Annual Symposium on Information Assurance >> ASIA

Organizational Power and Information Security Implementation
Jon Blue¹ and Gurpreet Dhillon²
¹ University of Delaware
² Virginia Commonwealth University

The purpose of this paper is to show how the implementation of information systems security policies in an organization can be improved by applying a power exercise model. It argues that stakeholders’ awareness of the power being exercised by the policy enforcers affects the success of the policy implementation. The model is developed by adapting and extending a power exercise framework presented by Markus and Bjørn-Andersen [20]. The information systems security policy model is applied to the introduction of, and compliance with, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) at HealthCo Systems, a non-profit health care organization in a major United States city.

See the ASIA ‘09 Proceedings for the complete papers...