Cyber threats and risks are increasing exponentially with time. For preventing and defense against these threats and risks, precise risk perception for effective mitigation is the first step. Risk perception is necessary requirement to mitigate risk as it drives the security strategy at the organizational level and human attitude at individual level. Sometime, individuals understand there is a risk that a negative event or incident can occur, but they do not believe there will be a personal impact if the risk comes to realization but instead, they believe that the negative event will impact others. This belief supports the common belief that individuals tend to think of themselves as invulnerable, i.e., optimistically bias about the situation, thus affecting their attitude for taking preventive measures due to inappropriate risk perception or overconfidence. The main motivation of this me ta-analysis is to assess that how the cyber optimistic bias or cyber optimism bias affects individual’s cyber security risk perception and how it changes their decisions. Applying a meta-analysis, this study found that optimistic bias has an overall negative impact on the cyber security due to the inappropriate risk perception and considering themselves invulnerable by biasing that the threat will not occur to them. Due to the cyber optimism bias, the individual will sometimes share passwords by considering it will not be maliciously used, lack in adopting of preventive measures, ignore security incidents, wrong perception of cyber threats and overconfidence on themselves in the context of cyber security.
Cybercrime continues unabatedly and is unlikely to cease. Simply put, cybercrime is too simple to conduct, too profitable to achieve more in less effort and time, and there are too few chances to get caught and get punished [
According to the predictions of the Cybercrime Magazine for 2023, the cybercrime damage is predicted to hit $10.5 trillion annually by 2025; global cyber security spending will exceed $1.75 trillion cumulatively from 2021 to 2025; and the cyber insurance market will predict to touch $14.8 billion annually [
Why are the statistics going so high? This is because when a CEO or CISO faces a cyber-attack or data breach, they begin to worry about their technological weaknesses and neglect to consider the very common weakness, i.e., the people (their employees) who utilize those technologies daily [
Individuals (humans), including both internal and external users, are the weakest link in cybersecurity, whether it is because of human error, script-kiddies, or deliberate attacks by skilled cybercriminals [
This study has been motivated by a cliché in the cyber security literature and community that is “understanding the cyber security issues—vulnerabilities, threats and risks—by individuals but giving low priority to address or mitigating them”. This has been investigated by whether users exhibit an optimistic bias in their assessment of cyber risk in an effort to explain the above axiom. People think they have lower odds of suffering a bad event than other people do [
Despite a very important issue that leads to incorrect or inappropriate risk perception of being invulnerable, few studies have examined cyber optimism bias in the cyber security context. It can be inferred, however, that individuals may perceive themselves to be less likely than others to be the victim of cyber attacks, which can in turn have a substantial impact on their attitude toward adopting preventive measures against such attacks or act in a different way. Therefore, it has been contended in this study that it is crucially important to understand optimism bias in the context of cyber security, as this bias may interfere with one’s decision about whether to take preventive measures to prevent cyber-attacks and breaches and consequently increase susceptibility to them. This study hypothesizes that a person with strong optimism bias holds a more unfavorable attitude toward preventive measures against cyber-attacks and adopting of preventive measures as compared to those with weak optimism bias. And as per different researchers like Komatsu et al. (2013) and Gratian et al., (2018) a person’s intentions influence their actual behavior indirectly through cognitive processes and a person having optimism bias in the context of cyber security and preventive measures, will have a different attitude due to which his or her intentions towards preventive measures of compliance with cyber security measures will be impacted [
Through a meta-analytic method, the current study aims to comprehensively evaluate the effects of cognitive biases, particularly optimism bias, on human attitudes and their perception of cyber risk and adopting of preventive measures. The sub-objectives of the study are as under: 1) this research will offer an up-to-date analysis with implications for both research and practice that are distinct, original, and practical; 2) this research will aid in determining whether or not an optimistic attitude toward cyberthreats has a negative impact on cyber security and how the optimism bias has been linked to human attitudes and cyber risk perceptions; 3) this research will find out that either the stance that people with optimism bias are more get infected and targeted as compared to other people or not.
The rest of this article is structured as follows. First, a succinct assessment of the major themes, definitions, and specifics of optimism bias are provided. Second, a discussion of the methods utilized to find pertinent literature and carry out our meta-analysis follows. The findings of this meta-analysis are then provided. We conclude by discussing the findings, their significance for both research and practice, and conclusion.
