Admittedly, these are based on anecdotal evidence, but I suspect they are very close to the major reasons used to deflect concerns about increasing the security posture of cyber-physical systems.
- Using complex risk calculations, it can be shown that the risk is really, really small.
- Even if your company gets attacked once, the probability of another similar attack is less than lightning striking the same place twice.
- Your networks are better protected than those other guys', and everybody knows that hackers go after easy targets first.
- It’s just silly to invest in security expecting some kind of return. Security is just a big black hole that you dump money into if you have too much.
- If one of the above reasons doesn't work for you, then there is one fail-safe reason: you just don't want to. If you don't want to do something, one reason is as good as another.