Historically, computer security has its roots in the military domain, with its hierarchical structures and clear, normative rules that are expected to be obeyed (Adams & Sasse, 1999). The technical expertise needed to administer most security tools dates back to a time when security was a matter for trained system administrators and expert users. Companies and institutions invest a considerable amount of money and expertise in setting up and maintaining powerful security infrastructures. However, in many cases it is the user’s behavior that enables security breaches rather than shortcomings of the technology. This has led to the notion of the user as the weakest link in the chain (Schneier, 2000), implying that the user, rather than the technology, was to blame. The engineer’s attitude toward the fallible human, and the disregard of the fact that technology’s primary goal is to serve humans, turned out to be hard to overcome (Sasse, Brostoff, & Weirich, 2001).