Information security specialists concur that security depends on people more than on technology. Therefore, improving security depends on changing beliefs, attitudes, and behaviors of both individuals and groups. Social psychology contributes to the understanding of how best to work with human predilections and predispositions. In the area of social cognition, schemas represent self-consistent views of reality, but security policies and procedures often conflict with people's schemas. Schemas also influence what individuals perceive and what they remember. Research on counterintuitive information indicates that people's judgments are influenced by the manner in which information is presented. These judgments are easily distorted by the tendency to rely on personal anecdotes, small samples, easily available information, and faulty interpretation of statistical information. Security program implementation must engage not only the rational mind but also people's imaginations and emotions. The psychological distinction between beliefs and attitudes is examined, and techniques of persuasion and attitude change are described.