Risk and the Resistance to Change in Organizations

man on rope

There are often multiple alternative methods associated with addressing individual risks. Describe your strategy for handling and communicating the different approaches. How many alternatives should you provide in order to have effective decision-making, and what are they?

In risk management, the one-size-fits-all approach is often not applicable to the majority of situations. Security professionals worldwide, and the organizations they protect, all employ different software, hardware, and business operations, thus requiring specific risk mitigation processes. Risk identification and mitigation plans need to be tailored for the specific case, providing various alternative methods in addressing individual risks.

Researching the numerous risk identification processes available can be quite challenging; however, each provides specific attributes that make it ideal for the situation. As a risk management professional, each alternative risk method should be viewed and applied to a small fraction of an organization’s operations. Often, the risk approach’s attributes that do not work well with the situation will quickly present themselves. In some cases, one might find that a specific risk identification and management approach meets all the identified requirements. More often, though, a combination of several risk management strategies is ideal. Creating a custom risk strategy for the organization’s current needs and those in the future provides a robust and focused plan (Wheeler, 2011).

Communication is vital in assessing risk management plans and alternatives. Understanding first how upper management defines risk should be a top priority, as risk means something different depending on whom you ask. Next, the methodology the organization utilizes for its risk assessments plays a vital role, such as either qualitative, quantitative, or a combination of both. There are several risk analysis methods, such as risk probability and impact assessments, qualitative risk assessment matrixes, risk categorizations, and urgency assessments.

While a unique custom risk management system is the optimal solution, there are several frameworks one can adopt or alter in their goal of locating threats and finding solutions for them, such as the Risk Management Framework (RMF), ISO 31000 Standard Framework, and the COSO Enterprise Risk Management Framework (Computer Security Division, 2020). Providing upper management with your choice of custom or pre-made framework and other examples using their alternatives allows them to view your research and make an educated decision on which framework and methodology to adopt. In today’s modern world, only through intense research and thorough documentation can we effectively make confident decisions in how to secure our organizations now and into the future.

  • Resistance to change is a common factor in any organization. Name a few strategies for addressing resistance to the changes required to reduce risks. How do you handle the resistance when it is a key decision-maker?

In the perfect world, our superiors would listen to our risk identification and preventative measures and effectively apply our recommendations without hesitation; however, as we all know, this is often not the case. Change, in any form, is something that many tend to view as a negative thing; when change is involved in a multimillion-dollar global organization, this is especially true. Risk management strategies are just as sophisticated and complex as the systems they secure, thus involving numerous reasons for businesses to resist both their identified risks and methods of mitigating them.

As with any technology-related project proposal, the key to effectively portraying the project’s value is through research and documentation and clearly identifying the benefits of employing the changes. For risk reduction, the fear tactic is an excellent motivator and is often needed; this is due to many individuals’ belief that anything IT-related is often merely a cost and does nothing to increase revenue. To persuade even the most stubborn management of the importance of risk mitigation, providing real-world examples of other organizations’ occurrences with hackers and ransomware attacks is an excellent way to showcase why change is not something to be feared but favored (Wheeler, 2011).

We will all face situations where our risk recommendations fall on deaf ears, even when the proposed change could potentially bring the company to a halt if not administered. In such a case, having backup plans and recommendations are recommended. If the leading cause of resisting your plan is its high cost, immediately follow up with some lower-cost alternatives or even a plan that is implemented in stages. If the lack of available human resources is the cause of the resistance, providing risk mitigation solutions such as using a smart cloud-based security provider might be the right choice. Risk identification and management is never a ‘sexy’ topic, so to speak, but the potential benefits it can have can certainly be attractive as long as they are clearly presented and backed up with research, data, and real-world information.

  • Is technology an answer to all risks? Is implementing a solution the best way to reduce risks? How does technology fit in a risk mitigation approach? Provide examples to prove your point.

While technology can certainly enable the risk analysis and mitigation processes to be accomplished easier and provide more effective results, it is not the one answer for all risks. Interestingly enough, I find that many risk management frameworks focus on the technology-side too much, resulting in increased complexity and cost of the systems. For example, if an identified risk is employees in a specific department’s website usage, the first thing many would do is purchase, upgrade, or improve the antivirus, antispam, or antimalware software or settings. Instead, if you look deeper into why an employee could potentially misuse a website and, for example, download something malicious, proper employee training on internet best-practices might be the right choice for the situation and probably cost a lot less.

