One of the effects of the war in Ukraine refers to the acknowledged need for a better capacity to sustain the military operations, felt at North Atlantic Treaty Organization (NATO) and European Union (EU) leaders’ level. In this direction, a first step was made with the adoption in 2022 of the NATO Strategic Concept and of the EU Strategic Compass. While prevention is at the core of the formulated intentions, the sustainable character of the concrete actions is often underlined (NATO, 2022, pp.6-9). To make it real, the attention was shifted towards integrating emerging technologies, while not overlooking the cyber vulnerabilities that need to be addressed also through cooperation with the private sector (NATO, 2022, p. 7). Thus, protecting the military systems and the technologies they depend on is a declared intention of the Transatlantic community, as adversaries “ conduct malicious activities in cyberspace” (NATO, 2022, p. 10). This view is also embraced at the EU level, cyber defence being considered a “strategic enabler”, especially when it comes to military mobility, so important for the sustainability of military operations (The Council of the European Union, 2022, p. 32).
To overcome the need for military equipment and systems, the development of the defence industry is seen as a prerequisite. Therefore, at the EU level, it needs to be performant by 2035, to sustain the readiness of military forces (European Parliamentary Research Service, 2024, p. 2). To facilitate this outcome, the EU adopted the Security Action for Europe (SAFE), an instrument that supports the financial effort in this direction and considers the possibility that Member States perform common procurement procedures for a wide area of highly technologized systems, such as drones or cyber equipment (The Council of the European Union, 2025, p. 8). As a result, the context is favorable not only to scaling production, but also to tackle cyber issues, especially because the EU has published a regulation for essential cybersecurity requirements that manufacturers must respond to (The European Parliament, The Council of the EU, 2024, p. 2).
Additionally, a good understanding of the “industry language” is mentioned in the recently published NATO doctrine on the sustainment of military operations, having the potential to increase the sustainability. That is why it is seen as an activity prior to the execution of military operations. However, little attention is given to mentioning the exact prerequisite moments or to developing the component actions that need to be taken, so that industrial products be able to respond effectively to the operational needs. Although the requirement to share information with industry is mentioned, and the possibility that some of the produced systems – particularly information systems – could be cyberattacked is identified as a threat to the sustainability of operations (NATO Standardization Office, 2025, pp. 5-55), the existing literature lacks a detailed, common approach by the civilian and military actors for enhancing the cybersecurity of military equipment and systems.
A solution in this respect is represented by the adoption of “security by design” measures (Bellasio & Silfversten, 2020, pp. 88-108). Therefore, the objective of this research is two-folded: 1) to clarify the conceptual delineations of the security by design; 2) to explore the good practices in this area, to identify the process that could be followed by decision-makers in both civilian and military domains. The importance of developing such a “check-list” was highlighted by previous researchers, who acknowledged its usefulness if cybersecurity risks must be diminished (Hassan et al., 2025, p. 1; Fluchs et al., 2023, p. 3).
In strong connection with the objective, the research question posed by this study is: How the security by design measures should be implemented through civil-military cooperation, to facilitate the sustainability of military operations and missions? To answer this question, the case study method was used, based on the review of the available literature.
The study falls within the scope of control theory, which provides the foundation for manufacturing products that behave in a predictable and optimal way, so the customer benefits from its procurement (Lodhi et al., 2023, p. 1). It contributes to solving the real problem signaled by other researchers, who pointed to the need that security by design should be tackled in a very specific way, in accordance with the context in which systems are being used (Harris et al., 2025, p. 3162), that is why the military ones deserve special attention. Furthermore, in the context characterized by the vision to integrate emerging technologies, such as Internet of Things (IoT) or Artificial Intelligence (AI), organizations, in general, are advised to adopt “Zero Trust Architecture” (Rathi, 2025, p. 3), fact that enhances the importance of the studied problem.
The original contribution of this study is reflected in its results, which have the potential to enhance collaboration between civilian and military actors in addressing cybersecurity challenges. On the one hand, the study identifies a ten-step process that outlines the sequence of actions required to implement security by design measures. On the other hand, it proposes a top-down approach to this implementation, clearly delineating responsibilities and actions across the strategic, operational, and tactical levels.
