Information Technology (IT) security breaches and the extent of damage they may cause to an organization are inherently uncertain. Therefore, managers’ decisions about whether to make IT security investment (ITSI) and how much, depend upon a subjective assessment of the economic value of the investment and the likelihood of the damage to the organization. When managers delay or fail to decide on whether and how much to invest in IT security, it can make organizations vulnerable to operational and strategic perils. Based upon interviews, document reviews, and observations in three organizations in Finland that made ITSI decisions to acquire a secure email application system, we examined the process through which ITSI decisions were made. Using institutional logics as the theoretical scaffolding, we find that ITSI decisions are driven by more than economic and financial analyses. We find that when stakeholders’ logics conflict with each other’s logics, framing through discourse gives way to a dominant logic, or a hybrid logic which in turn results in an ITSI decision outcome. Trigging events, within or outside the organizations, can lead to iterations of the decision-making process. Using the metaphor of a spiral, we illustrate the repetitive iterations through which institutional logics shape stakeholders’ ITSI decision-making process.