Abstract

This article aims to evaluate the effectiveness of the incident notification tool, a key component of post-incident recovery in Italian cybersecurity policy. The article presents a theory-based evaluation using the realist synthesis method to reconstruct the assumptions underlying the tool’s operation and test its implementation. Our results reveal that the tool's effectiveness is based on its dual role as an alerting system and a learning mechanism. However, its performance varies, depending on factors such as the ability of the actors involved and the capacity of the administrations. Recommendations are proposed to improve the design and implementation of the tool, emphasising the need for corrective measures to ensure its effectiveness in both alerting and facilitating post-incident learning.