{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,15]],"date-time":"2026-06-15T14:20:58Z","timestamp":1781533258969,"version":"3.54.5"},"reference-count":43,"publisher":"MDPI AG","issue":"5","license":[{"start":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T00:00:00Z","timestamp":1777420800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100002338","name":"Ministry of Education of the People's Republic of China","doi-asserted-by":"publisher","award":["22YJC630214"],"award-info":[{"award-number":["22YJC630214"]}],"id":[{"id":"10.13039\/501100002338","id-type":"DOI","asserted-by":"publisher"}]},{"award":["22YJC630214"],"award-info":[{"award-number":["22YJC630214"]}],"id":[{"id":"https:\/\/ror.org\/01mv9t934","id-type":"ROR","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["71801125"],"award-info":[{"award-number":["71801125"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"award":["71801125"],"award-info":[{"award-number":["71801125"]}],"id":[{"id":"https:\/\/ror.org\/01h0zpd94","id-type":"ROR","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Systems"],"abstract":"<jats:p>This study examines how managerial overconfidence affects corporate cybersecurity investment and whether a breach-contingent regulatory penalty can mitigate behaviorally induced underinvestment. This study develops a behavioral game-theoretic model in which a firm chooses preventive cybersecurity investment and remedial cybersecurity investment, whereas a strategic attacker chooses attack effort, under three scenarios: rational decision making, managerial overconfidence, and managerial overconfidence with market competition. The results show that managerial overconfidence reduces cybersecurity investment by distorting perceptions of breach probability and breach losses. Specifically, breach-probability overconfidence mainly reduces preventive cybersecurity investment and increases attack effort, whereas underestimation of breach losses reduces both preventive cybersecurity investment and remedial cybersecurity investment. In addition, market competition has a conditional effect: it can strengthen preventive cybersecurity investment when managerial bias is mild but weaken it when managerial bias is strong. This study contributes by distinguishing two channels of managerial bias, identifying a conditional competition paradox, and clarifying the bounded corrective role of the breach-contingent regulatory penalty.<\/jats:p>","DOI":"10.3390\/systems14050484","type":"journal-article","created":{"date-parts":[[2026,4,30]],"date-time":"2026-04-30T08:03:47Z","timestamp":1777536227000},"page":"484","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Corporate Cybersecurity Investment Under Managerial Overconfidence: Strategic Attackers, Market Competition, and Regulatory Penalty"],"prefix":"10.3390","volume":"14","author":[{"ORCID":"https:\/\/orcid.org\/0009-0003-4847-8329","authenticated-orcid":false,"given":"Zhengyang","family":"Zhu","sequence":"first","affiliation":[{"name":"School of Economics and Management, Nanjing Tech University, Nanjing 211816, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1079-6183","authenticated-orcid":false,"given":"Liurong","family":"Zhao","sequence":"additional","affiliation":[{"name":"School of Economics and Management, Nanjing Tech University, Nanjing 211816, China"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1968","published-online":{"date-parts":[[2026,4,29]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"610","DOI":"10.1126\/science.1130992","article-title":"The economics of information security","volume":"314","author":"Anderson","year":"2006","journal-title":"Science"},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"438","DOI":"10.1145\/581271.581274","article-title":"The economics of information security investment","volume":"5","author":"Gordon","year":"2002","journal-title":"ACM Trans. Inf. Syst. Secur."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"157","DOI":"10.1111\/joes.12456","article-title":"Dangerous games: A literature review on cybersecurity investments","volume":"36","author":"Fedele","year":"2022","journal-title":"J. Econ. Surv."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"502","DOI":"10.1037\/0033-295X.115.2.502","article-title":"The trouble with overconfidence","volume":"115","author":"Moore","year":"2008","journal-title":"Psychol. Rev."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"1121","DOI":"10.1037\/0022-3514.77.6.1121","article-title":"Unskilled and unaware of it: How difficulties in recognizing one\u2019s own incompetence lead to inflated self-assessments","volume":"77","author":"Kruger","year":"1999","journal-title":"J. Personal. Soc. Psychol."},{"key":"ref_6","unstructured":"Kroll (2026, February 19). Cyber Risk and CFOs: Over-Confidence Is Costly. Available online: https:\/\/www.kroll.com\/en\/publications\/cyber\/cyber-risk-and-cfos."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"2661","DOI":"10.1111\/j.1540-6261.2005.00813.x","article-title":"CEO overconfidence and corporate investment","volume":"60","author":"Malmendier","year":"2005","journal-title":"J. Financ."