Possibly one of the most concerning, yet common, phrases you could hear a leader say is, “if it ain’t broke don’t fix it.” On the surface this thinking makes sense: if something already works, then why mess with it? But if we go below surface level, what we are really seeing is change resistance. The problem here is that the cybersecurity landscape is dynamic and ever-changing, meaning that the nature of a potential threat will inevitably fluctuate and evolve over time.

Staying ahead of the latest security threat is likely to require a change in common business practices for all levels of the organization. This may be as simple as updating email reporting procedures, or as drastic as internal audits and the introduction of a new keycode or badge access system. These require committed and continued change to day-to-day workings and are often perceived as an unnecessary nuisance.

But, if you are not able to embrace the changes required to do so, you are not only going to be left behind as your competitors outgrow you, but you are also leaving the doors open for security breaches.

If adaptability is key, why are we so resistant to change?

Human beings are comfort seekers. We like things that make us feel safe, and thus we like that which is familiar, because it is predictable. When acting habitually, we can be certain of the outcome because we can predict it based on previous experience, but change requires some level of uncertainty. Subsequently, “human beings are creatures of habit” because familiarity is safe whilst change is risky.

When we think about this from an evolutionary perspective, it makes perfect sense. Erring on the side of caution would be beneficial for survival because it would facilitate the avoidance of potential threats. If such is the case, the inclination to avoid uncertainty would be passed down via our genes and we would expect to see a biological marker of stress when faced with uncertainty. This is in fact exactly what researchers have found. Specifically, the stress response (commonly known as the fight-or-flight response) is the default response to uncertainty, which is reflected physiologically in high vagally mediated heart rate variability. Subsequently, this leads to difficulties with emotional regulation. Thus, it’s not just that we prefer familiarity, but that we are hardwired to avoid uncertainty and change.

The concept of change itself can also be problematic for growth because change is typically associated with something being broken or poorly maintained. I am sure all of us at some point have said to ourselves, or to someone close to us, “this is not working; something has to change.” Therefore, it is understandable that the idea of change might be met with an emotionally charged reaction.

Making changes

When it comes to cybersecurity, change is inevitable. You may have the most up-to-date systems and policies around, but all it takes is one attacker to come out with a new exploit and those systems may no longer be secure. Additionally, human beings are the biggest risk to security and each individual comes with their own unique set of vulnerabilities. This means that as your workforce evolves and changes, so do your security risk factors.

Try to slowly introduce appropriate changes to give yourself and your team time to adjust to each change before implementing stricter measures. However, sometimes this is just not a possibility.

If the thought of adapting your systems and protocols seems daunting, I hope it is somewhat comforting to know that it’s not just you. Change IS daunting. But there is no way to sugarcoat it: if you want to keep your company secure, sometimes change cannot be avoided. As a leader, it is your duty to self-reflect, and if you recognize change resistance in yourself it might be time to adjust your behaviour.

This is a good time to stop and think about the last time you updated your security measures.

The experts at Social-Engineer can help

Don’t know where to start? The experts at Social-Engineer, LLC can help you understand where your security may be falling short and support you on your journey to change your resistance.

For a detailed list of our services and how we can help you achieve your information/cybersecurity goals please visit:


Written by: Dr. Abbie Maroño


Brosschot, J. F., Verkuil, B., & Thayer, J. F. (2016). The default response to uncertainty and the importance of perceived safety in anxiety and stress: An evolution-theoretical perspective. Journal of Anxiety Disorders, 41, 22-34.

Carleton, R. N. (2016). Fear of the unknown: One fear to rule them all? Journal of Anxiety Disorders, 41, 5-21.