Security engineering

Security engineering is a specialized field of engineering that focuses on the security aspects in the design of systems that need to be able to deal robustly with possible sources of disruption, ranging from natural disasters to malicious acts. It is similar to other systems engineering activities in that its primary motivation is to support the delivery of engineering solutions that satisfy pre-defined functional and user requirements, but with the added dimension of preventing misuse and malicious behavior. These constraints and restrictions are often asserted as a security policy.

In one form or another, security engineering has existed as an informal field of study for several centuries. For example, the fields of locksmithing and security printing have been around for many years.

Due to recent catastrophic events, most notably 9/11, Security Engineering has quickly become a rapidly growing field. In fact, in a recent report completed in 2006, it was estimated that the global security industry was valued at US$150 billion.^{[citation needed]}

Security engineering involves aspects of social science, psychology (such as designing a system to 'fail well' instead of trying to eliminate all sources of error) and economics, as well as physics, chemistry, mathematics, architecture and landscaping.^[1] Some of the techniques used, such as fault tree analysis, are derived from safety engineering.

Other techniques such as cryptography were previously restricted to military applications. One of the pioneers of security engineering as a formal field of study is Ross Anderson.

Qualifications

Typical qualifications for a security engineer are:

Professional Engineer, Chartered Engineer, Chartered Professional Engineer
Certified Protection Professional (CPP) - International certification by ASIS International
Physical Security Professional (PSP) - International certification by ASIS International
Certified Information Systems Security Professional (CISSP)

However, multiple qualifications, or several qualified persons working together, may provide a more complete solution.^[2]

Security stance

The two possible default positions on security matters are:

1. Default deny - "Everything, not explicitly permitted, is forbidden"

Improves security at a cost in functionality.

This is a good approach if you have lots of security threats.

2. Default permit - "Everything, not explicitly forbidden, is permitted"

Allows greater functionality by sacrificing security.

This is only a good approach in an environment where security threats are non-existent or negligible.

See computer insecurity for an example of the failure of this approach in the real world.

Core practices

Sub-fields

Physical security

deter attackers from accessing a facility, resource, or information stored on physical media.

Information security

protecting data from unauthorized access, use, disclosure, destruction, modification, or disruption to access.
See esp. Computer security and Malice Engineering

Technical surveillance counter-measures
Economics of security

the economic aspects of economics of privacy and computer security.

Methodologies

Technological advances, principally in the field of computers, have now allowed the creation of far more complex systems, with new and complex security problems. Because modern systems cut across many areas of human endeavor, security engineers not only need consider the mathematical and physical properties of systems; they also need to consider attacks on the people who use and form parts of those systems using social engineering attacks. Secure systems have to resist not only technical attacks, but also coercion, fraud, and deception by confidence tricksters.

Web applications

According to the Microsoft Developer Network the patterns & practices of Security Engineering consists of the following activities:

Security Objectives
Security Design Guidelines
Security Modeling
Security Architecture and Design Review
Security Code Review
Security Testing
Security Tuning
Security Deployment Review

These activities are designed to help meet security objectives in the software life cycle.

Physical

Canadian Embassy in Washington, D.C. showing planters being used as vehicle barriers, and barriers and gates along the vehicle entrance

Understanding of a typical threat and the usual risks to people and property.
Understanding the incentives created both by the threat and the countermeasures.
Understanding risk and threat analysis methodology and the benefits of an empirical study of the physical security of a facility.
Understanding how to apply the methodology to buildings, critical infrastructure, ports, public transport and other facilities/compounds.
Overview of common physical and technological methods of protection and understanding their roles in deterrence, detection and mitigation.
Determining and prioritizing security needs and aligning them with the perceived threats and the available budget.

Target hardening

Whatever the target, there are multiple ways of preventing penetration by unwanted or unauthorised persons. Methods include placing Jersey barriers, stairs or other sturdy obstacles outside tall or politically sensitive buildings to prevent car and truck bombings. Improving the method of visitor management and some new electronic locks take advantage of technologies such as fingerprint scanning, iris or retinal scanning, and voiceprint identification to authenticate users.

Employers of security engineers

US Department of State, Bureau of Diplomatic Security (ABET certified institution degree in engineering or physics required)^[3]
Google^[4]
Financial Services Industry, Health Care Industry,^[5] Energy Sector^[6]

Criticisms

Use of the term engineer

Some criticize this field^[who?] as not being a bona fide field of engineering because the methodologies of this field are less formal or excessively ad-hoc compared to other fields and many in the practice of security engineering have no engineering degree.

[1] Lua error in package.lua at line 80: module 'strict' not found.

[2] ttp://www.asla.org/safespaces/pdf/design_brochure.pdf

[3] ttp://careers.state.gov/specialist/opportunities/seceng.html

[4] ttp://googleonlinesecurity.blogspot.com/2012/06/security-warnings-for-suspected-state.html

[5] Lua error in package.lua at line 80: module 'strict' not found.

[6] Lua error in package.lua at line 80: module 'strict' not found.

[1]

[2]

[3]

[4]

[5]

[6]

v t e Engineering
Civil engineering	Architectural Construction Earthquake Hydraulic Mining Structural Geotechnical Transportation Environmental
Mechanical engineering	Aerospace Acoustical Automotive Marine Mechatronics Railway
Electrical engineering	Computer Control Electronics Electromechanics Optical Power Photonics Telecommunications Radio Frequency
Chemical engineering	Biochemical Biological Molecular Nanotechnology Process Reaction Thermodynamics Transport phenomena
Interdisciplinarity	Audio Mathematics and Computing Biomedical Fire Industrial Materials science Robotics Military Nuclear Security Systems Privacy
List of engineering branches Category:Engineering Engineering portal

Security engineering

Contents

Qualifications

Security stance

Core practices

Sub-fields

Methodologies

Web applications

Physical

Target hardening

Employers of security engineers

Criticisms

Use of the term engineer

See also

Further reading

Articles and papers

References

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools