
What is security: Definition through knowledge categorization

Article in Security Journal · July 2010


DOI: 10.1057/sj.2008.18


All content following this page was uploaded by David Jonathan Brooks on 23 July 2015.



Original Article

What is security: Definition through knowledge categorization
David J. Brooks
Security Research Centre (SECAU) at Edith Cowan University, Edith Cowan University, 100 Joondalup Drive,
Joondalup, Perth 6027, Australia.
E-mail: d.brooks@ecu.edu.au

Abstract There have been a number of studies that have attempted to define the concept of security. However, as past authors have indicated, security is multidimensional in nature and diverse in practice. This diversity leads to difficulty in providing a single all-encompassing definition for the many applied domains of security. Security cannot be considered singular in concept definition, as definition is dependent on applied context. This study reverse engineered an applied security definition through the critique of 104 undergraduate security degrees, resulting in the presentation of 13 core security knowledge categories. These 13 knowledge categories were then integrated into an existing Australian security framework, resulting in the presentation of the science of security framework model. This framework allowed a greater understanding of security through knowledge structure and placed concept definition within the applied context domain of organizational security.
Security Journal advance online publication, 12th January 2009; doi:10.1057/sj.2008.18

Keywords: security; organizational; definition; body of knowledge; framework

Introduction

The security industry incorporates diverse and multi-disciplined actors, originating and practicing across many disciplines. This multidimensional nature of security results in both a society and industry that has no clear understanding of a definition for the concept of security. Moreover, the current concept of security is so broad as to be impracticable (Manunta and Manunta, 2006). However, concept definition may be achieved once we gain understanding of an appropriate and relevant security body of knowledge. In addition, it is proposed that security can only achieve definition through applied context and concept definition (Brooks, 2007).

The Need to Understand the Concept of Security

Exposure to terrorist attacks in many parts of the world (London, 2005; Jakarta, 2004; Russia, 2004; Spain, 2004; Bali, 2002 and New York, 2001) has raised social concern over the ability of governments to protect their citizens. For example, the 2002 Bali attacks touched all Australians, resulting in the Federal Government committing an additional A$3.1 billion to deal with the terrorist threat (Howard, 2004). In Europe, a billion Euro coherent strategy was developed to coordinate military and civilian research in security-related projects (Horvath, 2004).

© 2009 Palgrave Macmillan 0955–1622 Security Journal 1–15 1
www.palgrave-journals.com/sj/

However, security is to a degree an undefined term (Tate, 1997), as the security industry is broad and multidisciplined in nature (Hesse and Smith, 2001), with heterogeneous occupations. Current international politics has further broadened the definition of security, in both a national and international perspective. It has been proposed that security requires shared meaning (Manunta, 1999), although this is capricious (ASIS International, 2003, pp. 9–11) and with no universal agreement (Fischer and Green, 2004).

Defining the Concept of Security

Security may be considered as assured freedom from poverty or want, precautions taken
to ensure against theft, espionage or a person or thing that secures or guarantees (Collins
English Dictionary and Thesaurus, 1992). According to Fischer and Green, ‘security implies
a stable, relatively predictable environment in which an individual or group may pursue its
ends without disruption or harm and without fear of such disturbance or injury’ (2004, p. 21).
A traditional definition of security may be the provision of private services in the protection of
people, information and assets for individual safety or community wellness (Craighead, 2003).
In addition, private or commercial security may be considered as the provision of paid services
in preventing undesirable, unauthorized or detrimental loss to an organization’s assets (Post and
Kingsbury, 1991).
However, security may be expanded to consider national security and the defence of a
nation, through armed force or the use of force to control a state’s citizens. Security may
also imply public policing, with state employed public servants. Still others may consider
security as crime prevention, security technology and risk management or loss prevention
(Brooks, 2007). Security may be considered as all of these, but this diversity results in a
society that has no clear understanding of what security is, with a divergence of interests
from many stakeholders (Manunta, 1999). Nevertheless, security may present very different
meaning to different people (Davidson, 2005), given the time, place and context.
Security has strong parallels with defence, as they both provide protection; however, there are ‘disturbing differences’ between these industries (Tate, 1997, p. iii). Defence, as with other related industries, is often considered to be security. An example may be the parallelism demonstrated through police and military organizations, with the increasing convergence in their response to Australian national security challenges (Ferguson, 2004). In contrast and opposing this convergence is the breadth of agencies who may respond, as within Australia there are ‘over 30 separate government departments and agencies contributing to safeguarding Australia’ (Yates, 2004, p. 3). This diverse and multidimensional approach to security cannot support the definition of security (Morley and Vogel, 1993). As American Society for Industrial Security (ASIS) International stated, ‘every time we think we’ve got the definition of the security field nailed, somebody … starts taking some of the nails away’ (2003, p. 10).

