In this paper the historically persistent mismatch between the information systems development and security paradigms is revisited. By considering the human activity systems as a point of reference rather than a variable in information systems security, we investigate the necessity for a change in the information systems security agenda, accepting that a viable system would be more user-centric by accommodating and balancing human processes rather then entertaining an expectation of a one sided change of behaviour of the end user. This is done by drawing upon well established information systems methodologies and research.