The field of cybersecurity has become one of the most important and lucrative fields in ICT due to the rise in the cybercrime rate over the last decade. The terms cybersecurity, information security, cybercrime, and computer forensics are often perceived as identical, but they are not. Due to cultural and political differences, different countries and organizations have different perceptions of these branches of security. Various countries use "cybersecurity" to mean information security. In recent times, "information security" has been used interchangeably with "cybersecurity" in press releases, public speeches, and movies, although the two terms do not mean the same thing.
The misuse of these terms creates confusion for those who are interested in pursuing a career, or in employing people, in one of these exciting and growing fields. Knowing the differences helps hiring managers identify which candidate qualifies for a position. This article discusses the negative impacts of the misuse of these terminologies and the differences between the terms cybersecurity and information security. Subsequent publications will discuss these terminologies in more detail and will differentiate cybersecurity from cyber incident handling, cybercrime, and computer forensics.
The Abuse of the Terms “Cybersecurity” and “Information Security” and the Challenges
The abuse of the terms “Cybersecurity” and “Information Security” has brought several challenges. Due to inadequate awareness and knowledge of the field, several students have enrolled in programs they did not mean to enroll in. Many people have chosen careers in a field for which they were not qualified. Educational institutions have advertised cybersecurity or information security programs, yet few or none of their courses cover cybersecurity or information security domains. Research shows that some practitioners of computer forensics and cybercrime investigation have advertised their investigative services and criminology skills as cybersecurity or information security. Employers who meant to hire information security or cybersecurity practitioners ended up hiring cyber forensics, cybercrime, and forensic investigators because they did not know that these branches fall under the criminal justice system. Employees from a cyber criminology background have not bothered to pursue cybersecurity degrees or certifications because they claim their positions already qualify them as security practitioners. People make erroneous decisions about cybersecurity, information security, computer forensics, cybercrime, etc. due to a lack of clarity and understanding of these terms. Everyone needs to be aware of the distinction between cybersecurity, information security, cybercrime, digital forensics, etc. to determine which career path is the best fit for them.
The term “cyber” was first used in the field of “cybernetics (the science of communications and automatic control systems in both machines and living things) in the late 1940s”. From the 1960s through the 1990s, the English language saw a proliferation of “cyber” as a prefix, including cyber-cubicle, cyber-friend, cyber-lover, cyber-snob, and even adverbs like cyber-sheepishly. The term cyber has since been used as a prefix for anything digital in nature (related to the internet or electronic devices). For example, bullying through the internet or an electronic device has been described as “cyber-bullying”, and crime committed through computers and the internet is described as “cybercrime”.
The Merriam-Webster Dictionary defines security as “measures taken to guard against espionage or sabotage, crime, attack, or escape”. The term “cybersecurity” is described as the method of securing, protecting, and defending digital information, electronic devices, and anything related to ICT. Cybersecurity is anything involving the security of information or information systems in a digital state (e.g. databases, financial systems).
Information security aims to protect the confidentiality, integrity, and availability of computer system data from those with malicious intentions. Confidentiality, integrity, and availability are sometimes referred to as the CIA triad of information security. This triad has evolved into what is commonly termed the Parkerian hexad, which includes confidentiality, possession (or control), integrity, authenticity, availability, and utility. The SANS Institute also defines information security as the processes and methodologies designed and implemented to protect printed, electronic, or any other form of confidential, private, and sensitive information (or data) from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.
Information security is anything involving the security of information or information systems regardless of the state of that information (e.g. physical, such as paper, or digital, such as a database). Domains of information security include (but are not limited to) physical infrastructure security, security risk management, security governance, cryptography, security engineering, asset management, security assessment, cyber incident handling, etc.
Cybersecurity (as illustrated in Figure 1) is all about the security of anything in the ICT realm, while information security is all about the security of information regardless of the realm (including the realms of ICT, data, personnel, and physical structures).
Figure 1: Difference Between Information Security and Cybersecurity (Source: www.cisoplatform.com)
Both information security and cybersecurity deal with the security of digital information. As illustrated in Figure 2, information security and cybersecurity intersect in one branch: digital information. Both fields entail the security of digital information and technology systems.
Figure 2: Relationship between Information Security and Cybersecurity (Source: www.cisoplatform.com)
The two have been perceived as the same because both seek to ensure the confidentiality, integrity, and availability of data (information). In conclusion, cybersecurity (a subset of information security) is about anything in the ICT realm, while information security is about the security of information regardless of the realm.
By Sam Owusu Aduafo:
Cybersecurity Specialist (Advanced Evidence Discovery Ltd and Institute of Cybersecurity, Ghana). Member, Institute of ICT Professionals Ghana.