Drawing on the extant literature on information security and neo-institutional theory, we develop and test a theoretical model to investigate the antecedents and consequences of the establishment of information security knowledge sharing (ISKS) in organizations. The model was tested using survey data from 403 top managers, who are aware of information security policies of their organizations. Our results suggest that external information security knowledge resources find their way into the organization by normative, mimetic, and coercive means, but much of their influence on ISKS practices are mediated by ISKS beliefs held by top management. Results highlight that firms face uncertainty in their ISKS practices and find themselves simply mirroring the practices of their peers without a real understanding of how that approach fits their organization’s capacity for ISKS. Our findings emphasize the importance of ISKS practices for ensuring security compliance and the establishment and proliferation of an effective security culture.