Information Security vs. Cybersecurity

The CIA triad.

Information security and cybersecurity are commonly used interchangeably but actually define unique, overlapping fields.

In this article, we’ll cover broad definitions and features of both information security and cybersecurity. We’ll see how they contrast with each other and why they are both important.

What is Information Security?

Information security is the practice of protecting information in all forms. This includes information in every possible format, from written documentation to online data. It involves preventing unauthorized access to information. It also seeks to reduce the unwanted consequences of unauthorised access to information. This includes using, destroying, disclosing, or selling the information.

What is Cyber Security?

Cyber security, also known as computer security, is the protection of computer systems. It is the practice of securing computer systems against unauthorized access.

The Relationship Between Information Security and Cyber Security

The relationship between information and cyber security has been the source of much debate. While the terms are sometimes used interchangeably, they can play very different roles. Both require protecting computer systems and information.

One way to think about information security and cybersecurity is based on the systems that they try to protect. Information security tries to protect information systems, while cybersecurity tries to protect computer systems.

One of the reasons information security is so important within the field of cybersecurity is that the information in a computer system is arguably its’ most important asset to protect. An attacker could gain access to a system but this type of control itself may be of limited value. What can someone do with a system that they have control over? Of course they can link the system to a botnet or otherwise use it for nefarious purposes. But the original owner should eventually be able to kick them out and restore their own control as long as they have physical control over it and its’ inputs and outputs. So control is arguably a reversible condition. What is not reversible is the exfiltration of any data during the attack, which can be used or sold for financial gain or other purposes.

Information Systems

It’s helpful to learn the concept of an information system to better understand information security.

An information system is used for creating, collecting, processing, storing and distributing information. Most commonly this system is considered within the context of an organization.

Since most information is handled by computer systems, we can start to see the overlap between information and cyber security. Computer systems are a big part of an organization’s information system. But the information system itself is greater than the computer systems alone. The information system also includes many non-computer components.

Information security vs Cybersecurity

Information security is focused on protecting the confidentiality, integrity and availability of data. This model, known as the CIA triad, often crosses over into cyber security.

Unlike cyber security, however, infosec is also concerned with protecting information from environmental disasters and physical theft (paper documents, hard drives, etc.).

Nonrepudiation, Authenticity, Accountability

Information security is also governed by nonrepudiation, authenticity and accountability.

Nonrepudiation

Nonrepudiation is the assurance that something is undeniably valid, or that some action cannot be denied. From an infosec perspective, we can use the analogy of a tracked parcel. If a parcel is signed for, it becomes more difficult to claim that it was undelivered. The tracking gives proof that the parcel was sent, as well as proof of its’ route. The signature proves that the recipient signed for it. In IT, logging is commonly used for nonrepudiation. For example, an email log proves that an email was sent and received.

In actuality, it is very difficult to prove anything with 100% certainty. In the parcel example, an unauthorized person may be pretending to sign for the package. It may be tough to prove that the person signing was authorized on the basis of the signature alone. But you can improve the system to meet the required demands. For example, requiring an ID or having video recording of the transaction would bolster nonrepudiation in this case.

As with all security practices, the goal is to create a system that best aligns with the resources and goals of the organization.

Authenticity

Authenticity is verifying that someone is who they claim to be and that information has travelled via trusted channels.

In the example of the parcel, we can confirm the identity of the carrier and signer via identification and signature. We can check the path that the parcel has taken by using tracking. The package itself might contain information confirming its’ own identity and any quality checks the item may have gone through. This helps to confirm that the contents of the parcel are authentic.

Accountability

Accountability means you can trace your parcel at every point during its’ journey.
The entities that the parcel visits should be unique so that the parcel’s movements can be tracked. They should also be authorized to handle the parcel as it makes its way through the network.

If something goes awry with the delivery, the postal service should be able to follow its route and find out who’s accountable.

Laws

There are various laws surrounding the handling of information. These laws are designed to protect both consumers and companies.

Laws do this by ensuring that handlers of sensitive information are following best practices.

Companies may inadvertantly breach these laws if information is managed incorrectly. This could result in fines and reputational damage as well as lawsuits.

From a personal standpoint, a data breach could lead to fraud or identity theft. If data is dumped online, issues like using the same credentials could result in cascading issues.
Below are some important laws to note that correspond to information security:

– GDPR (EU)
– Health Insurance Portability and Accountability Act (HIPAA)
– Payment Card Industry Data Security Standard (PCI DSS)
– Data Protection Act (UK)
– Computer Misuse Act 1990 (UK)