Organizations invest considerable resources in information security awareness programs to promote secure behavior among their workforce. Nevertheless, employees still hold an unrealistic perception of information security risks and remain overconfident in both their own knowledge and their ability to handle information security threats. Because such overconfidence can lead to insecure behavior in uncertain situations, this study investigates employees' information security overconfidence. To approach the issue, information security research is combined with research from psychology and learning theory. Building on evidence collected in a case study, a new framework of information security overconfidence is developed. The results confirm that employees tend toward inaccurate self-assessment. In particular, individuals who are unaware of their own lack of security knowledge typically overrate their information security awareness, whereas employees with high actual information security awareness tend to underestimate it. Implications for research and practice are discussed.