Purpose – Information systems security management is a knowledge-intensive activity that currently depends heavily on the experience of security experts. However, the knowledge dimension of IS security management has been neglected, both by research and industry. This paper aims to explore the sources of IS security knowledge and the potential role of an IS security knowledge management system. Design/methodology/approach – The results of this paper are based on field research involving five organizations (public and private) and five security experts and consultants. A model to illustrate the structure of IS security knowledge in an organization is then proposed. Findings – Successful security management largely depends on the involvement of users and other stakeholders in security analysis, design, and implementation, as well as in actively defending the IS. However, most stakeholders lack the required knowledge of IS security issues that would allow them to play an important role in IS security management. Originality/value – In this paper, the knowledge management aspect of IS security management has been highlighted. Moreover, the basic sources of security-related knowledge have been identified and a model of IS security knowledge has been created. Also, the activities to be supported by a security-focused KM system have been identified. Thus, the basis for the development of specialized security KM systems has been set.