Abstract
Organizations often underinvest in cybersecurity and delay escalation even as cyber risk rises. Prior research usually attributes these failures to resource constraints, limited awareness, or noncompliance. We examine a different explanation: persistent miscalibration in managerial beliefs about organizational resilience, referred to as cybersecurity overconfidence. Our study defines cybersecurity overconfidence as the gap between perceived and actual organizational resilience (Moore & Healy, 2008; Pikulina et al., 2017). Because true resilience is hard to observe directly, decision-makers rely on indirect signals and outcome feedback that may be incomplete or misleading. We argue that these weak learning conditions, especially feedback ambiguity and near-miss events, allow cybersecurity overconfidence to persist across repeated decisions. Ambiguous feedback obscures whether the current posture is adequate, while near-misses may be read as evidence of capability rather than luck. We test these arguments using a repeated-measures experiment in which participants act as organizational decision-makers across 12 cybersecurity rounds. In each round, participants assess perceived resilience, allocate a fixed budget across competing priorities, and decide whether to escalate response. Objective risk exposure and normative benchmarks vary exogenously across rounds, allowing us to measure overconfidence as perceived minus actual resilience and strategic miscalibration as deviation from normative investment and escalation thresholds. We expect three findings. Greater overconfidence will predict cybersecurity underinvestment and delayed escalation relative to objective risk conditions. These effects will be stronger under ambiguous feedback. Near-miss events will reinforce overconfidence, increasing later miscalibration rather than correcting it.
This study will contribute to behavioral IS and cybersecurity research by shifting attention from capability and compliance failures to belief-driven strategic miscalibration. It shows that organizations may fail not because they lack resources or awareness, but because decision-makers misread what their current security posture implies.
Recommended Citation
Smith, Kane; Ganye, Derrick; Liang, Xueping; and Valdez, Jose, "Persistent Cybersecurity Overconfidence: Strategic Miscalibration Under Ambiguous Feedback" (2026). AMCIS 2026 TREOs. 34.
https://aisel.aisnet.org/treos_amcis2026/34