I read very often about vulnerabilities and companies that got hacked.
Many times, the reason they got hacked was that some recommendation issued by some smart people (read: security-minded people) was ignored.
But why are they ignored?
I found some articles in which several explanations are given for what is called “information avoidance”.
These researchers define information avoidance as “any behavior intended to prevent or delay the acquisition of available but potentially unwanted information.”
Applying this to IT Security, it makes sense to embrace ignorance in all these areas:
- writing secure code
Argument: Writing code free of security vulnerabilities is hard and requires special training.
- securing a network perimeter
Argument: Threats are permanently evolving, and securing a network is a cat-and-mouse game.
- securing computers with anti-malware solutions
Argument: Security software is expensive, makes computers slow, and is ineffective.
- investing in security
Argument: Anti-hacking technologies are expensive, and I will never become a target anyway.
- patching
Argument: The software automatically updates itself anyway.
- investing in compliance
Argument: It doesn’t apply to us anyway, and it is extremely expensive to change processes to match the imposed requirements.
By avoiding these topics, discussions about budget, timelines, functional requirements and non-functional requirements (like security) are very often avoided as well. In other words, by avoiding these topics, the situations that create stress are avoided too.
So there is no malicious intent behind the lack of security; it is simple psychology.
Of course, these situations are avoided until something bad happens. Then everybody switches to “damage control mode”.
This is the worst thing that can happen in a stressful situation: people stop thinking about the problem as a whole and just try to put out the fire that is burning their asses.
In the end, we are back to the biggest problem in IT Security: the weakest link: the humans.
This post appeared first in ITSecurity.co.uk
© Copyright 2015 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity