This paper examines user participation in information systems security risk management and its influence in the context of regulatory compliance via a multi-method study at the organizational level.