Posted by Sorin Mustaca on April 9, 2015.
I read very often about vulnerabilities and about companies that got hacked.
Many times, the reason they got hacked was that recommendations issued by some smart people (read: security-minded people) were ignored.
But why are they ignored?
I found some articles that give several explanations for what is called "information avoidance".
The researchers behind them define information avoidance as "any behavior intended to prevent or delay the acquisition of available but potentially unwanted information."
Applied to IT security, this explains why it seems to make sense to embrace ignorance in each of these areas, with the argument that is usually given:
Argument: writing code free of security vulnerabilities is hard and requires special training.
Argument: threats are permanently evolving, and securing a network is a cat-and-mouse game.
Argument: security software is expensive, makes computers slow, is ineffective.
Argument: anti-hacking technologies are expensive and I will anyway never become a target.
Argument: the software automatically updates itself anyway.
Argument: it doesn’t apply to us anyway and it is extremely expensive to change processes to match the imposed requirements.
By avoiding these topics, people very often also avoid the discussions that come with them: budget, timelines, functional requirements, and non-functional requirements (like security). In other words, by avoiding these topics, they also avoid the situations that create stress.
So there is usually no malicious intent behind the lack of security; it is simple psychology.
Of course, these situations are avoided only until something bad happens. Then everybody switches to "damage control mode".
This is the worst thing that can happen in a stressful situation: people stop thinking about the problem as a whole and just try to put out the fire that is burning them.
In the end, we are back to the biggest problem in IT security, the weakest link: the humans.
Sorin Mustaca, CSSLP, Security+, Project+