What is security: Definition through knowledge ...

Original Article

What is security: Definition through knowledge categorization David J. Brooks Security Research Centre (SECAU) at Edith Cowan University, Edith Cowan University, 100 Joondalup Drive, Joondalup, Perth 6027, Australia. E-mail: [email protected]

Abstract There have been a number of studies that have attempted to define the concept of security. However, as past authors have indicated, security is multidimensional in nature and diverse in practice. This diversity leads to difficulty in providing a single all encompassing definition for the many applied domains of security. Security cannot be considered singular in concept definition, as definition is dependant on applied context. This study reversed engineered an applied security definition through the critique of 104 undergraduate security degrees, resulting in the presentation of 13 core security knowledge categories. These 13 knowledge categories were then integrated into an existing Australian security framework, resulting in the presentation of the science of security framework model. This framework allowed a greater understanding of security through knowledge structure and placed concept definition within the applied context domain of organizational security. Security Journal advance online publication, 12th January 2009; doi:10.1057/sj.2008.18 Keywords: security; organizational; definition; body of knowledge; framework

Introduction The security industry incorporates diverse and multi-disciplined actors, originating and practicing across many disciplines. This multidimensional nature of security results in both a society and industry that has no clear understanding of a definition for the concept of security. Moreover, the current concept of security is so broad as to be impracticable (Manunta and Manunta, 2006). However, concept definition may be achieved once we gain understanding of an appropriate and relevant security body of knowledge. In addition, it is proposed that security can only achieve definition through applied context and concept definition (Brooks, 2007).

The Need to Understand the Concept of Security Exposure to terrorist attacks in many parts of the world (London, 2005; Jakarta, 2004; Russia, 2004; Spain, 2004; Bali, 2002 and New York, 2001) has raised social concern over the ability of governments to protect its citizens. For example, the 2002 Bali attacks touched all Australians, resulting in the Federal Government committing an additional A$3.1 billion to deal

© 2009 Palgrave Macmillan 0955–1622 Security Journal 1–15 www.palgrave-journals.com/sj/

1

Brooks

with the terrorist threat (Howard, 2004). In Europe, a billion Euro coherent strategy was developed to coordinate military and civilian research in security-related projects (Horvath, 2004). However security is to a degree an undefined term (Tate, 1997), as the security industry is broad and multidisciplined in nature (Hesse and Smith, 2001), with heterogeneous occupations. Current international politics has further broadened the definition of security, in both a national and international perspective. It has been proposed that security requires shared meaning (Manunta, 1999), although this is capricious (ASIS International, 2003, pp. 9–11) and with no universal agreement (Fischer and Green, 2004).

Defining the Concept of Security Security may be considered as assured freedom from poverty or want, precautions taken to ensure against theft, espionage or a person or thing that secures or guarantees (Collins English Dictionary and Thesaurus, 1992). According to Fischer and Green, ‘security implies a stable, relatively predictable environment in which an individual or group may pursue its ends without disruption or harm and without fear of such disturbance or injury’ (2004, p. 21). A traditional definition of security may be the provision of private services in the protection of people, information and assets for individual safety or community wellness (Craighead, 2003). In addition, private or commercial security may be considered as the provision of paid services in preventing undesirable, unauthorized or detrimental loss to an organization’s assets (Post and Kingsbury, 1991). However, security may be expanded to consider national security and the defence of a nation, through armed force or the use of force to control a state’s citizens. Security may also imply public policing, with state employed public servants. Still others may consider security as crime prevention, security technology and risk management or loss prevention (Brooks, 2007). Security may be considered as all of these, but this diversity results in a society that has no clear understanding of what security is, with a divergence of interests from many stakeholders (Manunta, 1999). Nevertheless, security may present very different meaning to different people (Davidson, 2005), given the time, place and context. Security has strong parallels with defence, as they both provide protection; however, there are ‘disturbing differences’ between these industries (Tate, 1997, p. iii). Defence, as with other related industries are often considered to be security. An example may be the parallelism demonstrated through police and military organizations, with the increasing convergence in their response to Australian national security challenges (Ferguson, 2004). In contrast and opposing this convergence is the breadth of agencies who may respond, as within Australia there are ‘over 30 separate government departments and agencies contributing to safeguarding Australia’ (Yates, 2004, p. 3). This diverse and multidimensional approach to security cannot support the definition of security (Morley and Vogel, 1993). As American Society for Industrial Security (ASIS) International stated, ‘every time we think we’ve got the definition of the security field nailed, somebody … starts taking some of the nails away’ (2003, p. 10).

