Poor security risk decisions are seldom the result of bad people or careless analysis. They are usually the result of structural conditions — incentives, information asymmetry, decision pressure and weak governance — that make the wrong decision the easier one to make.
Boards, executives and risk owners rarely set out to misallocate security investment, accept unmeasured residual risk or adopt the wrong control mix. Yet these outcomes recur across sectors, in well-managed organisations, often becoming visible only after an incident, near-miss or external review exposes them.
Understanding why poor decisions persist is the first step in interrupting them. The patterns are recognisable, and the corrective disciplines are not complicated.
Why Poor Security Risk Decisions Recur
Six structural conditions produce most of the poor decisions observed in security risk practice. None of them is unique to security, but each is amplified by the technical nature of the subject and the limited internal challenge available to most leadership teams.
Information asymmetry. The party best informed about a proposed security solution is usually the party selling it. The decision-maker is usually a generalist executive who does not have the technical baseline to challenge specification, performance claims or fitness for purpose. Asymmetric information can produce decisions that favour the better-informed party.
Conflated advice and supply. When advice is provided by the party that will benefit commercially from implementation, the advice cannot be evaluated independently of the commercial interest. This pattern is explored in Why Security Recommendations Must Be Independent of Product Sales. It is the most common single cause of disproportionate or misdirected security expenditure.
Visible-output bias. Boards and executives are more easily reassured by visible controls than by effective ones. Cameras, guards, fences, technology and signage produce visible reassurance. Their effectiveness against the actual threat is much harder to evaluate — and is rarely tested. The pattern is examined in Why Installed Security Controls Do Not Always Reduce Risk.
Incident-driven response. Most security decisions are made under the operational pressure of a recent incident, near-miss or external event. Decisions made under that pressure are biased towards rapid, visible action and away from structured analysis. A visible control implemented quickly may be preferred to a more appropriate control selected through structured analysis.
Weak distinction between audit and assessment. Many organisations conflate compliance auditing with risk assessment. An audit confirms that controls exist and are operated as documented. A risk assessment evaluates whether the right controls are in place against credible threats and proportionate to consequence. The distinction is set out in Security Risk Assessment vs Security Audit: Why the Difference Matters. Where it is not made, organisations are repeatedly reassured by audits while assessable risk persists.
Absence of independent challenge. Security expenditure is often approved on the basis of operational recommendations alone, without the independent challenge applied to other categories of capital decision. Some boards that would not approve a comparable IT, legal or financial decision without independent assurance nevertheless approve security decisions primarily on the operator’s advice.
Recognisable Patterns of Poor Decision-Making
The structural conditions above produce a small number of recurring decision patterns. Each is observable in retrospect. Each can be anticipated.
Procurement before assessment. A specific product, technology or service provider is selected first, and the risk justification is constructed afterwards. The assessment becomes a procurement narrative rather than an analytical input.
Coverage in place of effectiveness. Investment is directed at expanding the count of controls — more cameras, more guards, more technology — without first establishing whether the existing controls are performing. The result is a higher operating cost with no measurable reduction in assessable risk.
Uniform response to asymmetric risk. A uniform control standard is applied across sites or assets whose risk profiles differ materially. Investment is consumed evenly across the estate while the highest-risk locations remain inadequately protected.
Response that solves the last incident. Each new incident produces a control that addresses the specific modus operandi of that event. The cumulative effect is a layered, expensive and disjointed control set that may still leave the next, foreseeable scenario unaddressed.
Acceptance of unmeasured residual risk. Controls are implemented; the residual risk is not re-evaluated. The organisation assumes that the expenditure has reduced risk to acceptable levels, with no evidence that it has done so.
Governance by reporting. The board receives operational reporting from the security function and treats it as risk assurance. Reporting describes activity, not effectiveness; the board accepts the assurance because no independent view is available to compare it against.
What an Avoided Poor Decision Looks Like
The corrective disciplines are well established. They are not complicated, and they do not require specialist expertise on the part of the decision-maker. They require structural separation, sequencing and assurance.
They also require risk appetite and decision thresholds to be defined before treatment options are approved.
Assessment precedes procurement. The risk is defined, structured and prioritised before any specification, product or provider is selected. The structured logic of this sequence is set out in How Structured Security Risk Analysis Works.
Advice is independent of supply. The party advising on what is needed has no commercial interest in what is implemented. The party implementing is contracted to a specification derived from the assessment, not the other way around.
Control effectiveness is tested, not assumed. Existing controls are evaluated for their performance against credible scenarios before additional controls are funded. The pattern is examined in Control Effectiveness in Practice: Three Worked Scenarios.
Risk is treated proportionately. Investment is directed where assessed risk is highest and where consequence exposure is greatest, not distributed evenly across the estate. Higher-risk sites, assets or movements receive a stronger control mix; lower-risk environments are not over-protected at the expense of higher-risk ones.
Residual risk is re-evaluated after intervention. After controls are implemented, residual risk is reassessed and reported to the relevant governance forum. The cycle closes, and the board has evidence that the expenditure achieved the intended reduction.
Independent assurance is built into governance. A periodic independent review of the security risk profile is treated as a routine governance discipline, in the same way that financial, IT and legal functions are routinely assured by parties independent of the operators.
The Role of Independent Risk Assessment
Independent risk assessment is one of the most effective disciplines for interrupting the structural conditions described above. It addresses information asymmetry by introducing a technically informed party with no commercial interest in the outcome. It separates advice from supply. It tests effectiveness rather than coverage. It produces a structured, defensible view that the board can challenge, accept or modify with evidence rather than instinct.
Independent assessment is not a substitute for the operator. The operator implements, manages and reports. The independent assessor evaluates whether what is being operated is the right control set, whether it is performing effectively, and whether it addresses the right risks. The two functions complement each other; they should not be performed by the same party.
This is why a physical security risk assessment, conducted by a party with no procurement or operational interest in the result, is one of the most efficient interventions available to a board concerned about the quality of its security decisions.
Conclusion
Poor security risk decisions persist because the conditions that produce them are structural, not personal. Information asymmetry, conflated advice and supply, visible-output bias, incident-driven response, audit-assessment confusion and absent independent challenge are present in most organisations most of the time. They produce predictable, recurrent patterns of misallocation, ineffective coverage and unmeasured residual risk.
The corrective disciplines are well understood. Assessment precedes procurement. Advice is separated from supply. Effectiveness is tested. Risk is treated proportionately. Residual risk is re-evaluated. Independent assurance is built into governance.
Boards that adopt these disciplines do not eliminate security risk. They eliminate the structural reasons for making the wrong decisions about it.
Keown & Associates provides independent security risk assessment and advisory services to boards, executives and risk owners who require defensible, conflict-free analysis to support their security decisions.