Information Security–vs–Cybersecurity

Information security vs. cybersecurity risk management is confusing many business leaders today. More and more, the terms information security and cybersecurity are used interchangeably. The media and recently elected government officials are dumbing down the world of security, specifically the protection of information in all forms.

Everyday the major news outlets in all countries are reporting cyberattacks organizations of all types. Social media is constantly buzzing with the latest cyberattack on well known companies or the latest list of hacked emails being circulated to expose someone.

“Companies like ours are, in large measure, are responsible for protecting their own networks. And it’s a big challenge. The bad guys only have to be right once. We have to be right 100 percent of the time.”

— William Varner

But are information security (infosec) and cybersecurity (cybersec) synonyms? In order to best answer that question, let’s explore what each term means to us today and how they came to be a part of everyday language.

According to the Oxford Dictionaries online the definitions of these terms are very similar with one small exception:

• Information security – “The state of being protected against the unauthorized use of information, especially electronic data, or the measures taken to achieve this.”
• Cybersecurity – “The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.”

To highlight the small difference between the two definitions, recognize that cybersec (cybersecurity) relates purely to digital or electronic and infosec (information security) relates to any form of information assets, digital or paper. The prefix cyber is defined as relating to or characteristic of the culture of computers, information and communication technology (ICT), and virtual reality. Interestingly, cyber hasn’t always been associated with the digital age.

Cybersecurity

What is cybersecurity?

We hear the word all the time now in reference to anything on the internet or in a digital format. But to answer the question, we have to dig a little deeper into the etymology. Just as it has been throughout history, cyber is a prefix added to many other words to form new terms. In fact, the origins of the word cyber stem from the ancient Greek word kubernētēs (κυβερνᾶν), ‘steersman’, from kubernan ‘to steer’, which is related to government or governing of people.

How did an ancient Greek word for governing transform into cyber warfare in society today?

Cybernetics.

In the 1940’s a mathematician named Norbert Wiener published his groundbreaking book, Cybernetics: or Control and Communication in the Animal and the Machine. Although Wiener wasn’t the first to use the then obscure term, as it appeared in a few works of political theory about the science of governance, he did popularize it. In fact, Wiener was part of group of specialists in the fields ranging from biology to engineering to social sciences that established the field of cybernetics – the study of communication and control systems in living beings and machines. Wiener even hypothesized that one day there would be a computer system that ran on feedback; a self-governing system the same as organic beings (artificial intelligence or AI today).

Much like Wiener’s futuristic idea, cyber continued to evolve and the science of cybernetics created cyborgs. More specifically, the cyb- of cybernetics added to org- of organism referred to a human merging with a machine that was capable of interacting and learning in both social and technological environments. After cyborgs, cybernetics continued to blaze the trail to cyberpunks. Yes, there are also cypher-punks (think cryptography and privacy), but the difference between a cypher-punk and a cyberpunk is for another article. Back to cyberpunks, starting as a digitized version of the musical punk movement that became a genre of science fiction in the early 1980s. The fresh cyberpunk movement went into hyper-drive with the film Blade Runner and the William Gibson novel Neuromancer. The cyber prefix became a great way to express something as cutting-edge or high tech by slowly replacing the word digital.

The 1990s could be referred to as the decade of cyber, because the world exploded with new cyber terms. Cyber was everywhere: cyberspace, cybergeek, cybercafé, cyberchat, cyberfriend, cyberlover, cybersex, cyberculture, cyberporn and cyberstalker. Virtual reality, only now reaching consumer potential, also started to pop up in the consumer market in the 90s, specifically in video games further expanding the ‘cyberworld of things’. But by the end of the 90s, ‘cyber-ing’ words to form new cyber related terms slowly faded, similar to the use of fellow 90s techie terms ‘surfing the web’ and ‘Information Superhighway’.

The resilient cyber terms, more specifically the uses for the prefix, that survived the 90s into the new millennium took on a negative nomenclature. These are the words we hear or read about today often used to instigate doom and gloom:

• cyberattack – any type of offensive maneuver targeting computers, ICT and networks by various means of malicious acts
• cybercrime – any crime related to computers, ICT, and networks;
• cyber espionage – practice of obtaining information (classified, copy written, patented, personal, proprietary, sensitive) without permission and knowledge of the holder or source via cyber means (malware, spyware);
• cyber terrorism – intentional use of computers, networks, and internet to threaten loss of life, hold for ransom, or cause destruction for personal objectives;
• cyber warfare – offensive and defensive operations targeting computers, ICT, networks and the internet for the purpose of causing damage, disruption, or elimination often between member states and utilizing the cyber tactics listed previously

Fortunately for all of us we also have cybersecurity. When broken down into its simplest form, cybersecurity represents the countermeasures to all of these common cyber terms over utilized by media and entertainment.

