The swiftness and considerable political impact of the widespread conceptualisation of IT as a security problem makes it a particularly fruitful case for analysing threat politics – how and why some threat images but not others end up on the political agenda. A conceptual framework combining theories of framing, securitisation, agenda setting and policy diffusion is developed, which is applied to the case of IT security policy in Sweden. The analysis emphasises the impact of the end of the Cold War, the uncertainty following the breakthrough of the information age, the tradition of focusing on information and technological development in military affairs, the adaptability to ‘widened security thinking’ within the military-bureaucratic establishment, and the lack of opposition to the securitisation of IT.