The concept of “design” is strongly related to putting new ideas into practice. It is defined as “ the application of scientific concepts, mathematics and creativity to envision a structure, a machine, a system, or an artifact that performs a prespecified function” (Mital et al., 2014, p. 43). Therefore, design refers to a very early stage in the life-cycle of a product, which differentiates from construction or usage stages. Understanding these stages creates the premises of a well-developed security breach assessment. Thus, the long-term disadvantages, like costs or risks, are being diminished (Harris et al., 2025, p. 3162).
Representing the core concept of this study, “security by design” has attracted considerable attention from both researchers and practitioners (Chattopadhyay et al., 2018). In the context of big data, cloud computing, and autonomous vehicles, previous research has approached it either as a process or as a model. At the same time, it has clearly stated that the development of measures aimed at enhancing security by design depends largely on the specific domain in which such actions are required. When treated as a process, security by design is closely connected to the system life-cycle and involves a preliminary analysis of available security measures, conducted in relation to existing threats and the feasibility of covering the associated costs (Awaysheh et al., 2020, pp. 3-4, 16).
Another facet of this concept emerges in the context of autonomous vehicles, which have increasingly become preferred targets for cyber-attacks. Such vehicles are considered complex systems that integrate both cyber and physical components. Securing these systems poses numerous challenges, related not only to the level of technological sophistication and automation, but also to the specific nature of the security objectives involved. For example, when connected to the internet, an autonomous vehicle can transmit operational data to the manufacturer (Chattopadhyay et al., 2018). Consequently, if one security objective is to limit the manufacturer’s access to the vehicle and ensure that the user remains the sole controller, this functionality must be incorporated from the design stage of the vehicle.
The discussion on autonomous vehicles identifies five steps for implementing security by design, which are briefly presented in Figure no. 1. The adoption of these steps is relevant for this research as both the military and civilian sectors demonstrate a growing interest in autonomous vehicles. Moreover, cyber-attacks targeting systems in one domain may generate cascading effects in the other.

The process of security by design
(Source: Author, based on Chattopadhyay et al., 2018)
To further examine the challenges associated with the security design of autonomous vehicles, previous research has also focused on military drones, which have become an essential component of contemporary warfare. Scholars identify a range of motivations that adversaries may have for compromising the security of these systems through cyber-attacks. These include obtaining confidential information, undermining user trust, disrupting access, hijacking the system, gaining control of user accounts, or accessing onboard cameras to capture real-time images. In the military domain, such actions are regarded as particularly damaging, as they may ultimately render the equipment unusable for its intended operational purposes (Ko et al., 2021, pp. 1, 2).
Consequently, specialists have developed security protocols intended to address the vulnerabilities identified in military drones. Ensuring that such protocols can be effectively implemented should therefore be considered during the design phase, thereby reducing potential threats. Among the measures typically included in these protocols there can be mentioned: mutual authentication, robust key exchange mechanisms, confidentiality, information integrity, non-repudiation, perfect forward and backward secrecy, protection against denial-of-service attacks, and protection against man-in-the-middle attacks. In addition, formal security analyses should be conducted to evaluate the effectiveness of the implemented security protocols (Ko et al., 2021, pp. 5-6, 10-20). Given that large systems – such as those used in the military domain – often consist of numerous interconnected subsystems, researchers emphasize the importance of considering each component individually, not only when applying the previously mentioned steps but also when implementing security protocols (Liu et al., 2022, p. 18).
It is also worth noting that specialists recommend considering the concept of “security by design” in conjunction with a complementary concept, namely “accessibility by design.” The latter refers to the principle that products and systems should be designed in such a way that individuals with various disabilities are able to use them effectively (Stelea et al., 2025, p. 8). At first glance, this concept may appear less relevant from a military perspective. However, military personnel operating on the battlefield are often required to perform multiple tasks within a very short period of time and may also suffer severe injuries or trauma that temporarily or permanently affect their ability to function normally. Under such circumstances, accessibility by design becomes an important consideration and should not be excluded from discussions on security by design.
Moreover, the benefits of associating the design stage with security considerations have been demonstrated by previous research, albeit in a different context (Carmel-Gilfilen, 2013, p. 99-101). For instance, another concept, “secure by construction”, refers to corrections applied to the designed model during the construction phase so that it can function properly when security problems could not be, or were not, identified or tested during the design phase (Liu et al., 2022, p. 1). This concept therefore appears to describe a secondary solution or measure, adopted when the primary one – security by design – was not considered.
