A Laboratory Study Designed for Reducing the Gap between Information Security Knowledge and Implementation

Abstract


Companies often know the procedures needed to prevent or mitigate information technology security risks. Yet these companies may not take adequate measures to implement these procedures and instead leave themselves vulnerable to security breaches. Potential reasons for this gap between information security knowledge and implementation are provided, based on interviews with information technology managers at a global automobile sales and marketing company. Four mechanisms to reduce this gap are proposed, along with a new approach to conducting a laboratory experiment that evaluates the effectiveness of these mechanisms, applied independently and in combination.
