Social Psychological Variables That Contribute to Resistance to Security Assessment Findings

Abstract

Abstract It is not uncommon for IT executive management to require sufficient time to review and digest the findings of a security or disaster recovery risk assessment or the recommendations of a follow-on remediation plan. This is normal and is to be expected. Security remediation or the institution of a disaster recovery plan is costly and resource intensive. But soon a milestone is passed and the security consultant realizes that by the time any action is to be taken by executive management, the findings of the assessment have decayed and the information from several months ago can no longer serve as the information for decision making today. In some instances, consultants have observed management, prompted by audit findings and resulting hard implementation dates, attempting to suddenly act on assessment findings that are months to years old. Other forms of non-action are to belatedly proceed with the security remediation, only to have the project flounder due to non-support.