The infrastructures and services related to information and telecommunications are crucial constitutive elements of our society. These elements require not only ICT security but also confidence in that security. This paper explores at a macroscopic and integrated level the main challenges, obstacles and constitutive elements that contribute to building confidence in information security. The aims of this paper are to identify some key technological elements and impacts that drive the development of information security from a long-term risk management perspective, point out the complexities in applying security to vulnerable ICT environments, clarify the need to master indicators and methodologies that contribute to identifying and applying good risk and security management practices and confidence in these, show how legislation can contribute to limiting or enhancing information security effectiveness, analyse the relationships, differences and interactions between security, confidence and compliance, and discuss how the audit process and the input of auditors can help in building confidence.