If you’ve had any involvement at all with security you’ll have come across people using cyber security and information security
Given we’re dealing with areas that matter a lot, as people are put at risk by misunderstanding security, what is the difference?
There are a lot of different viewpoints here, so if I trample over your favourite one then please remember it’s nothing personal. I’m going to be leaning towards clear, academic definitions rather than marketing since these things really do matter.
Disciplines and Domain
First thing we need to cover is the difference between a discipline and a domain. This can get complicated, so I’ll trim out all the unnecessary detail. Different definitions exist, but these are the most useful for what we’re talking about.
Discipline: an approach, a set of knowledge and skills which can be applied to different environments to understand and interact. An example of a discipline might be biology, or physics, or medicine.
Domain: an environment or area, following the military definition these are separate theatres of operation. An example of a domain more academically might be oceans, while militarily ground and cyber are two of the domains generally recognised.
Security itself is very much a discipline, a set of skills and approaches which are designed and learned to identify threats and mitigate their impact on assets. Ultimately, regardless of the type of security we’re talking about, the threats are always going to be people, and the assets will be more people. There may be some intervening tools and technology in the way, but security is about people. If we were worried about environmental threats, we’d be calling it safety instead.
If we take security as a discipline, that means that cyber security is that discipline applied to the cyber domain. Information security is the same discipline applied to the information domain. If we want a handy metaphor, then we can compare the discipline, the security knowledge and skills, to the standard toolkit. If we’re sticking with the metaphor (and stretching it to breaking point) then the domain might be the difference between approaching an electrical job, or plumbing.
There’s clearly a difference between being a plumber or an electrician, but both types of tasks can be achieved by a skilled amateur (with no guarantees about safety or success of course). And the tools for both have a 90% overlap, with only a few specialist ones making up the difference.
What is the Information Domain?
The information domain is big.
Really big.
And old.
To be precise, the earliest known examples of information security go back more than four thousand years, to Sumerian contracts written and then enclosed within a clay envelope (with another copy of the contract written on it) to maintain information integrity.
A few hundred years later, we have chapter 12 of the Book of Judges which tells us of the first (known) use of a password to identify people, in a story which still gives us the term shibboleth today.
Another example, mere centuries ago, were the chained libraries of the Middle ages which were designed not to protect confidentiality, as you might expect, but availability - books were tempting targets for thieves, so making sure they were available in the library involved heavy chains.
Nowadays with technology being as prevalent as it is, information security often gets confused with the technology side, but it’s important to recognise that if we’re considering information security properly it applies to all information, not just what we store on a computer somewhere.
The standard lens through which people look at information security is the CIA triad - and while it definitely has its flaws it is widely recognised and well established so I’ll stick with it. CIA in this case standards for three attributes which information security is designed to protect:
- Confidentiality: information should only be available to those who are authorised to access it
- Integrity: information should not be tampered with by unauthorised parties
- Availability: information should be available when required
Other models exist, but anyone who’s done any work in information security will know the CIA triad by heart - it’s practically tattooed into our brains by repetition at this point.
What is the Cyber Domain?
So we’ve got information, what about the cyber side of things?
The nice, clean, academic definition talks about ‘an electronic information processing domain comprising one or several information technology infrastructures’. The key here is the technology piece, so the cyber domain talks about technology (and we’re going to assume electronically based technology, rather than Sumerian clay tablets) processing information.
Largely that means cyber security is a subset of information security, but it gets a little fuzzy at the outskirts as that same technology can also be functional - whether that’s in terms of industrial, or even things like access control. To keep it straightforward then we can say that the cyber domain is about technology that can be connected to other technology which links to the information domain.
The problem is that we need something more than the CIA triad as a lens to look at this world. Confidentiality, integrity, and availability are a little more distant than we need if we’re talking at the technology level. When we get into technology we have to deal with more detailed, more concrete, ideas than when we’re dealing with the information domain.
So far there isn’t really a suitable lens that’s been developed. There’s an argument for the
Ultimately, you’re probably fine to use the terms interchangeably, because almost everyone does. If you want to delve into the theory though then it’s important to recognise that there’s a significant overlap between cyber security and information security, but they are not the same thing.
Instead, cyber security leans heavily towards the technical implementation of information security within technological systems, while information security is a more conceptual implementation.
Does the difference between cyber security and information security matter?
Plenty of people will say that the difference is irrelevant, and they aren’t completely wrong. It’s worth being aware of and acknowledging though, since security really matters. Depending on the specific area you’re working within, it wouldn’t be exaggerating to call it a matter of life and death.
If you’re working within just cyber security, purely information security, or even a different domain like physical security it’s fine to do just that - but being aware of the existence of other domains and how they interface with your own is absolutely vital to do what really matters in security - protect assets (people) from threats (also people, sometimes the same ones).
Master your area, and recognise where you have gaps that require masters of the other domains. The cyber side is only going to get more complex, and interact with more domains, as we move into the