Additionally, there is another concept, “safe by design”, which may generate confusion with the concept addressed in the present study. In contrast to “security by design”, this concept primarily aims to ensure the well-being of the end user and focuses on the benefits they derive, as well as on the potential effects on the community and the environment. The underlying premise is that risks should be identified from the outset and continuously assessed throughout each stage of the product lifecycle (Van Gelder et al., 2021, p. 2), particularly in the context of implementing emerging technologies (Bouchaut & Asveld, 2020, p. 1640). From the perspective of control theory, these considerations suggest that a system or piece of equipment should be monitored and controlled from a cybersecurity standpoint at every stage of its development, indicating that the concept has a broader scope than security by design.
The challenge of addressing cybersecurity issues during the preliminary phases of production has been characterized as “complex” by engineering experts, without fully accounting for the additional difficulty of integrating a cybersecurity mindset throughout the system life-cycle. Key actions that designers may undertake include system decomposition, the establishment of physical and logical architectures, and the subsequent verification and validation of the proposed model. The inherent complexity of modern systems further intensifies the demands placed on design engineers. Encouragingly, these actions can be continuously monitored, adapted, and refined throughout the entire design process, in close alignment with the evolving requirements specified by customers (Dillard et al., 2025, pp. 1-3).
In the armed forces, the complexity of cybersecurity is further amplified by the distinct characteristics of each branch. This is particularly evident in maritime forces, where military naval systems – closely linked to technological advancements in the naval industry – can, in some respects, be analyzed similarly to their civilian counterparts. A pertinent example is given by small autonomous vessels, for which researchers have proposed a seven-step evaluation framework applicable to analogous systems (Kalliovaara et al., 2025, pp. 2-14). The framework begins with an inventory of the system’s components, followed by the assessment of information technology integration requirements. Next, security controls are applied to physical components, and the entire system undergoes a comprehensive security evaluation. The communication system is then examined, and human factors – particularly those that enhance resilience during operation – are assessed. These steps are iterative, ensuring continuous monitoring and evaluation of the system from a cybersecurity perspective. This raises a critical question: how can such complex cybersecurity challenges be effectively addressed during the design phase?
This example is further reinforced by current military developments. The integration of autonomous ships into naval forces is already underway, with “security by design” recognized as a key solution (Cho et al., 2022, p. 1). In this respect, an important role is attributed to the private sector (Radu, 2025, p. 100), mostly to software manufacturers, as they are responsible for implementing tailored security assessment models (Cybersecurity and Infrastructure Security Agency, 2023, p. 4).
A tailored approach has been mandated for manufacturers by multiple national security agencies, including those in the USA, Canada, Australia, and Germany. Implementing this approach requires substantial allocation of resources to adapt both production platforms and products, even though such improvements may not be immediately visible to customers. Central to this process is a comprehensive risk assessment, which manufacturers must conduct to address the challenges posed by cyber threats effectively (Cybersecurity and Infrastructure Security Agency, 2023, pp. 4-5).
When the customer is a military entity, additional layers of requirements must be considered to ensure that technological advantages on the battlefield are effectively realized. For example, adversaries may attempt to compromise deployed systems or gain access to sensitive data. In light of this, experts recommend that manufacturers adopt a tailored approach during the design phase and develop multiple threat models reflecting the various operational scenarios in which a system may be deployed. Furthermore, for systems already in production and in service within the armed forces, manufacturers should establish roadmaps to enhance their resilience against evolving cyber threats (Cybersecurity and Infrastructure Security Agency, 2023, pp. 4-5).
Although these software modifications are intended to enhance equipment cybersecurity, they may also introduce operational drawbacks. To mitigate this risk, it is recommended to involve and incentivize the end user, ensuring a balance between security measures and operational requirements, and confirming that customers can implement the necessary security protocols (Cybersecurity and Infrastructure Security Agency, 2023, p. 11).
Additionally, more recommendations are issued for customers, in general (Cybersecurity and Infrastructure Security Agency, 2023, pp. 12-13), that are applicable to the military ones. Among these, there can be mentioned:
to develop instruments for keeping the manufacturers accountable for security issues;
to identify the systems that need to be provided with cyber security characteristics;
to prioritize purchasing equipment which has cybersecurity characteristics implemented;
to involve the information technology (IT) departments when it comes to assessing the cybersecurity needs before purchasing the equipment and to elaborate purchasing criteria in line with the identified needs;
to gain leadership support to enforce the application of security by design purchasing criteria in purchasing decisions;
to document formally the situation in which derogations might be accepted from the security needs and to initiate a decision process which ends with senior leadership approval/disapproval;
to develop strategic partnerships with key IT providers and to expect a transparent access to the security control system implemented internally to enhance cybersecurity.
