Information systems security is a rapidly growing concern for businesses of all sizes. As security threats and incidents become more pervasive and the legal and business stakes for information security increase, understanding an organization's information security practices becomes essential in the security planning and development process. The purpose of this article is to describe the effectiveness of information systems security practices in small and medium enterprises. To date, there is no quantitative or qualitative data within the extant literature describing the state of information systems security practices in small businesses. The data that exists has been produced by commercial organizations with business interests in information systems security consulting or services, such as Deloitte & Touche and Ernst & Young, and by organizations with charter responsibilities in the information security and technology arena, such as the Computer Security Institute. The aim of this study is to contribute to the theoretical understanding of how information systems security should be pursued in small businesses and to provide evidence to assist in the development of policies, programs, and technology in support of information systems security goals in small businesses.