This paper presents findings of an empirical study of information system (IS) security values adhered to by user managers in a cross section of firms in various industries. Using Keeneyís (1999) value-focused thinking approach, 73 managers were interviewed to identify a set of fundamental and means values that are essential in protecting the information resources of a firm. The findings are used to develop a theoretical framework for conceptualizing individual and organizational issues in managing IS security. The proposed framework will be an appropriate underpinning for the development of an instrument for measuring IS security concerns.