Security Engineering

A Guide to Building Dependable Distributed Systems
ISBN-13: 9781119642787
Published: 2021
Publication date: 26.01.2021
Pages: 1182
Author: Ross Anderson
Weight: 2130 g
Format: 244x200x57 mm
Language: English
Description:

ROSS ANDERSON is Professor of Security Engineering at Cambridge University in England. He is widely recognized as one of the world's foremost authorities on security. In 2015 he won the Lovelace Medal, Britain's top award in computing. He is a Fellow of the Royal Society and the Royal Academy of Engineering. He is one of the pioneers of the economics of information security, peer-to-peer systems, API analysis and hardware security. Over the past 40 years, he has also worked or consulted for most of the tech majors.

Preface to the Third Edition
Preface to the Second Edition
Preface to the First Edition
For my daughter, and other lawyers...
Foreword

Part I

Chapter 1 What Is Security Engineering?
1.1 Introduction
1.2 A framework
1.3 Example 1 - a bank
1.4 Example 2 - a military base
1.5 Example 3 - a hospital
1.6 Example 4 - the home
1.7 Definitions
1.8 Summary

Chapter 2 Who Is the Opponent?
2.1 Introduction
2.2 Spies
2.2.1 The Five Eyes
2.2.1.1 Prism
2.2.1.2 Tempora
2.2.1.3 Muscular
2.2.1.4 Special collection
2.2.1.5 Bullrun and Edgehill
2.2.1.6 Xkeyscore
2.2.1.7 Longhaul
2.2.1.8 Quantum
2.2.1.9 CNE
2.2.1.10 The analyst's viewpoint
2.2.1.11 Offensive operations
2.2.1.12 Attack scaling
2.2.2 China
2.2.3 Russia
2.2.4 The rest
2.2.5 Attribution
2.3 Crooks
2.3.1 Criminal infrastructure
2.3.1.1 Botnet herders
2.3.1.2 Malware devs
2.3.1.3 Spam senders
2.3.1.4 Bulk account compromise
2.3.1.5 Targeted attackers
2.3.1.6 Cashout gangs
2.3.1.7 Ransomware
2.3.2 Attacks on banking and payment systems
2.3.3 Sectoral cybercrime ecosystems
2.3.4 Internal attacks
2.3.5 CEO crimes
2.3.6 Whistleblowers
2.4 Geeks
2.5 The swamp
2.5.1 Hacktivism and hate campaigns
2.5.2 Child sex abuse material
2.5.3 School and workplace bullying
2.5.4 Intimate relationship abuse
2.6 Summary
Research problems
Further reading

Chapter 3 Psychology and Usability
3.1 Introduction
3.2 Insights from psychology research
3.2.1 Cognitive psychology
3.2.2 Gender, diversity and interpersonal variation
3.2.3 Social psychology
3.2.3.1 Authority and its abuse
3.2.3.2 The bystander effect
3.2.4 The social-brain theory of deception
3.2.5 Heuristics, biases and behavioural economics
3.2.5.1 Prospect theory and risk misperception
3.2.5.2 Present bias and hyperbolic discounting
3.2.5.3 Defaults and nudges
3.2.5.4 The default to intentionality
3.2.5.5 The affect heuristic
3.2.5.6 Cognitive dissonance
3.2.5.7 The risk thermostat
3.3 Deception in practice
3.3.1 The salesman and the scamster
3.3.2 Social engineering
3.3.3 Phishing
3.3.4 Opsec
3.3.5 Deception research
3.4 Passwords
3.4.1 Password recovery
3.4.2 Password choice
3.4.3 Difficulties with reliable password entry
3.4.4 Difficulties with remembering the password
3.4.4.1 Naïve choice
3.4.4.2 User abilities and training
3.4.4.3 Design errors
3.4.4.4 Operational failures
3.4.4.5 Social-engineering attacks
3.4.4.6 Customer education
3.4.4.7 Phishing warnings
3.4.5 System issues
3.4.6 Can you deny service?
3.4.7 Protecting oneself or others?

Now that there's software in everything, how can you make anything secure? Understand how to engineer dependable systems with this newly updated classic
 
In Security Engineering: A Guide to Building Dependable Distributed Systems, Third Edition, Cambridge University professor Ross Anderson updates his classic textbook and teaches readers how to design, implement, and test systems to withstand both error and attack.
 
This book became a best-seller in 2001 and helped establish the discipline of security engineering. By the second edition in 2008, underground dark markets had let the bad guys specialize and scale up; attacks were increasingly on users rather than on technology. The book repeated its success by showing how security engineers can focus on usability.
 
Now the third edition brings it up to date for 2020. As people now go online from phones more than laptops, most servers are in the cloud, online advertising drives the Internet and social networks have taken over much human interaction, many patterns of crime and abuse are the same, but the methods have evolved. Ross Anderson explores what security engineering means in 2020, including:
* How the basic elements of cryptography, protocols, and access control translate to the new world of phones, cloud services, social media and the Internet of Things
* Who the attackers are - from nation states and business competitors through criminal gangs to stalkers and playground bullies
* What they do - from phishing and carding through SIM swapping and software exploits to DDoS and fake news
* Security psychology, from privacy through ease-of-use to deception
* The economics of security and dependability - why companies build vulnerable systems and governments look the other way
* How dozens of industries went online - well or badly
* How to manage security and safety engineering in a world of agile development - from reliability engineering to DevSecOps
 
The third edition of Security Engineering ends with a grand challenge: sustainable security. As we build ever more software and connectivity into safety-critical durable goods like cars and medical devices, how do we design systems we can maintain and defend for decades? Or will everything in the world need monthly software upgrades, and become unsafe once they stop?
