","doi-asserted-by":"crossref","first-page":"257","DOI":"10.2307\/249656","article-title":"The effects of codes of ethics and personal denial of responsibility on computer abuse judgements and intentions","volume":"20","author":"Harrington","year":"1996","journal-title":"MIS Q."},{"key":"10.1016\/j.jsis.2016.08.005_b0155","doi-asserted-by":"crossref","first-page":"266","DOI":"10.1108\/IMCS-08-2012-0043","article-title":"Social action theory for understanding information security non-compliance in hospitals: the importance of user rationale","volume":"21","author":"Hedstr\u00f6m","year":"2013","journal-title":"Inf. Manage. Comput. Secur."},{"key":"10.1016\/j.jsis.2016.08.005_b0160","doi-asserted-by":"crossref","first-page":"373","DOI":"10.1016\/j.jsis.2011.06.001","article-title":"Value conflicts for information security management","volume":"20","author":"Hedstr\u00f6m","year":"2011","journal-title":"J. Stra. Inf. Syst."},{"key":"10.1016\/j.jsis.2016.08.005_b0165","doi-asserted-by":"crossref","first-page":"154","DOI":"10.1016\/j.dss.2009.02.005","article-title":"Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness","volume":"47","author":"Herath","year":"2009","journal-title":"Decis. Support Syst."},{"key":"10.1016\/j.jsis.2016.08.005_b0170","doi-asserted-by":"crossref","first-page":"106","DOI":"10.1057\/ejis.2009.6","article-title":"Protection motivation and deterrence: a framework for security policy compliance in organisations","volume":"18","author":"Herath","year":"2009","journal-title":"Eur. J. Inf. Syst."},{"key":"10.1016\/j.jsis.2016.08.005_b0175","doi-asserted-by":"crossref","first-page":"75","DOI":"10.2307\/25148625","article-title":"Design science in information systems research","volume":"28","author":"Hevner","year":"2004","journal-title":"MIS Q."},{"key":"10.1016\/j.jsis.2016.08.005_b0180","doi-asserted-by":"crossref","first-page":"99","DOI":"10.1016\/j.im.2011.12.005","article-title":"Applying an extended model of deterrence across cultures: an investigation of information systems misuse in the U.S. and South Korea","volume":"49","author":"Hovav","year":"2012","journal-title":"Inf. Manage."},{"key":"10.1016\/j.jsis.2016.08.005_b0185","doi-asserted-by":"crossref","first-page":"615","DOI":"10.1111\/j.1540-5915.2012.00361.x","article-title":"Managing employee compliance with information security policies: the critical role of top management and organizational culture","volume":"43","author":"Hu","year":"2012","journal-title":"Decis. Sci. J."},{"key":"10.1016\/j.jsis.2016.08.005_b0190","doi-asserted-by":"crossref","first-page":"54","DOI":"10.1145\/1953122.1953142","article-title":"Does deterrence work in reducing information security policy abuse by employees?","volume":"54","author":"Hu","year":"2011","journal-title":"Commun. ACM"},{"key":"10.1016\/j.jsis.2016.08.005_b0195","first-page":"68","article-title":"Analyzing enterprise security using social networks and structuration theory","volume":"11","author":"Huebner","year":"2006","journal-title":"J. Appl. Manage. Entrep."},{"key":"10.1016\/j.jsis.2016.08.005_b0200","doi-asserted-by":"crossref","first-page":"83","DOI":"10.1016\/j.cose.2011.10.007","article-title":"Understanding information systems security policy compliance: an integration of the theory of planned behavior and the protection motivation theory","volume":"31","author":"Ifinedo","year":"2012","journal-title":"Comput. Secur."},{"key":"10.1016\/j.jsis.2016.08.005_b0205","unstructured":"Intel Security, 2014. Net Losses: Estimating the Global Cost of Cybercrime. Center for Strategic and International Studies."},{"key":"10.1016\/j.jsis.2016.08.005_b0210","unstructured":"Iso, 2005. ISO\/IEC 27002:2005, Information Technology \u2013 Secuirty Techniques \u2013 Code of Practice for Information Management Systems \u2013 Requirements. International Organization for Standardization (ISO)."