This paper evaluates the perceived effectiveness of the security risk management (SRM) programs at two Fortune 500 firms using qualitative and quantitative methods. Layers of management and staff from both firms participated in the study. Perceived effectiveness of their SRM programs was based on nine critical success factors (CSFs). Six initial CSFs (executive management support, organizational maturity, open communication, risk management stakeholders, team member empowerment, and holistic view of an organization) were extracted from organizational role theory. They were confirmed and synthesized with three additional CSFs (security maintenance, corporate security strategy, and human resource development). A survey based on the CSFs was implemented at the two firms. Although both firms are Fortune 500 technology companies, their perceptions of current SRM effectiveness differ significantly.