Skip to main content

Social action theory for understanding information security non-compliance in hospitals: The importance of user rationale

Buy Article:

$54.08 plus tax (Refund Policy)


Purpose ‐ Employees' compliance with information security policies is considered an essential component of information security management. The research aims to illustrate the usefulness of social action theory (SAT) for management of information security. Design/methodology/approach ‐ This research was carried out as a longitudinal case study at a Swedish hospital. Data were collected using a combination of interviews, information security documents, and observations. Data were analysed using a combination of a value-based compliance model and the taxonomy laid out in SAT to determine user rationality. Findings ‐ The paper argues that management of information security and design of countermeasures should be based on an understanding of users' rationale covering both intentional and unintentional non-compliance. The findings are presented in propositions with practical and theoretical implications: P1. Employees' non-compliance is predominantly based on means-end calculations and based on a practical rationality, P2. An information security investigation of employees' rationality should not be based on an a priori assumption about user intent, P3. Information security management and choice of countermeasures should be based on an understanding of the use rationale, and P4. Countermeasures should target intentional as well as unintentional non-compliance. Originality/value ‐ This work is an extension of Hedström et al. arguing for the importance of addressing user rationale for successful management of information security. The presented propositions can form a basis for information security management, making the objectives underlying the study presented in Hedström et al. more clear.

Keywords: Compliance; Information security; Social action theory; User behaviour; User rationale

Document Type: Research Article


Publication date: October 4, 2013

Access Key

Free Content
Free content
New Content
New content
Open Access Content
Open access content
Partial Open Access Content
Partial Open access content
Subscribed Content
Subscribed content
Free Trial Content
Free trial content
Cookie Policy
Cookie Policy
Ingenta Connect website makes use of cookies so as to keep track of data that you have filled in. I am Happy with this Find out more