After a series of recent high-profile information security breach incidents, the role of Chief Information Officers, particularly their role in information security risk management, has been the subject of heated debate among practitioners. However, little is known in the academic literature about how a CIO's risk aversion level affects the effectiveness of information security management. Using reported information security breach incidents during 2003-2015, this study examines how a CIO's risk aversion level is associated with the likelihood of information security incidents. In addition, we investigate whether CEOs' risk aversion level and whether the CIO is on the board moderate this association. Our preliminary results show that a CIO's risk aversion level is significantly associated with a lower likelihood of information security breaches. We further document that this association varies depending on the type of security breach.