Another aspect that serves as a standpoint for this analysis refers to the comprehensive approach. Holistic in nature, this approach needs to consider six pillars (Elmarkez et al., 2025, pp. 1-30), depicted in Figure no. 2.

The comprehensive approach to security by design
(Source: Author, based on: Elmarkez et al., 2025)
To facilitate this approach, researchers have identified several areas for future study that remain underexplored and are relevant to the military context. First, cybersecurity should be considered across all phases of a system’s life cycle, not just design. Second, analyses should address not only cyber-attacks but also system vulnerabilities. Third, security objectives must encompass data integrity, confidentiality, and system availability. Fourth, potential conflicts between cybersecurity and functional requirements should be identified. Additional recommendations include adopting security standards, conducting simulations and formal verifications, specifying technical requirements, combining cybersecurity mechanisms, and developing a unified security by design methodology that integrates attack-centric, asset-centric, and system-centric perspectives (Singh, 2025, pp. 27-29).
Another key consideration for military customers is the likelihood that systems will be deployed in new operational areas, domestically or abroad. From a cybersecurity perspective, such deployments introduce challenges due to the temporary nature of networks and the need for standard operating procedures to provide training and guidance. Mission-specific factors – such as operator turnover, inadequate computing resources, prolonged handovers between contingents, changing network topologies, dispersed server locations, frequent movements, and limited time for relocation – can increase the risk of security breaches. Signal units play a critical role by establishing standardized procedures for the installation, maintenance, and administration of deployed systems and by disseminating lessons learned. To identify these cybersecurity challenges, prior research has advocated an empirical approach involving simulations: one signal unit acts as the “blue team”, managing network operations, while another serves as the “red team”, conducting cyber-attacks (Mulazzani & Sarcia, 2011, pp. 17-25). With the identified challenges in mind, these military structures could offer the basic information about aspects that can be solved during systems’ design phase.
In the military, the effectiveness of advanced combat systems depends heavily on robust cybersecurity software, as recent conflicts have demonstrated. Systems such as the Patriot, Iron Dome, David’s Sling, F-35I Adirs, loitering UAVs, and medium range cruise missiles have proven their operational advantages in combat while also reinforcing the diplomatic and strategic posture of the countries that develop them. (Singh, 2025, pp. 1-3). Therefore, the capacity to ensure resilience against cyber threats is important not only for maintaining operational advantages but also for securing strategic benefits for the nations involved.
To contribute to this outcome, the following section aims at illustrating how such measures can be effectively integrated. The research employs a qualitative approach, specifically adopting the case study methodology. The aim is to complement the activities discussed in the preceding sections by presenting concrete measures and by highlighting the sequence of actions and the associated processes that exemplify best practices.
The relevance of the cases study method for this research lies in its exploratory nature, the accent being placed on bringing more clarity (Yin, 2018, pp. 32, 62) on the way the civil and military parts should interract in order to integrate security by design measures in capability development. Although the case study method is often viewed as having limited potential for generalization, it is suitable for this research as it does not aim to validate or quantify relationships between variables; rather, it seeks to provide a preliminary, detailed analysis of the problem under investigation (Kumar, 2019, p. 127). Additionally, researchers appreciate the case study method is appropriate when trying to find answers to research questions formulated on how to solve complex problems, offering a structured framework for developing a coherent and systematic analysis (Yin, 2018, p. 47).
The case of the British Armed Forces was chosen as they have a transparent approach when it comes to security by design. This transparency is justified by the availability of relevant documents, sufficient to accomplish the objective of this research. Another argument is that, at their level, security by design constitutes the foremost strategic priority in cybersecurity, ranking first among seven. They are convinced it contributes positively to mission accomplishment (Ministry of Defence, 2025c). Addionally, their example is relevant as British Armed Forces belong to the European area, though the country is not anymore a member of the European Union. Thus, the way they approached the security by design might be relevant for other armed forces in the area and has more potential to be considered feasible.