 Technology might not be the only answer to the long list of threats and risks an organization faces every day, but it can indeed be the best answer regarding the quick identification, ranking, mitigation, and continuous upkeep of finding and applying solutions. In the world of risk management, nothing stays the same for long, thus requiring constant supervision and alterations of all found risks and the steps to resolve them; due to this, developing a smart, automated solution for tracking and responding to identified threats allows an organization’s security team to evolve with the always-changing needs of the company (Eppler, 2008).

In many scenarios, risk starts from a non-technological path, such as user error, improperly configured system settings, incorrect data entry, or even failing to educate employees. Thinking outside of the box and learning the ‘chicken-and-the-egg’ approach allows risk assessors to find the real cause of the expensive and time-consuming risk mitigation solutions that upper management resist and fear. What came first, the fact that an intruder was able to gain access to a system, thus requiring a full analysis of the security hardware and software, potentially requiring a complete revamp and possibly spending thousands on a new method of protection, or the fact that the staff responsible for updating the software for that specific system were recently tasked with assisting in setting up a company picnic the week of the malicious intruder? One of the abovementioned solutions would be extremely expensive and most likely lead upper management to resist it, thus opening entirely new attack vectors in the future. In contrast, the other solution might only require a quick meeting with the individual tasked with planning the company picnic.

  • Pretend you are a security analyst conducting a risk assessment for your organization. Your manager refuses to take action on any of the risks you have identified. He says, “We’re not yet ready for this.” How do you handle this situation? How do you protect yourself and your organization? Provide examples.

Managerial staff are well known to view risk assessments as something that can be postponed in lieu of funding a project that will potentially increase the revenue of the organization. Then, when the previously identified threat finally occurs, management often wonders why their security analysis did not do anything to prevent it. In such a scenario, it is vital to remember that both the organization and the security analyst’s reputation and status are what matters. There are several methods one can utilize to prevent any fallout from occurring after disaster finally strikes.

Security analysts will always be presented with challenges trying to bring attention to security events that can possibly happen. Organizations often react to security threats once they occur rather than adapt to overcome the chance that they will happen. To protect one’s self of the inevitable fallout from management frantically trying to put the blame on the security team, proper documentation is vital. Anytime an organization makes the choice to not proceed with a recommended security change in response to a possible risk, recording the date and time of the meeting, as well as getting a signature of the manager in question, will enable the blame of the security event to not fall on the individual who tried to prevent it in the first place.

The best method of ensuring the protection of an organization and those who identify and mitigate its risks is to merely succeed in presenting threats in an effective manner. A proper risk analysis of each identified threat will allow risk researchers to identify which threats need to be solved in order of importance, thus providing managers with a cost-effective plan that slowly unfolds, rather than an instant high-cost plan of attack. If cost or human resources is the primary resistance to enabling a risk mitigation procedure for a specific threat, alternative methods should be presented to management varying in cost and sophistication.

Finally, identified threats that are resisted by an organization should always still be presented to the cybersecurity team for thorough review; while they may not be fully mitigated, they should have full warning that the risks might actually occur, as well as a plan of action if they do. For example, if an identified risk of, for example, ransomware infecting computers via a social engineering attack, has its mitigation plan turned down by upper management, cybersecurity should be alerted to the threat and its probability of occurrence. Often, there may be low to no-cost alternatives security professionals can implement at the very least, such as creating an extra backup of critical data and taking it off of the network in the form of an external data storage device. Disaster can, and will, strike every organization. Protecting both the company and the risk analyst’s reputation and safety is always the top priority, regardless of the feedback one gets from their risk recommendations (Eppler, 2008).


Wheeler, E. (2011). Security risk management: Building an information security risk management program from the ground up. Waltham, MA: Syngress.

Eppler, M. (2008). Envisioning Risk. A Systematic Framework for Risk Visualization in Risk Management and Communication. Retrieved November 17, 2020, from

Institute, F. (n.d.). The FAIR Institute. Retrieved November 17, 2020, from

Computer Security Division, I. (2020, October 13). Risk Management Framework (RMF) Overview – FISMA Implementation Project: CSRC. Retrieved November 17, 2020, from

Categories: Security

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s