How long could an organization survive without its information systems working efficiently? Frequent changes of the systems to protect, significant delays between efforts and results, the large amount of involved variables and the difficulty to measure some of them make security management a challenge for current companies. Simulation models provide a virtual environment that can help analysing the dynamic balance between the affected key factors. These key factors include technical controls (Software and hardware elements to protect the system), formal controls (Procedures for guaranteeing an efficient use of technical controls) and security culture (Human factors that affect the compliance of the designed procedures).This paper presents a real modelling process, involving a university team and two companies. The paper includes information about the used methodology, the process and the preliminary results of the obtained model. This process has allowed concluding that the obtained benefits are very promising.