Information Security

What is information security?

Information security is a more commonly used business term around the world, mostly due to the professional use of the term ISMS (Information Security Management Systems) describing an everyday business activity. Cybersecurity is associated with protecting and securing anything in cyberspace, while information security pertains to assurance through procedures and protocols for protection of information, digital or not.

A more comprehensive definition of information security is protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, recording or destruction in order to provide a means for:

1) integrity – which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity;

2) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and

3) availability, which means ensuring timely and reliable access to and use of information.

Information security has been a part of human vocabularies long before the digital age. We have all seen the ‘highly secure’ act of a king dripping candle wax onto a sealed (folded or rolled) document and pressing a one-of-a-kind ring into the wax to create the official seal. If the seal was broken, then the recipient of the document would know that the confidentiality was breached, thus a form of information security. The rise of hierarchical command and control structures of ancient civilizations for societal administration and warfare are the origins for information security.

Cryptography, a common technique used for information security then and now, is another Greek word made of κρυπτός (kryptós), ‘hidden or secret’, and γράφειν (graphein), ‘writing’. Cryptography can be generally described as constructing and analyzing protocols that prevent unauthorized access to information. The Caesar cipher, invented by Julius Caesar in 50 B.C. and used to secure secret messages throughout the Roman empire, is an ancient example of securing information. But the Caesar cipher was only a part of the infosec best practice, as the application of procedural handling controls, such as sensitive information identification prompting only trusted couriers transporting via secure storage in a strong box accompanied by armed guards, was the complete solution best practice for assuring information security.

Infosec evolved throughout the ages into an intricate aspect of warfare and civilizations, therefor the opposition’s desire to breach the security was inevitable. As the world started to introduce better and more secure forms of communication (telegraphs, telephones, computers) and cryptography, code crackers, phreakers, and hackers were spawned. The German designed Enigma machine, an electro-mechanical rotor cipher that would have blown Caesar’s mind (158,962,555,217,826,360,000 different settings), was invented at the end of the first World War and quickly adopted as the primary means of infosec protecting commercial, diplomatic, and military communications for the Nazi military. Luckily for the world, this highly successful form of information security was eventually cracked.

That is the biggest problem with information security and cybersecurity, the best defenses can be overcome by persistence and patience. The people trying to protect and secure enterprises are constantly attempting to stay ahead of other people who want to gain unauthorized access to the enterprise and the information contained within. As in the quote that begins this article, the ‘bad buys’ only have to find a tiny crack in the security for success.

The governments of the world have been attempting to get ahead of the bad guys too by passing laws and regulations that are intended to be a guide for all to follow. A guidance or catalog of security controls and procedures are often published as the means to follow in order to comply. In fact, both information security and cybersecurity have long lists of regulations and standards associated with each:

• Federal Information Security Management Act of 2002 (FISMA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes Oxley Act
• Payment Card Industry Data Security Standard (PCI-DSS)
• Cybersecurity Enhancement Act of 2014
• The Cybersecurity Information Sharing Act
• Cybersecurity Framework – Framework for Improving Critical Infrastructure Cybersecurity v1.1
• Cyber Essentials
• Cyber Essentials Plus
• European Union General Data Protection Act (EU GDPA)
• ‘‘Cybersecurity Disclosure Act of 2017’’ (proposed bill in US congress at the time of writing)

Curious, how the regulations put in place in the early part of new millennium focused on information as a key word, but all of the most recent regulations now focus on cyber-something.

Infosec guidance in a digital world gained attention in the early 90’s through the UK Department of Trade and Industry’s Commercial Computer Security Center (CCSC). The early results produced the British Standards BS7799, that supported the proper implementation and maintenance of ICT infrastructure and ISMS. The BS7799 evolved into the ISO/IEC 27001 and spawned a family of accompanying standards in the ISO/IEC 27000 series.

We will explore the laws, regulations, mandates, acts, standards, and guidance in a follow up article. Because, gaining more clarity and a better understanding of laws and standards we can better assess the differences between information security and cybersecurity.