To understand the differences between terms like cyber security and information security is important because many banking regulatory bodies like Reserve bank of India, Hong Kong Monetary Authority, Monetary Authority of Singapore, etc. have asked banks to have separate cyber security and IS security policies.
These two words “Cyber Security” and “Information Security” are generally used as synonyms in security terminology, and create a lot of confusion among security professionals. I was discussing with some InfoSec professionals about the same and found out that some of them think that cyber security is subset of information security while others think the opposite. So, to clear this confusion, I decided to research on the same and write a blog.
Let’s start with data security. Data security is all about securing data. Now another questions arises here is to the difference between data and information. Not every data can be an information. Data can be called as information when it is interpreted in a context and given meaning. For example, “14041989″ is data. And if we know that this is date of birth of a person, then it is information. So, Information means data which has some meaning. Information security is all about protecting the information, which generally focus on the confidentiality, integrity, availability (CIA) of the information.
While cyber security is about securing things that are vulnerable through ICT. It also considers that where data is stored and technologies used to secure the data. Part of cyber security about the protection of information and communications technologies – i.e. hardware and software, is known as ICT security.
Following Venn diagram can be helpful to understand the differences.
Reference- Center for Cyber and Information Security (https://ccis.no/cyber-security-versus-information-security/)
In the diagram below, we can see that right side Venn diagram represent the Cyber security (things which are vulnerable through ICT, it includes information, both physical and digital, and non-information such as cars, traffic lights, electronic appliances, etc.), while left side represent the information security (which consist of information both digital and analog).
Note that IT security is the protection of information technologies. Practically, there is no difference in ICT security and IT security.
As you can see in following picture that both sets are having some overlap. Below diagram illustrates the relationship between ICT security, cyber security and information.
Reference- Center for Cyber and Information Security (https://ccis.no/cyber-security-versus-information-security/)
Notice that cyber security (right set) includes everything and everyone that can be accessed through cyberspace. So, one could argue that everything in this world is vulnerable through ICT. However, going by the definition of cyber security, we should protect which is to be protected, because of the security challenges posed by the use of ICT.
As per the NIST (National Institute of Standard and Technology)definition, [Source- http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf]
Cybersecurity: The ability to protect or defend the use of cyberspace from cyber attacks.
Information Security (1): The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
Information Security (2): Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide —
1) integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity;
2) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
3) availability, which means ensuring timely and reliable access to and use of information.
Going by these definition, cyber security is all about security of anything in cyber realm, while information security is all about security of information regardless of the realm. So, from these definitions, one can think that information security is super set of cyber security.
So, we see that people have different view about these terms, and generally use them alternatively.
Also, there are cultural and even political aspects regarding the use of these words. The Americans generally use the term “cyber security”. While the Russians use “information security”.
Below diagram shows the comparison of google search volume of terms cybersecurity, cyber security, and information security for last 5 years.
In India:
We can see that search volume for term “information security” was higher than terms cyber security historically, but presently they have similar search volume. Also term “cyber security” is showing positive trend.
Worldwide:
We can see that search volume for term “information security” was higher than terms cyber security historically, but presently they have similar search volume. And search volume for term “cyber security” is higher than term “cybersecurity”. While both terms cyber security and cybersecurity shows positive trends.
In United States:
US shows similar trend as worldwide, and the reason for this is domination of U.S. in security market.
Comments