Small and medium-sized enterprises (SME) represent more than 95 percent of all businesses worldwide, yet organizational IT security research has largely neglected SME or superimposed certain theoretical assumptions that are not necessarily applicable in