Information security is a naturally intrusive topic that has not been researched to its full extent in IS. Taking note of a previous information security study that failed and lessons learned from it, we successfully carry out a study of our own with some modifications. The purpose of the study was to successfully identify critical success factors for an effective security risk management program at a Fortune 500 firm. In this paper we detail the modified critical success factor method that was used, which we hope will prove beneficial for academic researchers. The study has practical implications in regard to being able to provide a method that corporations may find suitable when subject is being investigated.