Reasons Why Secure Systems Fail in Organisations

Security is an important organizational concept that describes the process of protecting valuable assets, whether an individual, a community, a state or an organization, from potential harm. Security provides controls that separate the valuable asset from the perceived threat, which can mean making significant changes to either the threat or the asset. Perceptions of security vary widely and are therefore often poorly matched with measurable, objective security. Similarly, perceptions of how effective the secure systems in use are may differ from the actual level of security those systems provide (Haley, C. 2011, 133). This is because the presence of secure systems may be mistaken for security itself. Two computer programs may, for example, interfere with each other and limit each other's effectiveness while the owner believes that she/he is receiving double the security from running both. This shows that secure systems employed in organizations do not always succeed (Mather, T. 2009, 22). This paper analyses the various reasons why secure systems in organizations fail. It also highlights examples where such failures have occurred, in order to arrive at suitable recommendations on how security can be improved for future management and development.

The Reasons Why Security Systems Fail in Organizations

Secure systems in contemporary business environments play an important role in an organization's ability to attain its targeted benchmarks and success initiatives. Whether organizations need to improve the performance and dependability of back-office infrastructure or to improve the technology infrastructure behind front-office security solutions, they ought to integrate secure systems that let the organization perform at peak levels (Sindre, G. 2005, 34). This means that organizations should develop a multifaceted assemblage of technological systems, processes, and individuals that work together to give the wider organization the capacity to process, share, and store organizational products effectively, in a way that supports a wide range of organizational missions and functions (Mather, T. 2009, 38). The degree to which this assemblage of systems, processes, and individuals contributes to the success of organizational missions and functions depends on the extent to which the security policies created by an organization's risk management mechanism, and the decisions made under them, translate into effective security controls.

Research has, however, indicated that risk management practices, through the security policies created by organizations' risk management mechanisms, can themselves contribute to the failure of secure systems in organizations. As Anderson (2008, 815) explains, risk management is one of the biggest global industries, encompassing victim services, road safety, insurers, and a large part of the legal profession, yet it is startling how little the subject is understood. Engineers, economists, and lawyers, among other professionals, take different perspectives and speak different languages when developing security policies, and hence arrive at mismatched conclusions about organizational security. As a result, most organizations have adopted a culture that recognises risk only where the odds are well known, and does not treat as risk the uncertainties where the odds are unclear (Sindre, G. 2005, 36). Most organizations have thus proven to be uncertainty-averse rather than risk-averse: they behave as though the odds were always plainly visible and deal with them intuitively. Their reactions are further coloured by an array of cognitive biases, so the security policies they develop are governed by all sorts of prejudices, which ultimately cause the secure systems to fail. This is particularly because the risk management mechanism employed in such organizations is founded not on actuarial science but on the security uncertainties held by the respective organization. As Mather (2009, 45) argues, the purpose of any business organization is to generate profit, which in return is the ultimate reward for taking risk. Security mechanisms employed in business organizations can make all the difference by improving the risk-reward equation, and it is the responsibility of the organization's board of directors to improve that equation. Secure systems intended to address the risks may, however, fail if the advice the board of directors receives from lawyers, security experts, and financial teams revolves only around direct attacks on secure systems and does not address other operational risks such as fire, exchange rates, and legal risks (Haley, C. 2011, 142).

A supermarket in a European country is a suitable example of an organization that proved to be uncertainty averse rather than risk averse, and hence employed a security policy that dealt with security threats only intuitively. According to Anderson (2008, 821), management in this supermarket believed that the company's inability to generate profits was caused by professional thieves and therefore intended to introduce Radio-Frequency Identification (RFID) to address this problem. They realized, however, that this strategy could not work, and so they opted to create a face-recognition system that would alert security personnel whenever a villain entered the store (Mather, T. 2009, 78). This method was equally ineffective, since the technology of the day could not detect villains accurately without making a significant number of errors. The supermarket then opted for a civil recovery strategy, which involved taking a villain before a magistrate, where he could be charged for any loss incurred and for the time wasted in attempting to recover stolen items. The company's management, however, ended up spending most of its time attempting to recover stolen items and to seek vengeance rather than increasing the company's sales. The company had eventually shifted its attention from marketing to organizational security, and so being uncertainty averse contributed to the ultimate failure of the company's secure system (Sindre, G. 2005, 39).

