This study examines how managerial overconfidence affects corporate cybersecurity investment and whether a breach-contingent regulatory penalty can mitigate behaviorally induced underinvestment. It develops a behavioral game-theoretic model in which a firm chooses preventive and remedial cybersecurity investment while a strategic attacker chooses attack effort, under three scenarios: rational decision making, managerial overconfidence, and managerial overconfidence with market competition. The results show that managerial overconfidence reduces cybersecurity investment by distorting perceptions of breach probability and breach losses. Specifically, breach-probability overconfidence mainly reduces preventive cybersecurity investment and increases attack effort, whereas underestimation of breach losses reduces both preventive and remedial cybersecurity investment. In addition, market competition has a conditional effect: it can strengthen preventive cybersecurity investment when managerial bias is mild but weaken it when managerial bias is strong. The study contributes by distinguishing two channels of managerial bias, identifying a conditional competition paradox, and clarifying the bounded corrective role of the breach-contingent regulatory penalty.
Zhu et al. studied this question.