Why security recommendations often get ignored

I read very often about vulnerabilities and companies that got hacked.

Many times, the reason they got hacked was that recommendations issued by smart people (read: security-minded people) were ignored.

But why are they ignored?

I found some articles in which several explanations are given for what is called "information avoidance".

The researchers define information avoidance as "any behavior intended to prevent or delay the acquisition of available but potentially unwanted information."

Applying this to IT Security, it is easy to see why ignorance gets embraced in all these areas:

  • writing secure code

Argument: writing code free of security vulnerabilities is hard and requires special training.

  • securing a network perimeter

Argument: threats are permanently evolving, and securing a network is a cat-and-mouse game.

  • securing computers with anti-malware solutions

Argument: security software is expensive, makes computers slow and is ineffective.

  • investing in security

Argument: anti-hacking technologies are expensive, and we will never become a target anyway.

  • patching

Argument: the software automatically updates itself anyway.

  • investing in compliance

Argument: it doesn't apply to us anyway, and it is extremely expensive to change processes to match the imposed requirements.

By avoiding these topics, the discussions about budget, timelines, functional requirements and non-functional requirements (like security) are very often avoided as well. In other words, by avoiding these topics, the situations that create stress are avoided too.

So there is no malicious intent behind the lack of security; it is simple psychology.

Of course, these situations are only avoided until something bad happens. Then everybody switches to "damage control mode".

This is the worst thing that can happen in a stressful situation: people stop thinking about the problem as a whole and just try to put out the fire that is burning them.

In the end, we are back to the biggest problem in IT Security, the weakest link: the humans.

This post appeared first in ITSecurity.co.uk


© Copyright 2015 Sorin Mustaca, All rights reserved. Written for: Sorin Mustaca on Cybersecurity

Check www.mustaca.com for the IT consulting services I offer.
Visit www.itsecuritynews.info for the latest security news in English.
Visit http://de.itsecuritynews.info for IT security news in German.

About the Author

Sorin Mustaca

Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, has been working in the IT Security industry since 2000 and worked for Avira from 2003 to 2014 as Product Manager for its well-known products used by over 100 million users worldwide. Today he is an independent IT Security Consultant focusing on cybersecurity, secure software development and security for IoT and automotive. He also runs his personal blog, Sorin Mustaca on Cybersecurity, and is the author of the free eBook Improve your security.
