“…Although these approaches touch on human components such as awareness and training, they do not focus on the employee or on how to direct, measure and change his/her behaviour. A number of research projects on information security focus on the human component, for instance information security awareness (Puhakainen, 2006;Kruger and Kearney, 2006), insider computer crime (Cardinali, 1995) and information security policy obedience (Vroom and Von Solms, 2004;Siponen et al, 2007). All are aimed at minimising the threat that user behaviour poses to the protection of information assets.…”