3 Reasons Why People Choose to Ignore Security Recommendations

3 Reasons Why People Choose to Ignore Security Recommendations

The researchers define information avoidance as “any behavior intended to prevent or delay the acquisition of available but potentially unwanted information.” According to the paper, people may choose to avoid information because:

(a) the information may demand a change in beliefs,

(b) the information may demand undesired action, and

(c) the information itself or the decision to learn information may cause unpleasant emotions or diminish pleasant emotions.

These reasons for information avoidance are frequently present in situations where the organization conducted or commissioned an information security assessment.

Beliefs that might be challenged by the assessment:

My IT infrastructure is secure

I can write code that’s free of bugs and vulnerabilities

My anti-malware defenses are working well

I am an unlikely target of computer attacks

Undesired actions that might be prompted by the assessment:

Security patches need to be applied throughout the environment

The software development process needs to be overhauled to incorporate security

Staff needs to be trained to improve information security-related skills

The budget for information security needs to be increased

The strategy defined for the information security program needs to be revamped

Unpleasant emotional situations that might arise due to the assessment:

I have two “fight” with the management team to increase the security budget

I don’t know how to secure information

I spend money on the wrong information security products

I look bad in front of my colleagues

The relevant importance of these concerns and the extent to which they come into play varies across situations. Yet, these psychological factors of information avoidance explain not only why the findings of a security assessment may be ignored, but also why organizations may be hesitant to conduct such an assessment in the first place. What can the organization do to avoid this? Can the people conducting the assessment do anything to combat this tendency?