Why "security" fails (and how to prevent it, maybe)
It is not uncommon that serious organizational interest in improving security occurs after "security" fails. Sure, there are exceptions; however it is not an uncommon phenomena.
Why then does security fail?
If we never changed the oil in our car we would not wonder why it stopped working.
If we were to over draw our bank account, having never put money into it, we would not wonder why there was no more money.
So why then consider organizational security any differently?