Investigating effects of security incident awareness on information risk perception
VOLPENTESTA, Antonio Palmiro; AMMIRATO, Salvatore; PALMIERI, Roberto
2011-01-01
Abstract
The article describes an empirical investigation concerning the relationship between what is known about information security incidents which occurred within an organisation and the actual perception of information risk. Information security incident awareness takes into account an estimation of the frequency of incidents which occurred in the past as well as the magnitude of information assets impairment caused by them. Information risk perception relies on a subjective assessment of the expected frequency of a specified type of incident having a potentially adverse effect on information resources as well as the expected magnitude of the consequent future loss. Survey instruments were distributed to information security managers of 101 Italian companies and data were collected through telephone interviews. Hypotheses about the influence of two awareness factors (namely, information security incident reporting and the existence of an information security policy) on risk perceived by information security managers are formulated and tested through ANOVA techniques.
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.