As mentioned earlier, there are four general types of risk-risk trade-offs that health and safety regulations may introduce, and each can be seen in the field of information security. Here’s a discussion of each of these cases. The bottom line is that managing risks of any kind is a complicated problem for which there’s often no easy and simple solution, and the risks that information security deals with are not exempt from this.
One risk-risk trade-off arises when people take additional risks because better technology or stricter regulations make them feel safer. This can turn the net effect of the new technology or regulation into a loss rather than a gain, if more people are injured by the riskier behavior than are saved by the improved safety. This has been shown to be the case with seat belts, air bags, and anti-lock brakes: people using these technologies seem to feel safer and compensate by taking risks that they wouldn’t have taken otherwise.
Similarly, it’s probably the case that computer users who are protected by anti-virus software feel safer and tend to be less careful with dangerous e-mail attachments than they would be in the absence of anti-virus software. Add an anti-phishing product to your e-mail system and you might find people being less suspicious of potentially dangerous e-mail.
A regulation may also reduce one risk while increasing a different risk. Banning saccharin, for example, may have reduced some health risks due to exposure to saccharin, but may also have increased health risks to others due to obesity caused by substituting sugar for saccharin in some diets.
Similarly, using a particular information security product may introduce new vulnerabilities even as others are reduced. Requiring that all information security products be Common Criteria certified and operating in an evaluated configuration may decrease some security risks while increasing others, for example. This happens because the inflexibility of the Common Criteria does not allow users of certified products to install patches or software updates and stay in an evaluated configuration. This leaves deployed systems exploitable by any new vulnerabilities that are discovered since the completion of the Common Criteria certification. Add a security product to your network that has an exploitable buffer overflow vulnerability and you’ve also done this.
Implementing ways to reduce risk may also require activities that increase risk by more than the original risk is reduced. Regulations that require new construction are an example of this, because the construction work itself may be more dangerous than the risk that the finished construction removes. So if reducing the level of a toxic chemical in the water supply requires the construction of a waste water treatment plant, it may be the case that the risks to the construction workers who build the treatment facility outweigh the benefits that the facility provides.
Deploying or supporting information security technologies can also introduce new vulnerabilities in a similar way. Giving consultants or other contractors access to your network carries the risk that they will use their access to carry out malicious activity or to otherwise subvert your network, for example.
Finally, spending limited budgets to reduce risk in one area means that the same funds are not spent on reducing risk in other areas, even ones that provide a greater benefit.
Suppose that you can spend $50,000 on one of two projects, one that reduces risk by $100,000 and another that reduces risk by $200,000. If you choose the project with the lower return, you will have kept your exposure to risk unnecessarily high and added an unnecessary $100,000 in risk to your organization. Because it’s very difficult to get accurate estimates of the chances of security vulnerabilities being exploited and of the damage caused when they are, it’s very difficult to avoid this particular risk-risk trade-off. This means that you may be making it without even knowing it.
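The following is an added worked example, not code from the original article, and every figure in it is constructed for illustration. It makes the budget comparison explicit: each project's return is its annualized risk reduction (event probability times single-loss cost, before minus after) per dollar spent, and a simple sensitivity check shows when the estimation error that the text mentions is large enough to flip which project is the right one to fund. The project names, probabilities and impacts are hypothetical and chosen so that the nominal numbers match the $50,000 / $100,000 / $200,000 case above.

```python
"""Added example (not from the original article): compare two security
projects by annualized risk reduction per dollar, then test whether the
ranking survives error in the probability estimates. All numbers are
constructed for illustration."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Project:
    name: str
    cost: float        # one-time spend, in dollars
    p_before: float    # estimated annual probability of the loss event today
    p_after: float     # estimated annual probability once the project is done
    impact: float      # estimated cost of a single occurrence, in dollars


def annual_loss(p: float, impact: float) -> float:
    """Annualized loss expectancy: event probability times single-loss cost."""
    return min(1.0, max(0.0, p)) * impact


def risk_reduction(pr: Project, p_scale: float = 1.0) -> float:
    """Annual risk removed by the project. p_scale multiplies both probability
    estimates, modelling a shared estimation error for that threat."""
    before = annual_loss(pr.p_before * p_scale, pr.impact)
    after = annual_loss(pr.p_after * p_scale, pr.impact)
    return max(0.0, before - after)


def reduction_per_dollar(pr: Project, p_scale: float = 1.0) -> float:
    """Return on the security spend: risk removed per dollar of cost."""
    return risk_reduction(pr, p_scale) / pr.cost


def rank(projects: Iterable[Project], scales: Dict[str, float] = None) -> List[str]:
    """Project names ordered from best to worst return, optionally under
    per-project probability scale factors."""
    projects = list(projects)
    scales = scales or {}
    ordered = sorted(projects,
                     key=lambda p: reduction_per_dollar(p, scales.get(p.name, 1.0)),
                     reverse=True)
    return [p.name for p in ordered]


def forgone_reduction(chosen: Project, projects: Iterable[Project]) -> float:
    """Risk reduction given up by funding `chosen` instead of the best project
    (the article's 'unnecessary $100,000 in risk')."""
    best = max(risk_reduction(p) for p in list(projects))
    return best - risk_reduction(chosen)


def ranking_is_robust(projects: Iterable[Project], rel_error: float) -> bool:
    """True if the top-ranked project stays on top when each project's
    probability estimates are independently off by up to +/- rel_error."""
    projects = list(projects)
    nominal_best = rank(projects)[0]
    factors = (1.0 - rel_error, 1.0, 1.0 + rel_error)
    for combo in product(factors, repeat=len(projects)):
        scales = {p.name: f for p, f in zip(projects, combo)}
        if rank(projects, scales)[0] != nominal_best:
            return False
    return True


# Constructed figures matching the article's $50,000 / $100,000 / $200,000 case.
PROJECTS = [
    Project("A: harden mail gateway", cost=50_000,
            p_before=0.50, p_after=0.25, impact=400_000),
    Project("B: patch exposed servers", cost=50_000,
            p_before=0.20, p_after=0.00, impact=1_000_000),
]

if __name__ == "__main__":
    for p in PROJECTS:
        print(f"{p.name}: reduces annual risk by ${risk_reduction(p):,.0f}")
    print("ranking:", rank(PROJECTS))
    print(f"forgone by funding A: ${forgone_reduction(PROJECTS[0], PROJECTS):,.0f}")
    for err in (0.1, 0.5):
        print(f"ranking robust to +/-{err:.0%} probability error:",
              ranking_is_robust(PROJECTS, err))
```

With the nominal estimates project B wins by a factor of two, and the ranking holds if the probabilities are off by 10%. If they can be off by 50%, there are plausible combinations of estimates under which A is the better buy, which is exactly the situation the article describes: the decision depends on numbers that are hard to get right, so the budget trade-off may be going wrong without anyone noticing.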