Cyber Security versus Information Security

May 5, 2014

You may have seen our post on the difference between information security and information assurance. But how does cyber security fit into all this? Well, according to this recent article on JDSupra, some see cyber as being broader than plain old information security. From their perspective, the key difference is that information security is mainly relevant to personal information while cyber security is more universal, focusing on other concerns such as our national infrastructure.

My feeling though … is that information security is actually a super-set of cyber security since anything in the cyber realm would involve information or information systems. As usual here is my pseudo-Venn diagram to enjoy.

Information Security vs Cyber Security

Of course a quick search on this topic will result in an abundance of contradictory definitions, including those from the JDSupra article and mine. Then we have the official NIST definitions from IR 7298 Revision 2, Glossary of Key Information Security Terms (PDF). They define cyber security and information security as follows (note there are two definitions for information security).

Cybersecurity: The ability to protect or defend the use of cyberspace from cyber attacks.

Information Security (1): The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Information Security (2): Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide —

1) integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity;

2) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and

3) availability, which means ensuring timely and reliable access to and use of information.

Based on the definitions above, the way I look at it — cyber security involves anything security-related in the cyber realm (or cyberspace). Information security involves the security of information or information systems regardless of the realm it occurs in (e.g., risk of exposure in physical world). Since anything that occurs in the cyber realm would involve the protection of information and information systems in some way, you can conclude that information security is a super-set of cyber security.

Personally, I use the terms interchangeably depending on the audience. In the government world as well as those not familiar with our field, cybersecurity is my go-to term. When chatting about it amongst my peers, infosec it is.

(Note: As part of a campaign to bring forward some of our older posts that we feel still benefit the community, we’ve added this article to our Best Of category that will periodically get tweeted out. Please mention it to me on Twitter or contact us if there are any other posts you feel we should include in this category. This post was previously categorized under Infosec Blogs/Podcasts. -@grecs)

#####

What do you think the difference between information security and cyber security is? Let us know in the comments below. See ya!

32 Responses to Cyber Security versus Information Security

  1. Aiuken (@aiuken) on May 5, 2014 at 10:03 am

    Cyber Security versus Information Security http://t.co/qmNZPgVXXY

  2. Brian Stephenson (@bahnhacker) on May 5, 2014 at 1:40 pm

    Cyber Security versus Information Security http://t.co/JYNgNJvQJz

  3. Howard Fuhs (@Hfuhs) on May 5, 2014 at 2:55 pm

    Cyber Security versus Information Security – http://t.co/qK2wa8eyaO

  4. @Cyberkeurmerk on May 5, 2014 at 5:48 pm

    What would a #CYBER #REALM be? https://t.co/xPCryJy8QA a subset of REALM, as it turns out. #CYBERSUBSET

  5. @AlpineCyber on May 5, 2014 at 6:53 pm

    #infosec Cyber Security versus Information Security – http://t.co/8IltKWrLMS

  6. grecs on May 5, 2014 at 7:53 pm

    oncee on Facebook mentioned the following…

    Not sure I agree. Can you point to any contained in what you call the “cyber realm” that isn’t information security? I have huge problems with the word “cyber” because it gets applied to everything from protecting the power grid to online crime. Doesn’t it all boil down to the CIA triad in the end?

    My response:

    to me “cyber” is the same thing as “cyberspace” .. and NIST defines that as “A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.” agreed with your comment that people just throw it in anywhere…

  7. CISecurity (@CISecurity) on May 6, 2014 at 9:48 am

    #Cyber Security versus Information Security
    @grecs
    https://t.co/djNpzFKWLH

  8. @huzeyfeonal on May 6, 2014 at 1:43 pm

    Cyber Security versus Information Security https://t.co/bLDemswhfF

  9. Tim Sattler (@sattlert) on May 6, 2014 at 4:30 pm

    #Cybersecurity versus Information Security https://t.co/CKsW6o7csL #InfoSec

  10. @KajaNarum on May 7, 2014 at 11:02 am

    Cyber Security versus Information Security http://t.co/wwbHz1zHbl

  11. novainfosec (@novainfosec) on May 7, 2014 at 4:01 pm

    Cyber Security versus Information Security – see our post for more info http://t.co/Ptp3osgDIw #infosec

