Unrealistic optimism on information security management

Information security is a critical issue that many firms face these days. While increasing incidents of information security breaches have generated extensive publicity, previous studies repeatedly expose low levels of managerial awareness and commitment, a key obstacle to achieving a good information security posture. The main motivation of our study emanates from this phenomenon that the increased vulnerability to information security breaches is coupled with the low level of managerial awareness and commitment regarding information security threats. We report this dissonance by addressing a cognitive bias called optimistic bias. Using a survey, we study if MIS executives are subject to such a bias in their vulnerability perceptions of information security. We find that they demonstrate optimistic bias in risk perception on information security domain. The extent of this optimistic bias is greater with a distant comparison target with fewer information sharing activities. This optimistic bias is also found to be related to perception of controllability with information security threats. In order to overcome the effects of optimistic bias, firms need more security awareness training and systematic treatments of security threats instead of relying on ad hoc approach to security measure implementation.