Can Zealous Security Cause Harm?


Good security is about balancing Risks, Costs, and Usability. Too much or too little of each can be unhealthy and lead to unintended consequences. We are entering an era where the risks of connected technology can exceed the inconveniences of interrupted online services or the release of sensitive data. Failures can create life-safety issues and major economic impacts. The modernization of healthcare, critical infrastructure, transportation, and defense industries is beginning to push the boundaries and directly impact people’s safety and prosperity. Lives will hang in the balance and it is up to the technology providers, users, and organizations to ensure the necessary balance of security is present.

We are all cognizant of the risks in situations where insufficient security opens the door to exposure and the compromise of systems. Vulnerabilities allow threats to undermine the availability of systems, confidentiality of data, and integrity of transactions. On the other end of the spectrum, too much security can also cause serious issues.

A recent incident report described how a piece of medical equipment crashed during a heart procedure due to an overly aggressive anti-virus scan setting. The device, a Merge Hemo, is used to supervise heart catheterization procedures, in which doctors insert a catheter inside blood vessels to diagnose various types of heart disease. The module is connected to a PC that runs software to record and display data. During a recent procedure, the application crashed because the security software began scanning for potential threats. The patient remained sedated while the system was rebooted, before the procedure could be completed. Although the patient was not harmed, the misconfiguration of the PC security software caused an interruption during an invasive medical procedure.

Security is not an absolute. There is a direct correlation between the increasing integration of highly connected and empowered devices and the risk of more frequent attacks with more severe impacts. The outcome of this particular situation was fortunate, but we should recognize the emerging risks and prepare to adapt as technology rapidly advances.

Striking a balance is important. It may not seem intuitive, but yes, too much security can be a problem as well. Protection is not free. Benefits come with a cost. Security functions can create overhead to performance, reduce productivity, and ruin users’ experiences. Additionally, security can increase the overall cost of products and services. These and other factors can create ripples in complex systems and result in unintended consequences. We all agree security must also be present, but the reality is, there must be an appropriate balance. The key is to achieve an optimal level, by tuning the risk management, costs, and usability aspects for any given environment and usage.

Interested in more? Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.

Originally published at https://www.linkedin.com.

Written by

Cybersecurity Strategist and CISO specializing in the evolution of threats, opportunities, and risks in pursuit of optimal security
