There are several reasons why information security recommendations are ignored. When I outlined the rationale for this in an earlier article, I did not account for one important reason that’s grounded in psychology: people often choose to ignore information, electing to stay ignorant. In the paper Information Avoidance: Who, What, When, and Why, researchers offer several explanations for such practices.
The researchers define information avoidance as “any behavior intended to prevent or delay the acquisition of available but potentially unwanted information.” According to the paper, people may choose to avoid information because:
(a) the information may demand a change in beliefs,
(b) the information may demand undesired action, and
(c) the information itself or the decision to learn information may cause unpleasant emotions or diminish pleasant emotions.
These reasons for information avoidance are frequently present in situations where the organization has conducted or commissioned an information security assessment. The assessment is likely to trigger the concerns that will motivate its recipients to avoid reading or understanding the assessment’s findings.
Beliefs that might be challenged by the assessment:
- My IT infrastructure is secure
- I can write code that’s free of bugs and vulnerabilities
- My anti-malware defenses are working well
- I am an unlikely target of computer attacks
Undesired actions that might be prompted by the assessment:
- Security patches need to be applied throughout the environment
- The software development process needs to be overhauled to incorporate security
- Staff needs to be trained to improve information security-related skills
- The budget for information security needs to be increased
- The strategy defined for the information security program needs to be revamped
Unpleasant emotional situations that might arise due to the assessment:
- I have to “fight” with the management team to increase the security budget
- I don’t know how to secure information
- I spend money on the wrong information security products
- I look bad in front of my colleagues
The relative importance of these concerns and the extent to which they come into play varies across situations. Yet these psychological factors of information avoidance explain not only why the findings of a security assessment may be ignored, but also why organizations may be hesitant to conduct such an assessment in the first place. What can the organization do to avoid this? Can the people conducting the assessment do anything to combat this tendency?
More articles about delivering better security assessments:
- 4 Reasons Why Security Assessment Recommendations Get Ignored
- Security Assessment Report as Critique, Not Criticism
- Dealing with Misinformation During Security Assessments and Forensic Investigations