Luther Martin of Voltage Security looks at risk-risk trade-offs.

The practice of information security is about managing the risks that accompany the use of information technology. We can deal with such risks in four general ways.

First, we can invest in technology that reduces a risk, say by deploying an intrusion detection system that helps us detect and react to malicious activity on our networks.

Secondly, we can transfer a risk to someone else, either by buying insurance or outsourcing part of the operation of our networks.

We might also decide that it is better to accept the risks and absorb any losses that this might entail.

A final option is to decide to not accept a risk at all. If a new severe vulnerability is discovered in an application that we use, for example, we might decide that the risk from the vulnerability exceeds the benefits we gain from using the application and discontinue its use.

Deciding which alternative is best requires an understanding of the implications of each choice, and it turns out that fully understanding risks is more difficult than we would first hope.

Part of this difficulty is due to the way in which reducing one risk can increase another risk, possibly causing our attempt to reduce a particular risk to actually increase our overall exposure to risk. Public health and safety regulations provide examples of how this can happen.

Research has shown, for example, that adding safety features such as air bags or anti-lock brakes to automobiles actually increases the number of traffic accidents (S. Peterson, G. Hoffer and E. Millner, 'Are Drivers of Air-Bag-Equipped Cars More Aggressive? A Test of the Offsetting Behavior Hypothesis,' Journal of Law & Economics 38, pp. 251-64, Oct. 1995), and that mandating safety equipment such as seat belts does not reduce the overall number of fatalities (S. Peltzman, 'The Effects of Automobile Safety Regulation,' Journal of Political Economy 83(4), pp. 677-725, 1975).

People seem to feel safer while protected by additional safety features and compensate by engaging in more risky driving behaviour. Reducing the risk of injury in an automobile accident seems to actually cause additional risky behaviour that may cause as much loss as the additional safety features prevented. In particular, the risk may be shifted away from the driver and passengers of a car to pedestrians and bicyclists who are not protected by the additional safety features.

Child-resistant packaging is another example of a regulation that was intended to reduce risks but instead increased them for the population overall. One study (W. Viscusi, 'The Lulling Effect: The Impact of Child-Resistant Packaging on Aspirin and Analgesic Ingestions,' American Economic Review 74(2), pp. 324-327, 1984) showed that safety caps on aspirin bottles actually led to additional poisonings of young children, because adults either left bottles open to avoid operating the safety cap or left bottles of aspirin within reach of children, assuming that the safety cap would prevent them from opening the bottle.

Managing risks can be difficult, and the choices made can have unexpected implications or side-effects. Information security is not exempt from this problem.

Risk-risk tradeoffs in information security

There are four general types of risk-risk tradeoffs that health and safety regulations may introduce (W. Viscusi and J. Aldy, 'The Value of a Statistical Life: A Critical Review of Market Estimates throughout the World,' Related Publication 03-2, AEI-Brookings Joint Center for Regulatory Studies, January 2003), and we can see analogous cases for each of them in the risks that information security practitioners manage.

One risk-risk tradeoff comes from individuals increasing their risky behaviour because they feel safer when protected by risk-reducing technology or by the effects of risk-reducing regulations, as in the case of seat belts, air bags or anti-lock brakes.

Similarly, computer users who are protected by antivirus software may feel safe from viruses and be less careful with suspicious email attachments than they would be without it.

A regulation may also reduce one risk while increasing a different risk. Banning saccharin, for example, may have reduced some health risks due to exposure to saccharin, but may also have increased health risks for others due to obesity caused by substituting sugar for saccharin in some diets.

Similarly, a particular information security product may introduce new vulnerabilities even as it reduces others. Requiring that all information security products be Common Criteria certified and operated in their evaluated configuration may decrease some security risks while increasing others.

This happens because the evaluated configuration is fixed at certification time: installing a patch or software update generally takes a product out of that configuration unless the vendor puts the patched version back through the scheme's assurance continuity process, which takes time. Organisations that insist on staying in the evaluated configuration are therefore left exposed to any vulnerabilities discovered after the certification was completed.

Or an information security product may fulfil its role perfectly, yet its own code may contain exploitable buffer overflows. Or, if long, complex passwords are required, users will tend to write them down instead of remembering them, making it much easier for their passwords to be compromised.

Implementing ways to reduce risk may also involve activities that increase risk by more than the original risk is reduced. Regulations that require new construction are an example of this, because the construction work itself may be more dangerous than the risk that the finished structure removes.

So if reducing the levels of a toxic chemical in the water supply requires the construction of a waste water treatment plant, it may be the case that the risks to the construction workers who build the treatment facility outweigh the benefits that the facility may provide.

Deploying or supporting information security technologies can also introduce new vulnerabilities in a similar way. Giving consultants or other contractors access to corporate networks carries the risk that they will use their access to carry out malicious activity or to otherwise subvert the networks to which they have temporary access, for example.

Finally, investing a limited budget to reduce risk in one area means that the same funds are not invested in reducing risk in other areas, including areas where the same money would have bought a greater reduction in risk.

Suppose, for example, that we have £50,000 to invest and a choice between two projects, one that reduces our expected loss by £100,000 and another that reduces it by £200,000. If we choose the project with the lower return, we have left our exposure to risk unnecessarily high.

In some cases it will turn out that a business can lower its overall risk by investing in areas other than information security, an unfortunate fact that information security practitioners need to understand.
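The budget argument above, and the earlier point that a control can create risk as well as remove it, can be put together as a small allocation calculation. The following is an added example written for this article, not code from the original piece: it treats each candidate project as a cost plus an expected-loss reduction, subtracts any expected loss the project itself induces (offsetting behaviour, a frozen unpatchable configuration, contractor access), and picks the affordable set of projects that lowers overall exposure the most. The two £50,000 projects reproduce the article's numbers; the remaining project names, costs and loss figures are constructed assumptions.

```python
# Added example (not from the original article): choosing which risk-reducing
# projects to fund from a fixed budget when some projects also create risk.
# Project names, costs and loss figures are constructed for illustration; the two
# 50,000-pound projects mirror the article's numbers, the rest are assumptions.
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Project:
    name: str
    cost: int         # up-front spend, pounds
    reduction: int    # expected annual loss avoided, pounds
    induced: int = 0  # expected annual loss the project itself creates
                      # (offsetting behaviour, new attack surface, contractor access)

    @property
    def net_benefit(self) -> int:
        """Net change in expected loss; negative means the project raises exposure."""
        return self.reduction - self.induced


def best_portfolio(projects, budget):
    """Exhaustive 0/1 knapsack over projects: the affordable subset with the
    largest net reduction in expected loss. Fine for a handful of candidates;
    for dozens, use dynamic programming instead."""
    best, best_net = (), 0
    for r in range(1, len(projects) + 1):
        for subset in combinations(projects, r):
            if sum(p.cost for p in subset) > budget:
                continue
            net = sum(p.net_benefit for p in subset)
            if net > best_net:
                best, best_net = subset, net
    return [p.name for p in best], best_net


def net_negative(projects):
    """Projects whose induced risk exceeds the risk they remove: funding them
    raises overall exposure whatever the budget, so they are never worth buying."""
    return [p.name for p in projects if p.net_benefit < 0]


# Constructed candidate list (assumption, apart from the first two projects).
CANDIDATES = [
    Project("project_a", 50_000, 100_000),
    Project("project_b", 50_000, 200_000),
    # An appliance that must stay in a frozen, certified configuration: the
    # unpatched vulnerabilities it accumulates outweigh what it blocks.
    Project("frozen_certified_appliance", 20_000, 120_000, induced=150_000),
    # Outsourced monitoring: real detection gains, but contractor network
    # access carries an expected loss of its own.
    Project("contractor_run_monitoring", 20_000, 80_000, induced=30_000),
    # Not a security project at all, but a larger loss reduction per pound.
    Project("standby_generator", 30_000, 90_000),
]

if __name__ == "__main__":
    print("never fund:", net_negative(CANDIDATES))
    for budget in (50_000, 100_000):
        chosen, net = best_portfolio(CANDIDATES, budget)
        print(f"budget {budget:,}: fund {chosen}, net expected-loss reduction {net:,}")
```

With £50,000 the calculation funds only the £200,000 project, exactly as the text argues. With £100,000 it funds that project plus the outsourced monitoring and the generator, skips the lower-return £100,000 project, and never funds the frozen appliance, whose induced risk exceeds the risk it removes. Whether the chosen projects are "information security" spending is irrelevant to the calculation, which is the point of the preceding paragraph.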

Summary

Understanding the implications of any effort that is designed to reduce risks is extremely difficult.

Government health and safety regulations have a history of unintended consequences that were not expected by the proponents of the regulations, and we should expect information security to experience similar difficulties.

Because of this we should be prepared to revisit information security strategies if evidence of any such unintended consequences starts to become apparent.