This research sought to shed light on information systems security (ISS) by conceptualizing an organization's use of countermeasures using general deterrence theory, positing a non-recursive relationship between threats and countermeasures, and by extending the ISS construct developed in prior research. Industry affiliation and organizational size are considered in terms of differences in threats that firms face, the different countermeasures in use by various firms, and ultimately, how a firm's ISS effectiveness is affected. Six information systems professionals were interviewed in order to develop the appropriate instruments necessary to assess the research model put forth; the final instrument was further refined by pilot testing with the intent of further clarifying the wording and layout of the instrument. Finally, the Association of Information Technology Professionals was surveyed using an online survey. The model was assessed using SmartPLS and a two-stage least squares analysis. Results indicate that a non-recursive relationship does indeed exist between threats and countermeasures and that countermeasures can be used to effectively frame an organization's use of countermeasures. Implications for practitioners include the ability to target the use of certain countermeasures to have desired effects on both ISS effectiveness and future threats. Additionally, the model put forth in this research …