ABSTRACT
Information security professionals through the years have long sought support in enforcing the
information security policies of their companies. The support they have received has usually come
from internal or external audit and has had limited success in influencing the individuals who make up
the bulk of the user community. Internal and external auditors have their own agendas and do not usually
consider themselves prime candidates for the enforcement role.