Introduction: Evolution of Cyber Security
In today’s world, information, together with the underlying information system, is the most important asset for most organizations, if not all. It is therefore critical that these assets be protected against any type of incident, whether malicious, accidental or natural. In essence, this is what cyber security is about. However, we also come across terms such as Computer Security, Information Technology (IT) Security and Information Security. How, then, is cyber security different from these terms, and is there a better or more comprehensive definition of cyber security?
In this article, we explain what cyber security is by providing a broad definition that covers the protection goals, the full environment of cyber security and the corresponding security measures.
To explain what each of these security terms means, we first need to discuss the evolution of the field of cyber security.
In the early days of computing, computers were rare, massive and very expensive for organizations. In other words, the computers themselves were the critical assets that needed to be protected from harm, and so the term computer security emerged first.
As computers became cheaper and more widespread in organizations, thanks to the advent of personal computers and improvements in network technologies, the term IT security gained widespread usage, since it was the responsibility of IT departments to protect computers and their underlying hardware and software components.
In time, computer hardware became significantly cheaper and information itself emerged as the most valuable asset for organizations. As a result, the term information security was coined to describe the protection of both information and computers. The figure below depicts the historical evolution of computers and the corresponding security terminology.
Today, information security and cyber security are used interchangeably. However, cyber security focuses on protecting information in digital form, while information security is a broader category that deals with the protection of information in any form, whether in hard copy or digital.
What is Cyber Security?
After giving a brief overview of the related terminology, let’s try to define cyber security in more detail.
“To choose a definition is to plead a cause.” - Charles Leslie Stevenson (1908-1979)
In the past, a number of definitions were introduced to describe what cyber security really is and what it deals with. But these definitions mostly focused on the technical aspect of cyber security rather than capturing its multidimensionality. Only recently has cyber security started to be regarded as a multidimensional discipline that takes into account people and processes in addition to the traditional and fundamental component of technology.
In this respect, a comprehensive definition of cyber security can be given as follows:
Cyber security is the protection of the confidentiality, integrity and availability of information, whether it’s in transit, in processing or in storage, and the underlying information systems (both hardware and software), in a cyber space where people, processes and technology are involved, through the application of policy, training & awareness and technology.
To really grasp what the above definition means, let’s dissect it into smaller units, as depicted in the figure below, and try to digest it.
What Are We Trying to Protect?
The ultimate goal of cyber security is to protect the information itself together with its underlying components: computers, networks and software.
What Are The Protection Properties?
For proper security, both the information and the underlying information system need to be protected against unauthorized access and disclosure (confidentiality), unauthorized modification (integrity) and denial of use (availability).
Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. (1)
Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. (1)
Availability: Ensuring timely and reliable access to and use of information. (1)
In addition to these, some sources also mention that protection with respect to authentication and non-repudiation must be achieved as well.
Authentication: A mechanism to prove who the subject claims to be, by checking the provided credentials.
Non-Repudiation: Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information.
Asset Forms to be Protected
Ideally, information should be protected in any form: while it is being processed, while it is sent over a communication channel, or while it is stored and not in use.
What Are the Threats?
Threats can arise from malicious actors such as black hat hackers and malicious insiders, or inadvertently from undereducated or undertrained users. Threats can also have a non-human origin, such as natural disasters like earthquakes and hurricanes.
Cyber Security Protection Environment
Most importantly, cyber space does not consist of technology alone. People and processes are at least equally important components of cyber security. This is because humans are the core components that interact with the technology, and this interaction is defined as the process component of cyber space.
Cyber Security Protection Controls
Since we are dealing with three different dimensions in cyber space, we should have matching controls/measures for each of them. People need to be educated and trained against cyber threats. Technical countermeasures are traditionally indispensable in protecting information and IT systems. And policies should be prepared to define how the technical controls are managed and how people interact with the technology.
As a final remark, the takeaway is that people and processes are at least as important as the technical aspect of cyber security. Since humans are the weakest link, we should take them into account more seriously when designing our security mechanisms.
A system is as secure as its weakest link, and humans are the weakest link.
“If you think you know-it-all about cybersecurity, this discipline was probably ill-explained to you.” - Stephane Nappo
(1) 44 U.S.C., SEC. 3542 Definitions