Horne et al. Theory on InfoSec Pilot Study Proceedings of the 14th Pre-ICIS Workshop on Information Security and Privacy, Munich, December 15, 2019. 1 A Theory on Information Security: A Pilot Study Craig A. Horne 1 School of Computing and Information Systems, The University of Melbourne, Parkville, Victoria, Australia Sean B. Maynard School of Computing and Information Systems, The University of Melbourne, Parkville, Victoria, Australia Atif Ahmad School of Computing and Information Systems, The University of Melbourne, Parkville, Victoria, Australia ABSTRACT This paper 2 extends a proposed theory on information security using pilot data to further refine and elaborate. We argue that the goal of information security is imperfectly understood and aim to bring about an altered understanding of why efforts are made to engage in information security. The goal of information security is widely recognized as the confidentiality, integrity and availability of information however we argue that the goal is actually to create business resources. This paper responds to calls for more theory in information systems and challenges our thinking. In a phenomenological grounded theory study, this paper identifies the core concepts of information security, and describes the relationships between these concepts. The paper provides the theoretical base for understanding why information is protected, in addition to theoretical and practical implications, and future research suggestions. Keywords: Information security, resources, controls, threats, theory development. 1 Corresponding author. hornec@unimelb.edu.au +61 3 8344 1573 2 An earlier version of this paper without data was published in proceedings at Australasian Conference on Information Systems 2016, see: Horne, C.A., Ahmad, A., and Maynard, S.B. 2016. "A Theory on Information Security," The 27th Australasian Conference on Information Systems, Wollongong, Australia.