3 Reasons Why People Choose to Ignore Security Recommendations

There are several reasons why information security recommendations are ignored. When I outlined the rationale for this in an earlier article, I did not account for one important reason that’s grounded in psychology: people often choose to ignore information, electing to stay ignorant. In the paper Information Avoidance: Who, What, When, and Why, researchers offer several explanations for such practices.

The researchers define information avoidance as “any behavior intended to prevent or delay the acquisition of available but potentially unwanted information.” According to the paper, people may choose to avoid information because:

(a) the information may demand a change in beliefs,
(b) the information may demand undesired action, and
(c) the information itself or the decision to learn information may cause unpleasant emotions or diminish pleasant emotions.

These reasons for information avoidance are frequently present in situations where the organization conducted or commissioned an information security assessment. The the assessment is likely to trigger the concerns that will motivate its recipients to avoid reading or understanding the assessment’s findings.

Beliefs that might be challenged by the assessment:

  • My IT infrastructure is secure
  • I can write code that’s free of bugs and vulnerabilities
  • My anti-malware defenses are working well
  • I am an unlikely target of computer attacks

Undesired actions that might be prompted by the assessment:

  • Security patches need to be applied throughout the environment
  • The software development process needs to be overhauled to incorporate security
  • Staff needs to be trained to improve information security-related skills
  • The budget for information security needs to be increased
  • The strategy defined for the information security program needs to be revamped

Unpleasant emotional situations that might arise due to the assessment:

  • I have two “fight” with the management team to increase the security budget
  • I don’t know how to secure information
  • I spend money on the wrong information security products
  • I look bad in front of my colleagues

The relevant importance of these concerns and the extent to which they come into play varies across situations. Yet, these psychological factors of information avoidance explain not only why the findings of a security assessment may be ignored, but also why organizations may be hesitant to conduct such an assessment in the first place. What can the organization do to avoid this? Can the people conducting the assessment do anything to combat this tendency?

More articles about delivering better security assessments:

Updated

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.

Learn more