People, process, and technology is a term coined by Bruce Schneier to describe the main elements of security. It refers to the strengths and weaknesses of each element.

People refers to human strengths and weaknesses. For example, although people may know to keep their passwords secret, they may write them down in easily accessible locations, endangering security. Security education is therefore a way to improve the 'people' aspect of security.

Process refers to procedural actions performed to manage the weaknesses of either people or technology in order to maintain good security. For example, regular password changes are considered part of a good security process for people, and a regular manual data backup is considered to be a good alternative to relying solely on internet-synchronised data hosting.

Technology refers to any kind of engineering used to improve security, whether software or hardware. It is useful because it can perform its job much faster than humans would be able to. For example, this can be a firewall (software) or a fingerprint lock on a laptop (hardware).


Last updated: 5 September 2017