&. Ernst and . Young, Moving beyond compliance, Global Information Security survey, 2008.

A. Mattia and G. Dhillon, Applying double loop learning to interpret implications for information systems security design, SMC'03 Conference Proceedings. 2003 IEEE International Conference on Systems, Man and Cybernetics. Conference Theme, System Security and Assurance (Cat. No.03CH37483), 2003.
DOI : 10.1109/ICSMC.2003.1244262

M. Lapke and G. Dhillon, Power relationships in information systems security policy formulation and implementation, the 16th Annual European Conference on Information Systems (ECIS), 2008.

S. Mishra and G. Dhillon, Information systems security governance research: a behavioral perspective, the 1st Annual Symposium on Information Assurance, academic track of 9th annual NYS cyber security conference, 2006.

K. L. Thomson, Information Security Conscience: a precondition to an Information Security Culture, 8th Annual Security Conference, pp.15-16, 2009.

S. Ramachandran, V. S. Rao, and T. Goles, Information Security Cultures of Four Professions: A Comparative Study, Proceedings of the 41st Annual Hawaii International Conference on System Sciences (HICSS 2008), 2008.
DOI : 10.1109/HICSS.2008.201

A. B. Ruighaver, S. B. Maynard, and S. Chang, Organisational security culture: Extending the end-user perspective, Computers & Security, vol.26, issue.1, pp.56-62, 2007.
DOI : 10.1016/j.cose.2006.10.008

R. Von-solms and B. Von-solms, From policies to culture, Computers & Security, vol.23, issue.4, pp.275-279, 2004.
DOI : 10.1016/j.cose.2004.01.013

E. Albrechtsen and J. Hovden, The information security digital divide between information security managers and users, Computers & Security, vol.28, issue.6, pp.476-490, 2009.
DOI : 10.1016/j.cose.2009.01.003

K. Hedström, E. Kolkowska, F. Karlsson, J. Allan, and P. , Value conflicts for information security management, The Journal of Strategic Information Systems, vol.20, issue.4, pp.373-384, 2011.
DOI : 10.1016/j.jsis.2011.06.001

E. Vast, Danger is in the eye of the beholders: Social representations of Information Systems security in healthcare, The Journal of Strategic Information Systems, vol.16, issue.2, pp.130-152, 2007.
DOI : 10.1016/j.jsis.2007.05.003

R. Baskerville and M. Siponen, An information security meta???policy for emergent organizations, Logistics Information Management, vol.15, issue.5/6, pp.337-346, 2002.
DOI : 10.1108/09685229610126940

M. Siponen and R. Wilson, Information security management standards: Problems and solutions, Information & Management, vol.46, issue.5, pp.267-270, 2009.
DOI : 10.1016/j.im.2008.12.007

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.624.7089

C. Vroom and R. Von-solms, Towards information security behavioural compliance, Computers & Security, vol.23, issue.3, pp.191-198, 2004.
DOI : 10.1016/j.cose.2004.01.012

K. L. Thomson, R. Von-solms, and L. Louw, Cultivating an organizational information security culture, Computer Fraud & Security, vol.2006, issue.10, pp.7-11, 2006.
DOI : 10.1016/S1361-3723(06)70430-4

M. Siponen, A conceptual foundation for organizational information security awareness, Information Management & Computer Security, vol.8, issue.1, pp.31-41, 2000.
DOI : 10.1057/ejis.1992.2

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.195.5335

S. M. Furnell, M. Gennatou, and P. S. Dowland, A prototype tool for information security awareness and training, Logistics Information Management, vol.15, issue.5/6, pp.352-357, 2002.
DOI : 10.1108/09576050210447037

E. Kolkowska, A Value Perspective on Information System Security -Exploring IS security objectives, problems and value conflicts, 2009.

R. Sasaki, T. Hidaka, M. Moriya, H. Taniyama, K. Yajima et al., Development and applications of a multiple risk communicator, Risk Analysis VI, pp.241-249, 2008.
DOI : 10.2495/RISK080251

E. Mumford, Values, Technology and Work, 1981.
DOI : 10.1007/3-540-08934-9_76

E. Schein, The corporate culture survival guide, 1999.

G. Dhillon, Principles of information systems security: text and cases, 2007.

M. D. Myers, Qualitative research in business & management, 2009.

J. Lagsten, Utvärdera Informationssystem: Pragmatiskt perspektiv och metod, 2009.

D. Silverman, Interpreting qualitative data. Methods for analyzing talk, text and interaction, Sage, 2001.

E. Kolkowska, Lack of compliance with IS security rules: value conflicts in Social Services in Sweden, 8^th Annual Security Conference 15-16 April, 2009.

R. Lamb and R. Kling, Reconceptualizing users as social actors in information systems research, MIS Quarterly, vol.27, issue.2, pp.197-235, 2003.

K. Hedström, G. Dhillon, and F. Karlsson, Using Actor Network Theory to Understand Information Security Management, the 25th Annual IFIP TC, pp.20-23, 2010.
DOI : 10.1007/978-0-387-34872-8_16

D. Straub and W. Nance, Discovering and Disciplining Computer Abuse in Organizations: A Field Study, MIS Quarterly, vol.14, issue.1, pp.45-60, 1990.
DOI : 10.2307/249307

A. Kankanhalli, H. H. Teo, B. C. Tan, and K. K. Wei, An integrative study of information systems security effectiveness, International Journal of Information Management, vol.23, issue.2, pp.139-154, 2003.
DOI : 10.1016/S0268-4012(02)00105-6

M. Siponen, An analysis of the traditional IS security approaches: implications for research and practice, European Journal of Information Systems, vol.6, issue.3, pp.303-315, 2005.
DOI : 10.1287/isre.6.4.376