Faculty of Economics and Business Administration Publications Database

The Ubiquitous Security Expert: Overconfidence in Information Security

Link External Source: Online Version
Year: 2017

To enhance information security, organizations make substantial investments in awareness programs and security training. Despite these efforts, a dangerous misperception regarding the probability and consequences of information security attacks has spread among employees. Since individuals tend to be overly confident in their knowledge and ability to handle information security threats, this study investigates overconfidence in information security. Thereby, the study, in particular, builds on evidence collected in the course of a pre-test and examines overconfidence with respect to simple as well as more complex information security tasks. A multifaceted approach, distinguishing three different categories of information security overconfidence, namely overestimation, overprecision, and overplacement, is presented. Results from a survey with 239 participants confirm that individuals with a limited information security knowledge typically overrate their performance. On the contrary, a high actual knowledge regularly leads to an undervaluation of one’s security competence. Implications for research and practice are discussed.