What is more, the British Armed Forces managed to put cybersecurity at the core of capability development process. All top-level budgets and all categories of forces sustain this vision. They set a general rule that security by design measures should be integrated on all systems and services that handle defence data, either provided by commercial suppliers or the military ones. Dedicated structures are dealing with responsibilities in this area, which are coordinated by the Ministry of Defence and the National Cybersecurity Centre. They acknowledge the impossibility that one approach is suitable for every capability, highlighting the criticality, scale, and complexity as variables (Ministry of Defence, 2025a). Last but not least, their example offers a success story because it is based on military and civilian synergies that could be tracked by various other European Armed Forces.
In the United Kingdom, the direction in security by design was established at the governmental level. A national standard was issued to cover the security concerns, also tackling aspects related to security by design. Irrespective of the security dimensions tackled by this standard, the British follow the phases of security lifecycle, presented in Figure no. 3.

The security life cycle
(Source: HM Government, 2021, p. 11)
In their view, cybersecurity is a sub system of security management, along with: physical security, personnel security, technical security, and industry security. Though it has repercussions on cybersecurity, security by design is a dimension of the technical security (HM Government, 2021, pp. 11-25).
To support the implementation of the mentioned standard, supplementary directions are given through a standard dedicated to cybersecurity. The document urges that organizations in charge with providing digital services and technical infrastructure comply with the security by design principles regulated at the national level, which are mandatory for the armed forces, also highlighting that the Ministry of Defence felt the need to introduce additional principles applicable in the military (Government security, 2025a).
Subsequently, an implementation guide was issued, to help organizations respect the established deadlines. The guide details activities that should be performed in three main stages, under the lead of chief digital and information officer or his organizational counterpart (Government security, 2025b), as highlighted in Figure no. 4.

Phases and steps in security by design implementation in UK
(Source: HM Government, 2021, p. 11)
The security-by-design policies and guidelines issued at the national level have been adopted by the British Ministry of Defence to address the specific requirements of the military environment and the project management life-cycle (Government Security, 2025b). In this respect, the Joint Service Publication 440 Leaflet 5C establishes mandates for an effective implementation of security by design policy (Ministry of Defence, 2025b). Unfortunately, it is not available for the wide public.
Implementation actors are established both within the defence sector and externally. (Ministry of Defence, 2025b). Their multitude supports the complexity of this objective and highlights key dimensions of civil-military cooperation in security by design area. Additionally, it shows how the integration of security by design policy aligns with the Planning, Programming, Budgeting, and Execution process (PPBE), in place for any capability development in the United Kingdom Armed Forces (McKernan et al., 2024, pp. 8-16). For instance, the following actors are drawn from within British military structures:
the structures signaling the need for a specific capability and for developing the concept of operations, considering the operational advantages brought by that type of capability (combat structure leaders);
program directors, responsible for financial support and risk management;
a representative of the final beneficiary, who monitors the effective delivery of security by design requirements along the products’ life-cycle;
procurement officers, responsible for monitoring the way contracts provisions are respected;
teams that supervise the delivery of the equipment, which should focus on checking if the security by design requirements were solved.
The following external actors are also involved, who are normally organized in teams conducted by leaders: engineers, providers of the Integrated Logistic Support, legislative and regulatory actors, representatives of the manufacturers, involved in design issues, suppliers and their contracting authorities, to make sure security by design is integrated across the entire Logistic Supply Chain (Ministry of Defence, 2025b).
Taking into consideration the aspects presented so far, the analysis performed in the present study contributes to the existing body of research by revealing a ten-step process that underpins the integration of security by design into military capability development. The main steps of the identified process are as follows:
Setting security by design as a strategic priority in the national cybersecurity area;
Establishing national and military standards for cybersecurity that explicitly address security by design;
Integrating security by design into the core of military capabilities development process (mandatory for digital systems that handle defence data, based on the specificity of each operational area and capability);
Establishing dedicated, dual hatted military structures, with clearly defined responsibilities on security by design integration;
Defining guiding principles related to the implementation of security by design within the military domain;
Developing a regulatory framework for urging civilian (including manufacturers) and military organizations (including end users and procurement structures) to implement security by design principles;
Developing a regulatory framework that encourages both civilian actors (including manufacturers) and military organizations (such as end users and procurement structures) to implement security by design principles;
Establishing mandates and protocols to ensure effective implementation (focused on monitoring and evaluatig outcomes);
Elaborating standard operating procedures for each deployed military system;
Disseminating lessons learned to support continuous improvement.
