The responsibility for information security, or more accurately information assurance, permeates all facets of modern organisations, and consequently encompasses a variety of stakeholders (i.e., lay people), each with their own perceptions of the value of, and the risks to, this information. Although a wide range of disciplines have provided important contributions to our understanding of the way that people perceive risk, this paper will predominantly focus on psychological explanations, in order to examine the disparity between lay and expert perceptions of risk, and what impact this disparity has upon an information security risk assessment in terms of both data collection and the recommendation of countermeasures.