A Supporting Security Body of Knowledge? There has been restricted research in presenting a security body of knowledge, with publications primarily by ASIS International (2003) and others (Hesse and Smith, 2001; Brooks, 2

© 2009 Palgrave Macmillan 0955–1622 Security Journal 1–15

What is security: Definition through knowledge categorization

2006; Security Professionals’ Taskforce, 2008; Talbot and Jakeman, 2008). These limited publications are perhaps due to the diverse nature of security, which makes research activity diffuse and security research difficult (Sarre, 2005). Although a single security body of knowledge has not been explicitly presented, there is supporting literature to develop such a body in many of the security domains. Supporting literature encompasses not only research or industry association publications but also appropriate undergraduate tertiary security courses. Researchers (Smith, 2001; Brooks, 2007) have argued that security experts have developed a rich knowledge structure, which can be extracted and defined as a consensus model (Smith, 2001). A view supported by McCrie, who stated that ‘the combination of industryspecific research and practices over the past generation has created a corpus of learning’ (2004, p. 17). Tertiary security courses may provide knowledge categories and supporting subordinate concepts, assisting in presenting a security body of knowledge and providing concept definition. Within the context of the study, undergraduate tertiary security courses were considered post-compulsory education that, in general, resulted in a Bachelor’s degree. These tertiary degree programmes, depending on regional locality, may consist of between 12 and 40 individual courses or units of study, taking 3 years of full time study to complete.

Study Objectives This paper presents one phase of a larger primary four-phase interpretive study, with this first phase developing and defining the knowledge categories of security. The primary study used multidimensional scaling to develop a psychometric concept map of security risk management. To achieve the primary objectives, the study had to define the knowledge categories of security. The knowledge categories aid, in part, a framework in defining both the science of security and a concept definition of security. A number of discrete research questions were developed, namely 1. What are the knowledge categories and subordinate concepts of security? 2. Can a science of security framework be developed and presented? In addition, the approach of the study was to consider can security be defined through applied context and concept definition? However, concept definition for most security situations is too capricious to effectively define. Therefore, applied context may be reverse engineered by considering the security body of knowledge that informed a definition of security.

Knowledge Categorization Knowledge categorization provided the scientific foundation to the inquiry, which included cognitive memory, knowledge categorization and expertise. Knowledge may be considered as ‘facts or experiences known by a person or group of people, specific information about a subject’ (Collins English Dictionary and Thesaurus, 1992, p. 557). However, according to © 2009 Palgrave Macmillan 0955–1622 Security Journal 1–15

3

Brooks

Clancey, knowledge ‘is more than written scientific facts and theories’ (1997, p. 285). Knowledge is not discovered, on the contrary, it uses and expands existing concepts (Novak and Gowin, 1984; Eysenck and Keane, 2002) and is ‘a possible state of affairs, either real or imaginary’ (Eysenck and Keane, 2002, p. 533). As new knowledge is gained, change in understanding regarding existing knowledge is achieved. Knowledge is viable (Rennie and Gribble, 1999), constructed and built on previous knowledge. Knowledge is integral to memory structure – defined as the way in which memory organizes, stores and retrieves information. The memory process has a major impact on the ability of longterm memory to retain and retrieve (Eysenck and Keane, 2002), resulting in a complex interactive process (Lockhart and Craik, 1990) that requires knowledge categorization. In our everyday life, a person is exposed to information that has to be economized and abstracted into categories; generally referred to as concepts. These concepts are developed and maintained within long-term memory; however, there is a cognitive balance between the number and effectiveness of possible concepts. Concepts need to be informative, based to a degree on the natural world, economic and cohesive (Eysenck and Keane, 2002) and organized into categories (Kellogg, 2003). Similar objects are grouped together within a conceptual category and these groupings are generally a product of the learner’s environment (Eysenck and Keane, 2002), defined as an exemplar-based view and considered as the informing theory supporting knowledge categorization.

