
Cyber Risk Awareness of German SMEs: An Empirical Study on the Influence of Biases and Heuristics



Salzberger, Alina (2024): Cyber Risk Awareness of German SMEs: An Empirical Study on the Influence of Biases and Heuristics, in: Zeitschrift für die gesamte Versicherungswissenschaft, vol. 113, iss. 1, 55–104, [online]



Salzberger, Alina

Zeitschrift für die gesamte Versicherungswissenschaft, Vol. 113 (2024), Iss. 1 : pp. 55–104

Author Details

Alina Salzberger, Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU), School of Business, Economics and Society, Lange Gasse 20, 90403 Nürnberg, Germany.




The number of successful cyber attacks on small and medium-sized enterprises (SMEs) is rising steadily, while several studies have already shown that SMEs in particular often lack adequate awareness of their own cyber risk exposure. The aim of this paper is therefore to analyze the cyber risk perception of German SMEs and to examine the influence of biases and heuristics on their cyber risk awareness, based on a questionnaire survey of 1,540 owners and executives of German SMEs with up to 250 employees. The results show that the perceived probability of a cyber attack on the respondent's own company is rated significantly lower than that for comparable companies, which points to the influence of an optimistic bias in risk assessment. In addition, perceived cyber risk also varies significantly with direct and indirect experience and with the stated degree of confidence in the company's own cyber risk management capabilities, which points to the availability heuristic and an overconfidence bias in cyber risk perception.