The information security discipline has a common body of knowledge comprised of many facts, techniques, and ways for its practitioners to accomplish the objectives of securing the information assets of the companies by which they are employed. Sometimes these practitioners simply do things the way they have always been done. Perhaps some of the practices need to be reexamined. One that needs attention is the way that risk-based decision making is applied in places that it may not improve the outcomes of the problems being addressed.