Extracting the Knowledge Categories of Security The study investigated and critiqued 104 English-speaking institutions that offered tertiary security courses at undergraduate or postgraduate level. Search methods to list these courses used the world-wide-web, ASIS International (2007), Security Institute (Kidd, 2006), Australian University Guide (Good Guides, 2004) and Association of Universities and Colleges of Canada (2005). There was initially no limitation placed on the search criteria, as all institutions that offered security and allied industry courses were assessed (Table 1). In the world-wide-web search engines, data strings used were security; security course and security management. During May to July 2005 a list of courses and supporting data were gathered, independently reviewed by three security experts (two tertiary security academics and an industrial expert). From the 104 awards found, only undergraduate tertiary Bachelor Degree (pass)-level courses

Table 1: Location and number of security-related courses Country of origin Australia Canada United Kingdom United States of America New Zealand South Africa Total

4

Institutions offering security-related courses 11 8 5 74 5 1 104



that contained a security major were critiqued. There could be many more security courses, as Davidson stated there are now ‘more than 300 participating two and four year institutions’ (2005, p. 74); however, this includes ‘research programs, technological developments, services activities, training and degree programs’ (2005, p. 74). Owing to the breadth of security awards, college certificates, diplomas and postgraduate courses were not considered. Course data were then compared and based on this course data, the three security experts selected nine courses that contained what they considered to be most appropriate security content. During this examination, the security experts claimed that a large majority of these 104 courses were focused on allied or supporting industries and did not effectively represent organizational or corporate security. These allied industries included, but were not limited too, justice studies, police studies, political studies, criminology, law, social studies, management, business, technology and engineering. This breadth opposed the ASIS International list of security programmes, which stated that they only included ‘security programs; those with criminology or criminal justice programs are not included unless a security speciality is also offered’ (ASIS International, 2007, p. 1). A final seven courses were identified and assessed as containing security as a major area of study. Each course contained between 8 and 14 units of study, from which full unit syllabi were sourced. Unit syllabi included the course overview and units of study descriptions, objectives and overview of content.

Concept extraction from the selected undergraduate courses Concept extraction used Linguistic Inquiry and Word Count (Pennebaker et al, 2001) and commenced with an initial analysis of each critiqued course and unit of study titles, allowing initial concept categorisation. Concepts were counted each time they were used within the course title, although redundant words were not considered as a count (Hiemstra, 1996). The unit title concept count resulted in a summation of security concepts and a frequency count (f) of how often a concept was used (Table 2).

Development of the security knowledge categories Table 2 concepts were tabled for inclusion as a knowledge category if they produced a word frequency of two or greater (see dotted demarcation line in Table 2). The most used concepts were information security (14), followed by criminology and investigations (9) and security management (7). In supporting the assumption that these concepts were appropriate knowledge category descriptors, Table 2 was compared to both the ASIS common knowledge categories (American Society for Industrial Security, 2000) and the study’s pilot study (Figure 1). The concepts security and asset protection were excluded, as security was considered an implicit concept and asset protection considered subordinate. A comparison from the initial list of 17 concepts resulted in 13 (76.5 per cent) concepts being considered appropriate knowledge categories, with minor clarification in concept definition. For example, in Table 2 the category technology was put forward, whereas ASIS International (American Society for Industrial Security, 2000) common knowledge category used integrated security systems. These terms resulted in a final category label of security technology. © 2009 Palgrave Macmillan 0955–1622 Security Journal 1–15

5

Brooks

Table 2: Concepts count extracted from course units of study titles Concept f

Concept descriptor

14 9 7 6 5 4 3 2 2

Information security Criminology Security management Law Security Asset protection Fire and life safety Facility management Access control

Risk management

Technology

Safety Government security Industrial procedures Intrusion detection

Physical security Business continuity management Accounting

Administration Principles

Architectural design Public relations

1 1

Investigations

Intelligence

Expert validation (n=4)

17 Knowledge categories (Table 2)

ASIS International common knowledge categories (Table 5)

&

Knowledge categories of security (n=13)

15 Knowledge categories from the pilot study Figure 1: Knowledge category inclusion methodology.

Table 3: Security knowledge categories Security categories descriptors Criminology Facility management Investigations Security law Security technology

Business continuity management Industrial security Physical security Security risk management

Fire and life safety Information and computing Safety Security management

Four (23.5 per cent) of the concepts were not inclusive in the ASIS common knowledge categories (American Society for Industrial Security, 2000) and Table 2. These concepts of accounting, access control, government security and intrusion detection were considered to be either subordinate concepts of knowledge categories or non-security concepts. For example, accounting was considered a generic business function. Access control and intrusion detection 6



were considered subordinate concepts of security technology. Government security was considered a subordinate concept of industrial procedures. These concepts were therefore suitable for inclusion as more explicit concepts, not designated knowledge categories. Analysis resulted in a final 13 security knowledge categories (Table 3) being tabulated.

