Can Zealous Security Cause Harm?

Security Balance.jpg

Good security is about balancing Risks, Costs, and Usability.  Too much or too little of each can be unhealthy and lead to unintended consequences.  We are entering an era where the risks of connected technology can exceed the inconveniences of interrupted online services or the release of sensitive data.  Failures can create life-safety issues and major economic impacts.  The modernization of healthcare, critical infrastructure, transportation, and defense industries is beginning to push the boundaries and directly impact people’s safety and prosperity.  Lives will hang in the balance and it is up to the technology providers, users, and organizations to ensure the necessary balance of security is present.

We are all cognizant of the risks in situations where insufficient security opens the door to exposure and the compromise of systems.  Vulnerabilities allow threats to undermine the availability of systems, confidentiality of data, and integrity of transactions.  On the other end of the spectrum, too much security can also cause serious issues.

A recent incident described how a piece of medical equipment crashed during a heart procedure due to an overly aggressive anti-virus scan setting.  The device, a Merge Hemo, is used to supervise heart catheterization procedures, while doctors insert a catheter inside blood vesicles to diagnose various types of heart diseases.  The module is connected to a PC that runs software to record and display data.  During a recent procedure, the application crashed due to the security software which began scanning for potential threats.  The patient remained sedated while the system was rebooted, before the procedure could be completed.  Although the patient was not harmed, the mis-configuration of the PC security software caused an interruption during an invasive medical procedure. 

Security is not an absolute.  There is a direct correlation between the increasing integration of highly connected and empowered devices, and the risks of elevated attack frequency with a greater severity of impacts.  The outcome of this particular situation was fortunate, but we should recognize the emerging risks and prepare to adapt as technology rapidly advances.

Striking a balance is important.  It may not seem intuitive, but yes, too much security can be a problem as well.  Protection is not free.  Benefits come with a cost.  Security functions can create overhead to performance, reduce productivity, and ruin users’ experiences.  Additionally, security can increase the overall cost of products and services.  These and other factors can create ripples in complex systems and result in unintended consequences.  We all agree security must also be present, but the reality is, there must be an appropriate balance.  The key is to achieve an optimal level, by tuning the risk management, costs, and usability aspects for any given environment and usage.

Interested in more?  Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.

Published on Categories SecurityTags ,
Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.