Start Date
10-12-2017 12:00 AM
Description
To enhance information security, organizations make substantial investments in awareness programs and security training. Despite these efforts, a dangerous misperception regarding the probability and consequences of information security attacks has spread among employees. Since individuals tend to be overly confident in their knowledge and ability to handle information security threats, this study investigates overconfidence in information security. Thereby, the study, in particular, builds on evidence collected in the course of a pre-test and examines overconfidence with respect to simple as well as more complex information security tasks. A multifaceted approach, distinguishing three different categories of information security overconfidence, namely overestimation, overprecision, and overplacement, is presented. Results from a survey with 239 participants confirm that individuals with a limited information security knowledge typically overrate their performance. On the contrary, a high actual knowledge regularly leads to an undervaluation of one’s security competence. Implications for research and practice are discussed.
Recommended Citation
Ament, Clara, "The Ubiquitous Security Expert: Overconfidence in Information Security" (2017). ICIS 2017 Proceedings. 2.
https://aisel.aisnet.org/icis2017/Security/Presentations/2
The Ubiquitous Security Expert: Overconfidence in Information Security
To enhance information security, organizations make substantial investments in awareness programs and security training. Despite these efforts, a dangerous misperception regarding the probability and consequences of information security attacks has spread among employees. Since individuals tend to be overly confident in their knowledge and ability to handle information security threats, this study investigates overconfidence in information security. Thereby, the study, in particular, builds on evidence collected in the course of a pre-test and examines overconfidence with respect to simple as well as more complex information security tasks. A multifaceted approach, distinguishing three different categories of information security overconfidence, namely overestimation, overprecision, and overplacement, is presented. Results from a survey with 239 participants confirm that individuals with a limited information security knowledge typically overrate their performance. On the contrary, a high actual knowledge regularly leads to an undervaluation of one’s security competence. Implications for research and practice are discussed.