B. Von Solms. “Information security-the fourth wave”. Computers & Security, 25(3), pp.165-168, 2006.
 A. Beautement, M. A. Sasse and M. Wonham. “The compliance budget: managing security behaviour in organizations”. In Proceedings of the 2008 New Security Paradigms Workshop pp. 47-58. ACM, 2008.
 C. Herley. “So Long, and No Thanks for the Externalities”. In New Security Paradigms Workshop (NSPW), 2009. [OpenAIRE]
 B. Schneier. “Secrets and lies: digital security in a networked world”. Wiley, 2000.
 I. Kirlappos, A. Beautement and M. A. Sasse. “Comply or Die Is Dead: Long live security-aware principal agents.” FC 2013 Workshops, USEC and WAHC 2013, Okinawa, Japan, April 1, pp.70-82, 2013. [OpenAIRE]
 T, Herath and H. R. Rao. "Protection motivation and deterrence: a framework for security policy compliance in organisations." European Journal of Information Systems 18 (2), pp. 106-125, 2009.
 P. Dourish, R. E. Grinter, J. D. De La Flor, and M. Joseph. "Security in the wild: user strategies for managing security as an everyday, practical problem." Personal and Ubiquitous Computing 8, no. 6: 391-401, 2004.
 M. Settle. “Shadow IT: Are you solving the problem or just policing it?” BMC Software, 2013.
 I. Fléchais. “Designing Secure and Usable Systems”. PhD diss., University College London, 2005. [OpenAIRE]
 A. Beautement, R. Coles, J. Griffin, C. Ioannidis, B. Monahan, D. Pym, M. A. Sasse, M. Wonham. “Modelling the Human and Technological Costs and Benefits of USB Memory Stick Security”. In Managing Information Risk and the Economics of Security. pp.141-163. Springer US, 2009.
 H. Fulford and N. F. Doherty. “The application of information security policies in large UK-based organizations: an exploratory investigation”. Information Management & Computer Security 11(3), pp.106-114, 2003. [OpenAIRE]
 F. Björck. “Security Scandinavian style”. PhD diss., Stockholm University, 2001.
 S. Bartsch and M. A. Sasse. “How Users Bypass Access Control - And Why: The Impact Of Authorization Problems On Individuals And The Organization”. ECIS 2013: 53 [OpenAIRE]
 M. G. Morgan, B. Fischhoff., A. Bostrom., and C. J. Atman. “Risk communication: A mental models approach”. Cambridge University Press, 2001.
 C. C. Wood. “An unappreciated reason why information security policies fail”. Computer Fraud & Security, (10), pp. 13-14, 2000.