Research on the effects of IT security warning messages has increased in the last several years. Most studies empirically examining such warning messages chiefly focus on warning content and/or aesthetics and their effects on attention and/or behavior. Many of these studies cite the Communication-Human Information Processing (C-HIP) model as a foundation, yet this model includes other important and under-researched constructs, including perceptions of the source of a message, comprehension of a message, attitudes and beliefs, and fear. In this study, we performed a comprehensive literature review of empirically published studies on IT security warning messages. We propose a comprehensive theoretical model that entails both C-HIP and Protection Motivation Theory. We then categorize our catalog of IT security warning message research papers according to which propositions in our model have been previously studied. We focus specifically in this paper on those under-researched areas that provide opportunities for future research.