Information systems (IS) security breaches cause significant losses to organizations worldwide. Many approaches have been introduced in order to improve employees’ security behavior. Earlier research shows that only seven out of 59 approaches are based on sound theoretical background, and the research in the area of IS security awareness and security behavior has neglected the use of relevant theories of psychology, pedagogy and management. The lack of utilizing theories may have a negative impact on the effectiveness of IS security training and on understanding how to change and improve employees’ security behavior towards compliance to organizational information security policies. In this paper we describe a theoretically grounded approach to IS security training based on constructivism. The approach is empirically validated in a telecommunications company. The results show that the approach has a positive impact on employees’ security behavior.