Information is the life blood of all modern organizations yet the news media continue to report stories of critical information loss. The purpose of information security is to protect valuable assets, such as information, hardware, software and people. The majority of information security specialists believe that promoting good end user behavior and constraining bad end user behavior is an important component of an effective Information Security Management System (ISMS). Implementing effective information security involves understanding security-related risk, then developing and implementing appropriate controls. In general the better employees are at applying the controls the more secure the organization will be, because even the best designed technical controls and procedures will be of limited value if the staff involved do not understand why they have been implemented and what they are accomplishing. Achieving the required level of understanding usually requires more than an annual awareness training initiative and represents a major challenge for most organizations. In fact, for many organizations it will involve a cultural change to ensure the integration of information security concepts into the organizational culture.