Experience shows that it is not enough to merely impose security safeguards. Employees should know the importance and purpose of the measures; otherwise, they may be ignored in everyday work. If employees are not sufficiently aware of information security issues, their organisation's security culture, security goals, and security strategy may be at risk.