While Internet of Things (IoT) devices have increased in popularity and usage, their users have become more susceptible to cyber-attacks, thus emphasizing the need to manage the resulting security risks. However, existing works reveal research gaps in IoT security risk management frameworks where the IoT architecture – building blocks of the system – are not adequately considered for analysis. Also, security risk management includes complex tasks requiring appropriate training and teaching methods to be applied effectively. To address these points, we first proposed a security risk management framework that captures the IoT architecture perspective as an input to further security risk management activities. We then proposed a hackathon learning model as a practical approach to teach hackathon participants to apply the IoT security risk management framework. To evaluate the benefits of the framework and the hackathon learning model, we conducted an action research study that integrated the hackathon learning model into a cybersecurity course, where students learn how to apply the framework. Our findings show that the IoT-SRM framework was beneficial in guiding students towards IoT security risk management and producing repeatable outcomes. Additionally, the study demonstrated the applicability of the hackathon model and its interventions in supporting the learning of IoT security risk management and applying the proposed framework to real-world scenarios.