A Supporting Security Body of Knowledge?

There has been restricted research in presenting a security body of knowledge, with publications primarily by ASIS International (2003) and others (Hesse and Smith, 2001; Brooks, 2006; Security Professionals’ Taskforce, 2008; Talbot and Jakeman, 2008). These limited publications are perhaps due to the diverse nature of security, which makes research activity diffuse and security research difficult (Sarre, 2005). Although a single security body of knowledge has not been explicitly presented, there is supporting literature to develop such a body in many of the security domains. Supporting literature encompasses not only research or industry association publications but also appropriate undergraduate tertiary security courses.
Researchers (Smith, 2001; Brooks, 2007) have argued that security experts have developed a rich knowledge structure, which can be extracted and defined as a consensus model (Smith, 2001). This view is supported by McCrie, who stated that ‘the combination of industry-specific research and practices over the past generation has created a corpus of learning’ (2004, p. 17). Tertiary security courses may provide knowledge categories and supporting subordinate concepts, assisting in presenting a security body of knowledge and providing concept definition. Within the context of the study, undergraduate tertiary security courses were considered post-compulsory education that, in general, resulted in a Bachelor’s degree. These tertiary degree programmes, depending on regional locality, may consist of between 12 and 40 individual courses or units of study, taking 3 years of full time study to complete.

Study Objectives

This paper presents one phase of a larger primary four-phase interpretive study, with this first phase developing and defining the knowledge categories of security. The primary study used multidimensional scaling to develop a psychometric concept map of security risk management. To achieve the primary objectives, the study had to define the knowledge categories of security. The knowledge categories aid, in part, a framework in defining both the science of security and a concept definition of security. A number of discrete research questions were developed, namely:

1. What are the knowledge categories and subordinate concepts of security?
2. Can a science of security framework be developed and presented?

In addition, the approach of the study was to consider whether security can be defined through applied context and concept definition. However, concept definition for most security situations is too capricious to effectively define. Therefore, applied context may be reverse engineered by considering the security body of knowledge that informed a definition of security.

Knowledge Categorization

Knowledge categorization provided the scientific foundation to the inquiry, which included cognitive memory, knowledge categorization and expertise. Knowledge may be considered as ‘facts or experiences known by a person or group of people, specific information about a subject’ (Collins English Dictionary and Thesaurus, 1992, p. 557). However, according to Clancey, knowledge ‘is more than written scientific facts and theories’ (1997, p. 285). Knowledge is not discovered, on the contrary, it uses and expands existing concepts (Novak and Gowin, 1984; Eysenck and Keane, 2002) and is ‘a possible state of affairs, either real or imaginary’ (Eysenck and Keane, 2002, p. 533). As new knowledge is gained, change in understanding regarding existing knowledge is achieved. Knowledge is viable (Rennie and Gribble, 1999), constructed and built on previous knowledge.
Knowledge is integral to memory structure – defined as the way in which memory organizes, stores and retrieves information. The memory process has a major impact on the ability of long-term memory to retain and retrieve (Eysenck and Keane, 2002), resulting in a complex interactive process (Lockhart and Craik, 1990) that requires knowledge categorization. In our everyday life, a person is exposed to information that has to be economized and abstracted into categories; generally referred to as concepts. These concepts are developed and maintained within long-term memory; however, there is a cognitive balance between the number and effectiveness of possible concepts. Concepts need to be informative, based to a degree on the natural world, economic and cohesive (Eysenck and Keane, 2002) and organized into categories (Kellogg, 2003). Similar objects are grouped together within a conceptual category and these groupings are generally a product of the learner’s environment (Eysenck and Keane, 2002), defined as an exemplar-based view and considered as the informing theory supporting knowledge categorization.

