Information security is a critically important issue in current networked business and work environments. While there is extensive publicity on the increasing incidents of numerous information security breaches and their serious consequences, recent surveys and research on information security repeatedly identify the low levels of user and managerial awareness as a key obstacle to achieving a good information security posture. The main motivation of our research emanates from this contradicting phenomenon: increased vulnerability to information security breaches yet the low level of user and managerial awareness on information security threats. In this research, we study this dissonance by addressing a cognitive bias, optimistic bias, that is, the tendency of people to believe that negative events are less likely to happen to them than to others and that positive events are more likely to happen to them than others. Using a survey, we find that users demonstrate optimistic bias in their risk perceptions associated with information security. This self-serving bias is also found to be related to a perception of controllability with information security threats. These results have practical implications for designing security awareness programs by suggesting that risk communication and management efforts are likely to fail unless they consider this bias.