This paper will examine the difference between management’s perception of the information security risks and the actual information security risks that occur within their organization, arguing that management’s perceptions are based mostly on (1) technology solutions to protect organizational information and (2) their belief that employees follow established information security policies. Slovic’s perception of risk theory will be used as the theoretical foundation for this study. The paper will focus on the neglected human element of information security management, with the primary focus on employees’ actions that unintentionally expose organizational information to security risks. These employee actions can threaten information contained within the organization’s computer-based systems as well as information in the form of computer-based system output, such as printed reports, customer receipts, and backup tapes. There has been substantial literature exploring the human threat to organizational information; however, past research has focused on intentional behavior, typically referred to as “computer abuse”. Less research has investigated employees’ actions that unintentionally expose an organization to information security risks. Based upon this premise, the purpose of this study is to draw attention to such human threats and in turn shed light on the relationship between unintentional threats caused by employees’ behavior and information security risks. Using a case study conducted in a financial institution, this study investigates these unintentional threats and management’s perception of the potential information security risks that these employees’ actions may cause. The research reveals that many of management’s taken-for-granted assumptions about information security within their organization are inaccurate.
It is suggested that by increasing management’s awareness of these risks, they will take precautions to eliminate this behavior to ensure that the organization’s information is better secured.
Taylor, Richard, "Management Perception of Unintentional Information Security Risks" (2006). ICIS 2006 Proceedings. 95.