Extracting the Knowledge Categories of Security

The study investigated and critiqued 104 English-speaking institutions that offered tertiary
security courses at undergraduate or postgraduate level. Search methods to list these courses
used the world-wide-web, ASIS International (2007), Security Institute (Kidd, 2006),
Australian University Guide (Good Guides, 2004) and Association of Universities and
Colleges of Canada (2005). There was initially no limitation placed on the search criteria, as
all institutions that offered security and allied industry courses were assessed (Table 1). In
the world-wide-web search engines, data strings used were security; security course and
security management.
During May to July 2005 a list of courses and supporting data were gathered, independently reviewed by three security experts (two tertiary security academics and an industrial expert). From the 104 awards found, only undergraduate tertiary Bachelor Degree (pass)-level courses that contained a security major were critiqued. There could be many more security courses, as Davidson stated there are now ‘more than 300 participating two and four year institutions’ (2005, p. 74); however, this includes ‘research programs, technological developments, services activities, training and degree programs’ (2005, p. 74). Owing to the breadth of security awards, college certificates, diplomas and postgraduate courses were not considered. Course data were then compared and based on this course data, the three security experts selected nine courses that contained what they considered to be most appropriate security content.

Table 1: Location and number of security-related courses

Country of origin            Institutions offering security-related courses
Australia                    11
Canada                       8
United Kingdom               5
United States of America     74
New Zealand                  5
South Africa                 1
Total                        104

During this examination, the security experts claimed that a large majority of these 104 courses were focused on allied or supporting industries and did not effectively represent organizational or corporate security. These allied industries included, but were not limited to, justice studies, police studies, political studies, criminology, law, social studies, management, business, technology and engineering. This breadth opposed the ASIS International list of security programmes, which stated that they only included ‘security programs; those with criminology or criminal justice programs are not included unless a security speciality is also offered’ (ASIS International, 2007, p. 1).
A final seven courses were identified and assessed as containing security as a major area of study. Each course contained between 8 and 14 units of study, from which full unit syllabi were sourced. Unit syllabi included the course overview and units of study descriptions, objectives and overview of content.

Concept extraction from the selected undergraduate courses

Concept extraction used Linguistic Inquiry and Word Count (Pennebaker et al., 2001) and commenced with an initial analysis of each critiqued course and unit of study titles, allowing initial concept categorisation. Concepts were counted each time they were used within the course title, although redundant words were not considered as a count (Hiemstra, 1996). The unit title concept count resulted in a summation of security concepts and a frequency count (f) of how often a concept was used (Table 2).

Development of the security knowledge categories

Table 2 concepts were tabled for inclusion as a knowledge category if they produced a word frequency of two or greater (see dotted demarcation line in Table 2). The most used concepts were information security (14), followed by criminology and investigations (9) and security management (7). In supporting the assumption that these concepts were appropriate knowledge category descriptors, Table 2 was compared to both the ASIS common knowledge categories (American Society for Industrial Security, 2000) and the study’s pilot study (Figure 1). The concepts security and asset protection were excluded, as security was considered an implicit concept and asset protection considered subordinate. A comparison from the initial list of 17 concepts resulted in 13 (76.5 per cent) concepts being considered appropriate knowledge categories, with minor clarification in concept definition. For example, in Table 2 the category technology was put forward, whereas ASIS International (American Society for Industrial Security, 2000) common knowledge category used integrated security systems. These terms resulted in a final category label of security technology.


Table 2: Concepts count extracted from course units of study titles

Concept f    Concept descriptor
14           Information security
9            Criminology; Investigations
7            Security management
6            Law; Risk management; Technology
5            Security
4            Asset protection; Safety
3            Fire and life safety; Government security; Physical security
2            Facility management; Industrial procedures; Business continuity management
2            Access control; Intrusion detection; Accounting
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1            Administration; Architectural design; Intelligence
1            Principles; Public relations

Figure 1: Knowledge category inclusion methodology.
[Diagram labels: 17 knowledge categories (Table 2); ASIS International common knowledge categories (Table 5); 15 knowledge categories from the pilot study; expert validation (n=4); knowledge categories of security (n=13).]

Table 3: Security knowledge categories

Security categories descriptors

Criminology            Business continuity management    Fire and life safety
Facility management    Industrial security               Information and computing
Investigations         Physical security                 Safety
Security law           Security risk management          Security management
Security technology

Four (23.5 per cent) of the concepts were not inclusive in the ASIS common knowledge categories (American Society for Industrial Security, 2000) and Table 2. These concepts of accounting, access control, government security and intrusion detection were considered to be either subordinate concepts of knowledge categories or non-security concepts. For example, accounting was considered a generic business function. Access control and intrusion detection were considered subordinate concepts of security technology. Government security was considered a subordinate concept of industrial procedures. These concepts were therefore suitable for inclusion as more explicit concepts, not designated knowledge categories. Analysis resulted in a final 13 security knowledge categories (Table 3) being tabulated.