Inadequate decisions can also contribute to the failure of secure systems within organizations. Advisers should strictly recognize each other's roles and work together towards an effective secure system rather than undermining each other. Undermining one another, as human nature often encourages, prevents organizational advisers from reaching a consensus on the decisions that ought to be made when risky situations arise. This causes organizational managers to make faulty decisions that drift away from the reality of how risky situations should be addressed. Biased organizational advisers may, for example, fail to advise managers of the need to change their system auditors in order to maintain an external influence on group thinking. This prevents outsiders who may be conversant with a problem from introducing new ways to address it, which contributes to the ultimate failure of secure systems (Haley, C. 2011, 148).

The decision by organizational stakeholders to adopt limited internal control can likewise contribute to the ultimate failure of secure systems. As Mather (2009, 89) explains, inadequate internal control tends to produce a system in which many transactions within the organization go wrong and always have to be fixed manually. This may result from a high tolerance of chaos, which in turn undermines the need to implement effective control measures and reduces the rate at which errors are detected, thus contributing to the ultimate failure of secure systems. Decisions about problem solving may also contribute to such failures, especially when organizational leaders opt to solve the wrong problems. As Sindre (2005, 41) explains, organizational leaders faced with complex problems often opt to hastily address easy ones instead. This may take the form of activity displacement, particularly where an organization is unable to protect an invaded system from probing and analysis. The inability to deal with uncertainties may likewise lead managers to adopt approaches built on systematic procedures that demand little managerial attention and supervision. This allows bureaucratic guidelines to displace critical thought, which in turn prevents system designers from thinking critically about how they can improve protection requirements, thereby contributing to the ultimate failure of secure systems. Waitrose supermarket is a suitable example of an organization that has experienced failure in a secure system after making inadequate decisions (Haley, C. 2011, 150). In 2001, this supermarket introduced self-scanning equipment intended to reduce security risks on the one hand while reducing the management effort needed to maintain security on the other. The system allowed consumers to scan purchased products and ultimately check with the scanner to obtain a list of the items they had bought. This proved risky, however, because customers could gradually learn how the system worked and then drop some items into their shopping bags without scanning them (Mather, T. 2009, 92).

An important lesson that organizations can learn from failures in various companies is that software engineering should be about adopting engineering principles that allow security-oriented software to address issues of uncertainty effectively. Security-oriented software should therefore be concerned with managing complexity rather than only addressing the risks of immediate, less complex situations. Organizations should aim to address complex security problems by breaking them down into smaller sub-problems that can be addressed using relevant security policies, managerial practices, and decisions.


Secure systems play a crucial role in supporting the daily activities of a business organization, thereby enhancing its capacity to accomplish its missions and goals. Security policies generated from risk management mechanisms, and inadequate decisions, may however contribute to the failure of secure systems within organizations, thus affecting security as a whole. Being uncertainty averse rather than risk averse leads organizations to create inadequate security policies that allow organizational leaders to deal with security issues only intuitively. Inadequate decisions to adopt limited internal control, activity displacement, and solving the wrong problems may cause secure systems in organizations to fail. Organizations should, however, learn that adopting science-based engineering procedures and aiming to address complex problems could prevent secure systems from failing.


Anderson, R 2008, Security Engineering: A Guide to Building Dependable Distributed Systems, Wiley, Indianapolis.

Haley, C 2011, “Security Requirements Engineering: A Framework for Representation and Analysis,” IEEE Trans Softw Eng, 34 no. 2, pp. 133-153.

Mather, T 2009, Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance, O’Reilly Media, California.

Sindre, G 2005, “Eliciting Security Requirements with Misuse Cases,” Requirements Eng, 19 no. 3, pp. 34-44.