Despite the development of advanced technical devices and procedures, the information held in computer systems remains vulnerable to attack and/or inadvertent mishandling, resulting in security breaches. Increasingly, researchers and practitioners are recognising that information security is not merely a technical issue, but is heavily influenced by social and cultural factors. This paper argues that post-cognitivist approaches to human-computer interaction, which focus on situated reasoning and the contextual, relational aspects of computer-mediated activities and interactions, provide a promising set of concepts with which to explore non-technical users’ everyday security practices and beliefs. We review the limited research that has been conducted in this area, focussing on the relationship between security and users’ more immediate ‘real’ work, and on their perceptions of risk, and show how it is compatible with post-cognitivist understandings. We conclude by outlining some further areas for research.