With the significant growth and high business dependency on cyber space nowadays, organizations are exposed to dangers such as attacks coming from Internet than ever before. The existence of this actual issue alerts organizations to develop and always use up to date cyber security measures. The current trends indicate that most vulnerable organizations to cyber-attacks are small and medium enterprises (SMEs). According to previous studies the primary reason for this occurrence is SMEs’ lack of investment in cyber security. However, this study considers that there are additional contributors for SMEs being more often cyber-attacked than large enterprises. In order to understand these additional contributors a theoretical framework has been developed that considers cyber security from three aspects: organizational, technological and psychological. The organizational aspect presupposes that the ones who create cyber security measures are exposed to unclear and undefined decision processes and rights that lead to system vulnerabilities. The technological aspect focuses on disclosing IT professionals’ failure in their organizations to meet foundational technological measures, such as the existence of Internet firewall, logs of system events, existence of hardware and software inventory list, data backup, antivirus software and password rules. Lastly, the psychological aspect, explains how guilt and shame affect counterproductive work behavior and therefore influence the cyber security decisions made by IT professionals. The collected data analysis, that is based on interviews with IT professionals across 6 organizations in Republic of Slovakia, show that cyber-security is yet to be developed among SMEs and it is an issue that must not be taken lightly. Results show that the IT professionals in these organizations need to strengthen and develop their security thinking and to bring their awareness to a higher level, in order to decrease the vulnerability of informational assets among SMEs. It is believed that a perspective on understanding decision-making processes upon the cyber security measures by IT professionals in SMEs may bring a theoretical redirection in the literature, as well as an important feedback to practice.