An understanding of ‘communities of practice’ can help to make sense of existing security and privacy issues within organizations; the same understanding can be used proactively to help bridge the gap between organizational and end-user perspectives on these matters. Findings from two studies within the health domain reveal contrasting perspectives on the ‘enemy within’ approach to organizational security. Ethnographic evaluations involving in-depth interviews, focus groups and observations with 93 participants (clinical staff, managers, library staff and IT department members) were conducted in two hospitals. All of the data was analysed using the social science methodology ‘grounded theory’. In one hospital, a community and user-centred approach to the development of an organizational privacy and security application produced a new communication medium that improved corporate awareness across the organization. User involvement in the development of this application increased the perceived importance, for the designers, of application usability, quality and aesthetics. However, other initiatives within this organization produced clashes with informal working practices and communities of practice. Within the second hospital, poor communication from IT about security mechanisms resulted in their misuse by some employees, who viewed them as a socially controlling force. Authentication mechanisms were used to socially exclude users who were formally authorized to access systems but whose access was unacceptable within some local communities of practice. The importance of users’ security awareness and control are reviewed within the context of communities of practice.