This paper extends a proposed theory on information security using pilot data to further refine and elaborate. We argue that the goal of information security is imperfectly understood and aim to bring about an altered understanding of why efforts are made to engage in information security. The goal of information security is widely recognized as the confidentiality, integrity and availability of information however we argue that the goal is actually to create business resources. This paper responds to calls for more theory in information systems and challenges our thinking. In a phenomenological grounded theory study, this paper identifies the core concepts of information security, and describes the relationships between these concepts. The paper provides the theoretical base for understanding why information is protected, in addition to theoretical and practical implications, and future research suggestions.