The study showed that security by design clearly represents an area where civilian and military efforts can unite to enhance the cybersecurity of both parts capabilities and the formulated research objective was accomplished. Moreover, the study provides a detailed answer to the formulated research questions, clarifing the main concepts in the area and referring to the ways of implementing security by design in military organizations.
Starting from conceptual delineation, the study highlighted the importance of having a tailored approach to the objective of implementing security by design, depending on operational context, level of technology and automatization and each type of capability or system that is being developed, category of armed forces. The approach combines the general level with the specific one, revealing key steps and actors that could be taken or involved to enhance the cybersecurity of military systems.
Apart from the numerous phases, steps and actions mentioned as determinants for the process of implementing security by design practices, this study pointed to the importance of having a holistic approach, based on risk assessment, operational benefits, and different threat models. Additionally, this study highlighted the need to take into consideration not only the newly developed systems, but also the existing ones, which can be adapted to enhance the cybersecurity level.
The study also revealed important actors that could have a decisive impact on the implementation of security by design practices. Therefore, the phases, the steps and actions composing the identified process were complemented with subjects and responsibilities that each of them retains. For instance, the civilian actors are more involved during the design phase, but the input provided by the military ones is essential.
Considering the three levels of a military operation, the study also offers a unique contribution by providing guidelines for implementing security by design in a top-down approach, perspective that was not tackled in a structured way by previous research. To exemplify, and taking into considerations the data presented, the strategic level (both military and civilian) is responsible with:
defining a cybersecurity policy at the national level, that is in line with the strategies adopted by NATO and EU, in which security by design is given a strategic enabler role;
elaborating laws, regulations and standards referring to security by design and monitoring their implementation, inclusively to make manufacturers accountable;
guiding the financial resources to sustain the implementation of the adoptive legislative framework;
sustaining the creation of dedicated (civilian and military) structures, responsible for the effective implementation of security by design measures;
creating the legal framework for giving incentives to the suppliers (civilian and military) that offer enhanced cybersecurity solutions;
developing control instruments, both at the military and civilian actors’ levels;
prioritizing the procurement of systems with enhanced cybersecurity characteristics;
developing strategic partnerships and approving derogations form the established rules.
Taken into considerations the responsibilities enlisted above, it can be concluded that the strategic level offers a rich framework for civil-military synergies when it comes to the implementation of security by design practices.
Going down to the operational level, the civil-military cooperation for the implementation of security by design gathers actors like the national, allied and partner nations military structures, and the contractors or different entities that operate the infrastructure in a theatre of operation. At this level, based on inputs form the tactical level, the cybersecurity objectives and requirements associated with each system are centralized and the capabilities at the disposal of adversary part estimated. Basically, this is the level that confirms the need for systems with enhanced cybersecurity design. Joint level structures in cyber defence area have the potential to cooperate with other military and civilian actors, to create a clear picture of the cybersecurity needs through design measures.
At the tactical level, the need for systems and capabilities resilient to cyber threats is identified by each component of the category of armed forces. Each existing system is tested through simulations performed especially by the signal and cyber tactical level units, to discover what are the flaws. Their feedback is important for taking adaptive measures or to generate a new design that responds better to cyber attacks, if the need for new capabilities is acknowledged. Moreover, protocols are developed and implemented to enhance the cybersecurity of the systems involved in military operations. The seven-step evaluation framework is applied at this level, for systems already in use, and new cybersecurity need identified. Also at this level, the challenges posed by deployment of forces and systems are identified. Here, but also at the operational level, the implementation guide adopted by the British Armed Forces could serve as a starting point.
Apart from the mentioned results, the current research also presents several limitations, that should be taken into consideration by future studies. First, the case study relies exclusively on document analysis as the instrument for data collection. To enhance the robustness and relevance of the findings, additional research methods – such as semi-structured interviews (involving civilian and military experts) and participatory observation – could be employed (Yin, 2018, p. 49). Second, the study examines only a single case, namely that of the British Armed Forces. To improve the potential for generalization, future research should incorporate cases from multiple countries. Third, the analysis is based solely on publicly available documents; however, it provides military experts with a useful starting point for further exploring the implementation of security by design measures.