},{"key":"10.1016\/j.jsis.2016.08.005_b0215","unstructured":"Iso, 2013. ISO\/IEC 27002:2013 Information technology \u2014 Security techniques \u2014 Code of practice for information security controls. International Organization for Standardization (ISO)."},{"key":"10.1016\/j.jsis.2016.08.005_b0220","doi-asserted-by":"crossref","first-page":"549","DOI":"10.2307\/25750691","article-title":"Fear appeals and information security behaviors: an empirical study","volume":"34","author":"Johnston","year":"2010","journal-title":"MIS Q."},{"key":"10.1016\/j.jsis.2016.08.005_b0225","doi-asserted-by":"crossref","first-page":"1145","DOI":"10.1086\/227128","article-title":"Max Weber\u2019s types of rationality: cornerstones for the analysis of rationalization processes in history","volume":"85","author":"Kalberg","year":"1980","journal-title":"Am. J. Sociol."},{"key":"10.1016\/j.jsis.2016.08.005_b0230","unstructured":"Karjalainen, M., 2011. Improving Employees\u2019 Information Systems (IS) Security Behavior - Toward a Meta-Theory of IS Security Training and a New Framework for Understanding Employees\u2019 IS Security Behavior. PhD. University of Oulu."},{"key":"10.1016\/j.jsis.2016.08.005_b0235","unstructured":"Karlsson, F., Hedstr\u00f6m, K., 2008. Exploring the conceptual structure of security rationale. AIS SIGSEC Workshop on Information Security & Privacy, WISP 2008. Paris, France."},{"key":"10.1016\/j.jsis.2016.08.005_b0240","series-title":"Financial Cryptography and Data Security \u2013 FC 2013 Workshops, USEC and WAHC 2013, Okinawa, Japan, April 1, 2013, Revised Selected Papers","article-title":"\u201cComply or Die\u201d Is Dead: Long live security-aware principal agents","author":"Kirlappos","year":"2013"},{"key":"10.1016\/j.jsis.2016.08.005_b0245","unstructured":"Kolkowska, E., 2005. Value Sensitive Approach to Information System Security. Americas Conference on Information Systems 2005, August 11\u2013August 14, 2005. Omaha, Nebraska, USA."},{"key":"10.1016\/j.jsis.2016.08.005_b0250","unstructured":"Kolkowska, E., 2006. Value Sensitive Approach to Information System Security - A Pilot Study. 12th Americas Conference On Information Systems (AMCIS) August 4\u20136, 2006. Acapulco, Mexico."},{"key":"10.1016\/j.jsis.2016.08.005_b0255","series-title":"A Value Perspective on Information System Security \u2013 Exploring IS Security Objectives, Problems and Value Conflicts","author":"Kolkowska","year":"2009"},{"key":"10.1016\/j.jsis.2016.08.005_b0260","unstructured":"Kolkowska, E., 2011. Security subcultures in an organization-exploring value conflicts. In: 19th European Conference on Information Systems (ECIS 2011), 2011 Helsinki, Finland. AIS Electronic Library, Paper 237."},{"key":"10.1016\/j.jsis.2016.08.005_b0265","series-title":"Information Security and Privacy Research \u2013 27th IFIP TC 11 Information Security and Privacy Conference, SEC 2012, Heraklion, Crete, Greece, June 4\u20136, 2012. Proceedings.","article-title":"Analyzing value conflicts for a work-friendly ISS policy implementation","author":"Kolkowska","year":"2012"},{"key":"10.1016\/j.jsis.2016.08.005_b0270","doi-asserted-by":"crossref","first-page":"685","DOI":"10.1016\/S0167-4048(03)00007-5","article-title":"Improving user security behaviour","volume":"22","author":"Leach","year":"2003","journal-title":"Comput. Secur."},{"key":"10.1016\/j.jsis.2016.08.005_b0275","doi-asserted-by":"crossref","first-page":"707","DOI":"10.1016\/j.im.2003.08.008","article-title":"An integrative model of computer abuse based on social control and deterrence theories","volume":"41","author":"Lee","year":"2004","journal-title":"Inf. Manage."