In our paper we argue that effective information system (IS) security mainly has to take employees as users into account. We focus on the informal, behavioral level of IS security, discussing individuals’ behavior within an organization and exploring assessments of risks and barriers among a well-chosen sample of IT professionals, decision makers and scientists in German-speaking countries. Among other findings, the results of our empirical study show that it is still the “old threat”, in the sense of employees’ mistakes and careless behavior, that poses the most important danger to information security, regardless of an organization’s size or branch. According to our respondents, behavioral training is needed and is seen as an effective countermeasure. Additionally, strong support for IS security from top management and compliance with the organization’s behavioral guidelines are important factors to be considered.