A theoretical framework and research strategy is proposed to gain insight into perceptions and decisions as to how SMBs make decisions regarding cybersecurity hygiene measures, which could lead to betterinformed decisions regarding insurance as part of an ISA program, as well as have a bearing on policy structures and pricing for such insurance. This is because the definition of “cybersecurity hygiene habits”(CHH) as a task appears to vary within the industry and makes the practice hard to measure and evaluate. Research suggests that there may be a poorly understood connection between CHHs undertaken by organizations and their perceptions and/or adoption of cybersecurity insurance as well, thus leading to gaps or holes within business security perimeters. Homeostatic Risk Theory (HRT) has been observed in other venues in which the use of risk mitigation measures (including insurance) leads to more risky behavior; this may have a bearing on why so many organizations, particularly Small and Medium Businesses (SMBs) are very slow to adopt Information Security Assurance (ISA) measures at all or do so minimally. This paper presents a theoretical framework and proposed research, which will provide greater clarity on these issues while highlighting areas where further research is required.