Information technology lets a firm's management information flow smoothly across its organizational boundaries. But as firms' dependence on information technology grows, information security has also become an emerging risk of business operations. Although theoretical models and best practice generally advise enterprise decision-makers to follow a rational decision-making model when making information security control decisions, this study's interviews with information executives found that decision-makers in Taiwanese enterprises rarely use probability estimation or cost-benefit analysis, and instead usually rely on the decision-maker's subjective perception to make information security risk control decisions. Combining the literature review with the results of the exploratory study, this paper, grounded in behavioral decision theory, proposes a research model of how decision-makers' cognition influences enterprise information security risk control decisions, as a reference for subsequent research. Because behavioral decision research consistently shows that decision-makers' cognitive biases have a negative effect on decision effectiveness, this paper also alerts management practitioners to the possible hidden risks of relying on decision-makers' cognition when making enterprise information security risk control decisions.
Information technologies have enabled businesses to streamline the flow of management information across their organizational boundaries. However, the ever-increasing dependency on IT has also made information security an emerging risk. Theoretical models suggest that a rational decision-making paradigm should be followed to deal with such problems. However, this study interviewed nine high-level MIS managers in five Taiwanese publicly-listed companies and found otherwise. When those CIOs deal with management problems related to information security risk, they seem to rarely make decisions based on probability estimation of risks or cost-benefit analysis of security control alternatives. Rather, they rely on subjective perception and decision shortcuts. Based on the results of the literature review and this exploratory research, we propose a research model for the relationship between CIOs' risk perception and business information security risk management. To prevent the insidious impact of information security risk control decisions based on personal cognitive biases and errors, we would like to bring this to the attention of CIOs.