The study is the first step in trying to highlight effective approaches and strategies that might help organizations achieve good information security by looking at success factors for implementation. The dissertation focused on human factors by looking at what concerns employees about information security. It explored the importance of information security policy in organizations, and employees' attitudes to compliance with organizations' policies. The research was divided into four stages, each developed in light of the results from the previous one. The first two stages were conducted in the Sultanate of Oman, in order to use a population that had just started out in the information security area. The third stage was conducted in the UK at Glasgow University, because employees there are somewhat familiar with the idea of information security. The fourth stage takes the findings of the three studies and brings them together to give recommendations about how to formulate a security policy to encourage compliance and therefore reduce security threats.