In general, when faced with real threats, people react positively. The issue is that what we perceive is frequently not reality but a biased perspective, either because we lack the knowledge necessary to accurately estimate the hazards or because we have a motivation to underestimate the risk [
The term “bias” refers to a person’s propensity to see things from a specific point of view. This viewpoint makes it impossible for the person to remain unbiased and objective. Numerous cybersecurity concerns have been found to be caused by cognitive biases [
An analyst or investigator may focus incorrectly on a person during investigation because of their affiliation with a certain group for example, a highly technical person with extensive access rights or admin, rather than the facts or forensic data that appropriately define the person and their conduct in a security inquiry. Focusing on a specific person as a result of an incorrect application of characteristics might cause investigators to look for evidence to back up their presumptions and postpone finding the real cause of security problems, which can have an impact on security [
It seems incredible that people purchase lottery tickets given the extremely slim possibilities of winning. Despite evidence to the contrary, many people purchase tickets because they feel they will perform better than most other participants in the same activity.
Optimistic bias, also referred to as social comparison bias, reflects the difference between perceived risk to oneself and to a selected other or generally to others [
Overestimating the likelihood of positive events and underestimating the likelihood of undesired events are just a few examples of how this optimism bias manifests itself [
The consequences of optimism bias include that users may believe they are immune to cyberattacks even when others have been demonstrated to be vulnerable because these people underestimate the risk. For instance, optimism bias could make spear phishing possible in which the attackers impersonate himself or herself as a trusted person and the messages seeming to come from that trusted source, trying to gain unauthorized access to data in a particular organization. Additionally, optimism bias might lead people to disregard preventative actions like patching or installing anti-virus because they believe they won’t be impacted [
People who deal with cybercrime are at a psychological disadvantage [
Even though they have the best of intentions, analysts risk wasting a lot of time by focusing their search on causes or problems that support their own hypotheses or insights rather than those that are more general or less personal or real based on facts and figures and analysis. For seasoned analysts who might “decide” what happened before analyzing an incident, this is especially important. Although extremely helpful, their knowledge and experience may be a hindrance if they just look at incidents to confirm their preconceived notions. For example, if a manager is not believing on the theory that air gap can also be breached, then how can he invest on it? Thus, causing serious security issues.
Rhee et al., performed a survey for assessing the impacts of optimism bias and illusion of control in the context of information security. The authors found that the more aware the staff or managers are, the more they are optimistically biased, and they have wrong illusion of control on the information security. The aware employees are more optimistically biased that negative cyber events or incidents will occur to others instead of them and they will inappropriately perceive cyber risk which will lead to a gap in the cyber domain [
Hewitt & White studied the optimistic bias of the users and its impacts on the security incidents on the home computers. The authors surveys college and university students and lead to the findings that those students which are surer they will be a target of cyber attack but doesn’t care much about by optimism that it will not be serious or doesn’t consider them serious will then visit more untrusted sites and will experience security incidents [
Phishing is a serious cyber security threat and unaware employees or individual having optimism bias are mostly fall victim to the phishing attacks. Lei et al., studied the precautions taken against phishing attacks and the role of optimism bias. The authors found that although individuals who are more aware of the phishing risks and threats are positive in implementing the behaviors and precautionary measures against phishing, but the optimism bias weakens this phenomenon. Having optimism bias, the individuals then consider themselves invulnerable which thus weakens their decision in opting precautions or taking care [
Chen & Yuan, 2022 adopted protection motivation theory to study the intentions of employees to cope with information security treats based on awareness of the threats and coping appraisals. The authors collected data from 356 Chinese respondents and analyzed through Structure equation modelling (SEM). The authors found that optimism bias led to lower perception of information security risks although the lack of knowledge of those risks does not significantly affect the perceived threat [
Mostly the literature found the negative impact of optimism bias on the adopting of preventive measures, inappropriate cyber risk perception and threat appraisal but some researchers have pointed positive impacts of optimism bias. Therefore, it is crucial to conduct a meta-analysis to find a collective effect of cyber optimism or cyber optimistic bias and its impacts on individuals risk perception and cyber security. In the next section, the research model for the impacts of optimism bias on the attitudes of the employees in the form of inappropriate risk perception, not adopting preventive measures, ignoring incidents, security overconfidence has been presented.
