How information security is like trying to lose weight

Information security is an exercise in managing the risks that come with modern IT systems. This is much harder than it might sound at first because the behavior of people isn't always what you'd expect it to be. In particular, when people feel safer from one risk they may increase other risks to keep their overall level of risk at roughly the same level. There's been an ongoing debate for several years, for example, over whether or not using seat belts actually saves lives. Some experts claim that they do. Others claim that drivers feel safer wearing seat belts and then tend to drive in a more dangerous way to compensate for this, essentially transferring their risk to nearby pedestrians and bicyclists (an interesting, if somewhat biased, discussion of this can be found here (PDF)).

In information security, it might be the case that people who are protected by anti-virus software are less careful about opening attachments, clicking on links, etc. I haven't seen any reliable data that could be used to test this hypothesis, but I certainly wouldn't be surprised if it turned out to be true.

I was reminded of how hard it is to manage risks when I recently came across an article about weight loss. This particular article suggests that exercise may actually be counterproductive if you're trying to lose weight because it may increase your appetite and lead you to eat additional food that more than makes up for what you might have burned off in the exercise. Here's a more technical version of that from the abstract of this paper:

Weight loss resulting from an exercise intervention tends to be lower than predicted. Modest weight loss can arise from an increase in energy intake, physiological reductions in resting energy expenditure, an increase in lean tissue or a decrease in non-exercise activity. Lower-than-expected weight loss could also arise from weak and invalidated assumptions within predictive models. To investigate these causes, we systematically reviewed studies that monitored compliance to exercise prescriptions and measured exercise-induced change in body composition. Changed body energy stores were calculated to determine the deficit between total daily energy intake and energy expenditures. This information combined with available measurements was used to critically evaluate explanations for low exercise-induced weight loss. We conclude that the small magnitude of weight loss observed from the majority of evaluated exercise interventions is primarily due to low doses of prescribed exercise energy expenditures compounded by a concomitant increase in caloric intake.

So this reminded me that there are almost always unexpected side-effects when people are involved. If you try to change one aspect of their behavior, don't be surprised if some other aspect of their behavior also changes, and in some cases this change can more than make up for the first change. It may be true when it comes to seat belts. It may be true when it comes to weight loss. And it may also be true for information security.