Operationalize category demarcation The 13 security knowledge categories were considered to have demarcation; however, it was not the prime intent of the study to provide inclusive concept definition. These knowledge categories require further academic and industry debate, to gain a degree of consensus. • Criminology: Theories, principles and concepts that consider the scientific study of crime (Collins English Dictionary and Thesaurus, 1992) and victimology; in particular, why crime is committed. This knowledge category may include principles such as crime prevention through environmental design, situational crime prevention and so on. • Business continuity management: Disaster, crisis, incident and business recovery that in general requires an initial response from government emergency services and support by site security, followed by further action from the organization itself. The purpose of business continuity management is to provide the organization with process and resources to achieve resumption of its critical business processes (American Society for Industrial Security, 2000; Standards Australia, 2004b). This category may be considered a subordinate category of risk management – as a risk mitigation strategy; however, still a discrete management function. • Facility management: The technique, process and practice of managing or controlling organizational resources to deliver the function of the built environment, in particular, an organization’s facilities (Langston and Lauge-Kristensen, 2002). The category was considered to include facility technology and management practices, for example facility design, strategic planning, fixed plant and equipment, plant maintenance, energy management and so on. • Fire and life safety: Theories, principles and concepts that consider the scientific study and treatment of fire and life safety, including building technology and the management of life safety and fire protection. • Industrial security: Application of security within specific industries, for example aviation security, maritime security, critical infrastructure protection, government security, campus security, retail security and so on. • Information and computing: Theories, principles, concepts and practices that consider protection methods within the digital environment, including computer technology, hardware and software. Examples may include system networks, servers, firewalls, viruses, honeypots and so on. However, Talbot and Jakeman (2008) propose that information and computing should be divided into two discrete categories, namely information security and information communications technology (ICT). • Investigations: Theories, principles, concepts and practices of security investigations, both process and technology. For example, the legal requirement during a private investigation, evidence admissibility, covert surveillance management and so on. © 2009 Palgrave Macmillan 0955–1622 Security Journal 1–15

7

Brooks

• Physical security: Theories, principles and concepts that use people, equipment (Garcia, 2001) and the built environment to control access to an organization’s assets, for example lock and keys, grills and so on. This knowledge category may include principles such as defence in depth (DinD), deter, detect, delay, respond and recover (D3R2) and so on. • Safety: Theories, principles, concepts and practices that consider a process for a safe and healthy work environment (American Society for Industrial Security, 2000). In the context of the study, this concept is considered to be Occupational Health and Safety, not necessarily the provision of safety provided by the function of security. • Security risk management: Theories, principles, concepts and practices that considers risk and risk management. Risk management may combine many disciplinary areas including, but not exclusively, mathematics, management, business and psychology. According to the Risk Management AS/NZS4360 Standard, risk management ‘is an integral part of good management … an iterative process of continuous improvement that is best embedded into existing practices or business process’ (Standards Australia, 2004a, p. 7). • Security law: Theories, principles, concepts, process and practices that consider how law affects organizational security, including civil, criminal, liabilities, counter strategies and so on. • Security management: Theories, principles, concepts, technique, process and practice of managing or controlling organizational resources to deliver the function of security (Collins English Dictionary and Thesaurus, 1992; American Society for Industrial Security, 2000). This category may include policy and procedures, administration, operations, training, awareness, finance, contracting, resource allocation, security decay and so on. • Security technology: Specific security technology applied in the protection of assets, for example intruder detection systems, closed circuit television , access control, biometric systems and so on. The future of this knowledge category may include ICT due to the ever increasing use of security technology over computer networks. These final 13 tabulated security knowledge categories (Table 3) responded, in part, to the study’s objective 1, namely, what are the knowledge categories and subordinate concepts of security?