},{"key":"10.1016\/j.jsis.2016.08.005_b0280","doi-asserted-by":"crossref","first-page":"635","DOI":"10.1016\/j.dss.2009.12.005","article-title":"Understanding compliance with internet use policy from the perspective of rational choice theory","volume":"48","author":"Li","year":"2010","journal-title":"Decis. Support Syst."},{"key":"10.1016\/j.jsis.2016.08.005_b0285","first-page":"394","article-title":"Understanding security behaviors in personal computer usage: a threat avoidance perspective","volume":"11","author":"Liang","year":"2010","journal-title":"J. Assoc. Inf. Syst."},{"key":"10.1016\/j.jsis.2016.08.005_b0290","series-title":"IEEE International Conference on Systems, Man and Cybernetics, 2003.","article-title":"Applying double loop learning to interpret implications for information systems security design","author":"Mattia","year":"2003"},{"key":"10.1016\/j.jsis.2016.08.005_b0295","first-page":"3","article-title":"Anchoring information security governance research: sociological groundings and future directions","volume":"2","author":"Mcfadzean","year":"2006","journal-title":"J. Inf. Syst. Secur."},{"key":"10.1016\/j.jsis.2016.08.005_b0300","unstructured":"Mishra, S., Dhillon, G., 2006. Information systems security governance research: a behavioral perspective. In: 1st Annual Symposium on Information Assurance, Academic Track of 9th Annual NYS Cyber Security Conference, 2006 New York."},{"key":"10.1016\/j.jsis.2016.08.005_b0305","doi-asserted-by":"crossref","first-page":"377","DOI":"10.1016\/0167-4048(96)82560-0","article-title":"Electronic communications risk management: a checklist for business management","volume":"15","author":"Moulton","year":"1996","journal-title":"Comput. Secur."},{"key":"10.1016\/j.jsis.2016.08.005_b0310","doi-asserted-by":"crossref","first-page":"126","DOI":"10.1057\/ejis.2009.10","article-title":"What levels of moral reasoning and values explain adherence to information security rules? An empirical study","volume":"18","author":"Myyry","year":"2009","journal-title":"Eur. J. Inf. Syst."},{"key":"10.1016\/j.jsis.2016.08.005_b0315","unstructured":"Nash, K.S., Greenwood, D., 2008. The Global State of Information Security. CIO Magazine (reprinted by PriceWaterhouseCoopers)."},{"key":"10.1016\/j.jsis.2016.08.005_b0320","doi-asserted-by":"crossref","first-page":"815","DOI":"10.1016\/j.dss.2008.11.010","article-title":"Studying users\u2019 computer security behavior using the health belief model","volume":"46","author":"Ng","year":"2009","journal-title":"Decis. Support Syst."},{"key":"10.1016\/j.jsis.2016.08.005_b0325","series-title":"Information Security Handbook: A Guide for Managers","author":"Nist","year":"2006"},{"key":"10.1016\/j.jsis.2016.08.005_b0330","unstructured":"Nist, 2012. NIST Special Publication 800-30 - Revision 1: Guide for Conducting Risk Assessments Gaithersburg, MD: National Institute of Standards and Technology (NIST), U.S. Department of Commerce."},{"key":"10.1016\/j.jsis.2016.08.005_b0335","series-title":"40th Annual Hawaii International Conference on System Sciences (HICSS\u201907)","first-page":"1561","article-title":"Employees\u2019 behavior towards IS security policy compliance","author":"Pahnila","year":"2007"},{"key":"10.1016\/j.jsis.2016.08.005_b0340","series-title":"40th Hawaii International Conference on System Sciences (HICSS 2007)","first-page":"156","article-title":"Employees\u2019 behavior towards IS security policy compliance","author":"Pahnila","year":"2007"},{"key":"10.1016\/j.jsis.2016.08.005_b0345","series-title":"Computer Security Management","author":"Parker","year":"1981"},{"key":"10.1016\/j.jsis.2016.08.005_b0350","doi-asserted-by":"crossref","first-page":"45","DOI":"10.2753\/MIS0742-1222240302","article-title":"A design science research methodology for information systems research","volume":"24","author":"Peffers","year":"2008","journal-title":"J. Manage. Inf. Syst."