This study used two techniques to ensure people accurately reported attitudes on information security in the workplace. A key finding was those who believed information security to be the responsibility of the organisation felt security risks to be overstated, whereas those who believed information security to be the responsibility of individuals felt warnings over security risks were valid and justified.