Users play an important role in the information security performance of organisations by their security awareness and cautious behaviour. Interviews of users at an IT-company and a bank were qualitatively analyzed in order to explore users' experience of information security and their personal role in the information security work. The main patterns of the study were: (1) users state to be motivated for information security work, but do not perform many individual security actions; (2) high information security workload creates a conflict of interest between functionality and information security; and (3) documented requirements of expected information security behaviour and general awareness campaigns have little effect alone on user behaviour and awareness. The users consider a user-involving approach to be much more effective for influencing user awareness and behaviour.

• 出版日期2007-6