Information Systems are a key factor for firmsí competitiveness. Thus, their efficient management has become a key concern and security management one of the most relevant issues. An empirical study has been developed to determine the characteristics of security management within Small and Medium sized Enterprises (SMEs). A summary of the main data from this study is presented. The results of this study have showed that the evolution of security management within firms has evolved through similar patterns of behaviour. Some phases have been defined to explain the evolution of security management within SMEs. The defined phases are: Growth, Integration, Formalization and Involvement. To explain these phases causal loop diagrams and behaviour over time graphs have been used. Both elements help to more accurately understand the mental models of the people in charge of managing the security of information systems.