Perception deception: security risks created by optimistic perceptions

Pages: 2-17
Date: 14 March 2016
Published date: 14 March 2016
DOI: https://doi.org/10.1108/JSIT-07-2015-0062
Author: Richard G. Taylor, Jeff Brice, Jr., Sammie L. Robinson
Subject Matter: Information & knowledge management, Information systems
Richard G. Taylor, Jeff Brice, Jr and Sammie L. Robinson
Jesse H. Jones School of Business, Texas Southern University,
Houston, Texas, USA
Abstract
Purpose – The purpose of the paper is to determine whether management’s optimistic perceptions of
their organization’s level of information security preparedness can ultimately result in increased
information security risks.
Design/methodology/approach – A case study was conducted in a financial institution. In all, 24
employees were interviewed. These employees came from all functional areas and various positions,
from tellers to executives. Interviews were conducted, internal policies and examiners’ reports were
made available and access was given to observe the employees during working hours and to observe the
facilities after hours.
Findings – Executives were overly optimistic about the level of information security at their
organization. These optimistic perceptions guided security priorities; however, the findings show that
their perceptions were misguided, leaving their organization open to increased security threats. More
specifically, the results show that optimistic perceptions by management can put an organization’s
information at risk.
Originality/value – The paper uses existing theory and evaluates it in a “real-world” setting. For security
research, it can be difficult to get honest responses from questionnaires; however, the hands-on approach
provided a deeper insight into the problem of optimistic perceptions in an organizational setting. For
practitioners, the case can raise management’s awareness of perceptional inaccuracies, resulting in more
informed information security decisions and ultimately improved security for their organization.
Keywords Optimism, Perception, Organizational behavior, Information security
Paper type Research paper
Introduction
Managers hold differing perceptions about the real value of information security.
Without a major loss because of poor or nonexistent measures, it may be that
information security concerns will generally be quite low. In fact, it may take a major
loss to convince managers of information security risks. For example, the losses that
Target and Neiman Marcus experienced during the 2013 Christmas season may serve as
an eye opener for managers regarding their organizations’ level of information security
preparedness.
Current managerial views of information security remain technology oriented,
resulting in heavy spending on technology-based solutions to protect organization
information from outside breaches (Taylor, 2008). These technology-based preventative
measures are an integral part of an organization’s overall security infrastructure;
however, these technologies alone do not provide an appropriate level of information
security protection (Straub and Welke, 1998; Dhillon, 2001). These preventative
technology-based countermeasures can create a false sense of security for organizations,
resulting in management being overly optimistic about their level of information
security protection (Frolick, 2003; Taylor and Brice, 2012).
Journal of Systems and Information Technology, Vol. 18 No. 1, 2016, pp. 2-17. © Emerald Group Publishing Limited, 1328-7265. DOI 10.1108/JSIT-07-2015-0062.
Received 14 July 2015; revised 28 December 2015; accepted 8 January 2016.
The current issue and full text archive of this journal is available on Emerald Insight at: www.emeraldinsight.com/1328-7265.htm
When key managers ignore the likelihood that information security incidents may
occur within their organizations, their optimism forms the basis for behavior that is
reactionary when negative information security events occur, instead of taking overt
action to prevent them from occurring at all (Slovic et al., 1974). A security incident at
their organization or one that they learn about becomes the sole basis for their decision
to reevaluate their information security strategy. In essence, the information security
strategy, which should be a major strategic consideration at all times, becomes a
signicant organizational priority only as an afterthought to adverse activity. Although
the folly of this knee-jerk behavior may seem obvious, many organizations, however,
continue to invest in technology-based security technologies following this reactive
behavior pattern. They are compelled to “put out res” to meet the latest threat rather
than developing, managing and evolving comprehensive security management
programs over time. As Whitman (2003, p. 46) explains:
[…] we often overlook the human solution and instead opt for technology solutions, when in
fact the human factor must be addressed first, with technology assisting in the enforcement of
desired human behaviors.
To better protect an organization’s information, management must adopt security
countermeasures that also address the human threats that can come from employees
within their organization (Dhillon and Backhouse, 2001). Understanding information
security as a social issue calls for an investigation of organizational behavior issues that
may impact information security risks. Although several such issues may merit
consideration, this paper will demonstrate the influence of perception and optimism on
organizations’ overall information security strategy and seek to determine if erroneous
managerial perception is a primary contributor to the frequency of employee
risk-causing activity.
Perception
Perception involves the process by which people organize and translate external cues
into a rational and sense-based integrated idea about the world around them (Lindsay
and Norman, 1977). Managers receive informational cues from the environment that
exists outside of and within the firm’s boundaries. Such information is filtered through
their own perceptual lens (Mezias and Starbuck, 2003). Although these perceptions may
be based on information that is incomplete or even unreliable, perception is commonly
accepted as reality and directs general human behavior (Daniels, 2003).
Management decisions are limited by bounded rationality (Cyert and March, 1963).
Managers attempt to be rational actors, but they have restrictions on their capacity to
process information (Simon, 1956; Bromiley and Euske, 1986). In other words, managers
make decisions based on the information and knowledge they have at hand, ignoring
critical information that may be unknown to them. These business decisions reflect their
information processing limitations because of bounded rationality and may lead to
managerial misperceptions. Thus, managers draw conclusions based on inaccurate
perceptions rather than on a critical review of all available environmental information
(Starbuck and Mezias, 1996).