In reading various articles and in even discussions with consultants, the terms Cyber Security and Information Security are used interchangeably and sometimes the former seems to be taking over the latter. I want to share my thoughts on this and to show how there can be a distinction between Cyber Risks and Information Security Risks and also show how these two risks can be defined.
Cyber Risks
All risks that affects the organization’s Information Systems such as breaches, IT related threats (Ransomware, virus, malware, etc.). This requires that the relevant People, Process & Technology are in place to predict, prevent, detect and respond against cyber threats.
Information Security (IS) Risks
With IS Risk the focus is on the tenets of Information Security, these are the controls which are to be designed in all IT solutions prior to go live:
Confidentiality – Controls in place to mitigate against the unauthorized disclosure of information.
Integrity – Controls in place to mitigate against the unauthorized modification of information.
Availability – Controls in place to mitigate against downtime of Information Systems, such as Denial Of Service attacks.
So Cyber Risks would relate more to the daily IT related activities of an organization and the Information Security Risks would be the controls that are baked in to IT solutions during the development phase.
Great post. They may be used interchangeably because security has been about technology and the definition of cyber is still debated. Technology is a single layer in cyber and (for example) in engineering when risks are discussed assets are identified.
It is beneficial to broaden the analysis and look at end to end aspects. Threats and Adversaries should be analysed, as well as their target impact, which may include shutting down the electrical power supply of a country, or take over the control of a vehicle or aircraft, etc.
This leads to cyberphysical risks beyond information risks.
Now information risks may cascade into genocide, as the remembrance of Auschwitz concentration camp reminds us: sensitive attributes of people (including religion, opinion, etc) should be very strongly protected.
The above illustrates a link between cyber risk and information risk.
One could use a hierarchy of end impact risk types: L=life , T=theft, E=ecosystem.
Humans may die as L, economic damage is incurred with T, reputation and trust may be damaged as E.
LTE is easy to remember (the same as 4G...).
JUST CYBER IS DEFINED IS AS FOLLOWS:
Definition of cyber
(Entry 1 of 2)
: of, relating to, or involving computers or computer networks (such as the Internet) the cyber marketplace
cyber-
combining form
Definition of cyber- (Entry 2 of 2)
: computer : computer network cyberspace
_____
That is cyber security it's security of computers and computer networks, or alternatively - it's security of cyberspace.
_____
JUST INFORMATION IS DEFINED AS FOLLOWS:
Definition of information
1a(1) : knowledge obtained from investigation, study, or instruction (2) : intelligence, news (3) : facts, data b : the attribute inherent in and communicated by one of two or more alternative sequences or arrangements of something (such as nucleotides in DNA or binary digits in a computer program) that produce specific effects c(1) : a signal or character (as in a communication system or computer) representing data (2) : something (such as a message, experimental data, or a picture) which justifies change in a construct (such as a plan or theory) that represents physical or mental experience or another construct d : a quantitative measure of the content of information specifically : a numerical quantity that measures the uncertainty in the outcome of an experiment to be performed 2 : the communication or reception of knowledge or intelligence 3 : the act of informing against a person 4 : a formal accusation of a crime made by a prosecuting officer as distinguished from an indictment presented by a grand jury
_____
It's clear that INFORMATION is a great deal wider notion as compared to CYBER. Therefor, INFORMATION SECURITY in no way is equivalent to CYBER SECURITY, those aren't interchangeable notions. It is a mistake. Take for instance, news security, or facts security, they have little to do with cyber security, they are above and beyond just cyber security. What do physical or mental experience information have to do with cyber security? Hence, INFORMATION SECURITY is a totally different animal as compared to CYBER SECURITY. If something is screwed up in a computer's hardware, or network connections, or memory chips, and alike - it's a cyber security problem having no bearing with information security. If a software engineer made an error and an application shows a wrong warning message on the screen - it is an information security problem, not a cyber security one.
_____
Look at such fundamental fields of science and technology as authentication and authorization. There are various authentication and authorization protocols. If an authentication protocol is correct - this is information security warranty. If a software engineer made an error(s) in this protocol - it becomes a cyber security problem / issue. The same is related to an authorization protocol.
_____
Your proposition about CYBER RISK and SECURITY RISK (instead of CYBER SECURITY and INFORMATION SECURITY) I see as confusing fundamental notions, and unnecessary. The key reason is that the dominating role in security is played by SECURITY POLICY of an organization, or department, or lab, etc. The standard path in following SECURITY POLICY is identifying security vulnerabilities and associated with them security threats. Only and only on the basis of these analyses security RISKS can be identified and assessed. Then, there is a number of following on security steps based on security standards, analyses of losses etc. This very simplified path of security processing in any organization show that RISK as a notion and as a practical thing is only somewhere within. Thus, introducing CYBER RISK and SECURITY RISK are highly confusing as inadequate to what is going on in reality.