},{"key":"10.1016\/j.jsis.2016.08.005_b0355","series-title":"The Tacit Dimension","author":"Polanyi","year":"1983"},{"key":"10.1016\/j.jsis.2016.08.005_b0360","unstructured":"Pwc, 2013. Defending Yesterday \u2013 Key Findings from The Global State of Information Security Survey, 2014."},{"key":"10.1016\/j.jsis.2016.08.005_b0365","unstructured":"Pwc, 2014a. The Information Security Breaches Survey - Technical Report. Department for Business, Innovation and Skills (BIS), London, UK."},{"key":"10.1016\/j.jsis.2016.08.005_b0370","unstructured":"Pwc, 2014b. Managing Cyber Risks in an Interconnected World - Key findings from The Global State of Information Security Survey 2015. PriceWaterhouseCoopers."},{"key":"10.1016\/j.jsis.2016.08.005_b0375","first-page":"163","article-title":"Variations in information security cultures across professions: a qualitative study","volume":"33","author":"Ramachandran","year":"2013","journal-title":"Commun. Assoc. Inf. Syst."},{"key":"10.1016\/j.jsis.2016.08.005_b0380","doi-asserted-by":"crossref","first-page":"296","DOI":"10.1108\/09685221211267666","article-title":"Health service employees and information security policies: an uneasy partnership?","volume":"20","author":"Renaud","year":"2012","journal-title":"Inf. Manage. Comput. Secur."},{"key":"10.1016\/j.jsis.2016.08.005_b0385","doi-asserted-by":"crossref","first-page":"816","DOI":"10.1016\/j.cose.2009.05.008","article-title":"Self-efficacy in information security: its influence on end users\u2019 information security practice behavior","volume":"28","author":"Rhee","year":"2009","journal-title":"Comput. Secur."},{"key":"10.1016\/j.jsis.2016.08.005_b0390","doi-asserted-by":"crossref","first-page":"122","DOI":"10.1023\/A:1011902718709","article-title":"Transforming the weakest link \u2013 a human\/computer interaction approach to usable and effective security","volume":"19","author":"Sasse","year":"2001","journal-title":"BT Technol. J."},{"key":"10.1016\/j.jsis.2016.08.005_b0395","series-title":"The Corporate Culture Survival Guide","author":"Schein","year":"1999"},{"key":"10.1016\/j.jsis.2016.08.005_b0400","series-title":"The 14th International Workshop on Database and Expert Systems Applications (DEXA\u201903)","first-page":"405","article-title":"Analyzing information security culture: increased trust by an appropriate information security culture","author":"Schlienger","year":"2003"},{"key":"10.1016\/j.jsis.2016.08.005_b0405","doi-asserted-by":"crossref","first-page":"339","DOI":"10.1016\/j.infoandorg.2004.11.001","article-title":"Analysis of modern IS security development approaches: towards the next generation of social and adaptable ISS methods","volume":"15","author":"Siponen","year":"2005","journal-title":"Inf. Organ."},{"key":"10.1016\/j.jsis.2016.08.005_b0410","doi-asserted-by":"crossref","first-page":"303","DOI":"10.1057\/palgrave.ejis.3000537","article-title":"An analysis of the traditional IS security approaches: implications for research and practice","volume":"14","author":"Siponen","year":"2005","journal-title":"Eur. J. Inf. Syst."},{"key":"10.1016\/j.jsis.2016.08.005_b0415","first-page":"725","article-title":"A design theory for secure information security design methods","volume":"7","author":"Siponen","year":"2006","journal-title":"J. Assoc. Inf. Syst."},{"key":"10.1016\/j.jsis.2016.08.005_b0420","doi-asserted-by":"crossref","first-page":"217","DOI":"10.1016\/j.im.2013.08.006","article-title":"Employees\u2019 adherence to information security policies: an exploratory field study","volume":"51","author":"Siponen","year":"2014","journal-title":"Inf. Manage."