The author analyzes the roles of the human factor in guaranteeing information security and ways to influence personnel to accept changes in organizational rules and habits. Trends in attitudes toward computer crimes are outlined. The article focuses on information security policy and staff responsibilities. The main roles of management in changing organizational culture are to support, to facilitate and to control the stages of information security programs. Particular emphasis is placed on risk assessment and staff security. The primary goals of management are to establish responsibilities and rules for the protection of information in order to prevent loss or misuse of information; to establish responsibilities and accountability for information resources; to ensure confidentiality requirements for information resources; to establish a basis for security procedures and to organize educational programs; and to protect management options in case of loss or misuse of information resources. We need further efforts in ethical education and in creating and establishing modern professional ethical codes, especially for staff using IT, but based on good old human values.