Considerable evidence has come to light that information systems are vulnerable to dangerously high and persistent abuse and that managers perceive this threat to be high. The organizational response to abusive potential has been to implement a computer security administrative unit with the charge of deterring and preventing computer abuse. Exactly how effective are the countermeasures employed by these units? This victimization survey of 1,211 randomly selected DPMA organizations has determined that computer abuse can be controlled through a set of deterrent administrative procedures and through preventive security software. Understanding these relationships should greatly assist IS managers in allocating resources to the security function and in disseminating this pertinent information to top management.