This paper offers a framework for information security professionals to evaluate ISP and understand policy non-adherence. It explores the different types of non-adhering behaviors and the motivations behind them. It goes on to share information about the environmental/organizational climates in which non-compliant behaviors are more or less likely to occur and briefly touches on when users are more likely to commit them. Finally, it suggests a user review process as a critical part of information security policy design and implementation.