
Reducing Insecurity in Security Engineering

Marc Tobias’ latest book seeks to reimagine engineering as an art form when designing security systems


Marc W. Tobias, J.D., earns his living designing security systems – and then breaking into them.

At the University of Pittsburgh, he has also taught students at the Swanson School of Engineering how to circumvent poor lock design – to help them learn how to build a better lock.

And now he’s written his latest book on physical security – and what he calls insecurity engineering in lock and systems design.

“Tobias on Locks and Insecurity Engineering,” published this month by Wiley, is his grand compendium on the history of lock engineering and the art of discovering and exploiting security vulnerabilities.

“From childhood, I was fascinated with taking things apart and figuring out how they worked – much to the chagrin of my parents,” Tobias says. “Eventually, my focus trained on locks and physical security systems – not how to make them, but how to break them and learn how something designed to keep things safe could so easily be defeated and therefore make them better.”

In his eighth book, Tobias writes about how locks have evolved over thousands of years. From pins and large keys to small tumblers and computer codes, lock systems have always faced one challenge – the human desire to compromise them. Tobias says that as lock technology and engineering have become more advanced and complex, locks have become easier to exploit.

“Engineers are brilliant individuals who create and build complex things that advance humanity. But there is also an artistic component required to anticipate how a complex thing can be broken,” he explains. “That’s why we are never captivated by the person who designs a lock, but rather by the eleven-year-old who can defeat a complex firewall in less than a minute with just their ingenuity and understanding of how to find that one failure point.”

This shortcoming in lock design, or “insecurity engineering,” as Tobias calls it, isn’t because of the companies that spend millions designing lock systems. Rather, he feels it comes from a focus on complex engineering in design, without thinking about how a professional might defeat it.

Ethical understanding of a criminal act

When he first established the Security Engineering Laboratory at Pitt’s Swanson School of Engineering with Visiting Assistant Professor Eric Winter, Tobias remembers the hesitancy of some students to try to defeat a lock or security mechanism.

“I would encounter students who, when I explained what an assignment would be, thought it was ‘unethical’ to try to break into something designed for security,” Tobias says. “And that’s when I thought what we’re dealing with is ‘insecurity engineering’ – an unrealistic fear to find fault in a design. That’s not necessarily antithetical to engineering -

“Yet that’s what I and others do to help companies design better physical security systems because I’ll tell you one thing – the safecracker or criminal doesn’t care if trying to find a vulnerability is unethical.”


A treatise on securing physical systems for the future

Across 27 chapters, Tobias imparts more than 50 years of experience to explore the different types of physical security systems across history and both the high- and low-tech means to thwart them. He reviews his own basic engineering rules not to describe how these systems work, but rather how to minimize or eliminate vulnerabilities.

He also goes into detail about the legal side of physical security – how flaws in design, both human and mechanical engineering, exponentially increase a company’s liability. Here, Tobias’ education and experience in law and law enforcement shine through, especially his decades of consulting – publicly and confidentially – with the world’s top security companies.

His results are also reflected in 31 patents and numerous appearances as an expert witness in criminal cases. The 700-page book ends with a compendium of his “Design Rules, Axioms, and Guidelines” for security engineering and an epilogue arguing that, despite advances in technology, mechanical locks will always be needed.

“No matter how complex a security system is, someone with imagination will be able to defeat it. That’s why I believe our engineering schools and STEM programs need to go beyond textbook learning and integrate programming that stimulates curiosity and imagination in the curriculum,” Tobias notes. “That’s why each semester, as part of our Security Engineering Lab course at Pitt, we sponsor projects for the School’s Design Expo. This is critical for workforce development and helping security companies reduce product vulnerability as much as possible.”

Tobias said that the book is written for design engineers, risk managers, lawyers, law enforcement agencies, crime labs, and engineering students. “In today’s environment, engineering students must be conversant with liability and intellectual property law and how it can apply to the systems they design.”