The authors argue that Information Security Management (ISM) would benefit from studies that examine the social and psychological mechanisms that, when in evidence, generate employee aware¬ness of information security (IS) related issues. Properly instilled, IS awareness has the power to en¬gender a proactive wariness beyond mechanical guidelines, however detailed. To study how awareness travels in com¬plex organisations the authors devise a framework to catch mecha¬nisms grounded in psychological and sociological theories. To illustrate the framework, the authors then turn to an empirical study of a medium-sized company where they sound managers for definitions of IS and ISM; for initiatives intended to influence IS and IS awareness among em¬ployees; and for their views on learning related to IS and ISM. The study highlights the difficulties facing mana¬gers charged with IS matters, whose responsibilities are often considered peripheral by the general em¬ployee. It also provides several pointers how to go about the complex business of aware¬ness-building.