Operationalize category demarcation

The 13 security knowledge categories were considered to have demarcation; however, it was not the prime intent of the study to provide inclusive concept definition. These knowledge categories require further academic and industry debate, to gain a degree of consensus.

• Criminology: Theories, principles and concepts that consider the scientific study of crime (Collins English Dictionary and Thesaurus, 1992) and victimology; in particular, why crime is committed. This knowledge category may include principles such as crime prevention through environmental design, situational crime prevention and so on.
• Business continuity management: Disaster, crisis, incident and business recovery that in general requires an initial response from government emergency services and support by site security, followed by further action from the organization itself. The purpose of business continuity management is to provide the organization with process and resources to achieve resumption of its critical business processes (American Society for Industrial Security, 2000; Standards Australia, 2004b). This category may be considered a subordinate category of risk management – as a risk mitigation strategy; however, still a discrete management function.
• Facility management: The technique, process and practice of managing or controlling organizational resources to deliver the function of the built environment, in particular, an organization’s facilities (Langston and Lauge-Kristensen, 2002). The category was considered to include facility technology and management practices, for example facility design, strategic planning, fixed plant and equipment, plant maintenance, energy management and so on.
• Fire and life safety: Theories, principles and concepts that consider the scientific study and treatment of fire and life safety, including building technology and the management of life safety and fire protection.
• Industrial security: Application of security within specific industries, for example aviation security, maritime security, critical infrastructure protection, government security, campus security, retail security and so on.
• Information and computing: Theories, principles, concepts and practices that consider protection methods within the digital environment, including computer technology, hardware and software. Examples may include system networks, servers, firewalls, viruses, honeypots and so on. However, Talbot and Jakeman (2008) propose that information and computing should be divided into two discrete categories, namely information security and information communications technology (ICT).
• Investigations: Theories, principles, concepts and practices of security investigations, both process and technology. For example, the legal requirement during a private investigation, evidence admissibility, covert surveillance management and so on.
• Physical security: Theories, principles and concepts that use people, equipment (Garcia, 2001) and the built environment to control access to an organization’s assets, for example lock and keys, grills and so on. This knowledge category may include principles such as defence in depth (DinD), deter, detect, delay, respond and recover (D3R2) and so on.
• Safety: Theories, principles, concepts and practices that consider a process for a safe and healthy work environment (American Society for Industrial Security, 2000). In the context of the study, this concept is considered to be Occupational Health and Safety, not necessarily the provision of safety provided by the function of security.
• Security risk management: Theories, principles, concepts and practices that consider risk and risk management. Risk management may combine many disciplinary areas including, but not exclusively, mathematics, management, business and psychology. According to the Risk Management AS/NZS4360 Standard, risk management ‘is an integral part of good management … an iterative process of continuous improvement that is best embedded into existing practices or business process’ (Standards Australia, 2004a, p. 7).
• Security law: Theories, principles, concepts, process and practices that consider how law affects organizational security, including civil, criminal, liabilities, counter strategies and so on.
• Security management: Theories, principles, concepts, technique, process and practice of managing or controlling organizational resources to deliver the function of security (Collins English Dictionary and Thesaurus, 1992; American Society for Industrial Security, 2000). This category may include policy and procedures, administration, operations, training, awareness, finance, contracting, resource allocation, security decay and so on.
• Security technology: Specific security technology applied in the protection of assets, for example intruder detection systems, closed circuit television, access control, biometric systems and so on. The future of this knowledge category may include ICT due to the ever-increasing use of security technology over computer networks.

These final 13 tabulated security knowledge categories (Table 3) responded, in part, to the study’s objective 1, namely, what are the knowledge categories and subordinate concepts of security?