  12. grecs (@grecs) on May 8, 2014 at 9:01 am

    Cyber Security versus Information Security – see our post for more info http://t.co/7tPbPauZaf #infosec

  13. Andy Willingham on May 9, 2014 at 8:26 am

    Without a clear definition of the word cyber it is not possible to determine the difference between the two. It is typically used to refer to virtual things such as cyberspace. There is no physical cyberspace but it can occur only because of the physical systems that give it existence. Therefore cybersecurity is a subset of information security because cybersecurity can’t exist without the systems that are protected by information security. Cyber itself is just information that is used in such a way as to create another perceived system.

  14. grecs on May 10, 2014 at 10:25 pm

    Andy: Thanks for the comment. Some great points to consider.

  15. grecs on May 10, 2014 at 10:27 pm

    Samuel Liles over at http://selil.com posted a comment on this post. Check it out for a much deeper look into this topic.

    http://selil.com/archives/5586

  16. @iKnowIT2 on May 25, 2014 at 9:10 pm

    Cyber Security versus Information Security – What’s the difference? http://t.co/GMqhAT4Khd #CyberSecurity #InfoSec

  17. @KrinBenji on February 5, 2015 at 3:16 pm

    Cyber Security versus Information Security http://t.co/8DxKh2caVh

  18. rishi anand on April 1, 2015 at 1:30 am

    Which is more important to study ..
    is that cyber security and forensics or
    information security and cyber forensics in MTech ..please tell me

  19. novainfosec (@novainfosec) on May 6, 2015 at 11:40 pm

    Best Of: Cyber Security versus Information Security http://t.co/7eSBZHZN6U

  20. @Mhcandan on May 7, 2015 at 4:29 am

    Cyber Security versus Information Security https://t.co/SariRVPbHj

  21. @Secnewsbytes on May 8, 2015 at 4:24 am

    Cyber Security versus Information Security | NovaInfosec https://t.co/QBUY6D12i5

  22. @Marce_I_P on August 16, 2015 at 7:37 pm

    Cyber Security versus Information Security https://t.co/zDDEhgBLfL

  23. @drew3ooo on August 17, 2015 at 8:04 am

    Cybersecurity as sub-set of information security http://t.co/6mkFa6j7gM or information security as super-set of cybersecurity. via @Oktavia

  24. @InfoSecSherpa on January 26, 2016 at 9:51 pm

    @grecs Just found this great 2014 blog post. May I use the graphic, & credit you, for a talk I’m giving?
    https://t.co/QudDqWZoyl

  25. @bcaplin on February 28, 2016 at 1:10 pm

    Cyber Security v Information Security @NovaInfosec https://t.co/FMXR7MnYZB << No! InfoSec is security of information, not just electronic

  26. @DaveKAtDell on February 29, 2016 at 9:00 am

    #CyberSecurity versus #InformationSecurity
    https://t.co/jN7692KPGJ
    #ITRTG https://t.co/UfTY1YWgWP

  27. InfoSecSherpa (@InfoSecSherpa) on May 22, 2016 at 7:18 pm

    @grecs I’m going to use this page for a webinar I’m doing and I will give a shout out to your group 🙂 https://t.co/QudDqWZoyl

  28. @Cyser_Group on September 20, 2016 at 6:34 am

    Cyber Security versus Information Security https://t.co/QOQDsInTpc

  29. @CyberTaters on September 30, 2016 at 12:18 pm

    This is helpful…https://t.co/mELATEaGUT #Dcdigsec

  30. @VirtualITMS on October 7, 2016 at 7:21 pm

    Cyber Security versus Information Security https://t.co/tQIcGsc16Q by @grecs

  31. @Ray_M71 on December 14, 2016 at 3:52 am

    Cyber Security versus Information Security https://t.co/2DXhr4QdQg by @grecs

  32. Joseq on January 9, 2017 at 2:46 am

    I agree with you. Cyber attacks, for example DOS, are against websites which are run from information systems. Hence, cyberspace cannot exist without information systems.

About Us

Founded in 2008, NoVA Infosec is dedicated to the community of Metro DC-based security professionals and whitehat hackers involved in the government and other regulated verticals. Find out more on our About Us page.