Ross Anderson


Ross Anderson (1956–2023) was Professor of Security Engineering at the University of Cambridge and one of the most influential security researchers of his generation. His work spans technical security (particularly tamper resistance, side-channel attacks, and embedded systems security) and the field he helped found: security economics, the analysis of how incentive structures, not just technical vulnerabilities, determine security outcomes. Anderson's intellectual trajectory, which ran parallel to Schneier's, makes him one of the most important figures for understanding Schneier's broader project.

Security Engineering

Anderson's textbook Security Engineering (first edition 2001, second 2008, third 2020) is the closest equivalent to Applied Cryptography in the broader security field: a comprehensive technical reference that attempts to cover the entire discipline. Where Applied Cryptography focused on cryptographic algorithms, Anderson's text encompassed physical security, access control, network security, psychology of security, and the institutional dimensions of making systems secure. The book's changes across three editions document the field's evolution, including the growing importance of economics and human factors that Schneier was simultaneously developing in his own writing.

Anderson was also a significant technical contributor: his work on tamper resistance in smart cards, his analysis of banking security failures, and his contributions to understanding covert channels and information-theoretic security were all foundational. His empirical work on ATM fraud and banking security — revealing that banks were systematically misrepresenting security failures and blaming customers for fraud that their own systems enabled — exemplified the combination of technical rigor and policy relevance that characterizes his best work.

Security Economics

Anderson was a co-founder of the field of security economics — the study of how market failures, misaligned incentives, and institutional structures explain why security is systematically underprovided. The core insight, developed in a series of papers beginning around 2001, is that many security failures are not technical failures but economic ones: the party who bears the cost of insecurity is often not the party who makes the security investment decisions. Banks that can externalize fraud costs to customers will invest less in fraud prevention than is socially optimal.

This framework directly parallels Schneier's security-economics thinking, which Schneier has credited Anderson with helping to develop. Both reached similar conclusions by different routes: Schneier from the practical observation that security products often failed not because of cryptographic weaknesses but because of deployment and incentive failures; Anderson from a more formal economic analysis. Their convergence on security economics represents one of the most important intellectual contributions to security thinking in the 2000s — it shifted the policy conversation from "how do we build technically better systems?" to "how do we create incentive structures that reward security?"

Clipper Chip and Crypto Wars

Anderson was among the most technically rigorous critics of key escrow schemes during the Clipper Chip announcement period. His analysis of the cryptographic weaknesses in the Skipjack algorithm (the cipher inside the Clipper Chip) and his broader arguments about why government-mandated backdoors were both dangerous and ineffective were influential in the technical community. He operated in parallel with Schneier, who was making similar arguments from his Counterpane Internet Security and public writing platforms; Anderson and Schneier were the British and American voices of technical credibility against key escrow.

Relationship to Schneier

Schneier and Anderson are intellectual peers who developed parallel and mutually reinforcing frameworks. They are not collaborators in the direct sense (they did not co-author papers or books) but intellectual interlocutors who cited each other, appeared on the same platforms, and pushed the field in similar directions. Anderson's security economics provided Schneier with a formal analytical vocabulary for observations Schneier had been making from practitioner experience. Schneier's public-intellectual reach (his Crypto-Gram newsletter and Schneier on Security blog) gave Anderson's academic work a wider audience than it might otherwise have reached. The complementary nature of their roles is reflected in economist-security-guru, a media characterization of Schneier from 2003 that coincided with the period when both were developing security economics frameworks.

Anderson's death in 2023 removed one of the field's most rigorous and wide-ranging thinkers. His Security Engineering textbook remains the most comprehensive technical treatment of the field Schneier helped define.