You may have seen our post on the difference between information security and information assurance. But how does cyber security fit into all this? Well, according to this recent article on JDSupra some see cyber as being broader than plain old information security. From their perspective the key difference is that information security is mainly relevant to personal information while cyber security is more universal, focusing on other concerns such as our national infrastructure.
My feeling though … is that information security is actually a super-set of cyber security since anything in the cyber realm would involve information or information systems. As usual here is my pseudo-Venn diagram to enjoy.
Of course a quick search on this topic will result in an abundance of contradictory definitions, including those from the JDSupra article and mine. Then we have the official NIST definitions from IR 7298 Revision 2, Glossary of Key Information Security Terms (PDF). They define cyber security and information security as follows (note there are two definitions for information security).
Cybersecurity: The ability to protect or defend the use of cyberspace from cyber attacks.
Information Security (1): The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
Information Security (2): Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide —
1) integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity;
2) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
3) availability, which means ensuring timely and reliable access to and use of information.
Based on the definitions above, the way I look at it — cyber security involves anything security-related in the cyber realm (or cyberspace). Information security involves the security of information or information systems regardless of the realm it occurs in (e.g., risk of exposure in physical world). Since anything that occurs in the cyber realm would involve the protection of information and information systems in some way, you can conclude that information security is a super-set of cyber security.
Personally, I use the terms interchangeably depending on the audience. In the government world, as well as with those not familiar with our field, cybersecurity is my go-to term. When chatting about it amongst my peers, infosec it is.
(Note: As part of a campaign to bring forward some of our older posts that we feel still benefit the community, we’ve added this article to our Best Of category that will periodically get tweeted out. Please mention it to me on Twitter or contact us if there are any other posts you feel we should include in this category. This post was previously categorized under Infosec Blogs/Podcasts. -@grecs)
What do you think the difference between information security and cyber security is? Let us know in the comments below. See ya!