I am Professor of Security Engineering at Cambridge University Computer Laboratory.
Security Engineering is about building systems to remain dependable in the face of malice, error or mischance. As a discipline, it focuses on the tools, processes and methods needed to design, implement and test complete systems, and to adapt existing systems as their environment evolves.

The focus of my work in academia has been building security engineering into a discipline. Fifteen years ago, some tractable parts of it – cryptography, protocols and operating system security – had well-developed theory, but the experts mostly didn’t talk to each other. Other aspects, such as software security, were a practitioners’ art, while yet other aspects (such as hardware security) were a combination of snake-oil and black magic.

Over the last fifteen years I’ve started strong research threads in neglected areas, ranging from hardware security to the uses of signal processing. I’ve also documented the evolution of a number of interesting new applications from ATMs to medical records, which have failure modes from which engineers can learn. In the past seven years I’ve developed security economics as an alternative framework for understanding the subject: very often systems fail not because of some technical mistake but because of misaligned incentives. For example, the people guarding a system are often not the people who suffer when it fails. I have written a book, ‘Security Engineering – A Guide to Building Dependable Distributed Systems’ [88, 155], which is now the standard reference. Along the way I’ve contributed to the design of a number of widely-deployed systems, from peer-to-peer systems through prepayment utility meters to the HomePlug standard for power-line communications.

Security engineering will replace ‘information security’ or ‘computer security’ as a subject because of the spread of computation and communications. There may already be more mobile phones connected to the Internet than computers. Within a few years we will see many of the world’s fridges, heart monitors, bus ticket dispensers, burglar alarms, and utility meters talking IP. Computing will be embedded invisibly everywhere; and many of the problems we’ve experienced with PCs are starting to turn up in other applications. Many insecure systems are built, and the resulting safety, privacy and crime prevention problems (both real and perceived) are a significant impediment to building the ‘electronic society’. The resulting policy issues – privacy, surveillance, forensics, DRM, competition policy – are steadily moving up the political agenda.

I chair the Foundation for Information Policy Research, the UK’s premier information think-tank, and am an elected member of my University’s governing body, the Council, for 2003-2010. I also teach courses in security and software engineering, and a service course in economics and law for computer scientists. I also co-organise our Laboratory’s group projects, which give students a foretaste of professional life.