IT security has become a major issue for organizations as they need to protect their assets, including IT resources, intellectual property and business processes, against security attacks. Disruptions of IT-based business activities can easily lead to economic damage, such as loss of productivity, revenue and reputation. \ \ Organizations need to decide (1) which assets need which level of protection, (2) which technical,managerial and organizational security countermeasures lead to this protection and (3) how much should be spent on which countermeasure in the presence of budget constraints. Answering these questions requires both making IT security investment decisions and evaluating the effectiveness and efficiency of these decisions. \ \ The literature has contributed to this field adopting approaches from micro-economics, finance and management, among others. However, the literature is rather fragmented and lacks a shared theoretical basis. As a consequence, it remains partly open what we can learn from past research and how we can \ direct and stimulate still missing research activities. \ \ In order to address these deficiencies, we draw on the resource-based view (RBV) and provide a theoretical model for IT security investments. We use this RBV model to review the IT security investment literature and to identify research gaps.