This paper presents evidence on the economic dimension of cyber risk in the Italian private non-financial sector, based on Bank of Italy survey data. In 2016, the median amount spent on preventing cyber attacks was a modest €4,530, i.e. 15 per cent of a typical worker's annual gross wages. A wide variation exists across sectors and size classes, reflecting differences both in how appealing a target a firm is to attackers and in firms' awareness of threats: median values range from €3,120 for small firms to €19,080 in the ICT sector and €44,590 for large firms.
The market for cyber defence in our reference universe is worth at least €570 million. Having been attacked in the past proves to be a strong incentive to invest in security. The majority of breached firms suffered damages worth less than €10,000; 0.1 per cent reported costs of at least €200,000. Neither the sampling design nor the questionnaire was geared towards the measurement of tail events: underestimation of large incidents is likely. More information is needed before the economy-wide cost can be estimated.