Developing a Framework of Security

There have been past studies (Hesse and Smith, 2001; American Society for Industrial Security, 2002; Bazzina, 2006) to develop a security body of knowledge and it was necessary to further contrast the study’s 13 security knowledge categories (Table 3) with these past studies. This comparison led to the development of the framework of security, integrating the 13 knowledge categories and responding to study objective 2; namely, can a science of security framework be developed and presented?
One area of progression in the development of a security body of knowledge was the ASIS practitioner/academic symposia (American Society for Industrial Security, 1999; ASIS International, 2003). An outcome of these symposia was the development of a consensual security model containing the core element of security, which was to provide a baseline for tertiary-level course development (ASIS International, 2003). The 2000 ASIS practitioner/academic symposium attempted to develop knowledge category descriptors for each of their proposed common elements of security (Table 4).
Core knowledge categories, developed from the ASIS symposium (2000), resulted in
the participants proposing a revised model (Table 5). The revised common knowledge
categories increased from a previous nine concepts to 18 concepts. Further symposia
focused on these 18 common knowledge categories, defining generic core competencies
(American Society for Industrial Security, 2002) and commencing the development of a
body of security knowledge (ASIS International, 2003).
In contrast, Hesse and Smith (2001) proposed four knowledge categories appropriate
for tertiary security education – security, business and management, computing and IT and
generic (Table 6). It was postulated that through academia, these knowledge categories
would provide security managers with core knowledge for appointment in the security
industry. Although these knowledge categories may be appropriate for generic supervisory
or managerial occupations, the security knowledge categories did conflict to some degree
with those proposed by ASIS International (2003).
A collaborative project between the Australian Attorney-General’s Department, Australian Standards and the Australian security industry attempted to identify and clarify requirements for future security standards. The project, funded by the Australian Federal Government, solicited and received comment from across the critical infrastructure protection network, both private and public. As part of the outcome, the project developed an initial integrated security framework model (Figure 2), broken into five knowledge categories considered at four operating levels. The five knowledge categories consider IT and computing security, physical security, identity management and access control, procedural security and personnel security (Bazzina, 2006, pp. 85–86).

Table 4: ASIS common knowledge categories of security model

Security

Physical security               Risk management    Emergency/contingency planning
Personnel security              Legal aspects      Fire protection
Information systems security    Loss prevention    Investigations

Source: American Society for Industrial Security, 2000, p. 87.

Table 5: ASIS revised common knowledge categories of security model

Security

Physical security                  Crisis management
Personnel security                 Disaster management
Information systems security       Counterterrorism
Investigations                     Competitive intelligence
Loss prevention                    Executive protection
Risk management                    Violence in the workplace
Legal aspects                      Crime prevention (general)
Emergency/contingency planning     CPTED
Fire protection                    Security architecture and engineering

Abbreviation: CPTED, Crime prevention through environmental design.
Source: American Society for Industrial Security, 2000, p. 100.

Table 6: Security education knowledge categories

Security                    Business and Management
Law                         Law
Threats                     Management theory
Security technology         Technology
Security theory             Business
Risk management             Accounting
Technology                  Cultural knowledge
Investigative procedures    Industrial relations
Security equipment          HRM
Physical security           Contract management
Security standards          Duty of care
Life safety systems         Equal opportunity
Cultural knowledge          Ethics
Asset protection            Fraud
Intelligence
Duty of care
Fraud
Security perception
Surveillance

Generic                     Computing and IT
Analytical                  IT systems
Research

Abbreviations: HRM, Human resource management; IT, Information technology.
Source: Hesse and Smith, 2001, pp. 98–99.

Figure 2: Integrated security standards framework model (Bazzina, 2006, p. 85).
[Diagram labels: Strategic; Governance; Management; Operational; Technical; IT & Computing; Physical; Personnel; Procedural; Identity & Access Control.]

