Abstract
Users play an important role in the information security performance of organisations through their security awareness and cautious behaviour. Interviews of users at an IT company and a bank were qualitatively analyzed in order to explore users' experience of information security and their personal role in the information security work. The main patterns of the study were: (1) users state that they are motivated for information security work, but do not perform many individual security actions; (2) high information security workload creates a conflict of interest between functionality and information security; and (3) documented requirements of expected information security behaviour and general awareness campaigns have little effect alone on user behaviour and awareness. The users consider a user-involving approach to be much more effective for influencing user awareness and behaviour.