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"474","DOI":"10.1080\/17517575.2019.1644672","article-title":"How does overconfidence affect information security investment and information security performance?","volume":"15","author":"Dong","year":"2021","journal-title":"Enterp. Inf. Syst."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"747","DOI":"10.1057\/s41274-017-0263-y","article-title":"Comparison of information security decisions under different security and business environments","volume":"69","author":"Wu","year":"2018","journal-title":"J. Oper. Res. Soc."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"69","DOI":"10.1080\/10864415.2004.11044320","article-title":"The effect of internet security breach announcements on market value: Capital market reactions for breached firms and internet security developers","volume":"9","author":"Cavusoglu","year":"2004","journal-title":"Int. J. Electron. Commer."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"716","DOI":"10.1080\/01605682.2020.1854631","article-title":"A game-theoretical model of firm security reactions responding to a strategic hacker in a competitive industry","volume":"73","author":"Wu","year":"2022","journal-title":"J. Oper. Res. Soc."},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"6104","DOI":"10.3934\/jimo.2022208","article-title":"A competitive analysis of information security investment: The role of hacker attacks","volume":"19","author":"Gao","year":"2023","journal-title":"J. Ind. Manag. Optim."},{"key":"ref_13","first-page":"318","article-title":"A model of information security and competition","volume":"45","author":"Taylor","year":"2024","journal-title":"Mark. Sci."},{"key":"ref_14","first-page":"5","article-title":"The optimistic bias in cyber risk perception of German enterprises: Do organizational and personal moderators matter?","volume":"5","author":"Salzberger","year":"2025","journal-title":"Organ. Cybersecur. J. Pract. Process People"},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"37","DOI":"10.1257\/jep.29.4.37","article-title":"Behavioral CEOs: The role of managerial overconfidence","volume":"29","author":"Malmendier","year":"2015","journal-title":"J. Econ. Perspect."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"104450","DOI":"10.1016\/j.cose.2025.104450","article-title":"Contrasting the optimal resource allocation to cybersecurity controls and cyber insurance using prospect theory versus expected utility theory","volume":"154","author":"Joshi","year":"2025","journal-title":"Comput. Secur."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"87","DOI":"10.1145\/1005817.1005828","article-title":"A model for evaluating IT security investments","volume":"47","author":"Cavusoglu","year":"2004","journal-title":"Commun. ACM"},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"793","DOI":"10.1016\/j.ijpe.2008.04.002","article-title":"An economic analysis of the optimal information security investment in the case of a risk-averse firm","volume":"114","author":"Huang","year":"2008","journal-title":"Int. J. Prod. Econ."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"2034","DOI":"10.1080\/00207543.2023.2206923","article-title":"Supply chain cybersecurity investments with interdependent risks under different information exchange modes","volume":"62","author":"Xu","year":"2024","journal-title":"Int. J. Prod. Res."},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"1290","DOI":"10.1057\/s41274-016-0134-y","article-title":"A game-theoretic analysis of information security investment for multiple firms in a network","volume":"68","author":"Qian","year":"2017","journal-title":"J. Oper. Res. Soc."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"110519","DOI":"10.1016\/j.cie.2024.110519","article-title":"Cybersecurity investments in supply chains with two-stage risk propagation","volume":"197","author":"Dash","year":"2024","journal-title":"Comput. Ind. Eng."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"277","DOI":"10.1007\/s10479-015-1925-2","article-title":"Information security investment for competitive firms with hacker behavior and security requirements","volume":"235","author":"Gao","year":"2015","journal-title":"Ann. Oper. Res."},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"tyae019","DOI":"10.1093\/cybsec\/tyae019","article-title":"Economics and optimal investment policies of attackers and defenders in cybersecurity","volume":"10","author":"Ebel","year":"2024","journal-title":"J. Cybersecur."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"8979","DOI":"10.1287\/mnsc.2022.4300","article-title":"Economics of ransomware: Risk interdependence and large-scale attacks","volume":"68","author":"August","year":"2022","journal-title":"Manag. Sci."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"221","DOI":"10.1016\/j.cose.2011.12.001","article-title":"Unrealistic optimism on information security management","volume":"31","author":"Rhee","year":"2012","journal-title":"Comput. Secur."},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"1469","DOI":"10.1287\/mnsc.1110.1374","article-title":"CEO overconfidence and innovation","volume":"57","author":"Galasso","year":"2011","journal-title":"Manag. Sci."