Developing a Framework of Security There has been past studies (Hesse and Smith, 2001; American Society for Industrial Security, 2002; Bazzina, 2006) to develop a security body of knowledge and it was necessary to further contrast the study’s 13 security knowledge categories (Table 3) with these past studies. This comparison led to the development of the framework of security, integrating the 13 knowledge categories and responding to study objective 2; namely, can a science of security framework be developed and presented? One area of progression in the development of a security body of knowledge was the ASIS practitioner/academic symposia (American Society for Industrial Security, 1999; ASIS International, 2003). An outcome of these symposia was the development of a consensual security model containing the core element of security, which was to provide a baseline for tertiary-level course development (ASIS International, 2003). The 2000 ASIS 8



practitioner/academic symposium attempted to develop knowledge category descriptors for each of their proposed common elements of security (Table 4). Core knowledge categories, developed from the ASIS symposium (2000), resulted in the participants proposing a revised model (Table 5). The revised common knowledge categories increased from a previous nine concepts to 18 concepts. Further symposia focused on these 18 common knowledge categories, defining generic core competencies (American Society for Industrial Security, 2002) and commencing the development of a body of security knowledge (ASIS International, 2003). In contrast, Hesse and Smith (2001) proposed four knowledge categories appropriate for tertiary security education – security, business and management, computing and IT and generic (Table 6). It was postulated that through academia, these knowledge categories would provide security managers with core knowledge for appointment in the security industry. Although these knowledge categories may be appropriate for generic supervisory or managerial occupations, the security knowledge categories did conflict to some degree with those proposed by ASIS International (2003). A collaborative project between the Australian Attorney-General’s Department, Australian Standards and the Australian security industry attempted to identify and clarify requirements for future security standards. The project, funded by the Australian Federal Government, solicited and received comment from across the critical infrastructure protection network, both private and public. As part of the outcome, the project developed an initial integrated security framework model (Figure 2), broken into five knowledge

Table 4: ASIS common knowledge categories of security model Security Physical security Personnel security Information systems security

Risk management Legal aspects Loss prevention

Emergency/contingency planning Fire protection Investigations

Source: American Society for Industrial Security, 2000, p. 87.

Table 5: ASIS revised common knowledge categories of security model Security Physical security Personnel security Information systems security Investigations Loss prevention Risk management Legal aspects Emergency/contingency planning Fire protection

Crisis management Disaster management Counterterrorism Competitive intelligence Executive protection Violence in the workplace Crime prevention (general) CPTED Security architecture and engineering

Abbreviation: CPTED, Crime prevention through environmental design. Source: American Society for Industrial Security, 2000, p. 100.


9

Brooks

Table 6: Security education knowledge categories Security

Business and Management

Law Threats Security technology Security theory Risk management Technology Investigative procedures Security equipment Physical security Security standards Life safety systems Cultural knowledge Asset protection Intelligence Duty of care Fraud Security perception Surveillance

Law Management theory Technology Business Accounting Cultural knowledge Industrial relations HRM Contract management Duty of care Equal opportunity Ethics Fraud

Generic

Computing and IT

Analytical Research

IT systems

Abbreviations: HRM, Human resource management; IT, Information technology. Source: Hesse and Smith, 2001, pp. 98–99.

Strategic Governance Management Operational Technical IT & Computing

Identity & Access Control

Physical

Personnel

Procedural

Figure 2: Integrated security standards framework model (Bazzina, 2006, p. 85).

categories considered at four operating levels. The five knowledge categories consider IT and computing security, physical security, identity management and access control, procedural security and personnel security (Bazzina, 2006, pp. 85–86). Criticism of the integrated security standards framework model included failing to align with the complex approach from the Australian Commonwealth Protective Security Manual (Bazzina, 2006) and not considering risk management (Brooks, 2007). Also, the integrated 10



