The development of information and communication technologies and networks, and in particular that of the Internet, has gone hand in hand with the emergence of new types of malevolent actions called cyber-crime: viruses, worms, Trojan horses, and the like. Cyber-crime has considerably evolved over the years to become a real threat to society. Attack tools have become much more sophisticated, new technologies have brought new vulnerabilities, and critical infrastructures have become dependent on the security of information systems and networks. Determining the role governments have to play in order to tackle cyber-criminality, reduce vulnerabilities and achieve an acceptable level of security in information systems and networks is not a straightforward task. To date, the development of information technology and networks has been essentially driven by market forces. While a number of factors make a strong case for governmental action in the area of information security, there are also important limits to what governments can achieve. Government policies, therefore, have to be carefully crafted and take advantage of the substantial body of national and international initiatives undertaken in past years. The review builds on this experience in order to identify areas of good practice among Norway's policies for information security, as well as areas where improvements could be made. With respect to the latter, it proposes opportunities for action and, when possible, suggests alternatives. This is the first country review conducted within the framework of the OECD Futures Project on Risk Management Policies.