Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

Computer security is an unsolvable problem. So instead of trying to solve it, companies should think of network security as a set of risks that are inherent in doing business online. Viewing security from that perspective will lead to better decisions and superior technological design.

Obviously, security gives rise to some straightforward problems, and businesses should examine whether they have solved them. The recent revelation that the payment protocols in some widely used e-commerce sites allowed customers to purchase even physical goods without paying is an example of a security problem that is quantifiable and solvable.

But more often, computer security is better tackled with a risk-management approach, one that does not require exact quantification. It’s a personnel problem—much like office conflict, minor theft, misrepresentation of employee credentials, and employee health. Consider that employees who take risks to get their jobs done are both assets to the organization and threats to computer security. For example, an employee who manages to tunnel around the corporate firewall to log in remotely sees the positive results of access from home. The employee’s supervisor sees only increased productivity. Security risks are part of getting the job done. Networking and connectivity inherently include risk just as hiring a human being inherently carries risk.

Security as risk management is not a new idea, but recognizing that the risks can never be entirely eliminated requires a different way of thinking. “Threats” must be countered or neutralized. In contrast, risks are mitigated or shifted. In the 1970s environmental regulators observed that the greatest risks may come from the pursuit of zero risks, and much the same can apply when critical business functionality is limited by security.

Because effective security management requires managing the human element, risk communication needs to be part of any mitigation strategy. Individuals will work around security constraints that prevent them from working effectively: “The computer wouldn’t let me” is not an acceptable reason for failure. If the choice is between computer security compliance and getting the job done, security compliance will lose every time. An employee who takes files home in order to work on the weekend experiences only increased output, and intends only the best for the organization. Conversely, if employees understand that they are indeed taking risks, and putting the organization at risk, then they can be persuaded to protect the organization. Computer security can be transformed from a set of seemingly arbitrary requirements (created by some technical others who do not understand the work to be done) into a reality of daily living, like locking the car, that everyone has to do.

2 comments. Share your thoughts »

Credit: Technology Review

Tagged: Business, Business Impact, Securing Data

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me