http://orcid.org/0000-0002-5139-5554
![Sample our Information Science journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5940/TOC-Subject-Sample-2021-Communication-Studies.jpg"})
Abstract
With computer security spending on the rise, organizations seem to have accepted the notion that buying more—and more expensive—defenses allows them to better protect their computer systems. In the context of complex computer systems, however, defenses can also have the opposite effect, creating new, unforeseen vulnerabilities in the systems they are intended to protect. Advocacy for defense-in-depth and diverse security measures has contributed to this “more is better” mentality for defending computer systems, which fails to consider the complex interaction of different components in these systems, especially with regard to what impact new security controls may have on the operation and functionality of other, preexisting defenses. We give examples of several categories of perverse effects in defending computer systems and draw on the theory of unintended consequences and the duality of technology to analyze the origins of these perverse effects, and to develop a classification scheme for the different types and some methods for avoiding them.
Additional information
Notes on contributors
Josephine Wolff
Josephine Wolff ([email protected]) is an assistant professor in the Public Policy Department at Rochester Institute of Technology and a member of the extended faculty of the Computing Security Department. She is a faculty associate at the Harvard Berkman Center for Internet & Society and a fellow at the New America Cybersecurity Initiative. She holds a master’s degree in technology and policy and a Ph.D. in engineering systems from MIT. Previously, she worked at Microsoft, the Center for Democracy and Technology, and the Department of Defense. Her research interests include cybersecurity policy, impacts of computer security controls, economics of information security, and liability regimes for cybersecurity incidents. Her academic writing has been published in Telecommunications Policy and presented at the Research Conference on Communications, Information, and Internet Policy. Her writing has also appeared in Slate, The Atlantic, Scientific American, Newsweek, the New Republic, and the New York Times.