I agree that many people are not competent in the fields to make any distinction between terms and notions, and the scientific and technology fields in this area get more and more complex. But it's not a reason to keep confusing professionals working in these fields. More attention to be given to public at large for a better education. Many in sales and marketing forces cut corners in their advertisements and brochures confusing consumers on the real terminology.
Very interesting question. I also see that many are using those two terms like synonyms, but they aren't. Cyber risks can only be risks that are related to information systems/technology. On the other hand, information security risks are broader, since not all information is in information systems (there is also written or spoken information).
Cyber Risks and Information Security Risks are distinct terminologies that must not be used interchangeably. Since cyber security risks might include risks associated with the cyberspace simplistically, information security risks on the other hand includes cyber security risks seen as a subset of information security and further substends to other forms of information security associated risks like prnted information, oral information, stored information and many more.
Yes, due to the high dynamics of development of cyber crime, cyber threats, cyber risk, information security on the Internet, cyber crime risk management, information management transferred in cyberspace, hacking techniques in online and mobile banking etc. it happens that some synonymous terms are used interchangeably. This can cause interpertional dissonance. In this connection, an important issue is the permanent updating of the language of the problem in the field of cyber crime and cyber security and the semantic classification of individual concepts and relationships between them.
Regards,
Dariusz Prokopowicz
Information security and cyber security are different but share common ground and can be inter-related. An easy point to consider is the fact that information security existed way before the "cyber" word (and world) had been invented. For example, consider encryption of messages back in Roman times using the Caesar cipher or the use of homing pigeons to communicate sensitive information between two specific locations. Also note that raw data becomes information after given useful meaning and context.
When information and/or data is held or processed through "cyber" systems, it is cyber security that provides protection. Let's say I hold all customers personal details on an online system. Anyone with the correct credentials can access the customers information. I therefore need security policies and procedures to limit access to those who are authorised and even then I still need to stipulate the purposes for which that information can be used and how much of the information can be accessed by certain individuals.
I also need to consider all the threats to my customers details, which include malicious software, weakness within the online system itself, the reliability of the system to ensure the details are available when needed. Furthermore, I need to ensure the accuracy of that information and its authenticity too - i.e. prevent, and ideally detect, unauthorised changes or mistakes. All this is covered by cyber security, yet as it's information or data that's being protected, I can also easily view it as information security too.
Now, what if a cyber criminal wants to shut down a manufacturing operation that uses robots which are connected to the internet (inadvertently or otherwise). The criminal finds a way to access the LAN and causes the robots to malfunction. Breach of the network may have occurred 1) with knowledge of credentials (information) or 2) simply due to a vulnerability discovered while scanning open internet ports (cyber). As you can see, both cyber and information security could be involved, or merely cyber security due to vulnerabilities or poor network protection. A third option would be information security is breached first, followed by cyber security as a consequence.
As well, a rogue employee might illegally pass on information about a company which affects its stock price (apparently this happens a lot!). Let's say the employee informed his nephew of certain information during a social visit and his nephew subsequently acted on that advice. No cyber security controls or measures would prevent such disclosure, yet enforced information security policies might have some effect (for example adequate training, warning and checks against behaviour of connected persons, etc). And what if that rogue employee offers his online credentials to an outside accomplice?
So my current preferred view is a Venn diagram with overlap between information security and cyber security. When an organisation's strategic direction and operation depend on data/information which transits the cyber domain, information security and cyber security share common ground. Conversely , when this isn't the case, information security and cyber security may cover different areas depending on other inter-related processes. Technical controls and measures help enforce confidentiality, availability, integrity, authenticity and non-repudiation; qualities which again appear in both domains.
Broadly speaking, security is a capability that enables one to protect assets. Information security thus concerns protection of information assets and cyber security concerns protection of information technological assets.
It becomes quite interesting when you realize (1) that the IT assets contain the information assets as data, (2) IT asset configurations require alignment with the business processes they are to support and (3) that IT infrastructures tend to interconnect while they must allow access to their information assets by multiple parties which makes matters infinitely more complicated. At that point, the concept of risk enters the scene. The operational domain of cyber security (satisfying compliance requirements) emanates into the strategic domain where business objectives may begin to fail when assets turn out not to be adequately protected. In order to manage these chains of cascading risk, it should be clear who is accountable for the protection of all information assets, i.e. determine who owns a particular information assets and let that party state who may access them - entitled by a well-defined business reason and supported by a correctly implemented authorization model.
- Badges
- Science topic
- Similar topics
- Correction