Do Too Many Controls Increase Risk?

Sunday, January 09, 2011

Mark Gardner


Over the Christmas period, I listened to a Freakonomics Radio podcast entitled "The Dangers of Safety."

Among other things, it examined the effect of better helmets for NFL players, and of improved safety features in cars (both road cars and NASCAR), on human behaviour.

One of the takeaways from this podcast was that the greater the level of protection, the greater the level of risk taken.

For example, since the invention of face masks on NFL helmets, the helmet is used as a weapon in tackles, rather than as in the pre-face-mask world where, and I quote, "you were worried about your nose ending up in your ear."

Is Information Security the helmet face mask of the IT world?

Our lives are spent assessing risk, and implementing controls to reduce the risks to our work and home networks. Yet are these processes lulling both our colleagues and families into a false sense of security?

Technical controls such as IDS / IPS / AV, or non-technical controls such as the screening of individuals, are examples of controls that may work at the point of implementation; but unless they are updated, or the individuals re-screened, over time they stop taking account of changes in circumstances.

How many times have you found viruses on the home machines of friends and family, only for their response to be "well, did the anti-virus not work?" Meanwhile the Microsoft updates that would prevent exploitation of the machine are not routinely installed.

Having these controls is a prime example of this false sense of security: "It's OK, I have anti-virus on there..."

How can this be combated?

Constant risk assessment, both from a compliance perspective and by the system administrators watching for changes in the environment and the threat landscape, is an essential part of keeping the enterprise secure.

From a home perspective, keeping the applications and operating systems up to date is key.
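The "installed but no longer maintained" failure described above can be made visible rather than assumed. As an added illustration (example code written for this page, not from the original post or from any product), the following Python check walks a constructed inventory and treats a control as effective only while it is current: anti-virus with stale signatures, an unpatched OS, or out-of-date IDS rules are reported as findings instead of being counted as protection. The inventory fields, the hostnames and the freshness thresholds are assumptions chosen for the example.

```python
"""Control-freshness check (hypothetical example).

A control that is present but not maintained is reported as a finding,
so "I have anti-virus on there" does not silently count as a mitigation.
Inventory records below are constructed, not taken from any real fleet.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Maximum acceptable age, in days, before a control is treated as stale.
# These thresholds are assumptions for the example, not a standard.
MAX_AGE_DAYS = {
    "av_signatures": 7,
    "os_patches": 30,
    "ids_rules": 14,
}


@dataclass
class Host:
    name: str
    av_installed: bool
    av_signatures_updated: Optional[date]  # None = never updated
    os_last_patched: Optional[date]        # None = never patched
    ids_rules_updated: Optional[date]      # None = never updated


def age_days(last: Optional[date], today: date) -> Optional[int]:
    """Days since `last`, or None when the event never happened."""
    return None if last is None else (today - last).days


def is_stale(last: Optional[date], today: date, key: str) -> bool:
    """A control is stale if it was never updated or is older than its threshold."""
    age = age_days(last, today)
    return age is None or age > MAX_AGE_DAYS[key]


def assess_host(host: Host, today: date) -> list:
    """Return human-readable findings; an empty list means every control is current."""
    findings = []
    if not host.av_installed:
        findings.append("av: not installed")
    elif is_stale(host.av_signatures_updated, today, "av_signatures"):
        findings.append(
            f"av: installed but signatures stale "
            f"({age_days(host.av_signatures_updated, today)} days old)"
        )
    if is_stale(host.os_last_patched, today, "os_patches"):
        findings.append(f"os: unpatched ({age_days(host.os_last_patched, today)} days old)")
    if is_stale(host.ids_rules_updated, today, "ids_rules"):
        findings.append(f"ids: rules stale ({age_days(host.ids_rules_updated, today)} days old)")
    return findings


def assess_fleet(hosts, today: date) -> dict:
    """Map each host with at least one stale or missing control to its findings."""
    report = {}
    for host in hosts:
        findings = assess_host(host, today)
        if findings:
            report[host.name] = findings
    return report


# Constructed sample inventory, dated to the day of the post.
TODAY = date(2011, 1, 9)
SAMPLE_HOSTS = [
    # Everything current: no findings expected.
    Host("ws-01", True, date(2011, 1, 8), date(2010, 12, 20), date(2011, 1, 5)),
    # AV present but signatures and patches months old: two findings expected.
    Host("ws-02", True, date(2010, 10, 1), date(2010, 6, 1), date(2011, 1, 5)),
    # "I have anti-virus on there", but nothing ever updated: three findings expected.
    Host("home-pc", True, None, None, None),
]

if __name__ == "__main__":
    for name, findings in assess_fleet(SAMPLE_HOSTS, TODAY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The point of reporting on currency rather than presence is that the output changes as time passes even when the configuration does not, which is exactly the drift the post is warning about.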

Also, in the enterprise, all employees need to be kept aware of the latest security risks and of how they can play a part in keeping the company's or clients' information secure.

As I have written about previously, security has never been more in the public eye than it is now; news outlets suddenly talking about DDoS attacks, database disclosures and so on all help in the fight to keep awareness of information security principles high.

The danger of safety may just end up opening you up to exploitation; we must remember that nothing ever stands still...

Comment from Bryce Mitchell: Increased complexity in any system can result in an increased possibility of error; but I would agree that constant vigilance is the best solution... especially with the increased media attention.