“…However, given the very topic being security, firms are reluctant to disclose their choices of practices, their level, and performance implications because they do not want others (especially offenders) to know what actions/practices they undertake and they do not want to suffer any adverse effects on their insurance premiums, reputation, and public image. Despite the continuous call for more empirical validation (Williams et al., ; Cigolini, Pero, & Sianesi, ), the effect of security related practices on security performance is still understudied (Williams, Lueg, Goffnett, LeMay, & Cook, ; Ni, Melnyk, Ritchie, & Flynn, ). Similarly, Hu, Hart, and Cooke () state that one of the major hurdles in conducting empirical research on information systems security “is acquiring access to organizations and individuals who are willing to discuss information which is understandably sensitive.…”