
The broken Windows fallacy

The idea that malicious security crackers serve a greater good is an example of the broken window fallacy. Chad Perrin addresses the idea that the industry "needs" these miscreants for certain IT jobs to survive.

Frédéric Bastiat illustrated the broken window fallacy in an essay entitled That Which Is Seen and That Which Is Unseen. When someone claims that a destructive event creates opportunity and productivity benefits that outweigh the detrimental effects, that person (almost always) engages in fallacious thinking.

The term "broken window fallacy" arises from Bastiat's parable of the broken window, in which the following argument is made:

It is an ill wind that blows nobody good. Everybody must live, and what would become of the glaziers if panes of glass were never broken?

The assumption there is that, if windows didn't break, the glaziers' industry would be gutted. As a result, though the shopkeeper whose window was broken is at least momentarily inconvenienced, it seems this event may actually be a blessing in disguise, contributing to the prosperity of an entire industry. The vandal who breaks the window may even be regarded as a hero for setting such benefits in motion!

Bastiat, however, has other ideas:

It is not seen that as our shopkeeper has spent six francs upon one thing, he cannot spend them upon another. It is not seen that if he had not had a window to replace, he would, perhaps, have replaced his old shoes, or added another book to his library. In short, he would have employed his six francs in some way, which this accident has prevented.

The resources that were expended fixing the damage of the broken window were diverted from other uses. One might argue that the end result, then, is neutral — because there's nothing saying that the book binder who would otherwise have received that money is more deserving of it than the glazier who did receive the money.

This all ignores the quality of life of the shopkeeper whose window was broken, however. His money was essentially spent double-paying for something he already owned. If the window had not been broken, he might have actually improved quality of life for himself and his family by purchasing something new. Alternatively, such incidents of misfortune might prompt him to raise prices on his goods, thus impacting the lives of his customers. Given enough such incidents, he may even be forced to eventually close up his shop entirely.

The broken window fallacy is that of the person who ignores lost opportunities, some of which we may never even be able to identify because they did not arise in the first place. The cost may be, literally, immeasurable.

Compare this to statements to the effect that we "need" malicious security crackers. Apparently, these people induce software developers and vendors to make their software better. They ensure that more software developers and security professionals are employed. They, more so than vandals throwing rocks at shop windows, essentially create an entire industry! In some respects, they are surely heroes.

Similarly, when debates arise over the suitability of given pieces of software for security or stability purposes, some wit may point out that without the failures of that piece of software he or she may not even have a job:

"I'm glad Windows breaks down from time to time. It keeps me employed."

I've seen that at least half a dozen times in the last few years at TechRepublic alone.

I made a living almost exclusively at fixing broken Windows for a while. I was technically an IT consultant, working for a consultancy in Florida, but I might as well have called myself a glazier at the time. When I find upwards of 17,000 separate virus, worm, and other malware infections on a single machine, I'd say that Windows install was definitely broken. Now, I'm writing about security for TechRepublic, a job that probably wouldn't even be necessary at all if not for the activities of malicious security crackers, the vulnerabilities of poorly designed software, and the behavior of security-unconscious users.

That doesn't mean I want, or ever wanted, these problems to exist so that I could make a buck. If I could make a choice to either increase the frequency and severity of IT security problems (thus increasing my services' market value) or decrease them to the extent that I have to find a new line of work — all else being equal — I would select the latter without hesitation. I can find another line of work, if necessary; I cannot, however, magically make the money spent on my services appear out of thin air, allowing the people paying me to contribute more effectively to the production of wealth in the economic environment we both share.

The next time any of you feel tempted to defend malicious security crackers or developers of low-quality software, I hope you'll recognize that argument for what it is: an example of the broken Windows fallacy.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.
