Perception deception: security risks created by optimistic perceptions

The purpose of the paper is to determine whether management’s optimistic perceptions of their organization’s level of information security preparedness can ultimately result in increased information security risks.

A case study was conducted in a financial institution. In all, 24 employees were interviewed. These employees came from all functional areas and various positions, from tellers to executives. Interviews were conducted, internal policies and examiners’ reports were made available and access was given to observe the employees during working hours and to observe the facilities after hours.

Executives were overly optimistic about the level of information security at their organization. These optimistic perceptions guided security priorities; however, the findings show that their perceptions were misguided leaving their organization open to increased security threats. More specifically, the results show that optimist perceptions by management can put an organization’s information at risk.

The paper uses existing theory and evaluates it in a “real-world” setting. For security research, it can be difficult to get honest responses from questionnaires; however, the hands-on approach provided a deeper insight to the problem of optimistic perceptions in an organizational setting. For practitioners, the case can raise managements’ awareness of perceptional inaccuracies, resulting in more informed information security decisions and ultimately improved security for their organization.