Journal of Management Information Systems

Volume 33 Number 2 2016 pp. 597-620

Perverse Effects in Defense of Computer Systems: When More Is Less

Wolff, Josephine

ABSTRACT:

With computer security spending on the rise, organizations seem to have accepted the notion that buying more—and more expensive—defenses allows them to better protect their computer systems. In the context of complex computer systems, however, defenses can also have the opposite effect, creating new, unforeseen vulnerabilities in the systems they are intended to protect. Advocacy for defense-in-depth and diverse security measures has contributed to this “more is better” mentality for defending computer systems, which fails to consider the complex interaction of different components in these systems, especially with regard to what impact new security controls may have on the operation and functionality of other, preexisting defenses. We give examples of several categories of perverse effects in defending computer systems and draw on the theory of unintended consequences and the duality of technology to analyze the origins of these perverse effects, and to develop a classification scheme for the different types and some methods for avoiding them.

Key words and phrases: complex systems, computer systems, cyber defense, cybersecurity, defense-in-depth, information security