Some reasons that is commonly given by organization members to avoid change in the process.

1. Nothing has happened for the past X years. What is going to happen now and why do you want all these security

2. How is the organization benefited out of implementing information security practices…??? How much will be the profit…???

3. So you mean to say, once we implement information security practices, my network is completely safe.

4. We want work to be done. Do not hamper our routine to integrate your security practices

5. Security!!! Please ask IT

6. I have firewalls, IPS, two-factor authentication, anti-virus gateways, web filters, motion detectors, access control mechanisms etc implemented , what more security are you going to provide…???

7. If I change this now, nothing is gonna work. Please do not suggest any changes, it has been working, let it work