security framework (Figure 2) could be considered broad in approach and therefore difficult to operationalize, in particular when considering the ASIS common knowledge categories (Table 5). However, a further Standards Australia security standards framework was proposed, rectifying these criticisms by encapsulating overall governance and management of the organization, with risk management embedded within physical security, information security and personnel security (Bazzina, 2006). Nevertheless, the framework did not incorporate all of the knowledge categories proposed by either ASIS (2003) or Hesse and Smith (2001). After consultation with industry and government, the Risk Management Institution of Australasia developed a Security Risk Management Body of Knowledge publication (Talbot and Jakeman, 2008). Although focusing on security risk management, the document represented practice areas of security, namely protective security, people security, physical security, information security and ICT security. In a unique approach, information security and ICT were presented as discrete and separate knowledge areas. Information security was considered to be the protection of information, whereas ICT was considered to be the protection of information technology systems. Consideration was made that a principlesbased approach should be taken by categorizing security into practitioner areas (Risk Management Institution of Australasia, 2007), an approach put forward by Manunta (1999). However, the Risk Management Institution of Australasia (2007) considered security risk management as the prime security category. The view that security risk management is an ordinate knowledge category may be opposed, as according to Manunta, ‘there are a number of ontological discrepancies between the concept of security and that of risk, which deserve further study and investigation’ (2002, p. 43). In addition, the majority of security knowledge categories discussed presented risk management as a subordinate concept of security (Hesse and Smith, 2001; ASIS International, 2003). Nevertheless, this type of debate can only further assist the development and presentation of an overarching consensual security body of knowledge.

A Framework of Security To address some of the failings of the integrated security standards framework, the study integrated this framework with the 13 tabulated knowledge categories of security (Table 3) and past security standards framework (Figure 2). As these 13 knowledge categories combined, in part, past body of knowledge studies on this model may provide a framework for security (Figure 3). The framework responded to the study’s objective 2, namely, can a science of security framework be developed and presented? In addition, the tabulated knowledge categories and integrated framework provide some degree of concept definition, assisting in the understanding of organizational security. A number of assumptions were made during the development of the integrated framework. These assumptions considered that some knowledge categories were more relevant to security than others; therefore, the framework incorporates a hierarchy of knowledge categories. Level 1 may be considered core security knowledge categories, whereas level 2 are non-core knowledge categories. These non-core knowledge categories may be allied industries informing or supporting the general function of organizational security. Security, at the strategic, managerial (tactical) or operational level cannot be considered singular in concept definition, as definition is dependant on context. Nevertheless, security © 2009 Palgrave Macmillan 0955–1622 Security Journal 1–15

11

Brooks

Strategic Governance Management Operational Risk Management

IT & Computing

Physical

BCM Law

Criminology

Technology Facility Management

Investigations Fire & Life Safety

Personnel

Safety

Industrial

Level 1

Level 2

Figure 3: Integrated science of security framework. Note: BCM = Business continuity management.

may be considered in context, if that context is defined. Security context may be considered within the domains of international or national security, public security (Policing), private or organizational security and individual security, to name a few. The framework of security (Figure 3) provides some degree of concept definition within the context of private or organizational security for the protection of people, information and assets – extrapolated as the scientific inquiry of organizational security management (ASIS International, 2003). This view was supported by ASIS (2000), when indicating that organizational security management is a distinct field, separate from police or justice domains. Otherwise, with the breadth of applied security domains there could be a divergence of these distinct knowledge categories.

Limitation of the Study Limitations of the study were identified and include the provision of a conclusive definition of security, the breadth of tertiary security undergraduate courses critiqued and the expert sample size and nature. Tertiary security courses were selected and validated by security experts. However, security has no clear definition (Tate, 1997; Manunta, 1999; Horvath, 2004) and ‘means different things to different people’ (Davidson, 2005, p. 73). According to Hesse and Smith, security is diverse, without a defined knowledge or skill structure (2001, p. 89). Therefore, homogeneity in the selection and validation of expert groups during the study may have introduced some degree of distortion. The study attempted to address this concern with independent resources to triangulate data, for example the use of the ASIS International 1997–2003 Academic/Practitioner Symposiums (ASIS International, 2003). As the courses were critiqued in the six countries (Table 1) there has been an increase in security undergraduate course offerings, with a claim that in the United States alone there are now ‘more than 300 two and four-year institutions that participate with homeland security programs’ (Davidson, 2005, p. 72). However, it could be argued that these are not necessarily appropriate organizational security undergraduate courses. Given the breadth of security, not all security categories concepts were necessarily tabulated. For enhanced statistical confidence, the sample size of the study could have been larger. In addition, due to the non-probabilistic sampling approach, homogeneity of data, participants 12



and experts could have been experienced. These factors may have resulted in a degree of error in the final tabulated knowledge categories. Nevertheless, the study attempted to develop and present a consensual framework for security using international data. Such an approach, to some degree, resulted in removing individuality of courses from the resulting framework.

