The development of information and communication technologies and networks, and in particular that of the Internet, has gone hand in hand with the emergence of new types of malevolent actions called cyber-crime: viruses, worms, Trojan horses, and the like. While a number of factors make a strong case for governmental action in the area of information security, there are also important limits to what governments can achieve. This review, the first in a series of risk management policy reviews being conducted by the OECD, identifies areas of good practice in Norway's policies for information security, as well as areas where improvements could be made. For areas that could benefit from improvement, it proposes opportunities for action and, when possible, suggests alternatives.