Criticism of the integrated security standards framework model included failing to align with the complex approach from the Australian Commonwealth Protective Security Manual (Bazzina, 2006) and not considering risk management (Brooks, 2007). Also, the integrated security framework (Figure 2) could be considered broad in approach and therefore difficult to operationalize, in particular when considering the ASIS common knowledge categories (Table 5). However, a further Standards Australia security standards framework was proposed, rectifying these criticisms by encapsulating overall governance and management of the organization, with risk management embedded within physical security, information security and personnel security (Bazzina, 2006). Nevertheless, the framework did not incorporate all of the knowledge categories proposed by either ASIS (2003) or Hesse and Smith (2001).
After consultation with industry and government, the Risk Management Institution of Australasia developed a Security Risk Management Body of Knowledge publication (Talbot and Jakeman, 2008). Although focusing on security risk management, the document represented practice areas of security, namely protective security, people security, physical security, information security and ICT security. In a unique approach, information security and ICT were presented as discrete and separate knowledge areas. Information security was considered to be the protection of information, whereas ICT was considered to be the protection of information technology systems. Consideration was made that a principles-based approach should be taken by categorizing security into practitioner areas (Risk Management Institution of Australasia, 2007), an approach put forward by Manunta (1999).
However, the Risk Management Institution of Australasia (2007) considered security risk management as the prime security category. The view that security risk management is an ordinate knowledge category may be opposed, as according to Manunta, ‘there are a number of ontological discrepancies between the concept of security and that of risk, which deserve further study and investigation’ (2002, p. 43). In addition, the majority of security knowledge categories discussed presented risk management as a subordinate concept of security (Hesse and Smith, 2001; ASIS International, 2003). Nevertheless, this type of debate can only further assist the development and presentation of an overarching consensual security body of knowledge.

A Framework of Security

To address some of the failings of the integrated security standards framework, the study
integrated this framework with the 13 tabulated knowledge categories of security (Table 3)
and past security standards framework (Figure 2). As these 13 knowledge categories
combined, in part, past body of knowledge studies on this model may provide a framework
for security (Figure 3). The framework responded to the study’s objective 2, namely, can
a science of security framework be developed and presented? In addition, the tabulated
knowledge categories and integrated framework provide some degree of concept definition,
assisting in the understanding of organizational security.
A number of assumptions were made during the development of the integrated framework.
These assumptions considered that some knowledge categories were more relevant to
security than others; therefore, the framework incorporates a hierarchy of knowledge
categories. Level 1 may be considered core security knowledge categories, whereas level 2 are
non-core knowledge categories. These non-core knowledge categories may be allied
industries informing or supporting the general function of organizational security.
Security, at the strategic, managerial (tactical) or operational level, cannot be considered
singular in concept definition, as definition is dependent on context. Nevertheless, security


[Figure 3 diagram labels. Upper tiers: Strategic, Governance, Management, Operational. Level 1: Risk Management, Physical, Technology, IT & Computing, Investigations, Personnel, Industrial. Also labelled: BCM. Level 2: Facility Management, Law, Criminology, Safety, Fire & Life Safety.]

Figure 3: Integrated science of security framework.


Note: BCM = Business continuity management.

may be considered in context, if that context is defined. Security context may be considered
within the domains of international or national security, public security (Policing), private
or organizational security and individual security, to name a few. The framework of security
(Figure 3) provides some degree of concept definition within the context of private or
organizational security for the protection of people, information and assets – extrapolated as
the scientific inquiry of organizational security management (ASIS International, 2003).
This view was supported by ASIS (2000), when indicating that organizational security
management is a distinct field, separate from police or justice domains. Otherwise, with the
breadth of applied security domains there could be a divergence of these distinct knowledge
categories.

Limitation of the Study

Limitations of the study were identified and include the provision of a conclusive definition
of security, the breadth of tertiary security undergraduate courses critiqued and the expert
sample size and nature.
Tertiary security courses were selected and validated by security experts. However,
security has no clear definition (Tate, 1997; Manunta, 1999; Horvath, 2004) and ‘means different
things to different people’ (Davidson, 2005, p. 73). According to Hesse and Smith, security
is diverse, without a defined knowledge or skill structure (2001, p. 89). Therefore,
homogeneity in the selection and validation of expert groups during the study may have introduced
some degree of distortion. The study attempted to address this concern with independent
resources to triangulate data, for example the use of the ASIS International 1997–2003
Academic/Practitioner Symposiums (ASIS International, 2003).
Since the courses were critiqued in the six countries (Table 1), there has been an increase in
security undergraduate course offerings, with a claim that in the United States alone there
are now ‘more than 300 two and four-year institutions that participate with homeland
security programs’ (Davidson, 2005, p. 72). However, it could be argued that these are not
necessarily appropriate organizational security undergraduate courses. Given the breadth
of security, not all security category concepts were necessarily tabulated.
For enhanced statistical confidence, the sample size of the study could have been larger. In
addition, due to the non-probabilistic sampling approach, homogeneity of data, participants
and experts could have been experienced. These factors may have resulted in a degree of error
in the final tabulated knowledge categories. Nevertheless, the study attempted to develop and
present a consensual framework for security using international data. Such an approach, to
some degree, resulted in removing individuality of courses from the resulting framework.

