Why there aren’t more information security research studies

Noting a serious lack of empirical research in the area of security risk management (SRM), we proposed a conceptual model based on the study of SRM at the firm level. Although considerable time and effort were expended in attempting to validate the usefulness of the proposed model, we were not successful. We provide here a description of our conceptual model, the methodology designed to test this model, the problems we faced while attempting to test the model, and our suggestions for those who attempt to conduct work in highly sensitive areas.