Security seems excessive or unnecessary

Many users underestimate the value of the data they work with, and will continue to do so unless given specific feedback [Adams and Sasse, 1999]. Some documents, for example, may seem inconsequential or even obvious, yet contain sensitive data that is not known outside a company.

A user who rightly perceives that they have no access to sensitive files could still be wrong about whether they are a target for an intruder. Even a lower-privileged account can be used as a stepping stone to gain access to more sensitive data. Even when users realize that their own account is vulnerable, they often do not know how this could affect the entire system. Users underestimate their role in security. Adams and Sasse found that many users felt that, since they were unimportant, they would never be targeted; in reality, an attacker may not necessarily target specific individuals but rather try to get into any account [Adams and Sasse, 1999].