Further Research

It is proposed that future research will use psychometric multidimensional scaling to
concept map security experts’ view of the presented security knowledge categories (Figure 3).
This psychometric concept mapping may provide a deeper understanding of these security
categories’ relationships. For example, according to Standards Australia, business continuity
management should be integrated with risk management (2004b). However, to what extent
do security experts consider the strength of this relationship? In addition, how related is
security technology to physical security, ICT and so on? Such mapping will allow further
expert validation of the integrated framework.

Conclusion

Security is capricious in nature and application, practised across many domains and with
heterogeneous actors. Owing to this multidimensional nature, the concept of security is
difficult to define. However, the study proposed that the concept of security may be defined
when understanding the applied context. In addition, by developing and presenting a
consensual body of knowledge within the applied context, concept definition may be achieved.
Therefore, the study objectives were the tabulation of the knowledge categories of security
and the presentation of these within an integrated framework.
To achieve these outcomes, the study critiqued 104 English-speaking tertiary undergraduate
degree courses, from six countries. This critique resulted in a final seven courses being
analysed, with 13 security knowledge categories extracted from the syllabi and validated by
similar studies. These knowledge categories included criminology, business contingency
management, facility management, fire and life safety, industrial security, information and
computer security, investigations, physical security, principles, security risk management,
security law, security management and security technology.
These 13 knowledge categories were integrated into the Australian security standards
framework (Figure 2), addressing some of the criticism directed at this framework. This
integration resulted in the proposed science of security framework (Figure 3), considering
both core security knowledge categories and allied supporting concepts. Nevertheless,
the study proposed that this framework may only consider the context of security within the
domain of organizational or corporate security.

References

American Society for Industrial Security. (1999) Proceedings of the 1999 Academic/Practitioner Symposium.
Reno: American Society for Industrial Security, University of Nevada.


American Society for Industrial Security. (2000) Proceedings of the 2000 Academic/Practitioner Symposium.
Oklahoma: American Society for Industrial Security, The University of Oklahoma.
American Society for Industrial Security. (2002) Proceedings of the 2002 Academic/Practitioner Symposium.
Ohio: ASIS International, The University of Cincinnati.
ASIS International. (2003) Proceedings of the 2003 Academic/Practitioner Symposium. Maryland: ASIS
International, The University of Maryland.
ASIS International. (2007) Academic institutions offering degrees and/or courses in security,
http://www.asisonline.org/education/universityPrograms/traditionalprograms.pdf, accessed 7 March 2007.
Association of Universities and Colleges of Canada. (2005) Speaking for Canada’s universities at home and abroad,
http://oraweb.aucc.ca/pls/, accessed 28 July 2005.
Bazzina, M. (2006) Security Standards and Support Systems Report: A Collaborative Project Between the
Commonwealth Attorney-General’s Department and Standards Australia. Sydney, NSW: Standards Australia
International.
Brooks, D.J. (2006) Mapping the consensual knowledge of security risk management experts. In: C. Valli and
A. Woodward (eds.) Proceedings of the 7th Australian Information Warfare and Security Conference. Perth,
Western Australia: School of Computing and Information Science, Edith Cowan University, pp. 9–17.
Brooks, D.J. (2007) Defining the Science of Security through Knowledge Categorisation. Paper presented at the
Criminology and Victimological Society of Southern Africa (CRIMSA) Conference 2007, October, University of
Pretoria, Pretoria.
Clancey, W.J. (1997) The Conceptual Nature of Knowledge, Situations, and Activity. In: P.J. Feltovich, K.M.
Ford and R.R. Hoffman (eds.) Expertise in Context: Human and Machine. Menlo Park, CA: The MIT Press,
pp. 247–291.
Collins English Dictionary and Thesaurus. (1992) Sydney, NSW: HarperCollins Publishers.
Craighead, G. (2003) High-Rise Security and Fire Life Safety. Woburn, MA: Butterworth-Heinemann.
Davidson, M.A. (2005) A matter of degrees. Security Management 49(12): 72–99.
Eysenck, M.W. and Keane, M.T. (2002) Cognitive Psychology: A Student’s Handbook. New York: Psychology
Press.
Ferguson, G. (2004) Policing conference returns to Adelaide. Australian Defence Magazine 12(8): 54.
Fischer, R.J. and Green, G. (2004) Introduction to Security. Boston, MA: Butterworth-Heinemann.
Garcia, M.L. (2001) The Design and Evaluation of Physical Protection Systems. Boston, MA: Butterworth-Heinemann.
Good Guides. (2004) Helping you make decisions about where and what to study in Australia,
http://www.thegoodguides.com.au/ggcontent/course/id, accessed 28 October 2004.
Hesse, L. and Smith, C.L. (2001) Core Curriculum in Security Science. In: H. Armstrong (ed.) Proceedings of the
5th Australian Security Research Symposium. Perth, Western Australia: School of Computing and Information
Science, Edith Cowan University, pp. 87–104.
Hiemstra, R. (1996) What’s in a word? Changes in self-directed learning language over a decade,
http://www-distance.syr.edu/word.html, accessed 20 October 2005.
Horvath, J. (2004) The fear factor, http://www.telepolis.de/english/inhalt/te/18187/1.html, accessed 3 September 2004.
Howard, J. (2004) Business government forum on national security,
http://www.safeguardingaustralia.org.au/Questions/Howard-address-23June04.doc, accessed 3 July 2004.
Kellogg, R.T. (2003) Cognitive Psychology. Thousand Oaks, CA: Sage Publications.
Kidd, S. (2006) The Security Institute yearbook and directory of qualifications 2006,
http://www.security-institute.org/pdf/2006%20Yearbook.pdf, accessed 25 June 2007.
Langston, C. and Lauge-Kristensen, R. (2002) Strategic Management of Built Facilities. Boston, MA: Butterworth-Heinemann.
Lockhart, R.S. and Craik, F.I.M. (1990) Levels of processing: A retrospective commentary on a framework for
memory research. Canadian Journal of Psychology 44: 87–112.
Manunta, G. (1999) What is security? Security Journal 12(3): 57–66.
Manunta, G. (2002) Risk and security: Are they compatible concepts? Security Journal 15(2): 43–55.
Manunta, G. and Manunta, R. (2006) Theorizing about Security. In: M. Gill (ed.) The Handbook of Security.
New York: Palgrave Macmillan, pp. 629–657.
McCrie, R.D. (2004) The history of expertise in security management practice and litigation. Security Journal
17(3): 11–19.