Further Research It is proposed that future research will use psychometric multidimensional scaling to concept map security experts view of the presented security knowledge categories (Figure 3). This psychometric concept mapping may provide a deeper understanding of these security categories relationships. For example, according to Standards Australia, business continuity management should be integrated with risk management (2004b). However, to what extent do security experts consider the strength of this relationship? In addition, how related is security technology to physical security, ICT and so on? Such mapping will allow further expert validation of the integrated framework.

Conclusion Security is capricious in nature and application, practised across many domains and with heterogeneous actors. Owing to this multidimensional nature, the concept of security is difficult to define. However, the study proposed that the concept of security may be defined when understanding the applied context. In addition, by developing and presenting a consensual body of knowledge within the applied context, concept definition may be achieved. Therefore, the study objectives were the tabulation of the knowledge categories of security and the presentation of these within an integrated framework. To achieve these outcomes, the study critiqued 104 English-speaking tertiary undergraduate degree courses, from six countries. This critique resulted in a final seven courses being analysed, with 13 security knowledge categories extracted from the syllabi and validated by similar studies. These knowledge categories included criminology, business contingency management, facility management, fire and life safety, industrial security, information and computer security, investigations, physical security, principles, security risk management, security law, security management and security technology. These 13 knowledge categories were integrated into the Australian security standards framework (Figure 2), addressing some of the criticism directed at this framework. This integration resulted in the proposed science of security framework (Figure 3), considering both core security knowledge categories and allied supporting concepts. Nevertheless, the study proposed that this framework may only consider the context of security within the domain of organizational or corporate security.

References American Society for Industrial Security. (1999) Proceedings of the 1999 Academic/Practitioner Symposium. Reno: American Society for Industrial Security, University of Nevada.


13

Brooks

American Society for Industrial Security. (2000) Proceedings of the 2000 Academic/Practitioner Symposium. Oklahoma: American Society for Industrial Security, The University of Oklahoma. American Society for Industrial Security. (2002) Proceedings of the 2002 Academic/Practitioner Symposium. Ohio: ASIS International, The University of Cincinnati. ASIS International. (2003) Proceedings of the 2003 Academic/Practitioner Symposium. Maryland: ASIS International, The University of Maryland. ASIS International. (2007) Academic institutions offering degrees and/or courses in security, http://www.asisonline. org/education/universityPrograms/traditionalprograms.pdf, accessed 7 March 2007. Association of Universities and Colleges of Canada. (2005) Speaking for Canada’s universities at home and abroad, http://oraweb.aucc.ca/pls/, accessed 28 July 2005. Bazzina, M. (2006) Security Standards and Support Systems Report: A Collaborative Project Between the Commonwealth Attorney-General’s Department and Standards Australia. Sydney, NSW: Standards Australia International. Brooks, D.J. (2006) Mapping the consensual knowledge of security risk management experts. In: C. Valli and A. Woodward (eds.) Proceedings of the 7th Australian Information Warfare and Security Conference. Perth, Western Australia: School of Computing and Information Science, Edith Cowan University, pp. 9–17. Brooks, D.J. (2007) Defining the Science of Security through Knowledge Categorisation. Paper presented at the Criminology and Victimlogical Society of Southern Africa (CRIMSA) Conference 2007, October, University of Pretoria, Pretoria. Clancey, W.J. (1997) The Conceptual Nature of Knowledge, Situations, and Activity. In: P.J. Feltovich, K.M. Ford and R.R. Hoffman (eds.) Expertise in Context: Human and Machine. Menlo Park, CA: The MIT Press, pp. 247–291. Collins English Dictionary and Thesaurus. (1992) Sydney, NSW: HarperCollins Publishers. Craighead, G. (2003) High-Rise Security and Fire Life Safety. Woburn, MA: Butterworth-Heinemann. Davidson, M.A. (2005) A matter of degrees. Security Management 49(12): 72–99. Eysenck, M.W. and Keane, M.T. (2002) Cognitive Psychology: A Student’s Handbook. New York: Psychology Press. Ferguson, G. (2004) Policing conference returns to Adelaide. Australian Defence Magazine 12(8): 54. Fischer, R.J. and Green, G. (2004) Introduction to Security. Boston, MA: Butterworth-Heinemann. Garcia, M.L. (2001) The Design and Evaluation of Physical Protection Systems. Boston, MA: ButterworthHeinemann. Good Guides. (2004) Helping you make decisions about where and what to study in Australia, http://www. thegoodguides.com.au/ggcontent/course/id, accessed 28 October 2004. Hesse, L. and Smith, C.L. (2001) Core Curriculum in Security Science. In: H. Armstrong (ed.) Proceedings of the 5th Australian Security Research Symposium. Perth, Western Australia: School of Computing and Information Science, Edith Cowan University, pp. 87–104. Hiemstra, R. (1996) What’s in a word? Changes in self-directed learning language over a decade, http://www-distance. syr.edu/word.html, accessed 20 October 2005. Horvath, J. (2004) The fear factor, http://www.telepolis.de/english/inhalt/te/18187/1.html, accessed 3 September 2004. Howard, J. (2004) Business government forum on national security, http://www.safeguardingaustralia.org.au/ Questions/Howard-address-23June04.doc, accessed 3 July 2004. Kellogg, R.T. (2003) Cognitive Psychology. Thousand Oaks, CA: Sage Publications. Kidd, S. (2006) The Security Institute yearbook and directory of qualifications 2006, http//www.security-institute. org/pdf/2006%20Yearbook.pdf, accessed 25 June 2007. Langston, C. and Lauge-Kristensen, R. (2002) Strategic Management of Built Facilities. Boston, MA: ButterworthHeinemann. Lockhart, R.S. and Craik, F.I.M. (1990) Levels of processing: A retrospective commentary on a framework for memory research. Canadian Journal of Psychology 44: 87–112. Manunta, G. (1999) What is security? Security Journal 12(3): 57–66. Manunta, G. (2002) Risk and security: Are they compatible concepts? Security Journal 15(2): 43–55. Manunta, G. and Manunta, R. (2006) Theorizing about Security. In: M. Gill (ed.) The Handbook of Security. New York: Palgrave Macmillan, pp. 629–657. McCrie, R.D. (2004) The history of expertise in security management practice and litigation. Security Journal 17(3): 11–19.