},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"tyae009","DOI":"10.1093\/cybsec\/tyae009","article-title":"Interdependent security games in the Stackelberg style: How first-mover advantage impacts free riding and security (under-)investment","volume":"10","author":"Huang","year":"2024","journal-title":"J. Cybersecur."},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"606","DOI":"10.1287\/isre.1100.0341","article-title":"When hackers talk: Managing information security under variable attack rates and knowledge dissemination","volume":"22","author":"Mookerjee","year":"2011","journal-title":"Inf. Syst. Res."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"4199","DOI":"10.3934\/jimo.2022127","article-title":"Competitive information security investment under hacker knowledge dissemination","volume":"19","author":"Gao","year":"2023","journal-title":"J. Ind. Manag. Optim."},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"123","DOI":"10.2753\/MIS0742-1222300104","article-title":"Managing interdependent information security risks: Cyberinsurance, managed security services, and risk pooling arrangements","volume":"30","author":"Zhao","year":"2013","journal-title":"J. Manag. Inf. Syst."},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"70","DOI":"10.1287\/isre.2015.0607","article-title":"Mandatory standards and organizational information security","volume":"27","author":"Lee","year":"2016","journal-title":"Inf. Syst. Res."},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"107376","DOI":"10.1016\/j.jaccpubpol.2025.107376","article-title":"Cybersecurity risk governance and companies\u2019 cybersecurity risk disclosures in their 10-K filings","volume":"54","author":"Gao","year":"2025","journal-title":"J. Account. Public Policy"},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"106993","DOI":"10.1016\/j.jaccpubpol.2022.106993","article-title":"Changes in corporate cybersecurity risk disclosures after SEC comment letters","volume":"41","author":"Calderon","year":"2022","journal-title":"J. Account. Public Policy"},{"key":"ref_34","unstructured":"National People\u2019s Congress (2026, February 19). Data Security Law of the People\u2019s Republic of China, Available online: https:\/\/en.spp.gov.cn\/2021-06\/10\/c_948426_2.htm."},{"key":"ref_35","unstructured":"National People\u2019s Congress (2026, February 19). Personal Information Protection Law of the People\u2019s Republic of China, Available online: https:\/\/en.spp.gov.cn\/2021-12\/29\/c_948419_2.htm."},{"key":"ref_36","unstructured":"Cyberspace Administration of China (2026, February 19). Measures for the Security Assessment of Outbound Data Transfers, Available online: https:\/\/www.cac.gov.cn\/2022-07\/07\/c_1658811536396503.htm."},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"106079","DOI":"10.1016\/j.clsr.2024.106079","article-title":"Cross-border data flow in China: Shifting from restriction to relaxation?","volume":"56","author":"Guo","year":"2025","journal-title":"Comput. Law Secur. Rev."},{"key":"ref_38","doi-asserted-by":"crossref","first-page":"104182","DOI":"10.1016\/j.irfa.2025.104182","article-title":"Navigating digital frontiers: The impact of China\u2019s cybersecurity Law on corporate digital innovation","volume":"103","author":"Chen","year":"2025","journal-title":"Int. Rev. Financ. Anal."},{"key":"ref_39","doi-asserted-by":"crossref","first-page":"107171","DOI":"10.1016\/j.frl.2025.107171","article-title":"Does cybersecurity regulation reduce corporate data-breach risk?","volume":"78","author":"Gao","year":"2025","journal-title":"Financ. Res. Lett."},{"key":"ref_40","doi-asserted-by":"crossref","first-page":"47","DOI":"10.1007\/s10207-025-01192-z","article-title":"A bonus and penalty mechanism as an incentive for cybersecurity investments","volume":"25","author":"Yautsiukhin","year":"2026","journal-title":"Int. J. Inf. Secur."},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"255","DOI":"10.1016\/j.ijpe.2012.06.022","article-title":"Economics of information security investment in the case of concurrent heterogeneous attacks with budget constraints","volume":"141","author":"Huang","year":"2013","journal-title":"Int. J. Prod. Econ."},{"key":"ref_42","doi-asserted-by":"crossref","first-page":"719","DOI":"10.1016\/j.jfineco.2019.05.019","article-title":"Risk management, firm reputation, and the impact of successful cyberattacks on target firms","volume":"139","author":"Kamiya","year":"2021","journal-title":"J. Financ. Econ."},{"key":"ref_43","first-page":"394","article-title":"Understanding security behaviors in personal computer usage: A threat avoidance perspective","volume":"11","author":"Liang","year":"2010","journal-title":"J. Assoc. Inf. Syst."}],"container-title":["Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2079-8954\/14\/5\/484\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,5,15]],"date-time":"2026-05-15T04:22:52Z","timestamp":1778818972000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2079-8954\/14\/5\/484"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,4,29]]},"references-count":43,"journal-issue":{"issue":"5","published-online":{"date-parts":[[2026,5]]}},"alternative-id":["systems14050484"],"URL":"https:\/\/doi.org\/10.3390\/systems14050484","relation":{},"ISSN":["2079-8954"],"issn-type":[{"value":"2079-8954","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,4,29]]}}}