One of the contributing factors to
poor management of IT security risk is attributed to the fact that
IT security risk management is often left to the technical security
technologist who do not necessarily employ formal risk
management tools and reasoning.