Investments to protect against known vulnerabilities are necessary but not sufficient to assure a firm’s information security. New threats are continuously being designed and deployed to exploit vulnerabilities that defending firms have not yet discovered. Extant literature has identified the advantages for firms of sharing information about vulnerabilities, attacks and damages from breaches. Yet firms are hesitant to share information. I seek to understand that paradox. First, I explicate the relationship between firm IT strategy and risk exposure. Next, I distinguish between known and unknown threats to explain the organizational learning required to manage exposure. Finally, I propose a relationship between risk exposure and security information exchange.