Sensitive company information can leak to unauthorized parties in case employees do not perform effective protective measures while using application systems for their day-to-day tasks. To reduce the risks for such information leakage incidents, many companies require their employees to follow information systems (IS) security policies and promote awareness programs to increase IS security awareness. The design of effective IS security awareness approaches is addressed by existing research. However, understanding how environmental and organizational factors influence organizations individuals’ IS security awareness is limited. Using grounded theory as qualitative research approach we collect empirical data from 22 informants. The interview data of company outsiders and company insiders is analyzed to identify contextual factors and explain associations among them. Our stated propositions help to understand why individuals in one organization are well aware of IS security threats and policies, while another organization’s individuals have a lower level of IS security awareness.