This paper reviews the IS security literature for the period 1990-2004. More specifically three security

journals and the top twenty IS journals were examined. In total 1280 IS security papers were analysed in

terms of theories, research methods and research topics. Our research found that 1043 of the papers

contained no theory. In addition, almost 1000 of the papers were categorized as ‘subjectiveargumentative’ in terms of methodology, with field experiments, surveys, case studies and action research

accounting for less that 10% (8.10%) of all the papers. Fifty nine research topics were identified with

fourteen of these topics totaling 71.05% of the articles.

This papers offers implications for future research directions on IS security, scholars to publish IS

security research, tenure practice, and IS security classification schemas.