This study proposes a new framework to help organisations nurture a culture of information security. The framework consists of factors known to affect security behaviour, such as: management; risk assessment; policies; education; and conduct, among others.