14



Morley, H.N. and Vogel, R.E. (1993) The higher education dilemma for the private security professional: Delivery methodologies and core curriculum from the practitioner’s perspective. Security Journal 4(3): 122–127. Novak, J.D. and Gowin, D.B. (1984) Learning How to Learn. Cambridge: Cambridge University Press. Pennebaker, J.W., Francis, M.E. and Booth, R.J. (2001) Linguistic Inquiry and Word Count (LIWC2001). Mahwah, NJ: Erlbaum Publishers. Post, R.S. and Kingsbury, A.A. (1991) Security Administration: An Introduction to the Protection Services. Boston, MA: Butterworth-Heinemann. Rennie, L.J. and Gribble, J. (1999) A Guide to Preparing Your Application for Candidacy. Perth, Western Australia: Curtin University of Technology. Risk Management Institution of Australasia. (2007) Security risk management body of knowledge, http://www. securityprofessionals.org.au/, accessed 24 January 2007. Sarre, R. (2005) Researching private policing: Challenges and agendas for researchers. Security Journal 18(3): 57–70. Security Professionals’ Taskforce. (2008) Advancing security professionals: A discussion paper to identify the key actions required to advance security professionals and their contribution to Australia, http://www. securityprofessionals.org.au/. Smith, C.L. (2001) Security science: An emerging applied science. Journal of the Science Teachers Association of Western Australia 37(2): 8–10. Standards Australia. (2004a) AS/NZS4360:2004 Risk Management. Sydney, NSW: Standards Australia International. Standards Australia. (2004b) HB221 Business Continuity Planning. Sydney, NSW: Standards Australia International. Talbot, J. and Jakeman, M. (2008) Security Risk Management Body of Knowledge. Carlton South: Risk Management Institution of Australasia. Tate, P.W. (1997) Report on the Security Industry Training: Case Study of an Emerging Industry. Perth: Western Australian Department of Training, Western Australian Government Publishing. Yates, A. (2004) Australia’s Homeland Security Market and Industry’s Role. Canberra: Australian Homeland Security Research Centre.


15