Reflections from Ross Anderson’s Security Engineering: Definitions and language matters
Thoughts on Chapter 1 — and on why precision in language matters in cybersecurity.
This piece first appeared as a LinkedIn post. I’m adding it here for completeness and to keep all my notes on Ross Anderson’s classic Security Engineering in one place.
In keeping with the rigor of a true scholar, Professor Anderson opens his book by defining terms and establishing the conceptual framework for his later analysis.
Sadly, it’s all too common for authors to skip this step, leaving plenty of room for ambiguity. Things get worse when an everyday word is used to describe a complex concept—without definition, people rely on impressions or feelings about what it must mean. The result is confusion—not only among readers but often for the author himself, who is less likely to stay consistent if he hasn’t first defined his terms.
As Professor Anderson aptly notes:
“‘Security’ is a terribly overloaded word, which often means quite incompatible things to different people. To a corporation, it might mean the ability to monitor all employees’ email and web browsing; to the employees, it might mean being able to use email and the web without being monitored.”
It’s almost amusing that even the very word ‘security’—central to our field—can be understood in such contradictory ways. After all, where you stand depends on where you sit.
As another example, Anderson goes on to clarify—or rather, to attempt to clarify—what we mean by a system. He lists six possible definitions (and I’m sure there could be more, especially from an interdisciplinary lens) and notes, beautifully:
“Confusion between the above definitions is a fertile source of errors and vulnerabilities.”
In Cybersecurity and Privacy, Language Leaks Too
What Professor Anderson doesn’t touch on—perhaps naturally, as a native English speaker—is yet another layer of linguistic precision.
The world of cybersecurity, like IT in general, is dominated by English. While it’s undoubtedly the global lingua franca, English can sometimes be less precise than other languages—Latin, for instance—partly because it lacks grammatical gender.
Consider a simple example: “Yesterday, I was drinking wine with my neighbour”. The precision is gone already (or, as an Englishman might say, privacy preserved 🙂). The French, however, know well the not-so-subtle difference between “Hier, j’ai bu du vin avec mon voisin” and “Hier, j’ai bu du vin avec ma voisine”. Their language, by its very structure, enforces a degree of specificity they may not always welcome—for understandable reasons.
(I used a French example because very few people speak Latin today—a real pity, as learning Latin trains you to express ideas with razor-sharp precision while staying concise.)
That being said, losing precision might also have consequences for cybersecurity—and, worse yet, we may not notice them until it’s too late.
My notes on «Security Engineering» are not meant to be complete. I focus on extracting the non-obvious — finding the small gems, highlighting what’s particularly interesting, or capturing the essence of a broader idea. I often add my own observations, drawn from intersections between technology, language, philosophy, and other fields of knowledge.


