Increasing numbers of security incidents such as malware or hacker attacks prompt companies to spend billions of dollars on protecting their information systems. In this context IT risk management (ITRM) has become an important organizational function to control internal and external risks associated with IT. Much effort has been put on mitigating IT risks by means of physical, procedural, and technological solutions. However, the socio-cultural perspective of managing these risks has largely been ignored and thus a “cultural gap” in ITRM can be identified. This paper introduces risk culture as an essential component of an integrated IT risk management and presents a theoretically motivated framework for analyzing the construct risk culture. Based on this framework we conducted a case study that underpins the crucial role of a vital risk culture in an organization. From the empirical findings we derived important factors for establishing risk culture such as (among others) communication campaigns or top-management involvement.