Friday, July 22, 2011

3 Reasons Why People Choose to Ignore Security Recommendations

The researchers define information avoidance as “any behavior intended to prevent or delay the acquisition of available but potentially unwanted information.” According to the paper, people may choose to avoid information because:

(a) the information may demand a change in beliefs,
(b) the information may demand undesired action, and
(c) the information itself or the decision to learn information may cause unpleasant emotions or diminish pleasant emotions.

These reasons for information avoidance are frequently present when an organization has conducted or commissioned an information security assessment.

Beliefs that might be challenged by the assessment:
My IT infrastructure is secure
I can write code that’s free of bugs and vulnerabilities
My anti-malware defenses are working well
I am an unlikely target of computer attacks

Undesired actions that might be prompted by the assessment:
Security patches need to be applied throughout the environment
The software development process needs to be overhauled to incorporate security
Staff needs to be trained to improve information security-related skills
The budget for information security needs to be increased
The strategy defined for the information security program needs to be revamped

Unpleasant emotional situations that might arise due to the assessment:
I have to “fight” with the management team to increase the security budget
I don’t know how to secure information
I spent money on the wrong information security products
I look bad in front of my colleagues

The relative importance of these concerns, and the extent to which they come into play, varies across situations. Yet these psychological factors of information avoidance explain not only why the findings of a security assessment may be ignored, but also why organizations may be hesitant to conduct such an assessment in the first place. What can the organization do to avoid this? Can the people conducting the assessment do anything to combat this tendency?