Admittedly, these are based on anecdotal evidence, but I suspect they are very close to the major reasons used to deflect concerns about increasing the security posture of cyber-physical systems.

  1. Using complex risk calculations, it can be shown that the risk is really, really small.
  2. Even if your company gets attacked once, the probability of another similar attack is less than lightning striking the same place twice.
  3. Your networks are better protected than those other guys and everybody knows that hackers go after easy targets first.
  4. It’s just silly to invest in security expecting some kind of return. Security is just a big black hole that you dump money into if you have too much.
  5. If none of the above reasons works for you, then there is one fail-safe reason: you just don’t want to. If you don’t want to do something, one reason is as good as another.

Perry Pederson