Ongoing field work centered at the Information Technology Process Institute (ITPI) is finding that change and access controls simultaneously reduce security risk and increase the efficiency and effectiveness of information technology (IT) management and operations. The CERTŪ Coordination Center is building on this work. This paper describes a system dynamics model that embodies our current hypothesis of why and how these controls reduce the problematic behavior of the low-performing IT operation. We have also started to extend the model in ways that reflect the improved performance seen by high performers. In the longer term, we hope this model will help to understand, specify, and justify a prescriptive process for integrating change and access controls into their business processes in a way that most effectively reduces security risk and increases IT operational effectiveness and efficiency.