This article describes an empirical investigation of the relationship between what is known about information security incidents that have occurred within an organisation and the perception of information risk. Information security incident awareness takes into account an estimate of the frequency of incidents that occurred in the past as well as the magnitude of the impairment they caused to information assets. Information risk perception relies on a subjective assessment of the expected frequency of a specified type of incident with a potentially adverse effect on information resources, together with the expected magnitude of the resulting future loss. Survey instruments were distributed to the information security managers of 101 Italian companies, and data were collected through telephone interviews. Hypotheses about the influence of two awareness factors (namely, information security incident reporting and the existence of an information security policy) on the risk perceived by information security managers are formulated and tested using ANOVA techniques.
Keywords: security incident awareness, information risk perception, information security managers, IS manager, Italy, technology management