Aligned with the strategy-as-practice research tradition, this paper investigates how organisational insiders understand and perceive their surrounding information security practices, how they interpret them, and how they turn such interpretations into strategic actions. The study takes a qualitative case study approach, and participants are employees at the Research & Development department of a multinational original brand manufacturer. The paper makes an important contribution to organisational information security management. It addresses the behaviour of organisational insidersa group whose role in the prevention, response and mitigation of information security incidents is critical. The paper identifies a set of organisational insiders' perceived components of effective information security practices (organisational mission statement; common understanding of information security; awareness of threats; knowledge of information security incidents, routines and policy; relationships between employees; circulation of stories; role of punishment provisions; and training), based on which more successful information security strategies can be developed.