Clara Ament

3rd of July 2017

Jours fixes take place on the first Monday of the month, starting at 5:00 p.m., in HoF E.01 / Deutsche Bank of the House of Finance (Campus Westend).

[Clara Ament, E-Finance Lab]

Unaware of the Own Ignorance: Overconfidence in Information Security

Organizations invest considerable resources in awareness programs and security training to enhance secure behavior among their workforce. However, employees still have an unrealistic perception of information security risks and remain overly confident in their own knowledge as well as their own ability to handle information security threats. At worst, this leads to insecure behavior in uncertain situations. Therefore, the presented study investigates employees’ information security overconfidence.

To approach the issue of overconfidence, behavioral information security research is intertwined with research from psychology and learning theory. Building on evidence collected in the course of a case study, a new framework of information security overconfidence is developed. An experiment with 239 participants confirms the theory of information security overconfidence. In particular, employees unaware of their own lack of security typically overrate their information security knowledge. High actual security knowledge, by contrast, often leads to an underestimation of one's own security competence. Implications for research and practice are discussed.