
Why security recommendations often get ignored

Posted by on April 9, 2015.

I read very often about vulnerabilities and companies that got hacked.

Many times, they got hacked because recommendations issued by smart people (read: security-minded people) were ignored.


But why are they ignored?

I found some articles where several explanations are given for what is called “information avoidance”.

These researchers define information avoidance as “any behavior intended to prevent or delay the acquisition of available but potentially unwanted information.”

Applying this to IT Security, it makes sense to embrace ignorance in all these areas:

  • writing secure code

Argument: Writing code free of security vulnerabilities is hard and requires special training.

  • securing a network perimeter

Argument: Threats are permanently evolving, and securing a network is a cat-and-mouse game.

  • securing computers with anti-malware solutions

Argument: security software is expensive, makes computers slow, and is ineffective.

  • investing in security

Argument: anti-hacking technologies are expensive, and I will never become a target anyway.

  • patching

Argument: the software automatically updates itself anyway.

  • investing in compliance

Argument: it doesn’t apply to us anyway, and it is extremely expensive to change processes to match the imposed requirements.


By avoiding these topics, people very often also avoid the discussions about budget, timelines, functional requirements and non-functional requirements (like security). In other words, by avoiding these topics, the situations that create stress are avoided as well.

So there is no malicious intent behind the lack of security; it is simple psychology.

Of course, these situations are avoided until something bad happens. Then everybody switches to “damage control mode”.

This is the worst thing that can happen in a stressful situation: people stop thinking about the problem as a whole and just try to put out the fire that is burning their asses.

In the end, we are back to the biggest problem in IT Security: the weakest link: the humans.


Sorin Mustaca, CSSLP, Security+, Project+

