
Security engineering is the process of incorporating security controls into an information system so that the controls become an integral part of the system's operational capabilities. It is similar to other systems engineering activities in that its primary motivation is to support the delivery of engineering solutions that satisfy pre-defined functional and user requirements, but it has the added dimension of preventing misuse and malicious behavior. Those constraints and restrictions are often asserted as a security policy.

In one form or another, security engineering has existed as an informal field of study for several centuries. For example, the fields of locksmithing and security printing have been around for many years. The concerns for modern security engineering and computer systems were first solidified in a RAND paper from 1967, "Security and Privacy in Computer Systems" by Willis H. Ware. This paper, later expanded in 1979, provided many of the fundamental information security concepts, labelled today as cybersecurity, that impact modern computer systems, from cloud implementations to embedded IoT.

Recent catastrophic events, most notably 9/11, have made security engineering a rapidly growing field. In fact, in a report completed in 2006, it was estimated that the global security industry was valued at US$150 billion.

Security engineering involves aspects of social science, psychology (such as designing a system to "fail well", instead of trying to eliminate all sources of error), and economics as well as physics, chemistry, mathematics, criminology, architecture, and landscaping. Some of the techniques used, such as fault tree analysis, are derived from safety engineering. Other techniques such as cryptography were previously restricted to military applications. One of the pioneers of establishing security engineering as a formal field of study is Ross Anderson.


Qualifications

No single qualification exists to become a security engineer. However, an undergraduate and/or graduate degree, often in computer science, computer engineering, or physical-protection-focused degrees such as Security Science, in combination with practical work experience (systems, network engineering, software development, physical protection system modelling, etc.) most qualifies an individual to succeed in the field. Other degree qualifications with a security focus exist. Multiple certifications, such as the Certified Information Systems Security Professional or Certified Physical Security Professional, are available that may demonstrate expertise in the field.

Regardless of the qualification, the course must include a knowledge base to diagnose the security system drivers, security theory and principles including defense in depth, protection in depth, situational crime prevention and crime prevention through environmental design to set the protection strategy (professional inference), and technical knowledge including physics and mathematics to design and commission the engineering treatment solution. A security engineer can also benefit from having knowledge in cyber security and information security. Any previous work experience related to privacy and computer science is also valued. All of this knowledge must be braced by professional attributes including strong communication skills and high levels of literacy for engineering report writing. Security engineering also goes by the label Security Science.


Related fields

* Cybersecurity engineering
  * See especially Information security and Computer security
  * protecting data from unauthorized access, use, disclosure, destruction, modification, or disruption to access.
* Physical security
  * deter attackers from accessing a facility, resource, or information stored on physical media.
* Technical surveillance counter-measures
* Economics of security
  * the economic aspects of privacy and computer security.


Methodologies

Technological advances, principally in the field of computers, have now allowed the creation of far more complex systems, with new and complex security problems. Because modern systems cut across many areas of human endeavor, security engineers need to consider not only the mathematical and physical properties of systems; they also need to consider social engineering attacks on the people who use and form parts of those systems. Secure systems have to resist not only technical attacks, but also coercion, fraud, and deception by confidence tricksters.


Web applications

According to the Microsoft Developer Network, the patterns and practices of security engineering consist of the following activities:

* Security Objectives
* Security Design Guidelines
* Security Modeling
* Security Architecture and Design Review
* Security Code Review
* Security Testing
* Security Tuning
* Security Deployment Review

These activities are designed to help meet security objectives in the software life cycle.


Physical

* Understanding of a typical threat and the usual risks to people and property.
* Understanding the incentives created both by the threat and the countermeasures.
* Understanding risk and threat analysis methodology and the benefits of an empirical study of the physical security of a facility.
* Understanding how to apply the methodology to buildings, critical infrastructure, ports, public transport and other facilities/compounds.
* Overview of common physical and technological methods of protection and understanding their roles in deterrence, detection and mitigation.
* Determining and prioritizing security needs and aligning them with the perceived threats and the available budget.


Product

Product security engineering is security engineering applied specifically to the products that an organization creates, distributes, and/or sells. Product security engineering is distinct from corporate/enterprise security, which focuses on securing corporate networks and systems that an organization uses to conduct business. Product security includes security engineering applied to:

* Hardware devices such as cell phones, computers, Internet of things devices, and cameras.
* Software such as operating systems, applications, and firmware.

Such security engineers are often employed in separate teams from corporate security teams and work closely with product engineering teams.


Target hardening

Whatever the target, there are multiple ways of preventing penetration by unwanted or unauthorized persons. Methods include placing Jersey barriers, stairs or other sturdy obstacles outside tall or politically sensitive buildings to prevent car and truck bombings. Improving the method of visitor management and some new electronic locks take advantage of technologies such as fingerprint scanning, iris or retinal scanning, and voiceprint identification to authenticate users.


See also

Computer-related

* Authentication
* Cryptanalysis
* Data remanence
* Defensive programming (secure coding)
* Earthquake engineering
* Economics of security
* Engineering Product Lifecycle
* Explosion protection
* Password policy
* Secure coding
* Security hacker
* Security pattern
* Security Requirements Analysis
* Security testing
* Software cracking
* Software security assurance
* Systems engineering
* Trusted system

Physical

* Access control
* Authorization
* Critical infrastructure protection
* Environmental design (esp. CPTED)
* Mantrap
* Physical security
* Secrecy
* Secure cryptoprocessor
* Security through obscurity

Misc. Topics

* Full disclosure (computer security)
* Security awareness
* Security community
* Steganography
* Kerckhoffs's principle



Articles and papers


patterns & practices Security Engineering on Channel9

patterns & practices Security Engineering on MSDN

patterns & practices Security Engineering Explained

Basic Target Hardening from the Government of South Australia