Information technology and information systems are embedded in almost all aspects of daily operations within today’s organizations, and dependence on the Internet is increasing daily [
From literature, it is clear that the humans are the weakest link and almost 82% of cyber breaches are attributed to humans. One of the main causes is the wrong perception of risks and lack in adopting of preventive measures against the cyber risks and threats due to optimism bias and wrong risk perception. It is hypothesized that cyber optimistic bias leads to inappropriate cyber risk perception that will results in decrease of overall cyber security through lack of adopting preventive measures, ignore security incidents, sharing passwords, wrong perception of cyber threats and overconfidence on themselves.
The following figure (
This research will show how people who have an optimistic bias concerning cyber incidents are more victims than those who are not biased. Therefore, the following hypothesis has been formulated.
H1: Optimism bias has negative influence on cyber security implying that individuals who have some bias perceives risk inappropriately which thus affects their attitude for taking rational decision and adopting more effective solutions or preventive measures for cyber security.
PRISMA methodology was adopted for systematic review and analysis which
stand for Preferred Reporting Items for Systematic Reviews and Meta-Analyses, and it comprises of following four stages i.e., identification, screening, eligibility, and inclusion. Some benefits of using the PRISMA method include, improved transparency and clarity of reporting, which allows for easier replication and evaluation of the review; increased consistency in reporting across different studies and fields, which facilitates comparison and synthesis of findings; enhanced ability to identify and address potential biases and limitations in the review; greater accountability and credibility of the review, as it demonstrates that the review team has followed established best practices for conducting and reporting systematic reviews and meta-analyses [
Initially 945 articles were identified by searching keywords in online research databases and 35 papers through other sources and expert recommendations. 65 duplicate records were removed which were matching bibliographic information and duplicate information. 915 records were identified for screening. 880 publications were excluded from the study during the abstract level screening process. Full text screening was conducted for the remaining 35 articles with inclusion/exclusion criteria. Eligibility of these studies were assessed at this stage, in which 26 articles were excluded and 9 articles were finally included for meta-analysis after quality assessment to find the impact of optimistic bias on cyber security. The final selection papers were limited to those articles which had relation with optimistic bias in cyber security thus publications with most relevant information were selected for final meta-analysis.
Quantitative results of nine research empirical studies have been synthesized in this paper. Out of these studies 5 studies were carried out in USA, two in UK, one in Nigeria and one in Germany. Hypothesis relevant to the optimistic bias were selected from each article and used in the meta-analysis. The following table (
Results in these papers were not in the same effect size and scale. Two papers were showing correlation, five papers have beta correlation, one paper has F test,
| Sr. No | Author, Year | Sample Size | Test Type | Test Statistic | p-value | r |
|---|---|---|---|---|---|---|
| 1 | [ | 248 | Correlation | 0.561 | 0.000 | 0.561 |
| 2 | [ | 234 | Correlation | 0.148 | 0.024 | 0.148 |
| 3 | [ | 616 | Beta coefficient | 0.100 | 0.01 | 0.148 |
| 4 | [ | 196 | Beta coefficient | −0.204 | 0.009 | −0.19992 |
| 5 | [ | 945 | Beta coefficient | 0.42 | 0.01 | 0.4616 |
| 6 | [ | 630 | Beta coefficient | 0.18 | 0.08 | 0.2264 |
| 7 | [ | 116 | F−Test | 0.474 | 0.493 | 0.06377 |
| 8 | [ | 370 | Beta coefficient | 0.217 | 0.05 | 0.26266 |
| 9 | [ | 239 | T−Test | 1.23 | 0.22 | 0.0796 |
and one has T test. According to Hak et al. (2016) the effect size should be in same scale across all the studies included in the Meta Analysis to compare them [
The meta-analysis calculation was done in the Comprehensive Meta Analysis (MCA). The random effect model was used for analysis in this studying and included nine studies using correlation as index of effect size. It is assumed that random samples were taken in all the studies [
The analysis shows mean effect size, or the summary effect size is 0.351 with a 95% confidence interval of 0.079 to 0.574. This shows the optimistic bias has relatively more effect on the cyber security. The effect size comparable studies can be anywhere in this interval. The Z-value is 2.500 with p = 0.012. Using a criterion alpha of 0.050. The Z-value tests the null hypothesis that the mean effect size is zero. Hence the null hypothesis is rejected, and it is concluded that mean effect size is not precisely zero in the populations of comparable studies included in the analysis. In the random effect model, actual effect size can vary among studies. Q-test is performed to check the heterogeneity among the studies and test the null hypothesis to see the sharing of common effect size. If the Q is equal to the degree of freedom, it is concluded that all studies share same true effect size. The criterion alpha for the Q-test is typically set at 0.100. The following table (
The Q-value of this study is 576.988 with 8 degrees of freedom and p < 0.001.
| Number Studies | Effect Size and 95% Interval | Tau | Tau2 | Heterogeneity statistics | |||||
|---|---|---|---|---|---|---|---|---|---|
| Point estimate | Lower limit | Upper limit | Q-Value | df (Q) | P-value | I2 | |||
| 9 | 0.351 | 0.079 | 0.574 | 0.435 | 0.189 | 576.988 | 8 | 0.000 | 98.613 |
Using a criterion alpha of 0.100 the null hypothesis of homogeneity is rejected, and it is proved that the true effect size varies in these studies, and it has high variability. The Q values or the associated p-value just tell if there is any variation or not, but it does not tell the size of variation. How much the effect size vary, can be found through prediction interval I-square (I2) which tell how much the effect size varies across studies. I2 is 99% which shows 99% variance in the true effect size. The remaining 1% can be sampling error. Similarly, the Tau-squared (Tau2) indicates the variance of true effect sizes which is 0.189 in Fisher’s Z units. Tau, the standard deviation of true effect sizes, is 0.435 in Fisher’s Z units in this study. If it is assumed that the true effects are normally distributed (in Fisher’s Z units), it can be estimated that the prediction interval is −0.617 to 0.896. The true effect size in 95% of all comparable samples falls in this interval [
Egger Regression Test was conducted to check the publication bias using funnel plot asymmetry. The value of intersection (B0) is -14.55679, 95% confidence interval (−33.68383, 4.57026), with t=1.79962, df = 7. The 1-tailed p-value (recommended) is 0.05747, and the 2-tailed p-value is 0.11495. The p-value is not significance in both tails which indicate there is no publication bias. Furthermore, the standard error is 8.0883 which close to the line of regression or degree of freedom (df) which reassure that there is no publication bias. Begg and Mazumdar rank correlation shows P-value (1-tailed) is 0.03817 and P-value (2-tailed) is 0.07633 which means no publication bias exists.
The funnel plot is graphical representation used to assess the publication bias. The following funnel plot (
In the absence of publication bias it would be expected the studies to be distributed symmetrically about the combined effect size. By contrast, in the presence of bias, we would expect that the bottom of the plot would show a higher concentration of studies on one side of the mean than the other.
The results of this meta-analysis have been based on 9 studies available and fulfilled the criteria of the meta-analysis. For these studies sufficient empirical data existed which can be used to infer meta-analysis and calculate effect size.
All the research included in the meta-analysis selected cyber optimism bias or optimistic bias as an independent variable and cyber risk perception and adopting of preventive measures as dependent variable. Although the wordings were
different, but the theme of the dependent and independent variables were the same. The factors like share passwords by considering it will not be maliciously used, lacks adopting of preventive measures, ignore security incidents, wrong perception of cyber threats and overconfidence on themselves in the context of cyber security are the outcomes after wrong perception of risks or threats and illusion of control on the information risks and threats. Therefore, only one hypothesis has been formulated.
The purpose of the meta-analysis was to understand the impact of optimism bias on human perception about cyber security. There is strong correlation between the optimistic bias and the human risk perception which is a potential factor which impact the cyber security. Incorrect cyber risk perception leads to thinking that the individual has preventive measures, or the risk is low, not very serious and I will not be a target. Ament (2017) stated that optimism bias will lead to overconfidence on the skills of the individual as well as create a thinking that I will not be a target thus will not opt preventive measures due to that overconfidence and optimism bias [
The results of the meta-analysis confirms that cyber optimism bias impacts the perception of cyber risks and that incorrect or wrong perception of threats and risks will impact the decision and the individual will involve in risk behaviors and actions like sharing of passwords by considering it will not be maliciously used, lack adopting of preventive measures, ignore security incidents, wrong perception of cyber threats and overconfidence on himself or herself in the context of cyber security. These results are consistent with the results of most of the individual studies of optimistic bias in the context of cyber security. Chen & Yuan, in a recent study found that due to optimistic bias, the decisions of the analysts will not be objective and will be biased and flawed [
The study of meta-analysis is consistent with the literature showing a relationship between optimism bias of human perception and cyber security. The optimistic bias has adverse impact on the cyber security due to wrong perception of cyber threats and risks.
