Information security is a management problem, not a technology one. Experience indicates that technology cannot provide all the answers to the problems posed by people in the context of information security management (ISM). Although many different frameworks and guidelines have been proposed by researchers, practitioners, consultants, government and organizations, current information security objectives and practices are inconsistent or misleading to practitioners. Concepts in the field of ISM are largely based on case studies, anecdotal evidence and the prescription of industry "leaders". There is little consensus on which security objectives should be achieved, which factors are critical to achieve successful security initiatives, and what is the relationship between best practices and objectives. To help practitioners effectively achieve their information security goals, this study aims to answer these questions.