There can be various reasons why employees do not implement information security requirements. They include a lack of a security culture in the employees' organisation or a failure by its top management to set a good example. However, excessive security requirements can also result in employees dismissing security safeguards. Problems can also arise when certain user rights or certain hardware or software are viewed as status symbols. Restrictions in these areas may meet with significant resistance.