},{"key":"10.1016\/j.jsis.2016.08.005_b0425","series-title":"IFIP International Federation for Information Processing, New Approaches for Security, Privacy and Trust in Complex Environments","doi-asserted-by":"crossref","DOI":"10.1007\/978-0-387-72367-9_12","article-title":"Employees\u2019 adherence to information security policies: an empirical study","author":"Siponen","year":"2007"},{"key":"10.1016\/j.jsis.2016.08.005_b0430","doi-asserted-by":"crossref","first-page":"64","DOI":"10.1109\/MC.2010.35","article-title":"Compliance with information security policies: an empirical investigation","volume":"43","author":"Siponen","year":"2010","journal-title":"Computer"},{"key":"10.1016\/j.jsis.2016.08.005_b0435","doi-asserted-by":"crossref","first-page":"487","DOI":"10.2307\/25750688","article-title":"Neutralization: new insights into the problem of employee information systems security policy violations","volume":"34","author":"Siponen","year":"2010","journal-title":"MIS Q."},{"key":"10.1016\/j.jsis.2016.08.005_b0440","doi-asserted-by":"crossref","first-page":"289","DOI":"10.1057\/ejis.2012.59","article-title":"Guidelines for improving the contextual relevance of field surveys: the case of information security policy violations","volume":"23","author":"Siponen","year":"2013","journal-title":"Eur. J. Inf. Syst."},{"key":"10.1016\/j.jsis.2016.08.005_b0445","doi-asserted-by":"crossref","first-page":"296","DOI":"10.1016\/j.im.2011.07.002","article-title":"Out of fear or desire? Toward a better understanding of employees\u2019 motivation to follow IS security policies","volume":"48","author":"Son","year":"2011","journal-title":"Inf. Manage."},{"key":"10.1016\/j.jsis.2016.08.005_b0450","doi-asserted-by":"crossref","first-page":"77","DOI":"10.1111\/j.1365-2575.2011.00378.x","article-title":"Information security policies in the UK healthcare sector: a critical evaluation","volume":"22","author":"Stahl","year":"2012","journal-title":"Inf. Syst. J."},{"key":"10.1016\/j.jsis.2016.08.005_b0455","doi-asserted-by":"crossref","first-page":"124","DOI":"10.1016\/j.cose.2004.07.001","article-title":"Analysis of end user security behaviors","volume":"24","author":"Stanton","year":"2005","journal-title":"Comput. Secur."},{"key":"10.1016\/j.jsis.2016.08.005_b0460","doi-asserted-by":"crossref","DOI":"10.1287\/isre.1.3.255","article-title":"Effective IS security: an empirical study","volume":"1","author":"Straub","year":"1990","journal-title":"Inf. Syst. Res."},{"key":"10.1016\/j.jsis.2016.08.005_b0465","doi-asserted-by":"crossref","first-page":"45","DOI":"10.2307\/249307","article-title":"Discovering and disciplining computer abuse in organizations: a field study","volume":"14","author":"Straub","year":"1990","journal-title":"MIS Q."},{"key":"10.1016\/j.jsis.2016.08.005_b0470","volume":"vol. 19","author":"Symantec Corporation","year":"2014"},{"key":"10.1016\/j.jsis.2016.08.005_b0475","unstructured":"Thomson, K.-L., 2009. Information Security Conscience: a prediction to an Information Security Culture. In: 8th Annual Security Conference, April 15\u201316, 2009. Las Vegas, Nevada, USA."},{"key":"10.1016\/j.jsis.2016.08.005_b0480","doi-asserted-by":"crossref","first-page":"11","DOI":"10.1016\/S1361-3723(06)70356-6","article-title":"Towards an information security competence maturity model","volume":"2006","author":"Thomson","year":"2006","journal-title":"Comput. Fraud Secur."},{"key":"10.1016\/j.jsis.2016.08.005_b0485","doi-asserted-by":"crossref","first-page":"7","DOI":"10.1016\/S1361-3723(06)70430-4","article-title":"Cultivating an organizational information security culture","volume":"2006","author":"Thomson","year":"2006","journal-title":"Comput. Fraud Secur."},{"key":"10.1016\/j.jsis.2016.08.005_b0490","doi-asserted-by":"crossref","first-page":"130","DOI":"10.1016\/j.jsis.2007.05.003","article-title":"Danger is in the eye of the beholders: social representations of Information Systems security in healthcare","volume":"16","author":"Vaast","year":"2007","journal-title":"J. Strat. Inf. Syst."