This study presents a theoretical model to evaluate the level of information security in an organizational environment, with a focus on the knowledge, attitudes and behaviour of the end user, identifying the level and origin of the gap between the information security guidelines laid down by the company and the actual practices of its internal staff, third-party partners and suppliers. The model is designed to assist in meeting the objectives and policies set by senior management for the management of information security, and contributes to maintaining an effective training program and to raising awareness of information security.