A deficiency exists in the Information Systems Security literature because of the tendency to regard IT threat avoidance and IT security adoption as separate behaviours. In addressing this deficiency, this research in progress focuses on SMEs for several reasons, including their strategic importance globally, the current trend among cybercriminals to conduct more high-volume, low-risk attacks against weaker targets, and the individualistic behavioural patterns in SMEs. Drawing on several well-established behavioural theories, this paper synthesises elements of these theories into a holistic model, with coping theory placed firmly at its centre. This study will make several contributions to the field, initially by creating an empirically validated model for behaviours surrounding both avoidance and preventative actions in small firms, and also by presenting and prioritising a specific view of the external factors influencing how threats are appraised, assessed and dealt with.