People commonly say they are concerned about the security of their information, but what they say frequently doesn’t match what they do. In this study, we use electroencephalography (EEG) via event-related potentials (ERPs) to measure peoples’ risk perceptions. We then show that this EEG measure of risk perception is a better predictor of users’ security behaviors than their own stated risk perceptions than users’ stated risk perceptions. Our experiments show that these self-reported measures are ineffective in predicting security behaviors under a condition in which information security is not salient. However, we show that, when security concerns become salient, self-reported measures do predict security behavior. Interestingly, EEG measures significantly predict behavior in both salient and non-salient conditions, which indicates that EEG measures are a robust predictor of security behavior.