IsacaRoma: Hello, Professor Anderson and thanks for speaking to us too. Some days ago [2], you persuaded your publisher to let you put your book "Security Engineering" online for free download [3]. What was your goal?
Ross Anderson: Two goals. First, I want to reach the widest possible audience, especially among poor students. Second, I am a pragmatic libertarian on free culture and free software issues; I think that many publishers (especially of music and software) are too defensive of copyright. I don't expect to lose money by making this book available for free: more people will read it, and those of you who find it useful will hopefully buy a copy.
IR: What Is Security Engineering?
RA: Security engineering is about building systems to remain dependable in the face of malice, error, or mischance. Security engineering requires cross-disciplinary expertise, ranging from cryptography and computer security through hardware tamper-resistance and formal methods to a knowledge of applied psychology, organizational and audit methods and the law. System engineering skills, from business process analysis through software engineering to evaluation and testing, are also important; but they are not sufficient, as they deal only with error and mischance rather than malice.
IR: The book was written in January 2001 and your conclusion was that the protection of information in computer systems was no longer a scientific discipline, but an engineering one. What is the difference?
RA: Like any engineering problem, the protection of information needs a solid intellectual foundation - which comes from core disciplines such as cryptology, access control, information flow and signal detection. The security engineer must also understand the basics of management: how accounts work, the principles of economics and the business processes of her client. Applying science within business constraints is what engineering is all about. It also depends on learning from experience, and in my book I collect a lot of case histories of how security systems have failed. We have to learn from these, just as civil engineers learn more from the few bridges that fall down than from the many which don't.
IR: Thanks Professor.
Security Engineering - The Book [4]
- What is Security Engineering?
- Protocols
- Passwords
- Access Control
- Cryptography
- Distributed Systems
- Multilevel Security
- Multilateral Security
- Banking and Bookkeeping
- Monitoring Systems
- Nuclear Command and Control
- Security Printing and Seals
- Biometrics
- Physical Tamper Resistance
- Emission Security
- Electronic and Information Warfare
- Telecom System Security
- Network Attack and Defense
- Protecting E-Commerce Systems
- Copyright and Privacy Protection
- E-Policy
- Management Issues
- System Evaluation and Assurance
- Conclusions
- Bibliography
IsacaRoma Newsletter links
- Interview with Ross Anderson [5] (Italian)
- Interview with Ross Anderson [6] (English)
- Ross Anderson: Why Information Security Is Hard - An Economic Perspective [7] (Italian)
- Ross Anderson presents WEIS 2006 [8] (Italian)
- Ross Anderson on WEIS 2006, the fifth Workshop on the Economics of Information Security (WEIS 2006) [9] (English)
- Privacy in the Digital Age [10] (Italian)
- Bruce Schneier: Questions & Answers [11] (English)
- Bruce Schneier: Questions and Answers [12] (Italian)
- Bruce Schneier: Software Vulnerabilities and Liability [13] (Italian)