},{"key":"10.1016\/j.jsis.2016.08.005_b0495","doi-asserted-by":"crossref","first-page":"476","DOI":"10.1016\/j.cose.2009.10.005","article-title":"Information security culture: a management perspective","volume":"29","author":"Van Niekerk","year":"2010","journal-title":"Comput. Secur."},{"key":"10.1016\/j.jsis.2016.08.005_b0500","doi-asserted-by":"crossref","first-page":"190","DOI":"10.1016\/j.im.2012.04.002","article-title":"Motivating IS security compliance: insights from habit and protection motivation theory","volume":"49","author":"Vance","year":"2012","journal-title":"Inf. Manage."},{"key":"10.1016\/j.jsis.2016.08.005_b0505","doi-asserted-by":"crossref","first-page":"299","DOI":"10.1016\/S0167-4048(03)00406-1","article-title":"A taxonomy for information security technologies","volume":"22","author":"Venter","year":"2003","journal-title":"Comput. Secur."},{"key":"10.1016\/j.jsis.2016.08.005_b0510","doi-asserted-by":"crossref","first-page":"165","DOI":"10.1016\/j.cose.2006.03.004","article-title":"Information security \u2013 the fourth wave","volume":"25","author":"Von Solms","year":"2006","journal-title":"Comput. Secur."},{"key":"10.1016\/j.jsis.2016.08.005_b0515","doi-asserted-by":"crossref","first-page":"191","DOI":"10.1016\/j.cose.2004.01.012","article-title":"Towards information security behavioural compliance","volume":"23","author":"Vroom","year":"2004","journal-title":"Comput. Secur."},{"key":"10.1016\/j.jsis.2016.08.005_b0520","doi-asserted-by":"crossref","first-page":"267","DOI":"10.1057\/ejis.2010.72","article-title":"The influence of the informal social learning environment on information privacy policy compliance efficacy and intention","volume":"20","author":"Warkentin","year":"2011","journal-title":"Eur. J. Inf. Syst. J."},{"key":"10.1016\/j.jsis.2016.08.005_b0525","series-title":"Economy and Society","author":"Weber","year":"1978"},{"key":"10.1016\/j.jsis.2016.08.005_b0530","first-page":"13","article-title":"Analyzing the past to prepare for the future: writing a literature review","volume":"26","author":"Webster","year":"2002","journal-title":"MIS Q."},{"key":"10.1016\/j.jsis.2016.08.005_b0535","series-title":"Computer Security: A Comprehensive Controls Checklist","author":"Wood","year":"1987"},{"key":"10.1016\/j.jsis.2016.08.005_b0540","series-title":"Case Study Research: Design and Methods","author":"Yin","year":"1994"},{"key":"10.1016\/j.jsis.2016.08.005_b0545","doi-asserted-by":"crossref","first-page":"330","DOI":"10.1108\/09685220910993980","article-title":"Impact of perceived technical protection on security behaviors","volume":"17","author":"Zhang","year":"2009","journal-title":"Inf. Manage. Comput. Secur."}],"container-title":["The Journal of Strategic Information Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0963868716301639?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0963868716301639?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2019,9,13]],"date-time":"2019-09-13T08:43:16Z","timestamp":1568364196000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S0963868716301639"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,3]]},"references-count":109,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2017,3]]}},"alternative-id":["S0963868716301639"],"URL":"https:\/\/doi.org\/10.1016\/j.jsis.2016.08.005","relation":{},"ISSN":["0963-8687"],"issn-type":[{"value":"0963-8687","type":"print"}],"subject":[],"published":{"date-parts":[[2017,3]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"Towards analysing the rationale of information security non-compliance: Devising a Value-Based Compliance analysis method","name":"articletitle","label":"Article Title"},{"value":"The Journal of Strategic Information Systems","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.jsis.2016.08.005","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"\u00a9 2016 The Authors. Published by Elsevier B.V.","name":"copyright","label":"Copyright"}]}}