Perverse Effects in Defense of Computer Systems: When More Is Less
Journal of Management Information Systems
With computer security spending on the rise, organizations seem to have accepted the notion that buying more-and more expensive-defenses allows them to better protect their computer systems and, accordingly, their business and customers. In the context of complex computer systems, however, defenses can also have the opposite effect, creating new, unforeseen vulnerabilities in the systems they are intended to protect. Advocacy for defense-indepth and diverse security measures has contributed to
... has contributed to creating this "more is better" mentality for defending computer systems which fails to consider the complex interaction of different components in these systems, especially with regard to what impact new security controls may have the operation and functionality of other, pre-existing defenses. In this paper, we describe and give examples of several categories of perverse effects in defending computer systems and draw on the theory of unintended consequences and the duality of technology to provide some analysis of the origins of these perverse effects as well as some methods for avoiding them and directions for future research.