We argue that most organizations fail to internalize information security policies (ISPs) and only ceremonially adopt them because the adoption decision is generally driven by external legitimization purposes rather than efficiency gains. Based on the data collected from semi structured interviews of senior executives, our preliminary findings reveal that ISPs are not integrated to the existing organizational routines until there is an external jolt such as a security breach. However, given the sudden nature of these jolts, ISPs do not gain internal legitimacy. We propose that after the implementation and before the internalization of ISPs, organizations need to actively integrate ISPs into their existing routines, with the aim of internal legitimization in the eyes of the organizational members.