Alan May 5, 2008 6:52 PM

In 2003, were there more mobile phones connected to the internet than computers?

Mark May 5, 2008 7:14 PM

Alan, I read that too & was a bit surprised at that comment… Does Ross still refer to Bruce as Prince Schneier? That was awesome…

Anonymous May 5, 2008 8:03 PM

In my intro to engineering class (some years back now), I learned something about engineering:

“Engineering is the art of applying mathematics to the solution of real world problems.”

Our class, like others before and after us, went over that definition in some depth. It’s a compact description –perhaps even elegant– and there’s enough packed into it to make a good hour-long lecture.

I’m sorry, but I don’t think security “engineering” is an engineering discipline yet. It may be an art, with a recognized body of knowledge common among practitioners, but it’s still too much black art and too little mathematics.


Kim May 5, 2008 11:47 PM


“Engineering is the art of applying mathematics to the solution of real world problems.”

I’ve always thought of engineering being the application of (repeatable) science to the solution of real world problems.

Does it have to be mathematics? Or can it be broadened to observed and tested phenomena?


Chris Samuel May 6, 2008 7:44 AM

I wish my copy would arrive already!

I pre-ordered mine through Amazon and I know it’s on the way, but being in Australia it takes an age to get here.. 🙁

Kevin D. S. May 6, 2008 7:53 AM

I purchased a copy last week. I’ve only read the first few chapters of this edition but I’m enjoying it at least as much as the first. My only wish is for the book to be published in two volumes. It gets a bit tricky to lug it around with a laptop and lunch box! 🙂

Regarding “Security” and “Engineering:” Certainly “Security Engineering” is not as mature as its siblings. However, this book helps to speed the maturation process. When we can recognize the underlying elements, we can begin to develop and mature standardized methods.

Thanks, Ross! Outstanding!

Anonymous May 6, 2008 9:02 AM

“I’ve always thought of engineering being the application of (repeatable) science to the solution of real world problems.”


I don’t think we’re disagreeing in substance. There might be a slight difference in superficial style or emphasis.

The word “mathematics” is the one I do remember from my introductory lecture–but perhaps that word choice is part of the reason the compact description takes some commentary to unfold.

In my comment above, I almost used the phrase “mathematical models”. Implicit in the idea of “applying mathematics” is the idea that there is an acceptable model of a real-world phenomenon.

Those mathematical models must originate from repeatable science.

It’s precisely the lack of modelling that I’m criticizing in security “engineering”.

When Bruce criticizes the TSA, for instance, as he does often enough here on this blog, he doesn’t usually make what I would consider “engineering” criticisms. That is, he doesn’t say “here is a validated model for air transport security” and “here is the result of my calculations based on that model”. No one does that. Because, in all honesty, we don’t know how yet. The underlying security science isn’t there yet to be turned into engineering art.

P.E. Dabbler May 6, 2008 9:10 AM

engineer == small engine mechanic who could afford to go to university


Ross May 6, 2008 1:49 PM

One of the messages I try to get across in my book is that a security engineer can use many different models – that is, many types of mathematics – to analyse protection problems. In addition to the well-known models from cryptography (number theory, statistics) and computer science (complexity, semantics), we can draw on electrical engineering (Maxwell’s equations) and economics (microeconomic analysis) to explain other phenomena. There are other, less mathematical, disciplines that matter too – from psychology to locksmithing.

Keith May 6, 2008 2:36 PM

Re: What is engineering. I always thought it was the art of making things work.

My memory (20+ yrs ago so permit some memory lapse) is of the material science lectures in the 1st year, an entire year on the maths of semiconductors. On the other hand the circuits guy said the pn potential is between 0.6V and 0.7V use 0.65V, it’s close enough and works. Now that is engineering.

Pat Cahalan May 6, 2008 3:52 PM

Here’s a couple of definitions for y’all to chew on.

Engineering: The process of using existing scientific and mathematical knowledge to design and create an object for the express purpose of realizing a solution to a problem within a given context and set of failure scenarios.

Science: The process of exposing phenomena to observation for the purpose of creating predictive or explanatory models.

Mathematics: The process of developing or exploring logically consistent closed systems.

Design: The process of exposing underlying assumptions to observation for the purpose of ensuring engineering takes place within the proper context.

Reader X May 6, 2008 4:35 PM

Readers of this blog may also enjoy Ross Anderson’s blog, Light Blue Touchpaper (

Got my copy of the 2e last week. Among other things, I think we finally have a robust-enough textbook for a graduate-level security class (for IT, engineering, MBA, etc.)

Scott Shorter May 8, 2008 5:57 AM

Got my copy a couple of days ago, will have time to curl up with it this weekend.

Eli May 8, 2008 3:30 PM

My eyes! The typos!

The information in the online pdfs is interesting, but the number of typos in the text is astounding.

I think I’ll wait for the next printing to purchase.

devoman May 9, 2008 5:57 AM

My own definition of engineering:

“Engineering is the art of making the right compromises”

Mark Bacchus July 22, 2008 6:07 AM

I am planning to read this book but it comes in 2 editions, what are the differences and is it worth reading the first free version out there?