The research has both theoretical and practical implications. Theoretically the meta-analysis is first of its kind on this topic and subject. Although the optimism bias has very serious impact on cyber security risks perception, overall risks, and assessment but there were very limited and dispersed studies available. This meta-analysis combined all the studies and provided a combined effect size that confirms that optimism bias will lead to inappropriate risk perception which will results in wrong or subjective decisions that will lack objectivity.
Practically, the research provide insight to the organizational management that while deciding on the cyber security matters, perceived risks, and vulnerabilities, they should be objective and unbiased. The organizational management like CISOs must aware employees of this bias by stating that although the individuals doesn’t think that are biased but in reality, they are. Therefore, the workforce must follow the instructions given to them by the security teams from time to time and comply with the cyber security policies and requirements. Realization of this bias by an individual at the individual level or by an organization at the organizational or team level is the first step for its mitigation.
Furthermore, this research has significance in many ways. Meta-analysis in studying optimism bias in cyber security lies in its ability to provide a comprehensive and robust examination of the phenomenon across multiple studies. By pooling data from multiple studies, this meta-analysis has provided a more precise estimate of the true effect size of optimism bias, which can help to identify the magnitude and scope of the problem.
This meta-analysis provided a comprehensive and robust examination of the phenomenon across multiple studies. It provided a precise estimate of the true effect size, identify moderating factors, and guide future research. The overall significance of this research is that it can help organizations and individuals to better understand and mitigate the risks associated with optimism bias, which can lead to more effective cyber security practices and a reduction in the number of security breaches.
Cyber security is dependent on the decision of human beings which are the operators and administrators of the systems, and they are considered the major cause of cyber breaches. While doing cyber security decisions and assessing risks, the assessors must be objective and not biased. But unfortunately, research stated that at times the individuals at any capacity dealing with the systems and risks, perceive the risks inappropriately due to a thinking that “I/we am (are) not vulnerable or overconfident on the security measures or think that I will not be a target”. This is optimistic bias. Due to this thinking, the perceived risk is flawed, and the decisions are not objective. This meta-analysis was conducted by combining all the available studies which were fulfilling the criteria of meta-analysis about optimism bias in the cyber security context. The results of the meta-analysis found that optimism bias has a huge impact on the overall cyber insecurity due to the inappropriate risk perceptions. Administrators, analysis, investigators, and operators/users should be very objective while considering the cyber related events, risks, threats and incidents. Otherwise, research states that people with optimistic bias in the cyber security context are more targeted than others which is contrary to the thinking of people having optimistic bias.
There are several directions that future research on optimism bias and its impact on cyber security could take:
Longitudinal studies: Longitudinal studies that track the development and evolution of optimism bias over time could provide a more detailed understanding of how optimism bias arises and how it changes over time. This could help to identify the factors that contribute to optimism bias and to develop interventions that are more effective at reducing the risk of security breaches. Interventions: Research on interventions that aim to reduce the risk of security breaches by reducing optimism bias could be valuable. This could include studies that test the effectiveness of different types of interventions, such as training programs, awareness campaigns, and other types of educational initiatives. Cultural studies: Research on the cultural factors that influence optimism bias could provide insights into how different cultures approach cyber security and how this affects their level of optimism bias. Comparative studies: Comparative studies that examine the level of optimism bias in different countries or regions could provide insights into how optimism bias varies across different cultures and regions, and how it can be mitigated in these contexts. Artificial Intelligence and Machine Learning: With the increasing use of AI and Machine Learning in cyber security, future research could focus on how these technologies can be used to detect and mitigate optimism bias. Human and Organizational Factors: Studies that focus on the human and organizational factors that contribute to optimism bias, such as decision-making processes, communication patterns, and organizational culture, could provide valuable insights into how to mitigate the risks associated with optimism bias.
Overall, future research on optimism bias and its impact on cyber security should aim to provide a more detailed and comprehensive understanding of the phenomenon, and to develop effective interventions that can reduce the risk of security breaches.
The authors declare no conflicts of interest regarding the publication of this paper.
Alnifie, K.M. and Kim, C. (2023) Appraising the Manifestation of Optimism Bias and Its Impact on Human Perception of Cyber Security: A Meta Analysis. Journal of Information Security, 14, 93-110. https://doi.org/10.4236/jis.2023.142007