In recent times, it has become evident that information security is not achieved through technology alone. Rather, it depends on a complex interplay among technology, organizational and managerial issues, and events in the external environment. Senior management attention, training, and sound operating procedures are just as important as firewalls and virtual private networks in arriving at a robust security posture. In this paper, we represent the interactions among these technical and organizational drivers using the system dynamics methodology, to develop a high level model of organizational information security. Since the basic system dynamics construct is the feedback loop, our model is able to expose the counteracting mechanics that work to reinforce and erode security, respectively. By doing so, it can inform the process of crafting an appropriate level of security—a problem facing most organizations. Since the model is based on simulation, it is also possible to test what-if scenarios of how the security posture of the organization would fare under different levels of external threats and management policies.