Browse Definitions :
Definition

law of unintended consequences

Contributor(s): Ivy Wigmore

The law of unintended consequences is a frequently-observed phenomenon in which any action has results that are not part of the actor's purpose.

The superfluous consequences may or may not be foreseeable or even immediately observable and they may be beneficial, harmful or neutral in their impact. In the best-case scenario, an action produces both the desired results and unplanned benefits; in the worst-case scenario, however, the desired results fail to materialize and there are negative consequences that make the original problem worse.

Examples of the law of unintended consequences in play:

A company mandates security mechanisms, such as strong passwords or multifactor authentication, to protect sensitive data. However, because the new passwords are too difficult to remember or the procedures too cumbersome, users find ways to circumvent the mechanisms, such as writing passwords on sticky notes on the monitor.

In the United States, the Patriot Act expanded the power of law enforcement and government agencies to monitor and intercept the data of private citizens. One unintended consequence was a reluctance of companies and individuals to allow any of their data to be stored in the U.S.

As machine-to-machine (M2M) communications and the Internet of Things (IoT) develop, an increasing number of devices have the capacity to transmit data over a network. However, these devices are often things that have not traditionally had any ability to communicate and as such have no security mechanisms in place to protect them. An unintended consequence is security attacks on IoT devices, which have included a light bulb hack.

Factors that reduce the likelihood of unintended consequences include an understanding of the systems involved, careful planning and an attention to detail during execution. In recent years, the law of unintended consequences is often evoked in reference to complex systems, which by definition cannot be fully understood. As a result, any action that involves a complex system is certain to have unintended consequences.

In this TED talk, historian Edward Tenner discusses the gap between our ability to innovate and our ability to foresee the consequences:

This was last updated in February 2016

Continue Reading About law of unintended consequences

Join the conversation

2 comments

Send me notifications when other members comment.

Please create a username to comment.

Thanks Margaret. I can't help but think about this law in terms of information security. A few examples include:
  1. Patching to be more secure that ends up taking systems offline or breaking applications. Risks increase.
  2. When implementing a new security control, the time and effort required to keep it rolling often take away from other important work. Risks increase.
  3. When documenting and enforcing a security policy, it gets in the way of doing business. Risks increase.

This is an important law that must always be considered before implementing anything new in/around security.

Cancel
I think the most fascinating aspect of this law is the phenomenon that is mentioned above regarding computer passwords.  It is when we react to a problem with a solution that unintendedly ends up causing exactly what it was designed to prevent.
Cancel

-ADS BY GOOGLE

File Extensions and File Formats

SearchCompliance

  • risk management

    Risk management is the process of identifying, assessing and controlling threats to an organization's capital and earnings.

  • compliance as a service (CaaS)

    Compliance as a Service (CaaS) is a cloud service service level agreement (SLA) that specified how a managed service provider (...

  • data protection impact assessment (DPIA)

    A data protection impact assessment (DPIA) is a process designed to help organizations determine how data processing systems, ...

SearchSecurity

  • spyware

    Spyware is a type of malicious software -- or malware -- that is installed on a computing device without the end user's knowledge.

  • application whitelisting

    Application whitelisting is the practice of specifying an index of approved software applications or executable files that are ...

  • botnet

    A botnet is a collection of internet-connected devices, which may include PCs, servers, mobile devices and internet of things ...

SearchHealthIT

SearchDisasterRecovery

  • business continuity plan (BCP)

    A business continuity plan (BCP) is a document that consists of the critical information an organization needs to continue ...

  • disaster recovery team

    A disaster recovery team is a group of individuals focused on planning, implementing, maintaining, auditing and testing an ...

  • cloud insurance

    Cloud insurance is any type of financial or data protection obtained by a cloud service provider. 

SearchStorage

  • DRAM (dynamic random access memory)

    Dynamic random access memory (DRAM) is a type of semiconductor memory that is typically used for the data or program code needed ...

  • RAID 10 (RAID 1+0)

    RAID 10, also known as RAID 1+0, is a RAID configuration that combines disk mirroring and disk striping to protect data.

  • PCIe SSD (PCIe solid-state drive)

    A PCIe SSD (PCIe solid-state drive) is a high-speed expansion card that attaches a computer to its peripherals.

Close