Morley, H.N. and Vogel, R.E. (1993) The higher education dilemma for the private security professional: Delivery
methodologies and core curriculum from the practitioner’s perspective. Security Journal 4(3): 122–127.
Novak, J.D. and Gowin, D.B. (1984) Learning How to Learn. Cambridge: Cambridge University Press.
Pennebaker, J.W., Francis, M.E. and Booth, R.J. (2001) Linguistic Inquiry and Word Count (LIWC2001). Mahwah,
NJ: Erlbaum Publishers.
Post, R.S. and Kingsbury, A.A. (1991) Security Administration: An Introduction to the Protection Services. Boston,
MA: Butterworth-Heinemann.
Rennie, L.J. and Gribble, J. (1999) A Guide to Preparing Your Application for Candidacy. Perth, Western Australia:
Curtin University of Technology.
Risk Management Institution of Australasia. (2007) Security risk management body of knowledge,
http://www.securityprofessionals.org.au/, accessed 24 January 2007.
Sarre, R. (2005) Researching private policing: Challenges and agendas for researchers. Security Journal 18(3): 57–70.
Security Professionals’ Taskforce. (2008) Advancing security professionals: A discussion paper to identify the
key actions required to advance security professionals and their contribution to Australia,
http://www.securityprofessionals.org.au/.
Smith, C.L. (2001) Security science: An emerging applied science. Journal of the Science Teachers Association of
Western Australia 37(2): 8–10.
Standards Australia. (2004a) AS/NZS4360:2004 Risk Management. Sydney, NSW: Standards Australia International.
Standards Australia. (2004b) HB221 Business Continuity Planning. Sydney, NSW: Standards Australia International.
Talbot, J. and Jakeman, M. (2008) Security Risk Management Body of Knowledge. Carlton South: Risk
Management Institution of Australasia.
Tate, P.W. (1997) Report on the Security Industry Training: Case Study of an Emerging Industry. Perth: Western
Australian Department of Training, Western Australian Government Publishing.
Yates, A. (2004) Australia’s Homeland Security Market and Industry’s Role. Canberra: Australian Homeland
Security Research Centre.
