Abstract

In recent years, ransomware has evolved from isolated incidents into a systemic threat that leverages organized platforms and commercialized tools. According to Trend Micro’s 2023 Cybersecurity Forecast Report, cybercriminal groups have increasingly adopted the Ransomware-as-a-Service (RaaS) model, enabling them to directly exfiltrate and monetize high-value corporate data through outsourced, customizable ransomware tools. Similarly, Fortinet’s 2023 Global Cybersecurity Threat Trends Report identified Cybercrime-as-a-Service (CaaS) as a dominant emerging paradigm, in which ransomware represents a key component. Under this model, malicious software is commodified and sold as a service, thereby lowering the technical threshold required for conducting cyberattacks and facilitating broader participation in cybercrime. The growing accessibility of such services poses a substantial risk to organizational security across sectors. Reflecting this vulnerability, KPMG’s 2022 Taiwan Corporate Cybersecurity Exposure Survey Report revealed that the average cybersecurity readiness score among Taiwanese enterprises ranged between 70 and 80. This score level suggests that even attackers possessing only basic technical capabilities may be capable of breaching enterprise information systems. The report further noted that chief executive officers (CEOs) of Taiwanese enterprises generally exhibited higher-than-global-average confidence in their organizations’ cybersecurity posture. However, this confidence appears to be accompanied by a form of “blind spot” in their risk perception, particularly when facing actual cybersecurity threats. This phenomenon may be interpreted through the lens of the Dunning–Kruger effect, which posits that individuals with limited expertise tend to overestimate their competence in specific domains (Kruger & Dunning, 1999). 
To further conceptualize these perceptual distortions, this study adopts Protection Motivation Theory (PMT; Rogers, 1975; Maddux & Rogers, 1983) as an analytical framework. PMT explains how individuals evaluate threats and formulate protective intentions based on four key components: perceived severity, perceived vulnerability, response efficacy, and self-efficacy. Within this framework, self-efficacy refers to an individual's belief in their own ability to carry out security behaviors, while response efficacy refers to the perceived effectiveness of those behaviors in mitigating threats. Applied to organizational cybersecurity, these two variables are essential for predicting whether decision-makers will commit to, and adhere to, protective behaviors. Given the overconfidence revealed in the KPMG survey, a critical research question emerges: both self-efficacy and response efficacy are forms of self-assessment, which raises the question of whether individuals are also subject to the Dunning–Kruger effect when evaluating these two variables. Accordingly, this study examines whether the Dunning–Kruger effect manifests in perceptions of self-efficacy and response efficacy and, from the perspective of Protection Motivation Theory, explores how the presence of such cognitive bias may influence cybersecurity protection behaviors. Investigating this question can offer new insight into the cognitive mechanisms that may impede effective threat response and provide a theoretical basis for designing more targeted awareness and training programs in enterprise settings.
