Social action theory for understanding information security non-compliance in hospitals: The importance of user rationale
Örebro University, Sweden.
Örebro University, Sweden.
Örebro University, Sweden.
2013 (English). In: Information Management & Computer Security, ISSN 0968-5227, Vol. 21, no 4, 266-287 p. Article in journal (Refereed) Published
Abstract [en]

Purpose – Employees' compliance with information security policies is considered an essential component of information security management. The research aims to illustrate the usefulness of social action theory (SAT) for management of information security.

Design/methodology/approach – This research was carried out as a longitudinal case study at a Swedish hospital. Data were collected using a combination of interviews, information security documents, and observations. Data were analysed using a combination of a value-based compliance model and the taxonomy laid out in SAT to determine user rationality.

Findings – The paper argues that management of information security and design of countermeasures should be based on an understanding of users' rationale covering both intentional and unintentional non-compliance. The findings are presented in propositions with practical and theoretical implications: P1. Employees' non-compliance is predominantly based on means-end calculations and based on a practical rationality, P2. An information security investigation of employees' rationality should not be based on an a priori assumption about user intent, P3. Information security management and choice of countermeasures should be based on an understanding of the use rationale, and P4. Countermeasures should target intentional as well as unintentional non-compliance.

Originality/value – This work is an extension of Hedström et al. arguing for the importance of addressing user rationale for successful management of information security. The presented propositions can form a basis for information security management, making the objectives underlying the study presented in Hedström et al. more clear.

Place, publisher, year, edition, pages
Emerald Group Publishing Limited, 2013. Vol. 21, no 4, 266-287 p.
Keyword [en]
Compliance, Information security, Social action theory, User behaviour, User rationale
National Category
Information Systems, Social aspects
URN: urn:nbn:se:liu:diva-100228
DOI: 10.1108/IMCS-08-2012-0043
OAI: diva2:661019
Available from: 2013-10-31 Created: 2013-10-31 Last updated: 2013-12-19 Bibliographically approved

By author/editor
Hedström, Karin