Security

TOPIC AREA

What Is Security?

Security is the discipline concerned with protecting assets, including people, information, property, and systems, from threats that could cause harm, disruption, or loss. It encompasses technical controls such as cryptographic protocols and access management systems, physical measures such as barriers and surveillance, and organizational practices such as security policies and personnel vetting. The field draws from electrical engineering, computer science, psychology, and organizational theory, integrating these perspectives because effective security must account for both technical attack surfaces and the human behaviors that create or close vulnerabilities.

Security problems are adversarial in character, distinguishing them from reliability problems where failures arise from physical wear or design imperfection rather than deliberate exploitation. An adversary actively searches for weaknesses and adapts tactics in response to defenses, so security measures must be designed not just to address known threats but to raise the cost of attacks and limit the damage when breaches occur.

Cybersecurity

Cybersecurity is the protection of computer systems, networks, and data from unauthorized access, use, disclosure, disruption, or destruction. It encompasses network security (firewalls, intrusion detection), endpoint security (antivirus, endpoint detection and response), application security (secure coding practices, vulnerability scanning), and data security (encryption, data loss prevention). The threat landscape includes malware, ransomware, phishing, supply chain attacks, and nation-state-sponsored intrusions. The NIST Cybersecurity Framework, first published in 2014 and updated in 2024, provides a widely adopted voluntary structure for organizing cybersecurity activities around five functions: Identify, Protect, Detect, Respond, and Recover. Organizations across critical infrastructure sectors, including energy, healthcare, and finance, have adopted the framework as a basis for risk management programs.

Cryptography

Cryptography is the mathematical science of securing information by transforming it into a form that is unreadable without a corresponding key or credential. Modern cryptography rests on computational hardness assumptions: problems such as integer factorization (the basis of RSA) and discrete logarithm computation (the basis of elliptic curve cryptography) are computationally intractable with current algorithms and hardware. Symmetric encryption algorithms such as AES-256 protect data in storage and transit; asymmetric public-key algorithms support key exchange and digital signatures. Hash functions such as SHA-3 provide data integrity verification. The anticipated arrival of cryptographically relevant quantum computers has driven the NIST Post-Quantum Cryptography standardization program, which in 2024 standardized the first quantum-resistant algorithms including CRYSTALS-Kyber and CRYSTALS-Dilithium.

Authentication and Access Control

Authentication is the process of verifying that an entity (a user, a device, or a service) is who or what it claims to be. Methods include knowledge factors (passwords and PINs), possession factors (hardware tokens and smart cards), and inherence factors (biometrics such as fingerprint, face, or iris recognition). Multi-factor authentication (MFA) combines two or more of these categories to increase assurance. Access control defines what authenticated entities are permitted to do, implemented through models such as role-based access control (RBAC), attribute-based access control (ABAC), and mandatory access control (MAC), each offering different tradeoffs between flexibility and policy expressibility. Biometric security systems have gained broad deployment in smartphones, border control, and enterprise identity management, with IEEE standards such as IEEE 2410 addressing biometric open protocol specifications.

Physical Security and Alarm Systems

Physical security addresses threats that require physical presence or access to a facility, system, or person. Controls include perimeter barriers (fences, bollards), controlled-access points (card readers, turnstiles, security personnel), surveillance systems (closed-circuit television, motion detectors), and environmental systems (lighting, intrusion sensors). Alarm systems detect unauthorized access or anomalous conditions and trigger alerts to security personnel or emergency services. Physical and cybersecurity are increasingly integrated: a physical intrusion into a data center can defeat technical controls, and a cyberattack on building management systems can disable physical barriers. The ASIS International security standards program develops the primary voluntary standards for physical security management, including the Physical Asset Protection standard.

Applications

Security has applications in a wide range of fields, including:

  • Critical infrastructure protection, including power grids, water systems, and communications networks
  • Financial services, protecting transactions, customer data, and trading systems from fraud
  • Healthcare information security, safeguarding electronic health records under regulations such as HIPAA
  • Government and defense, securing classified systems and communications
  • Supply chain security, verifying the integrity of hardware and software components
  • Public safety and law enforcement, through surveillance, biometric identification, and access control