Every organization is concerned with information security nowadays. In some organizations (e.g. high reliability organizations like aviation), the core business is to provide safety and security. In most organizations, however, security is only one goal among many. If an organization’s main goals compete with security goals, employees have to walk a fine line to perform well in their jobs without breaching security too much. Sommestad et al. (2014) conducted a review of more than a hundred publications, containing a total of 29 studies dealing with employee information security policy compliance. Although several of the examined variables like perceived behavioral control, perceived justice of punishment, threat appraisal or normative beliefs seem to explain employee security policy compliance to some extent, no ‘clear winner’ could be identified. Furthermore, predictive power of some constructs differed considerably between the individual studies (for example, effect sizes for the influence of attitude towards compliance on the intention to comply ranged from β=۰٫۱۵ to β=۰٫۶۴). However, none of the studies focused explicitly on the subject of conflicting goals. To close this gap, we conducted a survey with a diverse sample of German employees to further investigate the implications of conflicting (security and productivity) goals. Furthermore, we included the employees’ evaluation of security policies, organizational culture, top management participation in security promotion and affective commitment to the organization, as these factors seem to influence security compliance (e.g. Sommestad et al., 2014). The results of this survey imply that productivity goals indeed hinder secure behavior in organizations. Therefore, we developed a concept to include information security goals into the goal setting process in organizations. To investigate this concept, we evaluated it in three small to medium-sized organizations (SMEs). The results indicate our concept is actionable in practice, when certain preconditions are met. In particular, the results of our study point out aspects which should receive special attention when implementing our concept in practice The remainder of this paper is organized as follows: The second section provides the theoretical background for the explanation of security compliance behavior as well as the survey hypotheses and the third section describes the survey. Section four then introduces our concept for security goal setting in organizations. Section five describes the study performed to evaluate the concept. Section six summarizes and concludes.