This study aims to explore the types of information can be effectively communicated in three knowledge-sharing methods and their impact on employees’ security practice. On one end, guarding the organisation’s information system against cyber-attacks is critical and improving users’ knowledge and skills is a common approach to any security program. On the other end, organisations lack a clear understanding in determining what types of security information should be delivered through various methods of communication to be effective in boosting users’ knowledge and compliance behaviour. The study employed a qualitative method using semi-structured interviews with business users in Vietnam. The initial findings indicate a single method of knowledge and skill development is not sufficient to assist users to deal with complex and constant changing security needs. It is necessary to further experiment methods of encouraging formal and peer knowledge sharing that can support individual effort in complying with security policies.