The importance of information security risk management (ISRM) and its potential strategic role in protecting organisational information assets is widely studied in literature. Less attention is given to how ISRM can be enhanced using security analytics to contribute to a competitive advantage. This paper proposes a model showing that security analytics capabilities (the ability to effectively use security data for informed security related decision making) and ISRM capabilities (the ability to effectively identify and protect organizational information assets) indirectly influence competitive advantage in ISRM through two key mediating links: analytics-enabled ISRM capabilities (the ability to effectively leverage insights gleaned from security data to make informed ISRM decisions) and ISRM dynamic capabilities (the ability to reconfigure analytics-enabled ISRM capabilities to address turbulent environments). Environmental turbulence moderates the process by which security analytics and ISRM capabilities influence competitive advantage. The paper concludes by calling for evaluation and refinement of the research model.